
INTERNATIONAL STANDARD

Second edition
2011-04-15

Technologies de l'information - Gestion des services - Partie 1: Exigences du système de gestion des services

Reference number
ISO/IEC 20000-1:2011(E)

© ISO/IEC 2011

ISO/IEC 20000-1:2011(E)

COPYRIGHT PROTECTED DOCUMENT

© ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

Contents

Foreword
Introduction
1 Scope
1.1 General
1.2 Application
2 Normative references
3 Terms and definitions
4 Service management system general requirements
4.1 Management responsibility
4.1.1 Management commitment
4.1.2 Service management policy
4.1.3 Authority, responsibility and communication
4.1.4 Management representative
4.2 Governance of processes operated by other parties
4.3 Documentation management
4.3.1 Establish and maintain documents
4.3.2 Control of documents
4.3.3 Control of records
4.4 Resource management
4.4.1 Provision of resources
4.4.2 Human resources
4.5 Establish and improve the SMS
4.5.1 Define scope
4.5.2
4.5.3
4.5.4
4.5.5
5
5.1 General
5.2 Plan new or changed services
5.3 Design and development of new or changed services
5.4 Transition of new or changed services
6
6.1
6.2
6.3
6.3.1
6.3.2
6.3.3 Service continuity and availability monitoring and testing
6.4
6.5
6.6
6.6.1
6.6.2
6.6.3
7
7.1 Business relationship management
7.2 Supplier management
8 Resolution processes
8.1 Incident and service request management
8.2 Problem management
9 Control processes
9.1 Configuration management
9.2 Change management
9.3 Release and deployment management
Bibliography

Figures

Figure 1 - PDCA methodology applied to service management
Figure 2 - Service management system
Figure 3 - Example of supply chain relationships

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 20000-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 7, Software and systems engineering.

This second edition cancels and replaces the first edition (ISO/IEC 20000-1:2005), which has been technically revised. The main differences are as follows:

- closer alignment to ISO 9001;
- closer alignment to ISO/IEC 27001;
- change of terminology to reflect international usage;
- … definitions and removal of two definitions;
- combining Clauses 3 and 4 of ISO/IEC 20000-1:2005 to put all management system requirements into one clause;
- clarification of the requirements for the governance of processes operated by other parties;
- clarification of the requirements for defining the scope of the SMS;
- clarification that the PDCA methodology applies to the SMS, including the service management processes, and the services;
- introduction of new requirements for the design and transition of new or changed services.

ISO/IEC 20000 consists of the following parts, under the general title Information technology - Service management:

- Part 1: Service management system requirements
- Part 2: Guidance on the application of service management systems 1)
- Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1 [Technical Report]
- Part 4: Process reference model [Technical Report]
- Part 5: Exemplar implementation plan for ISO/IEC 20000-1 [Technical Report]

A process assessment model for service management will form the subject of a future Part 8.

1) To be published. (Technical revision of ISO/IEC 20000-2:2005.)

Introduction

The requirements in this part of ISO/IEC 20000 include the design, transition, delivery and improvement of services that fulfil service requirements and provide value for both the customer and the service provider. This part of ISO/IEC 20000 requires an integrated process approach when the service provider plans, establishes, implements, operates, monitors, reviews, maintains and improves a service management system (SMS).

Co-ordinated integration and implementation of an SMS provides ongoing control and opportunities for continual improvement, greater effectiveness and efficiency. The operation of processes as specified in this part of ISO/IEC 20000 requires personnel to be well organized and co-ordinated. Appropriate tools can be used to enable the processes to be effective and efficient.

The most effective service providers consider the impact on the SMS through all stages of the service lifecycle, from strategy through design, transition and operation, including continual improvement.

This part of ISO/IEC 20000 requires the application of the methodology known as "Plan-Do-Check-Act" (PDCA) to all parts of the SMS and the services. The PDCA methodology, as applied in this part of ISO/IEC 20000, can be briefly described as follows.

Plan: establishing, documenting and agreeing the SMS. The SMS includes the policies, objectives, plans and processes to fulfil the service requirements.

Do: implementing and operating the SMS for the design, transition, delivery and improvement of the services.

Check: monitoring, measuring and reviewing the SMS and the services against the policies, objectives, plans and service requirements and reporting the results.

Act: taking actions to continually improve performance of the SMS and the services.

When used within an SMS, the following are the most important aspects of an integrated process approach and the PDCA methodology:

a) understanding and fulfilling the service requirements to achieve customer satisfaction;

b) establishing the policy and objectives for service management;

c) designing and delivering services based on the SMS that add value for the customer;

d) monitoring, measuring and reviewing performance of the SMS and the services;

e) continually improving the SMS and the services based on objective measurements.

Figure 1 illustrates how the PDCA methodology can be applied to the SMS, including the service management processes specified in Clauses 5 to 9, and the services. Each element of the PDCA methodology is a vital part of a successful implementation of an SMS. The improvement process used in this part of ISO/IEC 20000 is based on the PDCA methodology.
Figure 1 - PDCA methodology applied to service management

This part of ISO/IEC 20000 enables a service provider to integrate its SMS with other management systems in the service provider's organization. The adoption of an integrated process approach and the PDCA methodology enables the service provider to align or fully integrate multiple management system standards. For example, an SMS can be integrated with a quality management system based on ISO 9001 or an information security management system based on ISO/IEC 27001.

ISO/IEC 20000 is intentionally independent of specific guidance. The service provider can use a combination of generally accepted guidance and its own experience.

Users of an International Standard are responsible for its correct application. An International Standard does not purport to include all necessary statutory and regulatory requirements and contractual obligations of the service provider. Conformity to an International Standard does not of itself confer immunity from statutory and regulatory requirements.

For the purposes of research on service management standards, users are encouraged to share their views on ISO/IEC 20000-1 and their priorities for changes to the rest of the ISO/IEC 20000 series. Click on the link below to take part in the online survey.

ISO/IEC 20000-1 online survey


INTERNATIONAL STANDARD

Information technology - Service management -

Part 1:
Service management system requirements

1 Scope

1.1 General

This part of ISO/IEC 20000 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfil service requirements.

