ISO/IEC 20000 is an international standard for IT service management that specifies requirements for establishing, implementing, maintaining and improving an IT service management system. It aims to ensure consistent service delivery and provide customers with proof of effective IT service management. While based on ITIL best practices, ISO/IEC 20000 differs in that it focuses on certifying an organization's quality management system and processes rather than individual qualifications. Organizations can become certified through an independent audit to demonstrate their compliance with over 200 requirements specified in the standard.

1. Business is evolving, you should too.
What is ISO20000?
Ben Kalland, Tieturi
Helsinki, Tampere, Turku, Tukholma, Göteborg | www.tieturi.fi

2. Agenda
• What is ISO/20000 and why should I care?
• History and future
• Relationship to ITIL and other standards
• Certification, who, how much, why and when
• ISO20000 processes – difference to ITIL
• How to proceed from here

3. ITIL is a library of best practice
Service Strategy
•
strategic analysis, planning, positioning
• Service Design
translates plans to designs and specifications
• Service Transition
ensures design will deliver and can be
operated
• Service Operation
manage a service throughout production life
• Continual Service Improvement
measure performance for maximum benefit

4. ITIL
• ITIL knowledge can be certified for individuals
• Foundation
• Practitioner
• Service Manager – ITIL Expert
• An organisation cannot be ITIL certified
• Anyone can claim they have adopted ITIL

5. ISO/IEC 20000
• Worldwide standard for IT Service Management
• International certification against standard
• Proof that best practices are implemented
• ITIL not requirement
• Not as deep as ITIL – minimum requirement
• ITIL is a set of guidance – ISO is requirements
• Easier to achieve if ITIL based approach
• 200 + requirements to be able to demonstrate compliance
• Based on BS15000, 400 minor adjustments
• Certification for Quality Management (not i.e. tools)

6. Relationship ISO 20000 - ITIL

7. Relationship ISO 20 000 - ITIL

8. Timeline - history and future
• 1989 ITIL V1
• 1999 ITIL V2
• 2000 BS15000
• 2003 itSMF launched BS15000 certification
• 2005 ISO/IEC 20000
• 2007 ITIL V3
• 2009 IS/IEC 20000 – v2

9. Can you answer these questions?
• What are the current and future requirements of the
business
• What happens if you have a major disaster
• What level of service do you provide
• What level of risks and liability do you have
• What is the current level of failures and how much does it
cost the business
• If your business customer base doubles, what does it
mean for IT and how much does it cost and when is it
ready
• Goal of SM: align with business, low cost, high quality

10. Note!
ISO/IEC 20000 certifies the quality management
system and processes SUPPORTING the products or
services provided.
It does NOT certify the products or services
themselves.

11. Position against other frameworks

12. Requirements
• Part 1 provides the requirements for IT service
management to gain certification
• This is relevant to those responsible for initiating,
implementing or maintaining IT service management in
their organization
• Senior Management are responsible and accountable for
ensuring all requirements of Part One are met if
Certification is sought
• Compulsory requirements – shall
• Basis for independent auditing
• Example: “All incidents shall be recorded”

13. Guidance
• Part 2 - Code of Practice for Service Management
• Provides guidance to internal auditors and assists service
providers planning service improvements or preparing for
audits against ISO 20000
• Guidance – should
• Explanations, not compulsory
• Ex: “The process for a major incident should include a
review”

14. Scope
• Part 3 - Scope & Applicability
• Advice on scoping for service management
• Planning & improvements
• Scope statements for certification audits
• Suggestions on applicability include adding
communications or wider technology enabled services
• Not yet formally agreed.

15. Who is certified? Examples
• 50% private, 50% public
• 50% internal, 50% external service providers
• CSC Nordic, Denmark
• Fujitsu Services, Finland
• Siemens Business Services, Germany
• Flughafen Munchen, Germany
• T-Systems ITC Services, Spain
• Salzburg AG, Austria
• EDS, Netherlands
• ING Services Centre Budapest, Hungary

16. Who is certified? 349 organizations in March 2009
• UK 52
• Japan 50
• India 41
• South Korea 35
• China 34
• Germany 20
…
• Denmark 2
• Finland 1
• Sweden, Norway - none

17. Eligibility
• An organisation must be able to demonstrate it has management control of
each of the ISO 20000 processes
• All requirements must be met
• If a process or function is outsourced, the organisation must retain
management control
• Control of input, policy setting
• Use and knowledge of output
• Define metrics and continuous improvement
• Management control of a process consists of:
• knowledge and control of the inputs
• knowledge, use and interpretation of the outputs
• definition and measurement of metrics
• demonstration of objective evidence of accountability for process
functionality
• definition, measurement and review of process improvements

18. ISO/IEC 20000 processes

19. Delivery processes

20. Support processes

21. How to proceed
• Prepare for certification through Consultancy Services
• Assessment, implementation of processes, mentoring and guidance
• Undertake various forms of training:
• ISO 20000 Foundation
• Aimed at individuals familiar with ITIL, who participate in developing processes
or preparing for audition
• ISO 20000 Consultants Certifiacte
• Aimed at experienced IT Service Management practitioners whose roles and
responsibilities include preparing organisations for the adoption of ISO 20000.
• ISO 20000 Auditors Certificate:
• Aimed at experienced internal or external auditors who have at least 3 years’
general IT auditing experience and are either certified ISO 9000, ISO 27001 or
TickIT auditors or are certified internal auditors
• Service Management
• ITIL Foundation, Practitioner, Managers
• Planning To Implement
• Experiential Learning & Awareness
• Select an approved Registered Certified Body

22. Audits
• RCB
• Needed documentation
• Evidence of intention: process designs, SLA’s, plans, contracts, ...
• Inputs, specifications
• Records of achievement or activities performed: statistical data,
minutes of meetings, RFC’s, ...
• Outputs
• Surveillance audits – at least annually
• Full re-audits – every three year
• Internal audits – ”at planned intervals”

23. More information?
Ben Kalland
ITIL Expert, ISO 20000 Foundation certified consultant
Accredited ITIL trainer
ben.kalland@tieturi.fi
Tieturi Oy, HTC Santa Maria
Tammasaarenkatu 5
00180 HELSINKI
www.tieturi.fi/itil