IT Service Management Core Concepts and Terminologies Tutorial
1.1 Introduction Slide
Welcome to the EXIN foundation course on IT service management, based on the ISO/IEC 20000 standard, offered by Simplilearn. It is meant for people who believe in the importance of IT service management and want to do it well. The IT service management foundation certificate requires an overview of the field and its relationship with the other areas of information management. Such an overview is based on knowledge of the service management processes in the five key areas: resolution process, control process, release process, service delivery process and relationship process. It also requires a good understanding of the core concepts and basic terminology. Let us get started with this course.
1.2 Welcome and Administration
IT service management is about how to provide IT-related services to support a business. The international standard in IT service management, ISO/IEC 20000, makes clear what is essential: making service arrangements and its needs, adapting the infrastructure, supporting users and resolving incidents. ITSM Foundation is intended for everyone playing a role or having an interest in IT service management. This includes staff from internal and external service providers, their customers, and their managers. Over the next few slides we will explain the structure of the training in more detail, including the ISO/IEC 20000 certification and course outline, the examination format and the agenda. The IT service management foundation exam is part of the EXIN ITSM qualification program and a prerequisite for the higher-level exams in the qualification program. The next slides are about the structure and the qualification program. We will now look at the structure of the training.
1.3 Structure of the Training
The minimum number of contact hours for this training course is 15. This program is created to help professionals capitalise on best practices from the ITIL certification, with the spotlight on the application of knowledge and understanding. It uses the core of best practices in IT service management, guided by the international standard for IT service management ISO/IEC 20000, and applies a systematic approach to well-known best practices using EXIN’s innovative quality focus. It includes an introduction to IT service management, covering the content of ISO/IEC 20000 and the concepts of ITSM and quality frameworks; an introduction to the service management system, covering its core concepts; the concepts of service design and service transition; and the service delivery processes, such as service level management, service reporting, service continuity and availability management, budgeting and accounting (which is financial management), capacity management and information security management, along with their relationship with other processes. Let us continue this topic in the next slide.
1.4 Structure of the Training (Contd.)
Continuing from the previous slide on the structure of the training, the other topics covered are the relationship processes, such as business relationship management and supplier management, and their relationship with other processes; the resolution processes, such as incident and service request management and problem management, and their relationship with other processes; and the control processes, such as change management, configuration management, and release and deployment management, and their processes. Finally, the course concludes with some case studies and a sample exam that includes questions with solutions. Take some time to go through these sample questions once you are done with all the modules; they can be useful when preparing for the certification examination. In the next slide we will learn about the qualification program.
1.5 ISO/IEC 20000 Qualification Program
Certification is the concrete evidence of a successful training and your understanding of the quality requirements. EXIN’s multi-level qualification program is called IT service management according to ISO/IEC 20000. The program is beneficial for every IT professional involved in the quality improvement of IT services and IT service management at all levels, as well as in every role of an organisation, starting from an IT professional right up to a senior consultant and auditor. The program consists of a foundation exam, professional exams and two tracks. The first track is geared towards IT management, while the second focuses on auditing. The program is perfectly suitable for a wide range of staff involved in IT service provision: operational staff, supervisors, managers, senior consultants and auditors. Foundation training provides professionals a basic but no less important level of knowledge, and understanding of both ITSM and service quality management. Topics covered include an introduction and overview of the main principles, concepts, and relationships related to ITSM and the ISO/IEC 20000 standard, as well as terminology of the quality approach to ITSM. The professional level ensures candidates acquire the knowledge, understanding and skills needed to perform well in their roles within any of the five main areas of ITSM, such as managing and improving process areas based on the ISO/IEC 20000 standard, based on the P-D-C-A (Plan-Do-Check-Act) quality approach. Successful candidates would have sufficient knowledge of ITSM and the ISO/IEC 20000 standard to successfully meet their daily targets, and help them contribute more fully towards IT service provision. The associate module is intended for professionals involved in supervising the quality of IT services and supporting the IT service management processes. This is for the generalist who aspires to become a consultant/manager or junior auditor. 
It is a fast-track certification and an alternative to the other 3 professional certificates required for taking the consultant/manager or auditor training and certification. The consultant/manager training is ideal for ITSM managers, who will gain comprehensive coverage of planning, implementing, deploying and maintaining IT services, as well as factual knowledge about ITSM processes and the overall management system. At the conclusion, candidates will know how to implement and maintain management systems in compliance with best practices and the international ITSM standard. Finally, the highest qualification in the ITSM world is the executive consultant/manager seminar, which aims at excellence in IT service management and requires experienced professionals who meet the prerequisites and have extensive experience to qualify. What is the examination format for foundation? It is explained in the next slide. Let us look into it.
1.6 Examination Format
The exam is available in English, Dutch, French, Portuguese, Japanese, Chinese, German, Italian, Latin-American Spanish and European Spanish. This is a closed-book exam. No materials are permitted in the examination room. The duration of the exam is 1 hour, and the total number of questions is 40. They are objective-type questions with four multiple-choice options, A, B, C or D, or single answers. The minimum score to pass the exam is 65% (that is, at least 26 correct answers out of 40).
1.7 Course Material Goal
This course material is designed in accordance with the specifications provided by EXIN and the TUV SUD Academy. It helps to prepare candidates for an ISO/IEC 20000 foundation exam according to those specifications. Let us proceed to the next slide and begin the discussion on the core concepts of IT service management.
1.8 Core Concepts of IT Service Management
This section is intended to help you understand the concepts, definitions, need, benefits, and the principle of continual improvement with respect to IT service management. We will start with the definition and importance of quality. Subsequently, we will learn about the definition of an IT service, followed by the factors needed to provide an IT service. Then we will look into the management system for service management. We will also discuss the benefits and characteristics of a process-based approach. We will understand the concept of IT service management as well as its benefits and risks. Next, we will cover the role of tools used within IT service management and the principle of continual improvement. Lastly, we will look into the applications of the PDCA cycle. Let us start with the definition and importance of quality in the next slide.
1.9 What Quality is and Why It is Important
“Quality of service is a measure that indicates the overall effect of service performance that determines the degree of satisfaction of a user of the service. The measure is derived from the ability of the resources to provide different levels of services. The measure can be both quantitative and qualitative.” Customers form perceptions of quality of service (QoS): how effectively and efficiently the service was delivered, and the speed and convenience of completing the transaction. Quality of service is therefore crucial for customer and end user satisfaction, as it is a measure of the ability of a service to provide the intended value to a customer. It is defined as a custom-made set of metrics or measures for every customer, based on the intended service. Customer expectations typically get greater and greater over time, and therefore customer perception of service quality gets revised over time. It is significant to note that, to be effective, quality of service must be measured with both qualitative and quantitative metrics. These quality metrics can be defined based on the goal of the organisation, which will be defined in the policy. We will discuss what a quality policy is in the next slide.
1.10 Quality Policy
The quality policy declares the general quality goals of an organisation. Every service-oriented organisation requires the formulation of its quality policy. Typically, the policy would state the goals and objectives of the organisation to meet its intended objectives and results in an efficient as well as effective manner. The policy would declare the intent to review the process at preset intervals to ensure optimal adherence by reducing or minimising non-conformances through a cycle of continuous improvement. However, it must be remembered that the quality policy typically would not cover legal requirements, specific customer requirements or standard-related specifics. When we are defining the quality policy, it should be in alignment with the IT service. Let us now learn about the relationship between IT services and quality in the next slide.
1.11 Relationship Between IT Services and Quality
A service is provided through the interaction of the provider with customers and users. The quality of the service depends upon this interaction. It is therefore obvious that quality is a perception in the customer's mind as to how well the service fulfills the requirements and expectations. Customer perception of quality is largely based on expectations. It is therefore important to communicate clearly about defined expectations, using a common vocabulary or terminology, so that both sides have the same understanding of quality; expectations need to be clearly defined. Communication lines must always be open to facilitate feedback and improvement; a quick turnaround will provide greater customer satisfaction. Further, the supplier should continually assess how the service is being experienced and what the customer expects in the future, as quality needs to be maintained at the same or a better level. The next slide is about the principles of quality management.