This part of ISO/IEC 20000 can be used by:

a) an organization seeking services from service providers and requiring assurance that their service requirements will be fulfilled;

b) an organization that requires a consistent approach by all its service providers, including those in a supply chain;

c) a service provider that intends to demonstrate its capability for the design, transition, delivery and improvement of services that fulfil service requirements;

d) a service provider to monitor, measure and review its service management processes and services;

e) a service provider to improve the design, transition and delivery of services through effective implementation and operation of an SMS;

f) an assessor or auditor as the criteria for a conformity assessment of a service provider's SMS to the requirements in this part of ISO/IEC 20000.

Figure 2 illustrates an SMS, including the service management processes. The service management processes and the relationships between the processes can be implemented in different ways by different service providers. The nature of the relationship between a service provider and the customer will influence how the service management processes are implemented.

[Figure 2: diagram of the Service Management System (SMS), with customers (and other interested parties) on either side. Legible labels: Management responsibility; Governance of processes operated by other parties; Establish the SMS; Documentation management; Resource management; Design and transition of new or changed services; Service delivery processes; Control processes; Resolution processes; Relationship processes.]

Figure 2 - Service management system

1.2 Application

All requirements in this part of ISO/IEC 20000 are generic and are intended to be applicable to all service providers, regardless of type, size and the nature of the services delivered. Exclusion of any of the requirements in Clauses 4 to 9 is not acceptable when a service provider claims conformity to this part of ISO/IEC 20000, irrespective of the nature of the service provider's organization.

Conformity to the requirements in Clause 4 can only be demonstrated by a service provider showing evidence of fulfilling all of the requirements in Clause 4. A service provider cannot rely on evidence of the governance of processes operated by other parties for the requirements in Clause 4.

Conformity to the requirements in Clauses 5 to 9 can be demonstrated by the service provider showing evidence of fulfilling all requirements. Alternatively, the service provider can show evidence of fulfilling the majority of the requirements themselves and evidence of the governance of processes operated by other parties for those processes, or parts of processes, that the service provider does not operate directly.

The scope of this part of ISO/IEC 20000 excludes the specification for a product or tool. However, organizations can use this part of ISO/IEC 20000 to help them develop products or tools that support the operation of an SMS.

NOTE ISO/IEC TR 20000-3 provides guidance on scope definition and applicability of this part of ISO/IEC 20000. This includes further explanation about the governance of processes operated by other parties.
2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

No normative references are cited. This clause is included in order to ensure clause numbering is identical with ISO/IEC 20000-2:-, Information technology - Service management - Part 2: Guidance on the application of service management systems 2).

2) To be published.

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

3.1
availability
ability of a service or service component to perform its required function at an agreed instant or over an agreed period of time

NOTE Availability is normally expressed as a ratio or percentage of the time that the service or service component is actually available for use by the customer to the agreed time that the service should be available.

3.2
configuration baseline
configuration information formally designated at a specific time during a service or service component's life

NOTE 1 Configuration baselines, plus approved changes from those baselines, constitute the current configuration information.

NOTE 2 Adapted from ISO/IEC/IEEE 24765:2010.

3.3
configuration item
CI
element that needs to be controlled in order to deliver a service or services

3.4
configuration management database
CMDB
data store used to record attributes of configuration items, and the relationships between configuration items, throughout their lifecycle

3.5
continual improvement
recurring activity to increase the ability to fulfil service requirements

NOTE Adapted from ISO 9000:2005.

3.6
corrective action
action to eliminate the cause or reduce the likelihood of recurrence of a detected nonconformity or other undesirable situation

NOTE Adapted from ISO 9000:2005.

3.7
customer
organization or part of an organization that receives a service or services

NOTE 1 A customer can be internal or external to the service provider's organization.

NOTE 2 Adapted from ISO 9000:2005.

3.8
document
information and its supporting medium

[ISO 9000:2005]
EXAMPLES
"~'."",~. ".o,,~.o-"~ _.,~ "'=~


NOTE 1 The documentation can be in any form or type of medium.

NOTE 2 In ISO/IEC 20000, documents, except for records, state the intent to be achieved.

3.9
effectiveness
extent to which planned activities are realized and planned results achieved

[ISO 9000:2005]

3.10
incident
unplanned interruption to a service, a reduction in the quality of a service or an event that has not yet impacted the service to the customer

3.11
information security
preservation of confidentiality, integrity and accessibility of information

NOTE 1 In addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.

NOTE 2 The term "availability" has not been used in this definition because it is a defined term in this part of ISO/IEC 20000 which would not be appropriate for this definition.

NOTE 3 Adapted from ISO/IEC 27000:2009.

3.12
information security incident
single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security

[ISO/IEC 27000:2009]

3.13
interested party
person or group having a specific interest in the performance or success of the service provider's activity or activities

EXAMPLES Customers, owners, management, people in the service provider's organization, suppliers, bankers, unions or partners.

NOTE 1 A group can comprise an organization, a part thereof, or more than one organization.

NOTE 2 Adapted from ISO 9000:2005.

3.14
internal group
part of the service provider's organization that enters into a documented agreement with the service provider to contribute to the design, transition, delivery and improvement of a service or services

NOTE The internal group is outside the scope of the service provider's SMS.

3.15
known error
problem that has an identified root cause or a method of reducing or eliminating its impact on a service by working around it

3.16
nonconformity
non-fulfilment of a requirement


[ISO 9000:2005]

3.17
organization
group of people and facilities with an arrangement of responsibilities, authorities and relationships

EXAMPLES Company, corporation, firm, enterprise, institution, charity, sole trader, association or parts or combination thereof.

:::: : ::eo~~~n~:::i::n~~: ::n:~:I:i: ::d:~~ale I"

[ISO 9000:2005]

3.18
preventive action
action to avoid or eliminate the causes or reduce the likelihood of occurrence of a potential nonconformity or other potential undesirable situation

NOTE Adapted from ISO 9000:2005.

