Let ISO IEC 20000-1 Be Your ITSM Road Map

Recently, I was auditing an organization for an ISO 20000-1 registration. I was surprised to see that every individual was ITIL foundation certified. Around 40% of the staff was ITIL masters certified. I could not resist asking the CIO, “When you have already invested so much on ITIL, why do you need the ISO 20000 registration?” His response was simple –“ISO certification set a goal and we all worked towards that.”

From my experience of working in the IT Service industry, I can tell you with confidence that 90% of large and medium sized IT organizations have been implementing ITIL for the last 5+ years. How many successful ITIL implementations we have seen? I personally have not seen many. Please don’t get me wrong, I am not suggesting that ITIL is a bad choice for IT service improvement. On the contrary, I believe ITIL is the only comprehensive body of knowledge for ITSM. So, then why are we not seeing many success stories? What is the definition of success? Process owners feel completion of process deployment is a success, CIOs/CTOs expect return on investment (ROI), end users expect improved services. So, it is very difficult to have all these stakeholders to agree on a common goal for ITSM. If you can understand this, you will appreciate my CIO’s statement above.

This is human nature – we work better if we see an achievable goal with a well-defined roadmap. ISO 20000-1 provides you a crisp roadmap of implementing IT services best practices. Where do you find the best practices? – ITIL books. Why is certification important? That is your achievable goal which nobody can dispute. The best part of ISO certification is continuous surveillance and recertification after three years. This is like sitting on the back of a tiger where getting down is not an option. This external driver keeps your continuous service improvements going. Obviously there is cost associated with ISO 20000 certification. If you compare this cost with the cost of ITSM tools, ITIL training and certifications, it is peanuts.

If you would like to write a success story about your ITIL implementation, use ISO 20000 as your road map and ISO certification as your goal.

New ISO IEC 20000-1: A step in the right direction

ISO released a new version of ISO IEC 20000-1 in June 2011. I have never been so happy to see a new release of an ISO standard. This version has solved some major issues of the 2005 version of the standard. Let me highlight the improvements in the new standard which I am so excited about.

Improvement #1 Redefinition of section 5How many times have you stumbled on the question, “Why do we need this section: ‘Planning and implementing new or changed services’?” Regardless of wheter a service is new or has been changed, their implementations have to follow Change Management and then Release Management. This question is quite logical. The actual intent of section 5 was to define service design and transition. The 2011 version has redefined section 5 as “Service Design and Transition.”

Improvement #2 Alignments with ISO 9001: There are only 3 clauses for management system requirements in the 2005 version. Honestly, you can’t establish a management system by fulfilling only those three requirements. Perhaps, it was assumed that organizations will follow ISO 9001 anyway. Actually, IT Services organizations should not require ISO 9001 when ISO 20000 is available. The new release of ISO 20000-1 has added more comprehensive requirements from ISO 9001. If you are a start up, ISO 20000-1 is adequate for a management system. If you already have ISO 9001, just add on service related requirements from ISO 20000-1.

Improvement #3 Alignments with ISO 27001: The information security related requirements of 2005 were so inadequate that it was almost imperative to refer to ISO 27001 to understand what was required for information security. If you are looking for a minimum requirement, ISO 27001 will easily overwhelm you. The new version of ISO 20000-1 has adopted the synopsis of ISO 27001. It is adequate to establish a rudimentary information security system which can be easily migrated to a full blown ISMS following ISO 27001.

Improvement #4 Applications in a complex sourcing scenario: In the era of outsourcing, very rarely do you have a straightforward sourcing deal where one service provider delivers end to end IT services, supported by few suppliers. Sourcing scenarios are often far more complicated then envisioned in the 2005 version. What if a client is managing part of the process or a shared services organization is involved in the service delivery? There was no clear guidance. The new version added a section on “Governance of processes operated by other parties.”

With these improvements, the new standard is better aligned to the real world.

Written by:

Subrata Guha, Director of IT Services, UL DQS Inc.