1.12 Principles of Quality Management
The ISO/IEC 20000 standard belongs to the ISO family of standards and therefore bases its quality management principles on those defined in the parent ISO 9000 standard. It therefore includes the principles of customer focus, leadership and people involvement through a systems and process approach. It expects management decisions based on quantitative measures and facts, with mutually beneficial relationships for all stakeholders. The continual cycle of process improvement, which is the fundamental bulwark of the process approach, is also presumed. In the next slide we will learn about the QMS, or quality management system.
1.13 Quality Management System
A QMS can be defined as “a set of co-ordinated activities to direct and control an organisation in order to continually improve the effectiveness and efficiency of its performance.” An organisation will benefit from establishing an effective quality management system (QMS). The main objective of a QMS is defining the processes that will result in the production of quality products and services, rather than detecting defective products or services after they have been produced. For it to be effective, it needs to ensure that the strategy defines the policy, process and tools that drive the people towards achieving a specific objective in an optimal fashion, which will be explained in the next slide.
1.14 Objective of a Quality Management System
ISO 9001 specifies the requirements for a QMS that may be used by organisations for internal application, certification or contractual purposes. The process approach is shown in the conceptual model from the ISO 9001 standard, recognising that customers play a significant role in defining requirements as inputs, and that monitoring of customer satisfaction is necessary to evaluate and validate whether customer requirements have been met. This is done through the right application of competent, aware and trained people, the right products, the right suppliers, effective communication, and supporting documentation, all constantly monitored and supported by senior management. To achieve this objective of the management system, we need to follow some steps. How to establish it will be defined in the next slide.
1.15 Steps to Establish a Quality Management System
For organisations to design an effective QMS, they have to identify and manage numerous interlinked, cross-functional processes, always ensuring that customer satisfaction is the target that is achieved. A QMS must ensure that the products or services conform to customer needs and expectations, and to the objectives of the organisation. Issues to be considered when setting up a QMS: appropriate and trained resources must be identified to support the quality goals, and measurement must be carried out at periodic intervals to determine the effectiveness and efficiency of each process towards attaining its objectives. In the coming slides we will look at some of the definitions of service, process and service management. Let us learn about service first.
In this slide we are going to address the meaning of service. If you already have an understanding of ITIL, please recall the definition. For those who are not familiar with it, we define it here. The definition of service is ‘a means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific costs and risks.’ Customers focus on outcomes rather than means. Customers transfer costs and risks, and retain focus and accountability for outcomes. Costs and risks are transferred to service providers, who take on the costs and risks and are responsible for the means of achieving outcomes. Let’s say an online bookstore is looking for a place to store all the data related to its online book selling business, for example book details, customer details, etc., or what in IT is known as database or storage solutions. Linking this to our description of services, the desired outcome is online selling of books; one of the activities facilitating the outcome is storage of data. The bookstore is not specialised in managing storage as an IT service and therefore does not want to manage the associated costs and risks, which could come from infrastructure, staff, facilities, etc. However, there are organisations in the market that are willing to do that for a cost, commonly called service providers, for example “Oracle Corporation”, who have specialised knowledge and experience in large-scale database systems, and the confidence to control the associated costs and risks. The bookstore agrees to pay for the database service provided by the service provider under specific terms and conditions. So, to get back to the definition, the service provider, i.e. “Oracle Corporation”, provides value to the customer, i.e. the online bookstore, by facilitating, in other words managing, the book selling company’s database and its associated costs and risks, the business outcome of which is selling books online.
Just to clarify it further, in this case the online book selling company is the customer and “Oracle Corporation” is the service provider. “Oracle Corporation” is providing a “database storage” “service” to the online book selling company. In the next slide, we will discuss the factors required to provide an IT service.
1.17 Factors Required to Provide an IT Service
An IT service needs to ensure efficient and effective usage of all components of an information system, such as affiliated people, processes, technology and partners such as suppliers, vendors, customers and end users. An IT system is largely used to manage information and data, as well as to manage changes to the system, including data backup and restoration in cases of IT failure. It also implies good quality of maintenance to ensure performance according to specified requirements. Other attributes include quality aspects such as availability, capacity, performance, security, scalability, adjustability and portability against agreed parameters. We will understand these in greater detail in subsequent slides.
In this slide we will understand the meaning or definition of process. Different books and different bodies define process differently. For example, in the book Reengineering the Corporation, Hammer and Champy state: “A business process is a bundle of activities, which requires one or several inputs and which creates value for the customer.” From the ITIL perspective we can define a process as “A set of activities designed to accomplish a specific objective”, implying formal, laid-down activities in pursuit of a pre-specified end result or objective. A process takes defined inputs and turns them into defined outputs. A process may include the roles, responsibilities, tools and management controls required to deliver the outputs. We know that the implementation of a process takes a longer time, but there are benefits associated with process. Let us learn more about this in the next slide.
1.19 Benefits of a Process based Approach
In this slide we discuss the benefits of having processes. IT services are designed to meet business requirements with cost-efficient, effective and consistent services. They provide value for money, ensuring improved relationships and expectations that are met or exceeded. IT today has higher visibility than ever before, with exacting user demands, increased complexity of the infrastructure, charging for IT services and competition for customers. Customers expect ITSM to help them gain a competitive edge over rivals and increase market share and communication. Organisations are also increasingly dependent on IT service provision for reducing or minimising risks. In addition, by having processes one can enhance knowledge management by documenting the lessons learnt. The other benefits are consistency, which results in predictable and comprehensible output, and fewer failures and faults, which in turn saves cost and wastage. The process is effective if the output meets customer needs, and efficient when it is effective at the least cost. Maximising effectiveness and efficiency together means that the process produces high quality at low cost, i.e. provides the most value to the customer. We will now understand the characteristics of a process in the next slide.
1.20 Characteristics of a Process
All processes have the following common characteristics.
• First, they are measurable. Managers typically want to measure cost, quality and other variables, while the doers of the process are concerned with duration and productivity.
• Second, they deliver specific results. The reason a process exists is to deliver a specific result.
• Third, the primary output of a process is delivered to customers or stakeholders, as we saw in our example of internet service provisioning. The process was executed for the customer, who wanted the internet service.
• Finally, a process responds to specific events, also known as triggers. As in our example, the process for provisioning of internet service was triggered by a call from a prospective customer to get the internet connection.
Now, we will learn about service management in the next slide.
1.21 Service Management
Let me begin with a quote from Peter Drucker, a renowned American management guru: ‘Quality in a product or service is not what the supplier puts in. It is what the customer gets out and is willing to pay for.’ Some time back, we defined service management as an effective and efficient, process-driven management of transforming IT resources into valuable IT services. Let me explain this further by means of a diagram. As you can see in this diagram, it emphasises the link that has to be preserved between the desired business outcomes and the services that service management is responsible for. So what do we mean by capabilities, resources and other terms used in the graphic?
• Capabilities are the functions and processes used to manage services. Capabilities are intangible assets of an organisation and cannot be purchased but have to be developed and matured over time.
• Resources is a generic term that includes IT infrastructure, people, money or anything else that might help to deliver an IT service. Resources are the tangible assets of the organisation.
Resources and capabilities put together constitute the service assets. Take, for example, email as a service. The organisation providing this service, say Google, needs to have some hardware like servers, routers and switches to relay emails, and software like Gmail to let users read their emails. These are examples of assets. They also need a capable team to manage these assets and the money required to procure these assets. But if Google’s customers don’t know how to get this email service, all of these assets go to waste. So how to get an email account, how to maintain it, and where to go for support if any issues occur are some of the critical underlying elements of delivering an email service. These methods are called processes. We will touch on them in a little while. But before that, let me explain two more terms, performance and value.