3.19
problem
root cause of one or more incidents

NOTE The root cause is not usually known at the time a problem record is created and the problem management process is responsible for further investigation.

3.20
procedure
specified way to carry out an activity or a process

[ISO 9000:2005]

NOTE Procedures can be documented or not.

3.21
process
set of interrelated or interacting activities which transforms inputs into outputs

[ISO 9000:2005]

3.22
record
document stating results achieved or providing evidence of activities performed

[ISO 9000:2005]

EXAMPLES Audit reports, incident reports, training records or minutes of meetings.

3.23
release
collection of one or more new or changed configuration items deployed into the live environment as a result of one or more changes

3.24
request for change
proposal for a change to be made to a service, service component or the service management system


NOTE A change to a service includes the provision of a new service or the removal of a service which is no longer required.

3.25
risk
effect of uncertainty on objectives

NOTE 1 An effect is a deviation from the expected - positive and/or negative.

NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).

NOTE 3 Risk is often characterized by reference to potential events and consequences, or a combination of these.

NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.

[ISO 31000:2009]

3.26
service
means of delivering value for the customer by facilitating results the customer wants to achieve

NOTE 1 Service is generally intangible.

NOTE 2 A service can also be delivered to the service provider by a supplier, an internal group or a customer acting as a supplier.

3.27
service component
single unit of a service that when combined with other units will deliver a complete service

EXAMPLES Hardware, software, tools, applications, documentation, information, processes or supporting services.

NOTE A service component can consist of one or more configuration items.

3.28
service continuity
capability to manage risks and events that could have serious impact on a service or services in order to continually deliver services at agreed levels

3.29
service level agreement
SLA
documented agreement between the service provider and customer that identifies services and service targets

NOTE 1 A service level agreement can also be established between the service provider and a supplier, an internal group or a customer acting as a supplier.

NOTE 2 A service level agreement can be included in a contract or another type of documented agreement.

3.30
service management
set of capabilities and processes to direct and control the service provider's activities and resources for the design, transition, delivery and improvement of services to fulfil the service requirements

3.31
service management system
SMS
management system to direct and control the service management activities of the service provider


NOTE 1 A management system is a set of interrelated or interacting elements to establish policy and objectives and to achieve those objectives.

NOTE 2 The SMS includes all service management policies, objectives, plans, processes, documentation and resources required for the design, transition, delivery and improvement of services and to fulfil the requirements in this part of ISO/IEC 20000.

NOTE 3 Adapted from the definition of "quality management system" in ISO 9000:2005.

3.32
service provider
organization or part of an organization that manages and delivers a service or services to the customer

NOTE A customer can be internal or external to the service provider's organization.

3.33
service request
request for information, advice, access to a service or a pre-approved change

3.34
service requirement
needs of the customer and the users of the service, including service level requirements, and the needs of the service provider

3.35
supplier
organization or part of an organization that is external to the service provider's organization and enters into a contract with the service provider to contribute to the design, transition, delivery and improvement of a service or services or processes

NOTE Suppliers include designated lead suppliers but not their sub-contracted suppliers.

3.36
top management
person or group of people who direct and control the service provider at the highest level

NOTE Adapted from ISO 9000:2005.

3.37
transition
activities involved in moving a new or changed service to or from the live environment

4 Service management system general requirements

4.1 Management responsibility

4.1.1 Management commitment

Top management shall provide evidence of its commitment to planning, establishing, implementing, operating, monitoring, reviewing, maintaining, and improving the SMS and the services by:

a) establishing and communicating the scope, policy and objectives for service management;

b) ensuring that the service management plan is created, implemented and maintained in order to adhere to the policy, achieve the objectives for service management and fulfil the service requirements;

c) communicating the importance of fulfilling service requirements;

d) communicating the importance of fulfilling statutory and regulatory requirements and contractual obligations;

e) ensuring the provision of resources;

f) conducting management reviews at planned intervals;

g) ensuring that risks to services are assessed and managed.

4.1.2 Service management policy

Top management shall ensure that the service management policy:

a) is appropriate to the purpose of the service provider;

b) includes a commitment to fulfil service requirements;

c) includes a commitment to continually improve the effectiveness of the SMS and the services through the policy on continual improvement in Clause 4.5.5.1;

d) provides a framework for establishing and reviewing service management objectives;

e) is communicated and understood by the service provider's personnel;

f) is reviewed for continuing suitability.

4.1.3 Authority, responsibility and communication

Top management shall ensure that:

a) service management authorities and responsibilities are defined and maintained;

b) documented procedures for communication are established and implemented.

4.1.4 Management representative

Top management shall appoint a member of the service provider's management who, irrespective of other responsibilities, has the authorities and responsibilities that include:

a) ensuring that activities are performed to identify, document and fulfil service requirements;

b) assigning authorities and responsibilities for ensuring that service management processes are designed, implemented and improved in accordance with the policy and objectives for service management;

c) ensuring that service management processes are integrated with the other components of the SMS;

d) ensuring that assets, including licences, used to deliver services are managed according to statutory and regulatory requirements and contractual obligations;

e) reporting to top management on the performance and opportunities for improvement to the SMS and the services.

4.2 Governance of processes operated by other parties

For the processes in Clauses 5 to 9, the service provider shall identify all processes, or parts of processes, which are operated by other parties. Other parties can be an internal group, a customer or a supplier. The service provider shall demonstrate governance of processes operated by other parties by:

a) demonstrating accountability for the processes and authority to require adherence to the processes;

b) controlling the definition of the processes, and interfaces to other processes;

c) determining process performance and compliance with process requirements;

d) controlling the planning and prioritizing of process improvements.

When a supplier is operating parts of the processes, the service provider shall manage the supplier through the supplier management process. When an internal group or a customer is operating parts of the processes, the service provider shall manage the internal group or the customer through the service level management process.

NOTE ISO/IEC TR 20000-3 provides guidance on scope definition and applicability of this part of ISO/IEC 20000. This includes further explanation about the governance of processes operated by other parties.