• Performance is a measure of what is achieved or delivered by a system, person, team, process, or IT service. From our email as a service example, effective use by all users, the number of mails delivered to the intended recipients, etc. are some of the performance measures of an email service.
• Value is a measure of the return on investments or benefits to the business. Let us go back to our example of “Email as a Service”. In older days, messaging used to happen through paper memos. If somebody had to convey a message, they would get it typewritten on a piece of paper and then a courier service would deliver it to the recipient. At some point in time, organisations realised the constraints this method of message delivery placed on the organisational capability to deliver to its customers. Luckily for them, somebody realised the constraints and invented email, which has since revolutionised the messaging capabilities of organisations. The results of using this service allowed businesses and organisations to spread across geographies. It has contributed to faster decision making and execution due to a speedier flow of information, and ultimately contributes to greater revenues and profits for the business or the organisation. In other words, it has enhanced the business outcomes.
We will now proceed to the next slide to look into the benefits of IT service management.
1.22 Benefits of IT Service Management
Now let’s look into the benefits of having IT service management. By having good service management practices we can achieve:
• Improved quality service provision
• Cost-justifiable service quality
• Services that meet business, customer and user demands
• Integrated centralised processes
• Everyone knows their role and knows their responsibilities in service provision
In the next slide we will discuss the risks associated with service management.
1.23 Risks of IT Service Management
In the previous slide we spoke about the benefits of service management. On the other side of the coin, there are associated risks. Some of the risks are: it takes a longer time to implement; the waiting period for realisation of benefits; and stakeholder buy-in. Let us now learn about the role of tools used within IT service management.
1.24 Role of Tools Used Within IT Service Management
There is a popular saying, “if you can’t describe what you are doing as a process, you do not know what you are doing”. Having a tool to aid you, but with an inadequate knowledge of the tool requirements, would not meet the purpose intended. However, usage of tools can provide automated support for performing repetitive tasks or activities and lead to significant cost savings through increased efficiencies. They also provide excellent audit trails through inbuilt logging and monitoring features, which can provide evidence of performance. There is a vast variety of tools: monitoring tools, software distribution tools, service management or workflow tools and even remote infrastructure management tools. We can’t have the same service management throughout delivery and support; there should be scope for improvement. Let’s see how we can achieve this. It will be explained through a model in the coming slides. In the next slide, we will discuss the applications of the PDCA cycle.
1.25 The Applications of the PDCA Cycle
This slide explains the process model of quality management of W. Edwards Deming, who proposed the PDCA cycle in the 1950s. The PDCA cycle is at the heart of the ISO/IEC 20000 approach to service management and must therefore be understood in its entirety. ISO 20000 functions on the principle of a process improvement model according to the PDCA cycle (Plan - Do - Check - Act) pioneered by Deming. Through this interconnection, performance improvements in the service management processes are achieved. The cyclical optimisation of quality leads to continual improvement. It is significant to remember at this time that ‘Plan-Do-Check-Act’ is applicable to all processes defined in ISO/IEC 20000. The principles of continual improvement and the applications of the PDCA cycle will be explained in more detail in the later part of this session. In summary, so far we have discussed the aspects of IT service management. In the next topic we are going to address the core concepts of quality frameworks.
1.26 Core Concepts of Quality Frameworks
In this topic we are going to cover the core concepts of quality frameworks, from which we can derive the quality principles that contribute to ISO/IEC 20000, apart from the purpose of ISO/IEC 20000 and its benefits. We will look at some of the quality frameworks or standards, such as ISO 9001, security aspects from ISO/IEC 27000, ITIL, COBIT, Six Sigma, CMMI for Services, Green IT, Cloud, Tap® NEXT etc., and the complementary nature of these quality frameworks. First we will understand what ISO/IEC 20000:2011 is and its parts.
1.27 ISO/IEC 20000-1:2011
In this slide we will see what ISO/IEC 20000 part 1 of 2011 is. ISO/IEC 20000-1:2011 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain, and improve an SMS. It delivers ‘quality’ via the SMS. The requirements include the design, transition, delivery and improvement of services to fulfill agreed service requirements. It is based on the PDCA approach for improvement activities, which we already discussed in our earlier slides. The PDCA methodology helps to understand and fulfill service requirements to achieve customer satisfaction; establish policy and objectives for service management; design and deliver services based on the SMS that add value for the customer; monitor, measure and review the performance of the SMS and services; and continually improve the SMS and services based on objective measures. It allows integration with the other management standards, like ISO 9001, which is the QMS or quality management system standard, and the information security management system standard ISO/IEC 27001. The owners of ISO/IEC 20000 are the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and it is developed by joint technical committee 1, subcommittee 7, also called JTC 1/SC 7. In the next slide we will learn about the parts of ISO/IEC 20000.
1.28 ISO/IEC 20000 Parts
Now, we are going to discuss the different parts of ISO/IEC 20000.
Part 1 is about service management system requirements. It was updated on 2011-04-12 (replacing ISO/IEC 20000-1:2005). The 2011 version (ISO/IEC 20000-1:2011) comprises nine sections, namely:
1. Scope
2. Normative references
3. Terms and definitions
4. Service management system general requirements
5. Design and transition of new or changed services
6. Service delivery processes
7. Relationship processes
8. Resolution processes
9. Control processes
Part 2 is guidance on the application of service management systems. It was updated on 2012-02-14 (replacing ISO/IEC 20000-2:2005). This is about what the organisation should have in place to go for the ISO/IEC 20000 standard certification.
Part 3 provides guidance on scope definition, applicability and demonstration of conformance for service providers aiming to meet the requirements of ISO/IEC 20000-1, or for service providers who are planning service improvements and intending to use ISO/IEC 20000 as a business goal. It supplements the advice in ISO/IEC 20000-2, which provides generic guidelines for implementing an SMS in accordance with ISO/IEC 20000-1.
Part 4 is intended to facilitate the development of a process assessment model according to ISO/IEC 15504 process assessment principles. ISO/IEC 15504-1 describes the concepts and terminology used for process assessment. ISO/IEC 15504-2 describes the requirements for the conduct of an assessment and a measurement scale for assessing process capability. So this acts as a process reference model.
Part 5 is an exemplar implementation plan providing guidance to service providers on how to implement a service management system to fulfill the requirements of ISO/IEC 20000-1, or for service providers who are planning service improvements and intending to use ISO/IEC 20000 as a business goal. It could also be useful for those advising service providers on how best to achieve the requirements of ISO/IEC 20000-1.
In the coming slide we will discuss the rest of the parts.
1.29 ISO/IEC 20000 Parts
In continuation from the previous slide:
Part 7 is the application of ISO/IEC 20000-1 to the cloud, which is currently under development. This international standard gives guidance on the application of Part 1 to the cloud.
Part 8 is a future part; work has started on developing an ISO/IEC 20000-based process reference model, which we discussed under Part 4 (ISO/IEC 20000-4), that can serve as a basis for a process assessment model.
Part 10 is once again part of the future of service management; it provides the concepts and terminology and is currently being developed.
Part 11 is the guidance on the relationship between ISO/IEC 20000-1 and related frameworks, currently being developed. This technical report gives guidance on the relationship between ISO/IEC 20000-1 and ITIL.
ISO/IEC 27013:2012 provides guidelines on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 for those organisations which are intending to either:
a) Implement ISO/IEC 27001 when ISO/IEC 20000-1 is already implemented, or vice versa;
b) Implement both ISO/IEC 27001 and ISO/IEC 20000-1 together;
c) Integrate existing ISO/IEC 27001 and ISO/IEC 20000-1 management systems.
In the coming slide we will look at the PDCA methodology.
1.30 PDCA Methodology
In this slide we will briefly discuss the PDCA model. It is called the Plan-Do-Check-Act model and is used for continual service improvement. It was designed by Edwards Deming and is also called the Deming cycle.