4.3 Documentation management

4.3.1 Establish and maintain documents

The service provider shall establish and maintain documents, including records, to ensure effective planning, operation and control of the SMS. These documents shall include:

a) documented policy and objectives for service management;

b) documented service management plan;

c) documented policies and plans created for specific processes as required by this part of ISO/IEC 20000;

d) documented catalogue of services;

e) documented SLAs;

f) documented service management processes;

g) documented procedures and records required by this part of ISO/IEC 20000;

h) additional documents, including those of external origin, determined by the service provider as necessary to ensure effective operation of the SMS and delivery of the services.
t;
cJ
'1.3.2 t,~tnt~f.!?frdocuments - "J o
'"
ill
Documents required by the SMS shall be controlled. Records are a s~ecial type of document
I and shall be <t

I
controlled according to the requirements given in Clause 4.3.3.

A documented procedure, including the authorities and responsibilities, shall be established to define the
controls needed to:

a) create and approve documents prior to issue;

b) communicate to interested parties about new or changed documents;

c) review and maintain documents as necessary;

d) ensure that changes and the current revision status of documents are identified;

e) ensure that relevant versions of applicable documents are available at points of use;

f) ensure that documents are readily identifiable and legible;

g) ensure that documents of external origin are identified and their distribution controlled;

h) prevent the unintended use of obsolete documents and apply suitable identification to them if they are
retained.


4.3.3 Control of records

Records shall be kept to demonstrate conformity to requirements and the effective operation of the SMS.

A documented procedure shall be established to define the controls needed for the identification, storage,
protection, retrieval, retention and disposal of records. Records shall be legible, readily identifiable and
retrievable.

4.4 Resource management

4.4.1 Provision of resources

The service provider shall determine and provide the human, technical, information and financial resources
needed to:

a) establish, implement and maintain the SMS and the services, and continually improve their effectiveness;

b) enhance customer satisfaction by delivering services that fulfil service requirements.


4.4.2 Human resources

The service provider's personnel performing work affecting conformity to service requirements shall be
competent on the basis of appropriate education, training, skills and experience. The service provider shall:

a) determine the necessary competence for personnel;

b) where applicable, provide training or take other actions to achieve the necessary competence;

c) evaluate the effectiveness of actions taken;

d) ensure that its personnel are aware of how they contribute to the achievement of service management
objectives and the fulfilment of service requirements;

e) maintain appropriate records of education, training, skills and experience.


4.5 Establish and improve the SMS

4.5.1 Define scope

The service provider shall define and include the scope of the SMS in the service management plan. The
scope shall be defined by the name of the organizational unit providing the services, and the services to be
delivered.

The service provider shall also take into consideration other factors affecting the services to be delivered
including:

a) geographical location(s) from which the service provider delivers the services;

b) the customer and their location(s);

c) technology used to provide the services.

NOTE ISO/IEC TR 20000-3 provides guidance on scope definition and applicability of this part of ISO/IEC 20000.


4.5.2 Plan the SMS (Plan)

The service provider shall create, implement and maintain a service management plan. Planning shall take
into consideration the service management policy, service requirements and requirements in this part of
ISO/IEC 20000. The service management plan shall contain or include a reference to at least the following:

a) service management objectives that are to be achieved by the service provider;

b) service requirements;

c) known limitations which can impact the SMS;

d) policies, standards, statutory and regulatory requirements and contractual obligations;

e) framework of authorities, responsibilities and process roles;

f) authorities and responsibilities for plans, service management processes and services;

g) human, technical, information and financial resources necessary to achieve the service management
objectives;

h) approach to be taken for working with other parties involved in the design and transition of new or
changed services process;

i) approach to be taken for the interfaces between service management processes and their integration with
the other components of the SMS;

j) approach to be taken for the management of risks and the criteria for accepting risks;

k) technology used to support the SMS;

l) how the effectiveness of the SMS and the services will be measured, audited, reported and improved.

Plans created for specific processes shall be aligned with the service management plan. The service
management plan and plans created for specific processes shall be reviewed at planned intervals and, if
applicable, updated.

4.5.3 Implement and operate the SMS (Do)

The service provider shall implement and operate the SMS for the design, transition, delivery and
improvement of services according to the service management plan, through activities including at least:

a) allocation and management of funds and budgets;

b) assignment of authorities, responsibilities and process roles;

c) management of human, technical and information resources;

e) management of service management processes;


The objectives of all internal audits and management reviews shall be documented. The internal audits and
management reviews shall demonstrate the ability of the SMS and the services to achieve service
management objectives and fulfil service requirements. Nonconformities shall be identified against the
requirements in this part of ISO/IEC 20000, the SMS requirements identified by the service provider or the
service requirements.

The results of internal audits and management reviews, including nonconformities, concerns and actions
identified, shall be recorded. The results and actions shall be communicated to interested parties.

4.5.4.2 Internal audit

The service provider shall conduct internal audits, at planned intervals, to determine whether the SMS and the
services:

a) fulfil the requirements in this part of ISO/IEC 20000;

b) fulfil the service requirements and the SMS requirements identified by the service provider;

c) are effectively implemented and maintained.

There shall be a documented procedure including the authorities and responsibilities for planning and
conducting audits, reporting results and maintaining audit records.

An audit programme shall be planned. This shall take into consideration the status and importance of the
processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope,
frequency and methods shall be documented.

The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit. Auditors
shall not audit their own work.

Nonconformities shall be communicated, prioritized and responsibility allocated for actions. The management
responsible for the area being audited shall ensure that any corrections and corrective actions are taken
without undue delay to eliminate nonconformities and their causes. Follow-up activities shall include the
verification of the actions taken and the reporting of results.

NOTE See ISO 19011 for guidance on management systems auditing.

4.5.4.3 Management review

Top management shall review the SMS and the services at planned intervals to ensure their continued
suitability and effectiveness. This review shall include assessing opportunities for improvement and the need
for changes to the SMS, including the policy and objectives for service management.