PLAN: Establish the objectives and processes necessary to deliver results in accordance with the expected output (the target or goals). By establishing output expectations, the completeness and accuracy of the specification is also a part of the targeted improvement. When possible, start on a small scale to test possible effects. So here the elements of the service management system (SMS), such as policies, objectives, processes, customer requirements and business needs, are agreed and planned.
DO: Implement the plan, execute the process, and make the product. Whatever has been agreed as part of the plan is implemented here. Collect data for charting and analysis in the following "CHECK" and "ACT" steps.
CHECK: Study the actual results (measured and collected in "DO" above) and compare them against the expected results (targets or goals from the "PLAN") to ascertain any differences. Look for deviation in implementation from the plan, and also look for the appropriateness and completeness of the plan to enable the execution, i.e. "DO". Charting data can make it much easier to see trends over several PDCA cycles and to convert the collected data into information. Fundamentally, the agreed and implemented SMS is measured and reviewed, and the results are reported. Information is what you need for the next step, "ACT".
ACT: Request corrective actions on significant differences between actual and planned results. Analyse the differences to determine their root causes. Determine where to apply changes that will include improvement of the process or product.
When a pass through these four steps does not result in the need to improve, the scope to which PDCA is applied may be refined to plan and improve with more detail in the next iteration of the cycle, or attention needs to be placed in a different stage of the process. Next, we will learn about the ITSM 20 program principles.
1.31 ITSM20 Program Principles
The ITSM 20 program principles are not about technology, communication tools, products or a textbook approach, and they are not something applied once in a while. They are about a management system, based on communication, that provides negotiated services delivered in a simple, adapted, measurable way. It is also improved continuously and integrated with other processes to make it lean in a service management system. Having defined ISO/IEC 20000, we now look at the users of this standard.
1.32 Who Uses ISO IEC20000
In this slide we will see who uses ISO/IEC 20000. The main stakeholders are organisations, in particular service providers, and auditors who make sure that the organisation is adhering to the principles.
Organisations:
• Seeking services, requiring assurance that their requirements will be fulfilled.
• Requiring a consistent approach from providers through the supply chain.
Service providers:
• Demonstrate capability for design, transition, delivery, and improvement of services fulfilling service requirements.
• Improve design, transition and delivery of services through an effective implementation and operation of the service management system.
Auditors or assessors:
• Can confirm the requirements within ISO/IEC 20000 by auditing.
In the coming slides we will discuss the service management system and its benefits. Let us move on to the next slide.
1.33 ISO IEC20000 The SMS
Let us now understand how we can achieve the SMS, that is, how we can meet the requirements of customers by managing the assets used to deliver services. Customers and other interested parties, whom we can call stakeholders, have requirements, which we call service requirements, and these have to be translated into services that provide value. To achieve this we should know the SMS requirements, such as management responsibilities, governance, documentation and resource management, and we need to establish the SMS. We can achieve this by using the various processes that come from the ITIL framework. These processes are categorised under delivery, control, resolution and relationship. We should also know how to design the service and make a smooth transition into the live network. This entire SMS framework will be explained in a later part of this course. In the next slides we will look at the purpose and benefits of ISO/IEC 20000.
1.34 Purpose and Benefits of ISO IEC20000
In this slide we will discuss the purpose of ISO/IEC 20000. It enables IT organisations (whether in-house, outsourced or external) to ensure that their IT service management processes are aligned both with the needs of the business and with international best practice. Let us look into the benefits of ISO/IEC 20000.
1.35 Benefits of ISO IEC20000
Here are the benefits of having ISO/IEC 20000. ISO 20000 can assist your organisation in benchmarking its IT service management, improving its services, demonstrating an ability to meet customer requirements and creating a framework for an independent assessment.
These are some of the most common uses of ISO 20000 by organisations:
• An organisation seeking services from service providers and requiring assurance that its service requirements will be fulfilled.
• An organisation that requires a consistent approach by all its service providers, including those in a supply chain.
• A service provider that intends to demonstrate its capability for the design, transition, delivery and improvement of services that fulfil service requirements.
• A service provider to monitor, measure and review its service management processes and services.
• A service provider to improve the design, transition, delivery and improvement of services through the effective implementation and operation of the service management system (SMS).
• An assessor or auditor as the criteria for a conformity assessment of a service provider's SMS to the requirements in ISO/IEC 20000-1:2011.
In the next slide, we will talk about the related standards with the help of a diagram.
1.36 Related Standards Overview
All the standards mentioned earlier are inter-related, though they have their genesis and roots in different service organisations. ISO/IEC 20000, ISO 9000 and six sigma are quality management standards with a specific methodology, while CMM, CMMI and ISO 15504 come out of the software industry. All the remaining frameworks, such as the Microsoft Operations Framework, ITIL version 2 and 3, ISO 27000 and BS 15000 (the predecessor of ISO 20000), are essentially IT management frameworks. COBIT is intended to be the link between the control frameworks throughout the company (COSO) and the IT-specific models (e.g. ITIL, ISO17799/27002 etc.). Evidence that COBIT meets this requirement is demonstrated by the fact that COBIT is widely used internationally as a control model by most large companies. We will now look more closely at each of these standards.
The first standard we are looking at is ISO 9000. The owner of this standard is ISO. Its application or audience is generally industry and service providers / management, customers. Its primary objective is to certify companies on an international quality management standard. It has been published in both hard and soft copy media. It is available both as a printout or PDF and as a soft copy downloadable from the ISO site. ISO 9000 comprises a series of documents of which the best known are ISO 9001 - quality management systems requirements and the ISO 9000 process approach. The ISO 9000 family of standards is related to quality management systems and designed to help organisations ensure that they meet the needs of customers and other stakeholders. The standards are published by ISO, the International Organisation for Standardisation, and available through national standards bodies while meeting statutory and regulatory requirements. ISO 9000 deals with the fundamentals of quality management systems, including the eight management principles on which the family of standards is based. ISO 9001 deals with the requirements that organisations wishing to meet the standard have to fulfill. Third party certification bodies provide independent confirmation that organisations meet the requirements of ISO 9001. Over a million organisations worldwide are independently certified, making ISO 9001 one of the most widely used management tools in the world today.
1.38 ISO IEC27000
The owner of the ISO 27000 standard is again ISO/IEC; it is published jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). Its main application and audience would include all types of organisations / management, customers. Its primary objective is to provide an international information security standard with the intent to certify companies. It has been published in both hard and soft copy media. It is available both as a printout or PDF and as a soft copy downloadable from the ISO site. ISO 27000 comprises a series of documents of which the best known is ISO 27001. The ISO/IEC 27000-series (also known as the 'ISMS family of standards' or 'ISO27k' for short) comprises information security standards. The series provides best practice recommendations on information security management, risks and controls within the context of an overall information security management system (ISMS), similar in design to management systems for quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series). The series is deliberately broad in scope, covering more than just privacy, confidentiality and IT or technical security issues. It is applicable to organisations of all shapes and sizes. All organisations are encouraged to assess their information security risks, and then implement appropriate information security controls according to their needs, using the guidance and suggestions where relevant. Given the dynamic nature of information security, the ISMS concept incorporates continuous feedback and improvement activities, summarised by Deming's "plan-do-check-act" approach, that seek to address changes in the threats, vulnerabilities or impacts of information security incidents. Next, we will cover Six Sigma.
1.39 Six Sigma
Six sigma is a business management strategy, originally developed by Motorola in 1986. Six sigma became well known after Jack Welch made it a central focus of his business strategy at General Electric in 1995, and today it is widely used in many sectors of industry but is not really owned by anyone. Its application and audience is primarily industry, but it is increasingly used by service providers / management. Its objective is to increase productivity (e.g. reducing spread for standard factory models) through the use of different quality management methodologies. Six sigma is a process improvement tool but is not specific to ITSM and can be used with ITIL and ISO20000. It is, however, a statistically based quality improvement methodology that can be applied to processes (IT service management). Six sigma is customer based. The customer drives what to improve – the “right” projects are chosen. Its publication media or source is many books, as there is no official general document or book trade. It uses a set of quality management methods, including statistical methods, and creates a special infrastructure of people within the organisation ("Black Belts", "Green Belts", etc.) who are experts in these methods. Each six sigma project carried out within an organisation follows a defined sequence of steps and has quantified financial targets (cost reduction and/or profit increase). The term six sigma originated from terminology associated with manufacturing, specifically terms associated with statistical modeling of manufacturing processes. The maturity of a manufacturing process can be described by a sigma rating indicating its yield, or the percentage of defect-free products it creates. A six sigma process is one in which 99.99966% of the products manufactured are statistically expected to be free of defects (3.4 defects per million).