The input to management reviews shall include at least information on:

a) customer feedback;

b) service and process performance and conformity;

c) current and forecast human, technical, information and financial resource levels;

d) current and forecast human and technical capabilities;

e) risks;

f) results and follow-up actions from audits;

g) results and follow-up actions from previous management reviews;

h) status of preventive and corrective actions;

i) changes that could affect the SMS and the services;

j) opportunities for improvement.

Records of management reviews shall be maintained.

The records from the management review shall include at least decisions and actions related to resources,
improvement of the effectiveness of the SMS and improvement of the services.

4.5.5 Maintain and improve the SMS (Act)

4.5.5.1 General

There shall be a policy on continual improvement of the SMS and the services. The policy shall include
evaluation criteria for the opportunities for improvement.

There shall be a documented procedure including the authorities and responsibilities for identifying,
documenting, evaluating, approving, prioritizing, managing, measuring and reporting of improvements.

Opportunities for improvement, including corrective and preventive actions, shall be documented.

The cause of identified nonconformities shall be corrected. Corrective actions shall be taken to eliminate the
cause of identified nonconformities in order to prevent recurrence. Preventive actions shall be taken in order
to eliminate the cause of potential nonconformities in order to prevent occurrence.

NOTE For more information on corrective and preventive action, see ISO 9001:2008, Clause 8.5.

4.5.5.2 Management of improvements

Opportunities for improvement shall be prioritized. The service provider shall use the evaluation criteria in the
policy on continual improvement, when making decisions on opportunities for improvement.

Approved improvements shall be planned.

The service provider shall manage improvement activities that include at least:

a) setting targets for improvements in one or more of quality, value, capability, cost, productivity, resource
utilization and risk reduction;

b) ensuring that approved improvements are implemented;

c) revising the service management policies, plans, processes and procedures, where necessary;

d) measuring implemented improvements against the targets set and where targets are not achieved, taking
necessary actions;

e) reporting on implemented improvements.

5 Design and transition of new or changed services

5.1 General

The service provider shall use this process for all new services and changes to services with the potential to
have a major impact on services or the customer. The changes that are in the scope of Clause 5 shall be
determined by the change management policy agreed as part of the change management process.

Assessment, approval, scheduling and reviewing of new or changed services in the scope of Clause 5 shall
be controlled by the change management process. The CIs affected by new or changed services in the scope
of Clause 5 shall be controlled by the configuration management process.


The service provider shall review outputs from the planning and design activities for new or changed services
against the agreed service requirements and the relevant requirements given in Clauses 5.2 and 5.3. Based
on the review, the service provider shall accept or reject the outputs. The service provider shall take
necessary actions to ensure that the development and transition of the new or changed services can be
performed effectively, using the accepted outputs.

NOTE The need for a new service or a change to a service can originate from the customer, the service provider, an
internal group or a supplier in order to satisfy business needs or to improve the effectiveness of the services.

5.2 Plan new or changed services

The service provider shall identify the service requirements for the new or changed services. New or changed
services shall be planned to fulfil the service requirements. Planning for the new or changed services shall be
agreed with the customer and interested parties.

As input to planning, the service provider shall take into consideration the potential financial, organizational,
and technical impact of delivering the new or changed services. The service provider shall also take into
consideration the potential impact of the new or changed services on the SMS.

Planning for the new or changed services shall contain or include a reference to at least the following:

a) authorities and responsibilities for design, development and transition activities;

b) activities to be performed by the service provider and other parties including activities across interfaces
from the service provider to other parties;

c) communication to interested parties;

d) human, technical, information and financial resources;

e) timescales for planned activities;

f) identification, assessment and management of risks;

g) dependencies on other services;

h) testing required for the new or changed services;

i) service acceptance criteria;

j) expected outcomes from delivering the new or changed services, expressed in measurable terms.

For services that are to be removed, the service provider shall plan for the removal of the service(s). Planning
shall include the date(s) for the removal, archiving, disposal or transfer of data, documentation and service
components. The service components can include infrastructure and applications with associated licences.

The service provider shall identify other parties who will contribute to the provision of service components for
the new or changed services. The service provider shall evaluate their ability to fulfil the service requirements.
The results of the evaluation shall be recorded and necessary actions taken.

5.3 Design and development of new or changed services

The new or changed services shall be designed and documented to include at least:

a) authorities and responsibilities for delivery of the new or changed services;

b) activities to be performed by the service provider, customer and other parties for delivery of the new or
changed services;

c) new or changed human resource requirements, including requirements for appropriate education, training,
skills and experience;


d) financial resource requirements for delivery of the new or changed services;

e) new or changed technology to support the delivery of the new or changed services;

f) new or changed plans and policies as required by this part of ISO/IEC 20000;

g) new or changed contracts and other documented agreements to align with changes in service
requirements;

h) changes to the SMS;

i) new or changed SLAs;

j) updates to the catalogue of services;

k) procedures, measures and information to be used for the delivery of the new or changed services.

The service provider shall ensure that the design enables the new or changed services to fulfil the service
requirements.

The new or changed services shall be developed in accordance with the documented design.

NOTE For further information about design, see the design and development process in ISO 9001:2008, Clause 7.3
or the architectural design process in ISO/IEC 15288:2008, Clause 6.4.3.

5.4 Transition of new or changed services

The new or changed services shall be tested to verify that they fulfil the service requirements and documented
design. The new or changed services shall be verified against service acceptance criteria agreed in advance
by the service provider and interested parties. If the service acceptance criteria are not met, the service
provider and interested parties shall make a decision on necessary actions and deployment.

The release and deployment management process shall be used to deploy approved new or changed
services into the live environment.

Following the completion of the transition activities, the service provider shall report to interested parties on
the outcomes achieved against the expected outcomes.

6 Service delivery processes

6.1 Service level management

The service provider shall agree the services to be delivered with the customer.

The service provider shall agree a catalogue of services with the customer. The catalogue of services shall
include the dependencies between services and service components.

For each service delivered, one or more SLAs shall be agreed with the customer. When creating SLAs, the
service provider shall take into consideration the service requirements. SLAs shall include agreed service
targets, workload characteristics and exceptions.