Motorola set a goal of "six sigma" for all of its manufacturing operations, and this goal became a byword for the management and engineering practices used to achieve it. Now, we will look into the next standard which is, IT Infrastructure Library (ITIL®).
1.40 IT Infrastructure Library(ITIL)
The owner of ITIL is the Cabinet Office. Its application or audience is IT service providers or management. Its objective is best practice guidance for IT service management. It is published through written media or source: books and CDs published by TSO (The Stationery Office) or the book trade. Since summer 2007, a fully revised version 3 (ITIL® V3) has been available, but ITIL® version 2 is the most popular ITSM framework. The names ITIL and IT Infrastructure Library are registered trademarks of the United Kingdom's Office of Government Commerce (OGC), now part of the Cabinet Office. Following this move, the ownership is now listed as being with HM Government rather than OGC. Responding to growing dependence on IT, the UK government's Central Computer and Telecommunications Agency developed a set of recommendations in the 1980s. It recognised that without standard practices, government agencies and private sector contracts had started independently creating their own IT management practices. The Information Technology Infrastructure Library (ITIL) is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. In its current form (known as ITILv3 and ITIL 2011 edition), ITIL is published in a series of five core publications, each of which covers an ITSM lifecycle stage. ITILv3 underpins ISO/IEC 20000 (previously BS15000), the international service management standard for IT service management, although differences between the two frameworks do exist. ITIL describes procedures, tasks and checklists that are not organisation-specific, used by an organisation for establishing a minimum level of competency. It allows the organisation to establish a baseline from which it can plan, implement, and measure. It is used to demonstrate compliance and to measure improvement. The IT Infrastructure Library originated as a collection of books, each covering a specific practice within IT service management.
ITIL was built around a process-model based view of controlling and managing operations often credited to W. Edwards Deming and his plan cycle. After the initial publication in 1989–96, the number of books quickly grew within ITIL v1 to more than 30 volumes. Let us learn about ITIL® Version 2 in the next slide.
1.41 ITIL Version2
In 2000/2001, to make ITIL more accessible (and affordable), ITIL v2 consolidated the publications into 8 logical "sets" that grouped related process guidelines to match different aspects of IT management, applications, and services. The service management sets (service support and service delivery) were by far the most widely used, circulated, and understood of the ITIL v2 publications. The eight ITIL version 2 books and their disciplines are as follows. The IT service management sets are service support and service delivery. Other operational guidance covers ICT infrastructure management, security management, application management and software asset management. To assist with the implementation of ITIL practices, a further book was published (Apr 9, 2002) providing guidance on implementation (mainly of service management): planning to implement service management. This has been supplemented more recently (Jan 26, 2006) with guidelines for smaller IT units, not included in the original eight publications: ITIL small-scale implementation. Let us look at ITIL® 2011 in the next slide.
1.42 ITIL 2011
ITIL v3 is an extension of ITIL v2 and fully replaced it following the completion of the withdrawal period on 30 June 2011. ITIL v3 provides a more holistic perspective on the full life cycle of services, covering the entire IT organisation and all supporting components needed to deliver services to the customer, whereas v2 focused on specific activities directly related to service delivery and support. Most of the v2 activities remained untouched in v3, but some significant changes in terminology were introduced in order to facilitate the expansion. A summary of changes has been published by HM Government. In line with the 2007 edition, the 2011 edition consists of 5 core publications: service strategy, service design, service transition, service operation, and continual service improvement. ITIL 2011 is a major update to the ITIL framework that addresses errors and inconsistencies. There are 26 processes listed in the ITIL 2011 edition, and the description below shows which core publication provides the main content for each process. Five volumes comprise ITIL v3, published in May 2007 (2007 edition) and updated in July 2011 (2011 edition) for consistency. They are ITIL service strategy, ITIL service design, ITIL service transition, ITIL service operation and ITIL continual service improvement. IT service management proceeds step by step. In phase I, we establish process and direction. In phase II, we implement process changes. In phase III, we analyse process and metrics. In phase IV, we identify process as well as opportunities for improvement.
1.43 Mapping ISO20000Standard to the Service Lifecycle
It is possible to map the service strategy to the requirements for service management system as well as business relationship management, budgeting and accounting. Service design can be mapped to planning and implementing new or changed services as well as other disciplines (e.g. availability management, capacity management, and service level management). Service transition maps to the change, configuration and release management processes and service operation maps to the incident and problem management process. Continual service improvement maps to the planning and implementing service management process. Let us proceed to the next slide now.
1.44 Mapping Deming Cycle to the Service Lifecycle
Plan-Do-Check-Act is otherwise known as the Deming Cycle. This methodology is very effective in service management, which involves plan – plan for service management, do – implement service management and provide the services, check – monitor, measure and review, and act – improve continuously. Even though this model has been explained in the earlier slides, we now see how it can fit into the ITIL service life cycle. The plan for service management should include the scope, objectives, requirements, processes, roles and responsibilities, automation, and audit procedure. So plan addresses the service strategy and service design lifecycle stages. Implementing the service management plan enables the service provider to manage and deliver the services through allocation of funds, roles and responsibilities, proper process and related documentation, risk management, and coordination of service management processes. As we know, this is implementation, and it is taken care of by the service transition and service operation lifecycle stages. The objectives and plan for service management are checked through monitoring, measuring and reviewing against the actual results. Auditors play a pivotal role in this part of the methodology. Non-compliance shall be pointed out and communicated to those concerned. Continuously improving the efficiency and effectiveness of ITSM processes is the objective of continuous improvement. It shall be performed by identifying, planning and implementing improvements in consultation with all parties, with the aim of heading towards organisational improvements. The check and act parts take care of continual service improvement. Let us now look at the next slide and find out what is and what is not covered in ITIL.
1.45 What is(not) ITIL
IT processes can be defined as having a set of objectives, activities, inputs/outputs and interfaces. These are available in ITIL, as are the recommendations for process implementation requirements, including those for staff skills, supporting concepts, required functions, and risks. The evaluation would include critical success factors and key performance indicators. However, ITIL does not cover a resilient set of minimum requirements, software, tools as well as formal models and templates for processes, relations and information artifacts. We now review the ISO/IEC 20000 standard and its coverage and non-coverage in the ITIL standard. It is obvious that ISO 20000 is heavily based on ITIL. It deals with the most important ITIL processes, but also adds some new ones. It defines requirements and a code of practice for ITSM, and also provides the tools for assessment and audit of the system. In the ISO 20000 standard, usage of ITIL is not deemed mandatory, but since ISO 20000 is by its nature above ITIL in the pyramid, implementation and certification is much easier if it is ITIL supported. ISO 20000 requirements are very short. The “HOWs” and “SHOULDs” are in ITIL, the “SHALLs” are in ISO 20000. ISO 20000 requires full frontal coverage; all processes have to be implemented. Scope can be limited only to a specific customer or part of the organisation. But an ITIL phased implementation can be process by process, or in groups of processes. It would be best therefore to apply what ITIL requires, and implement what ISO20000 requires in each phase. In the end, there will then exist a service management organisation functioning on best practice principles and ready for ISO20000 certification. Next, we will discuss the process document contents.
1.46 Process Document Contents
Typically, all process documents have a minimum set of contents that include the following:
1) An introduction for an overview of the process.
2) The objective to understand the purpose of the process.
3) The scope to understand the coverage of the process and its exclusions.