The service provider shall review services and SLAs with the customer at planned intervals.

Changes to the documented service requirements, catalogue of services, SLAs and other documented
agreements shall be controlled by the change management process. The catalogue of services shall be
maintained following changes to services and SLAs to ensure that they are aligned.

The service provider shall monitor trends and performance against service targets at planned intervals.
Results shall be recorded and reviewed to identify the causes of nonconformities and opportunities for
improvement.

For service components provided by an internal group or the customer, the service provider shall develop,
agree, review and maintain a documented agreement to define the activities and interfaces between the two
parties. The service provider shall monitor performance of the internal group or the customer against agreed
service targets and other agreed commitments, at planned intervals. Results shall be recorded and reviewed
to identify the causes of nonconformities and opportunities for improvement.

6.2 Service reporting


The description of each service report, including its identity, purpose, audience, frequency and details of the
data source(s), shall be documented and agreed by the service provider and interested parties.

Service reports shall be produced for services using information from the delivery of services and the SMS
activities, including the service management processes. Service reporting shall include at least:

a) performance against service targets;

b) relevant information about significant events including at least major incidents, deployment of new or
changed services and the service continuity plan being invoked;

c) workload characteristics including volumes and periodic changes in workload;

d) detected nonconformities against the requirements in this part of ISO/IEC 20000, the SMS requirements
or the service requirements and their identified causes;

e) trend information;

f) customer satisfaction measurements, service complaints and results of the analysis of satisfaction
measurements and complaints.

The service provider shall make decisions and take actions based on the findings in service reports. The
agreed actions shall be communicated to interested parties.

6.3 Service continuity and availability management

6.3.1 Service continuity and availability requirements

The service provider shall assess and document the risks to service continuity and availability of services. The
service provider shall identify and agree with the customer and interested parties service continuity and
availability requirements. The agreed requirements shall take into consideration applicable business plans,
service requirements, SLAs and risks.

The agreed service continuity and availability requirements shall include at least:

a) access rights to the services;

b) service response times;

c) end to end availability of services.

6.3.2 Service continuity and availability plans

The service provider shall create, implement and maintain a service continuity plan(s) and an availability
plan(s). Changes to these plans shall be controlled by the change management process.

The service continuity plan(s) shall include at least:

a) procedures to be implemented in the event of a major loss of service, or reference to them;

b) availability targets when the plan is invoked;

c) recovery requirements;

d) approach for the return to normal working conditions.

The service continuity plan(s), contact lists and the CMDB shall be accessible when access to normal service
locations is prevented.

The availability plan(s) shall include at least availability requirements and targets.

The service provider shall assess the impact of requests for change on the service continuity plan(s) and the
availability plan(s).

NOTE The service continuity plan(s) and availability plan(s) can be combined into one document.

6.3.3 Service continuity and availability monitoring and testing

Availability of services shall be monitored, the results recorded and compared with agreed targets. Unplanned
non-availability shall be investigated and necessary actions taken.

Service continuity plans shall be tested against the service continuity requirements. Availability plans shall be
tested against the availability requirements. Service continuity and availability plans shall be re-tested after
major changes to the service environment in which the service provider operates.

The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service
continuity plan has been invoked. Where deficiencies are found, the service provider shall take necessary
actions and report on the actions taken.

6.4 Budgeting and accounting for services


There shall be a defined interface between the budgeting and accounting for services process and other
financial management processes.

There shall be policies and documented procedures for:

a) budgeting and accounting for service components including at least

1) assets - including licences - used to provide the services,

2) shared resources,

3) overheads,

4) capital and operating expenses,

5) externally supplied services,

6) personnel,

7) facilities;

b) apportioning indirect costs and allocating direct costs to services, to provide an overall cost for each
service;

c) effective financial control and approval.


Costs shall be budgeted to enable effective financial control and decision-making for services delivered.

The service provider shall monitor and report costs against the budget, review the financial forecasts and
manage costs.

Information shall be provided to the change management process to support the costing of requests for
change.

NOTE Many service providers charge for their services. The scope of the budgeting and accounting for services
process excludes charging.

6.5 Capacity management

The service provider shall identify and agree capacity and performance requirements with the customer and
interested parties.

The service provider shall create, implement and maintain a capacity plan taking into consideration human,
technical, information and financial resources. Changes to the capacity plan shall be controlled by the change
management process.

The capacity plan shall include at least:

a) current and forecast demand for services;

b) expected impact of agreed requirements for availability, service continuity and service levels;

c) time-scales, thresholds and costs for upgrades to service capacity;

d) potential impact of statutory, regulatory, contractual or organizational changes;

e) potential impact of new technologies and new techniques;

f) procedures to enable predictive analysis, or reference to them.

The service provider shall monitor capacity usage, analyse capacity data and tune performance. The service
provider shall provide sufficient capacity to fulfil agreed capacity and performance requirements.

6.6 Information security management

6.6.1 Information security policy

Management with appropriate authority shall approve an information security policy taking into consideration
the service requirements, statutory and regulatory requirements and contractual obligations. Management
shall:

a) communicate the information security policy and the importance of conforming to the policy to appropriate
personnel within the service provider, customer and suppliers;

b) ensure that information security management objectives are established;

c) define the approach to be taken for the management of information security risks and the criteria for
accepting risks;

d) ensure that information security risk assessments are conducted at planned intervals;

e) ensure that internal information security audits are conducted;

f) ensure that audit results are reviewed to identify opportunities for improvement.


6.6.2 Information security controls

c) achieve information security management objectives;

d) manage risks related to information security.

These information security controls shall be documented and shall describe the risks to which the controls
relate, their operation and maintenance.

The service provider shall review the effectiveness of information security controls. The service provider shall
take necessary actions and report on the actions taken.

The service provider shall identify external organizations that have a need to access, use or manage the
service provider's information or services. The service provider shall document, agree and implement
information security controls with these external organizations.

6.6.3 Information security changes and incidents


Requests for change shall be assessed to identify:

a) new or changed information security risks;

b) potential impact on the existing information security policy and controls.

Information security incidents shall be managed using the incident management procedures, with a priority
appropriate to the information security risks. The service provider shall analyse the types, volumes and
impacts of information security incidents. Information security incidents shall be reported and reviewed to
identify opportunities for improvement.

NOTE The ISO/IEC 27000 family of standards specifies requirements and provides guidance to support the
implementation and operation of an information security management system.

7 Relationship processes

7.1 Business relationship management

The service provider shall identify and document the customers, users and interested parties of the services.

For each customer, the service provider shall have a designated individual who is responsible for managing
the customer relationship and customer satisfaction.

The service provider shall establish a communication mechanism with the customer. The communication
mechanism shall promote understanding of the business environment in which the services operate and
requirements for new or changed services. This information shall enable the service provider to respond to
these requirements.

The service provider shall review the performance of the services at planned intervals, with the customer.

Changes to the documented service requirements shall be controlled by the change management process.
• '"' ,~, ,"" "' ~om""M ""' '"' ~- ,~, m'"~r~'

The definition of a service complaint shall be agreed with the customer. There shall be a documented
procedure to manage service complaints from the customer. The service provider shall record, investigate, act
upon, report and close service complaints. Where a service complaint is not resolved through the normal
channels, escalation shall be provided to the customer.

The service provider shall measure customer satisfaction at planned intervals based on a representative
sample of the customers and users of the services. The results shall be analysed and reviewed to identify
opportunities for improvement.

7.2 Supplier management

The service provider may use suppliers to implement and operate some parts of the service management
processes. An example of supply chain relationships is illustrated in Figure 3.

Figure 3 - Example of supply chain relationships

For each supplier, the service provider shall have a designated individual who is responsible for managing the
relationship, the contract and performance of the supplier.

The service provider and the supplier shall agree a documented contract. The contract shall contain or include
a reference to:

a) scope of the services to be delivered by the supplier;

b) dependencies between services, processes and the parties;

c) requirements to be fulfilled by the supplier;

d) service targets;

e) interfaces between service management processes operated by the supplier and other parties;

f) integration of the supplier's activities within the SMS;

g) workload characteristics;

h) contract exceptions and how these will be handled;

i) authorities and responsibilities of the service provider and the supplier;

j) reporting and communication to be provided by the supplier;

k) basis for charging;

l) activities and responsibilities for the expected or early termination of the contract and the transfer of
services to a different party.

The service provider shall agree with the supplier service levels to support and align with the SLAs between
the service provider and the customer.

The service provider shall ensure that roles of, and relationships between, lead and sub-contracted suppliers
are documented. The service provider shall verify that lead suppliers are managing their sub-contracted
suppliers to fulfil contractual obligations.

The service provider shall monitor the performance of the supplier at planned intervals. The performance shall
be measured against service targets and other contractual obligations. Results shall be recorded and
reviewed to identify the causes of nonconformities and opportunities for improvement. The review shall also
ensure that the contract reflects current requirements.

Changes to the contract shall be controlled by the change management process.

There shall be a documented procedure to manage contractual disputes between the service provider and the
supplier.

NOTE 1 The scope of the supplier management process excludes the selection of suppliers and the procurement of
services.

NOTE 2 Further examples of supply chain relationships are shown in ISO/IEC TR 20000-3.

8 Resolution processes

8.1 Incident and service request management

There shall be a documented procedure for all incidents to define:

a)

b) allocation of priority;

c) classification;

d) updating of records;

e) escalation;

f) resolution;

g) closure.

There shall be a documented procedure for managing the fulfilment of service requests from recording to
closure. Incidents and service requests shall be managed according to the procedures.

When prioritizing incidents and service requests, the service provider shall take into consideration the impact
and urgency of the incident or service request.

The service provider shall ensure that personnel involved in the incident and service request management
process can access and use relevant information. The relevant information shall include service request
management procedures, known errors, problem resolutions and the CMDB. Information about the success or
failure of releases and future release dates, from the release and deployment management process, shall be
used by the incident and service request management process.

The service provider shall keep the customer informed of the progress of their reported incident or service
request. If service targets cannot be met, the service provider shall inform the customer and interested parties
and escalate according to the procedure.


The service provider shall document and agree with the customer the definition of a major incident. Major
incidents shall be classified and managed according to a documented procedure. Top management shall be
informed of major incidents. Top management shall ensure that a designated individual responsible for
managing the major incident is appointed. After the agreed service has been restored, major incidents shall be
reviewed to identify opportunities for improvement.

8.2 Problem management

There shall be a documented procedure to identify problems and minimize or avoid the impact of incidents
and problems. The procedure for problems shall define:

a) identification;

b) recording;

c) allocation of priority;

d) classification;

e) updating of records;

f) escalation;

g) resolution;

h) closure.

Problems shall be managed according to the procedure.

The service provider shall analyse data and trends on incidents and problems to identify root causes and their
potential preventive action.

Problems requiring changes to a CI shall be resolved by raising a request for change.

Where the root cause has been identified, but the problem has not been permanently resolved, the service
provider shall identify actions to reduce or eliminate the impact of the problem on the services. Known errors
shall be recorded.

The effectiveness of problem resolution shall be monitored, reviewed and reported.

Up-to-date information on known errors and problem resolutions shall be provided to the incident and service
request management process.

9 Control processes

9.1 Configuration management

There shall be a documented definition of each type of CI. The information recorded for each CI shall ensure
effective control and include at least:

a) description of the CI;

b) relationship(s) between the CI and other CIs;

c) relationship(s) between the CI and service components;

d) status;

e) version;

f) location;

g) associated requests for change;

h) associated problems and known errors.

CIs shall be uniquely identified and recorded in a CMDB. The CMDB shall be managed to ensure its reliability
and accuracy, including control of update access.

There shall be a documented procedure for recording, controlling and tracking versions of CIs. The degree of
control shall maintain the integrity of services and service components taking into consideration the service
requirements and the risks associated with the CIs.