4) The target audience.
5) Process roles for understanding roles and responsibilities as well as accountability.
6) The inputs to understand the requirements to begin a process step or task in an organised fashion.
7) The process flow which is largely the steps following each activity.
8) Process details to understand the number of tasks to accomplish each step successfully.
9) The outputs or results expected from the process.
10) Process metrics or quantitative measures to know the variance of planned vs. actual.
11) Process interfaces to understand impact on corresponding process.
12) Appendix.
13) Glossary.
Let us now look into another standard, that is, the Microsoft Operations Framework or MOF.
1.47 Microsoft Operations Framework(MOF)
The owner of this standard is Microsoft. Its application or target audience is IT service providers or management. Its primary objective is operational guidance for users of Microsoft products. It has been published in both hard and soft copy media. It is available either as a printout or PDF or as a free soft copy downloadable from the Microsoft site. It is based on ITIL® V2, but provides prescriptive guidance extended to ITIL’s descriptive guidance. MOF 4.0 describes the IT service lifecycle in terms of three phases and a foundational layer: MOF organises IT activities and processes into service management functions (SMFs) which provide operational guidance for capabilities within the service management environment. Each SMF is anchored within a related lifecycle phase and contains a unique set of goals and outcomes supporting the objectives of that phase. An IT service’s readiness to move from one phase to the next is confirmed by management reviews, which ensure that goals are achieved in an appropriate fashion and that its goals are aligned with the goals of the organisation. The interrelated disciplines of governance, risk, and compliance (GRC) represent a cornerstone of MOF 4.0. IT governance is a senior management–level activity that clarifies who holds the authority to make decisions, determines accountability for actions and responsibility for outcomes, and addresses how expected performance will be evaluated. Risk represents possible adverse impacts on reaching goals and can arise from actions taken or not taken. Compliance is a process that ensures individuals are aware of regulations, policies, and procedures that must be followed as a result of senior management’s decisions. The Plan Phase focuses on ensuring that, from its inception, a requested IT service is reliable, policy-compliant, cost-effective, and adaptable to changing business needs. 
The deliver phase concerns the envisioning, planning, building, stabilisation, and deployment of requested services. The operate phase deals with the efficient operation, monitoring, and support of deployed services in line with agreed-to service level agreement (SLA) targets. The manage layer helps users establish an integrated approach to IT service management activities through the use of risk management, change management, and controls. It also provides guidance relating to accountabilities and role types. Next, we will discuss on MOF 4.0: Framework.
1.48 MOF4. Framework
The MOF 4.0 model has a composition which comprises the process model, team model and risk management disciplines. The process model is divided into four quadrants. It is extended and substantiated from ITIL® V2. The change initiation review contains change, configuration and release management and is the change quadrant. The release readiness review is the operations quadrant, containing service monitoring and control, system and network administration, directory services administration, security administration, storage management, and job scheduling. The SLA review is the supporting quadrant, containing the service desk, incident and problem management. Finally, the optimising quadrant includes service level management, capacity, availability, security, infrastructure, financial, workforce, and service continuity management. MOF principles and guidance are also organised around three core models, which are each manifested within the individual service management functions (SMFs). These three models are as follows. The MOF team model contains a high-level discussion of the MOF team model, how it relates to the other models and disciplines, and implementation scenarios. For each team role cluster, the MOF team model defines activities and processes, typical ways in which these role clusters and responsibilities are identified in a production environment, and common requirements for specialists within the role. The MOF process model, with the service management functions of change management, configuration management and release management, discusses the business value of MOF, why organisations should adopt MOF and the road map to adoption. The MOF process model for operations contains a high-level discussion of the MOF team model, how it relates to the other models and disciplines, and implementation scenarios. Operations management reviews contain the change initiation review and the release readiness review.
The MOF team role clusters include the release role cluster. The MOF risk model provides a framework for organisations to identify, categorise, and manage risks proactively and continuously. This is formalised in order to ensure that team members are continually alert to the potential for risks that might result from IT activities. The MOF risk management discipline for operations is a detailed discussion of the MOF risk management discipline and its importance to an IT organisation. In the next slide, we will understand the Capability Maturity Model Integration (CMMI).
1.49 Capability Maturity Model Integration(CMMI)
The owner of the CMMI standard is the Software Engineering Institute (SEI) of Carnegie Mellon University. Its application and audience is largely software and system developing organisations or management, customers. Its objective is measurement of organisational maturity. It has been published in both hard and soft copy media. It is available either as a printout or PDF or as a free soft copy downloadable from the SEI website www.sei.cmu.edu/cmmi. It is not an ITSM standard, but maturity levels are a frequently used concept. Capability Maturity Model Integration (CMMI) is a process improvement approach whose goal is to help organisations improve their performance. CMMI can be used to guide process improvement across a project, a division, or an entire organisation. The currently supported version is CMMI version 1.3. CMMI in software engineering and organisational development is a process improvement approach that provides organisations with the essential elements for effective process improvement. CMMI is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University. According to the Software Engineering Institute (SEI, 2008), CMMI helps "integrate traditionally separate organisational functions, set process improvement goals and priorities, provide guidance for quality processes, and provide a point of reference for appraising current processes." Next, we are going to talk about CMM or CMMI maturity levels.
1.50 CMM CMMI Maturity Levels
Maturity levels are levels of maturity an organisation aspires to and grows into. These are well defined processes ranging from basic process, moving to existing standard processes implemented and documented, and finally monitoring of quantitative quality goals. CMMI has five maturity levels. However, maturity level ratings are awarded for levels 2 through 5. The process areas below and their maturity levels are listed for the CMMI for development model:
Maturity Level 2 - Repeatable
• CM - Configuration management
• MA - Measurement and analysis
• PMC - Project monitoring and control
• PP - Project planning
• PPQA - Process and product quality assurance
• REQM - Requirements management
• SAM - Supplier agreement management
Maturity Level 3 - Defined
• DAR - Decision analysis and resolution
• IPM - Integrated project management
• OPD - Organisational process definition
• OPF - Organisational process focus
• OT - Organisational training
• PI - Product integration
• RD - Requirements development
• RSKM - Risk management
• TS - Technical solution
• VAL - Validation
• VER - Verification
Maturity Level 4 - Quantitatively managed
• OPP - Organisational process performance
• QPM - Quantitative project management
Maturity Level 5 - Optimising
• CAR - Causal analysis and resolution
• OPM - Organisational performance management
Let us now move on to the next slide and discuss capability assessments.
1.51 Capability Assessments
Process capability is a measure of the ability of an enterprise to manage its processes. The levels of capability in the applied international standard (ISO/IEC 15504) process capability model range from 0 to a maximum level of 5. The required level of process capability is based upon an assessment of the risk of the non-performance of that process and its potential impact on achieving business goals. Capability assessments compare the performance of a process against a performance standard, such as agreements in a SLA, a maturity standard, a benchmark comparison to average in the industry, an ISO standard. Assessments help in identifying where we are now and the gap with where we want to be. It is crucial to define clearly what is being assessed as well as identify conformances, non-conformances and observations. Process capability assessment provides tangible evidence of the achievement of a level of process capability in selected processes of an enterprise. We will now learn about the types of capability assessments in the next slide.
1.52 Types of Capability Assessments
Capability assessments could range from evaluation of individual processes within the management system to a systematic review of the entire management system by top management; a comprehensive review via self-assessment (e.g. with the BIP 0015 self-assessment guide book as a support aid); official first, second or third party audits; or benchmarking of projects (e.g. the ITSMF benchmark based on a comprehensive process questionnaire). For an organisation to improve product or service quality, it must have a proven, consistent and reliable method for assessing the state of its business activities, and a means of using the results as part of a coherent improvement program. Using process assessment within an organisation should encourage a culture of constant improvement and the establishment of mechanisms to support and maintain that culture; the development and maintenance of processes to meet business requirements; and the most effective use of resources. Purchasers of software products and services benefit from the use of process assessment. When used for determining capability, it will reduce uncertainties in selecting suppliers of software intensive systems by enabling the risks associated with the contractor's capability to be identified before contract award; enable appropriate controls to be put in place for risk containment; and provide a quantified basis for choice in balancing business needs, requirements and estimated project cost against the capability of competing suppliers. International and local experience indicates that most software enterprises barely have the capability to effectively perform the basic technical tasks of their business processes, as indicated in the following figure. This lack of technical and managerial capability represents a significant business risk for suppliers and purchasers. In the next slide we will discuss ISO/IEC 15504.