The service provider shall audit the records stored in the CMDB, at planned intervals. Where deficiencies are
found, the service provider shall take necessary actions and report on the actions taken.

Information from the CMDB shall be provided to the change management process, to support the assessment
of requests for change.

Changes to CIs shall be traceable and auditable to ensure integrity of the CIs and the data in the CMDB.

A configuration baseline of the affected CIs shall be taken before deployment of a release into the live
environment.

Master copies of CIs recorded in the CMDB shall be stored in secure physical or electronic libraries
referenced by the configuration records. This shall include at least documentation, licence information,
software and, where available, images of the hardware configuration.

There shall be a defined interface between the configuration management process and financial asset
management process.

NOTE The scope of the configuration management process excludes financial asset management.

9.2 Change management

A change management policy shall be established that defines:

a) CIs which are under the control of change management;

b) criteria to determine changes with potential to have a major impact on services or the customer.

Removal of a service shall be classified as a change to a service with the potential to have a major impact.

Transfer of a service from the service provider to the customer or a different party shall be classified as a
change with potential to have a major impact.

There shall be a documented procedure to record, classify, assess and approve requests for change.

The service provider shall document and agree with the customer the definition of an emergency change.
There shall be a documented procedure for managing emergency changes.

All changes to a service or service component shall be raised using a request for change. Requests for
change shall have a defined scope.

All requests for change shall be recorded and classified. Requests for change classified as having the
potential to have a major impact on the services or the customer shall be managed using the design and
transition of new or changed services process. All other requests for change to CIs defined in the change
management policy shall be managed using the change management process.


Requests for change shall be assessed using information from the change management process and other
processes.

The service provider and interested parties shall make decisions on the acceptance of requests for change.
Decision-making shall take into consideration the risks, the potential impacts to services and the customer,
service requirements, business benefits, technical feasibility and financial impact.

Approved changes shall be developed and tested.

A schedule of change containing details of the approved changes and their proposed deployment dates shall
be established and communicated to interested parties. The schedule of change shall be used as the basis for
planning the deployment of releases.

The activities required to reverse or remedy an unsuccessful change shall be planned and, where possible,
tested. The change shall be reversed or remedied if unsuccessful. Unsuccessful changes shall be
investigated and agreed actions taken.

The CMDB records shall be updated following the successful deployment of changes.

The service provider shall review changes for effectiveness and take actions agreed with interested parties.

Requests for change shall be analysed at planned intervals to detect trends. The results and conclusions
drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement.

9.3 Release and deployment management

The service provider shall establish and agree with the customer a release policy stating the frequency and
type of releases.

The service provider shall plan with the customer and interested parties the deployment of new or changed
services and service components into the live environment. Planning shall be coordinated with the change
management process and include references to the related requests for change, known errors and problems
which are being closed through the release. Planning shall include the dates for deployment of each release,
deliverables and methods of deployment.

The service provider shall document and agree with the customer the definition of an emergency release.
Emergency releases shall be managed according to a documented procedure that interfaces to the
emergency change procedure.

Releases shall be built and tested prior to deployment. A controlled acceptance test environment shall be
used for the building and testing of releases.

Acceptance criteria for the release shall be agreed with the customer and interested parties. The release shall
be verified against the agreed acceptance criteria and approved before deployment. If the acceptance criteria
are not met, the service provider shall make a decision on necessary actions and deployment with interested
parties.

The release shall be deployed into the live environment so that the integrity of hardware, software and other
service components is maintained during deployment of the release.

The activities required to reverse or remedy an unsuccessful deployment of a release shall be planned and,
where possible, tested. The deployment of the release shall be reversed or remedied if unsuccessful.
Unsuccessful releases shall be investigated and agreed actions taken.

The success or failure of releases shall be monitored and analysed. Measurements shall include incidents
related to a release in the period following deployment of a release. Analysis shall include assessment of the
impact of the release on the customer. The results and conclusions drawn from the analysis shall be recorded
and reviewed to identify opportunities for improvement.


Information about the success or failure of releases and future release dates shall be provided to the change
management process, and incident and service request management process.

Information shall be provided to the change management process to support the assessment of the impact of
requests for change on releases and plans for deployment.


Bibliography

[1] ISO/IEC 20000-2:2005, Information technology - Service management - Part 2: Code of practice

[2] ISO/IEC TR 20000-3, Information technology - Service management - Part 3: Guidance on scope
definition and applicability for ISO/IEC 20000-1

[3] ISO/IEC TR 20000-4, Information technology - Service management - Part 4: Process reference
model

[4] ISO/IEC TR 20000-5, Information technology - Service management - Part 5: Exemplar
implementation plan for ISO/IEC 20000-1

[5] ISO 9000:2005, Quality management systems - Fundamentals and vocabulary

[6] ISO 9001, Quality management systems - Requirements

[7] ISO 9004:2000, Quality management systems - Guidelines for performance improvements

[8] ISO 10002, Quality management - Customer satisfaction - Guidelines for complaints handling in
organizations

[9] ISO 10007, Quality management systems - Guidelines for configuration management

[10] ISO/IEC 15288, Systems and software engineering - System life cycle processes

[11] ISO/IEC 15504-1, Information technology - Process assessment - Part 1: Concepts and vocabulary

[12] ISO/IEC 15504-2, Information technology - Process assessment - Part 2: Performing an
assessment

[13] ISO/IEC 15504-3, Information technology - Process assessment - Part 3: Guidance on performing
an assessment

[14] ISO 19011, Guidelines for quality and/or environmental management systems auditing

[15] ISO/IEC 19770-1, Information technology - Software asset management - Part 1: Processes

[16] ISO/IEC/IEEE 24765:2010, Systems and software engineering - Vocabulary

[17] ISO/IEC 27000:2009, Information technology - Security techniques - Information security
management systems - Overview and vocabulary

[18] ISO/IEC 27001, Information technology - Security techniques - Information security management
systems - Requirements

[19] ISO/IEC 27005, Information technology - Security techniques - Information security risk
management

[20] ISO 31000, Risk management - Principles and guidelines