1.53 ISO IEC15504
The owner of the 15504 standard is the ISO/IEC. Its field of application or audience is largely software and system developing organisations or management, and customers. Its objective is to be an international standard of organisational maturity assessment. It has been published in both hard and soft copy media. It is available either as a printout or PDF or as a soft copy downloadable via the ISO site. The standard results from the European project SPICE (software process improvement and capability determination). According to the official ISO definition, a process assessment is: “A disciplined evaluation of an organisational unit’s processes against a process assessment model”. But what does it actually mean? Furthermore, what is the purpose of a process assessment? When performing a process assessment, the main objective is to determine the efficiency of a set of processes by evaluating their capability (i.e. maturity) level. A dedicated ISO standard (ISO/IEC 15504) clearly sets the requirements for defining process assessment models and for performing process assessments, whatever the domain covered by the assessed processes. Using the ISO/IEC 15504 standard makes it possible to determine to what extent each process is performed, managed, established, predictable, or optimising (see table below). The process to be assessed just needs to be formally described in the process model form, in other words, with a clear description of its purpose, expected results, base practices, and inputs or outputs. ISO/IEC 15504 consists of the following parts:
• ISO/IEC 15504-1:2004 Information technology process assessment part 1: concepts and vocabulary.
• ISO/IEC 15504-2:2003 Information technology process assessment part 2: performing an assessment.
• ISO/IEC 15504-3:2004 Information technology process assessment part 3: guidance on performing an assessment.
• ISO/IEC 15504-4:2004 Information technology process assessment part 4: guidance on use for process improvement and process capability determination.
• ISO/IEC 15504-5:2006 Information technology process assessment part 5: an exemplar process assessment model.
• ISO/IEC PRF TR 15504-6 Information technology process assessment part 6: an exemplar system life cycle process assessment model.
• ISO/IEC DTR 15504-7 Information technology process assessment part 7: assessment of organisational maturity.
• ISO/IEC TR 15504-7 Information technology — software process assessment — part 7: guide for use in process improvement.
• ISO/IEC TR 15504-8 Information technology — software process assessment — part 8: guide for use in determining supplier process capability.
• ISO/IEC TR 15504-9 Information technology — software process assessment — part 9: vocabulary.
Next, we will understand COBIT.
COBIT was originally developed (1993) by the Information Systems Audit and Control Association, ISACA (www.isaca.org). COBIT® stands for Control Objectives for Information and Related Technology and is the internationally recognised manual for IT governance, i.e. for guaranteeing security, quality and compliance in information technology. COBIT’s fields of application or audience are IT service providers or management, customers, and IT auditors. In this context, COBIT does not primarily define how the requirements are to be met but instead concentrates mainly on what has to be implemented. Since the year 2000 the development and updating of COBIT has been the responsibility of the IT Governance Institute, a sister organisation of the ISACA. Over the years COBIT has developed from being a tool for IT auditors into a tool for the control of IT from the corporate viewpoint and, amongst other things, is also used as a model for ensuring compliance with statutory requirements. This generally promotes the industrialisation of IT. It is the premise of ISACA that 95% of major companies utilise COBIT in whole or in part. COBIT provides good practices in the form of a domain and process framework and entails activities in a structure which is both logical and easy to use. The good practices contained within COBIT incorporate the views of various experts whose focus is clearly more control than implementation-based. These practices lend support for improving capital investment within the IT environment and ensure service delivery as well as an assessment benchmark in the event of irregularities occurring. To enable IT to successfully fulfil the business requirements, an internal system of monitoring or controls or an internal framework should be implemented by the management. The COBIT framework provides help in this context through a link with the business requirements, the incorporation of IT-related activities into a generally accepted process model, the identification of key IT resources to be controlled and the definition of the control objectives to be taken into account. Let us now look into the COBIT framework.
1.55 COBIT Framework
Orientation towards the company is the main theme of COBIT, as COBIT was not just created to be read by IT service providers, users and auditors but also, or more especially, as a comprehensive instruction for management and personnel responsible for processes in the core business. The COBIT framework is based on the following principle: in order to supply the information which is required to achieve the corporate objectives, the company must manage and control the IT resources using a structured number of processes that guarantee the delivery of corresponding services. The COBIT framework supplies support tools for orientation towards the needs of the company. In this context, information criteria, resources and processes are the central components in the COBIT framework. The COBIT framework is aimed primarily at compliance and security and, as such, ensures the IT governance for the operation of the IT services. COBIT’s orientation towards the core business consists of a link between corporate objectives and IT objectives, the provision of measurement parameters and maturity models for measuring target attainment, and includes identification of the relevant responsibilities both in the technical area and IT. COBIT’s process orientation is demonstrated by the process model which organises the IT into 34 processes, subdivided into planning, development, operation and monitoring, establishing an integrated view of the IT. In this context, company-wide architecture models help to identify the key resources for the success of the processes, such as applications, information, infrastructure and personnel. The COBIT process domains include plan and organise (PO), which covers strategy and tactics, and concerns the identification of the way that IT can best contribute to the achievement of the business objectives. The 2nd process domain is acquire and implement (AI), which covers the identification, development, acquisition, implementation, integration and maintenance of IT solutions. The 3rd process domain is delivery and support (DS), which covers the actual delivery of required services including service delivery, management of security and continuity, service support for users, and the management of data and operational facilities. The 4th process domain is monitor and evaluate (ME), which covers performance management and monitoring of internal control, regulatory compliance, and governance. Let us understand Company Specific Standards in the next slide.
1.56 Company Specific Standards
In addition, organisations often tailor-make their standards based upon existing frameworks and models such as MOF (based on ITIL, designed to support Microsoft products). Usually, company specific standards need to conform to ISO/IEC 20000 part 1 requirements in order to gain certification. In addition, the various standards and frameworks used by one organisation need to be aligned with each other. Some examples are security policies, standards concerning IT architecture, in-company finance standards, etc. We will now understand complementary frameworks or technologies in the next slide.
1.57 Complementary Frameworks Technologies
Putting it all together, this slide is about the complementary frameworks and/or technologies used with ISO/IEC 20000. They are ITIL, COBIT, 6 sigma, CMMI, ISO 9001, ISO 27001, ISO/IEC 38500 and new technologies like green IT, cloud and Tmap NEXT. Let us learn about those one by one. Let us begin with ITIL 2011.
1.58 ITIL 2011
In this slide we will briefly cover ITIL 2011. There are 26 processes listed in ITIL 2011. These processes are grouped under 5 core books. Five volumes comprise the ITIL v3, published in May 2007 (2007 edition) and updated in July 2011 (2011 edition) for consistency. It includes ITIL service strategy, ITIL service design, ITIL service transition, ITIL service operation and ITIL continual service improvement. IT service management step-by-step. In the next slide, we will learn how ITIL and ISO/IEC 20000 relate to each other.
1.59 ITIL and ISO IEC20000
The structure shows the two main parts of ISO/IEC 20000 and its basis in ITIL. Part 1 provides the requirements for IT service management to gain certification and is relevant to those responsible for initiating, implementing or maintaining IT service management in their organisation. Senior management is responsible and accountable for ensuring all requirements of part one are met if certification is sought. Part 2 contains the code of practice for service management and provides guidance to internal auditors and assists service providers planning service improvements or preparing for audits against ISO 20000. The framework can be achieved using the ITIL processes and other internal processes and practices defined by the organisation through culture. In the coming slides we will discuss the other frameworks, standards and technologies. Let us first understand COBIT 5.
In this slide we will learn what COBIT 5 is. Simply stated, COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use. COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders. COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the whole enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders. The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector. Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives. Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives. The governance domain contains five governance processes; within each process, evaluate, direct, and monitor (EDM) practices are defined:
01 Ensure governance framework setting and maintenance.
02 Ensure benefits delivery.
03 Ensure risk optimisation.
04 Ensure resource optimisation.
05 Ensure stakeholder transparency.
COBIT is integrated with the Risk IT and Val IT process models. The five COBIT 5 principles are:
1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a single integrated framework
4. Enabling a holistic approach
5. Separating governance from management
In the next slide we will discuss Six Sigma.
1.61 Six Sigma
Six Sigma was originally designed to improve manufacturing quality. A Six Sigma process is one in which 99.99966% of the products manufactured are statistically expected to be free of defects (3.4 defects per million). We can achieve this by using the PDCA cycle. We can also adopt the DMAIC principle, which is define, measure, analyse, improve and control, and use a project methodology like DMADV, which is define, measure, analyse, design and verify. In the next slide we will discuss CMMI.
1.62 ISO9001 Quality Management Systems
This slide is about the 8 principles of QMS. ISO/IEC 20000 is based on these principles. Let us understand how beneficial these 8 principles are. The principles can be used in validating the design of processes, in validating decisions, and in auditing systems and processes. You look at a process and ask:
• Where is the customer focus in this process?
• Where in this process is there leadership, guiding policies, measurable objectives and the environment that motivates the workforce to achieve these objectives?
• Where in this process is the involvement of people in the design of the process, the making of decisions, the monitoring and measurement of performance and the improvement of performance?
• Where in this process has the process approach been applied to the accomplishment of these objectives?
• Where in this process is the systems approach to the management of the interfacing processes, the optimisation of performance, the elimination of bottlenecks?
• Where in this process are the facts collected and transmitted to the decision makers?
• Where in this process is there continual improvement in performance, efficiency and effectiveness?
• Where in this process is there a mutually beneficial relationship with suppliers?
The coming slides are about information security and the corporate governance standards.
1.63 ISO IEC27001
ISO/IEC 27001 is about the requirements for an ISMS, or Information Security Management System. It gives the guidelines for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS based on PDCA. The next two slides focus on ISO/IEC 38500.
1.64 ISO IEC38500
ISO/IEC 38500 is an international standard for corporate governance of information technology published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It provides a framework for effective governance of IT to assist those at the highest level of organisations to understand and fulfil their legal, regulatory, and ethical obligations in respect of their organisations’ use of IT. ISO/IEC 38500 is applicable to organisations of all sizes, including public and private companies, government entities, and not-for-profit organisations. This standard provides guiding principles for directors of organisations on the effective, efficient, and acceptable use of information technology (IT) within their organisations. It is governed via three tasks: evaluate, direct and monitor. In evaluate, the tasks covered are to review and judge strategies and proposals, taking into account current and future business need. In direct, responsibilities for implementing plans and policies are defined and assigned. In monitor, measurement systems are used to monitor performance and to make sure governance is in conformance with the external obligations.
1.65 ISO IEC38500 2
Continuing from the previous slide: Evaluate reviews or judges strategies or proposals, taking into account current and future business need. Direct defines or assigns responsibilities for implementing plans or policies. Monitor helps in measuring systems, performance and conformance to external obligations. Using these 3 fundamentals, defined at the level of corporate governance of information and communication technology (ICT), the business processes of ICT projects and ICT operations can be run. In the next slide we will learn about a few new technologies which complement ITSM.
1.66 New Technologies
This slide is about newly emerging technologies. Some of them are green IT, cloud technologies and Tmap NEXT. Green IT refers to environmentally sustainable computing or IT, and also to the creation of awareness of using energy and materials in an efficient way. Cloud is the provision and procurement of internet based IT services. It is useful for scalability, cost reductions and efficiency under SaaS, i.e. software as a service. In this model, cloud providers install and operate application software in the cloud and cloud users access the software from cloud clients. The cloud users do not manage the cloud infrastructure and platform on which the application is running. This eliminates the need to install and run the application on the cloud user's own computers, simplifying maintenance and support. What makes a cloud application different from other applications is its scalability. This can be achieved by cloning tasks onto multiple virtual machines at run-time to meet the changing work demand. Load balancers distribute the work over the set of virtual machines. This process is transparent to the cloud user, who sees only a single access point. To accommodate a large number of cloud users, cloud applications can be multitenant, that is, any machine serves more than one cloud user organisation. It is common to refer to special types of cloud based application software with a similar naming convention: desktop as a service, business process as a service, test environment as a service, communication as a service. Tmap NEXT: Test management approach (TMap) is a software testing methodology (www.tmap.net). TMap is a method which combines insights on how to test and what to manage, as well as techniques for the individual test consultant.
1.67 How it All Fits
So far we have discussed different frameworks, standards and technologies. But how does it all fit together, and how can we leverage it to make IT service management a success? The fundamental point is to have the vision, goals or expectations from which we can set the strategies. These strategies then need to be planned in a tactical way according to the situation, adopting an improvement methodology such as the PDCA approach, and can further be made operational by adopting different processes; while doing so we can once again use the PDCA approach for continual improvement. In the next topic we will understand management systems.
1.68 Introduction to Management Systems
In this topic we are going to discuss management systems: why and which roles are needed for a management system, the objective of a service management system, general management responsibilities, general governance principles, the importance of documentation and basic requirements for documentation, and the requirements for resource management, so that the maximum can be leveraged to provide the best possible IT service management to customers. In the next slide we will start with the management system.
1.69 Management System
Let us first understand what a management system is. A management system can be considered as the framework of processes, tools and resources (personnel and machinery) used to plan, execute, document, and continually improve management tasks in a target-oriented, customer-oriented and quality-oriented way. The service management system defines management responsibilities, documentation requirements, and the rollout of the service management processes. IT governing policies, plans, processes, and procedures shall be established. Its important aspects are quality (cp. quality management), management responsibilities, documentation, competence, awareness and training. In the next slide we will find out the roles and responsibilities of management.
1.70 Roles and Responsibilities of Management
This slide outlines the responsibilities of management. Management is responsible for laying down policy, objectives and plans. They must continuously communicate the importance of meeting the objectives and the need for continual improvement. To ensure this, they must appoint a member of management responsible for the co-ordination and management of all services. Management must ensure that customer requirements are determined to ensure commitment to develop, implement and improve service management capabilities by providing the right leadership behaviour and accurate measures. To ensure effective service management, management must also provide appropriate resources, including human resources, for service management. They must take corrective actions and continuously improve through reviews conducted on service management at planned intervals. The management must continuously undertake risk management for the organisation and services.
1.71 Roles and Responsibilities of Management (Contd.)
This slide further outlines the responsibilities of management to ensure implementation of service management processes. It states that senior management should appoint an executive position as responsible owner of IT service management. Management representatives must be provided with the required resources for continual or project-related improvement. These management representative(s) are empowered to make decisions, allocate a decision-making group and are provided sufficient authority to define rules and make decisions. The objective of SMS is explained in the next slide.
1.72 Objective of a Service Management System (SMS)
Let us look at the objectives of a service management system (SMS). Service management is a set of specialised organisational capabilities for providing value to customers in the form of services. A system is a set of processes, technology and people working cohesively to achieve a set of common goals. SMS is used to direct and control the service management activities to enable effective implementation and management of the services. It is also used to establish processes and continually improve them to support delivery of service management. To implement SMS successfully, the management plays an important role. Let us discuss the general management responsibilities in the next slide.
1.73 General Management Responsibilities
This slide is about the general management responsibilities that make the SMS a success. Some of the points to be kept in mind:
Setting the:
• Vision
• Strategy
• Policies, which include: evaluating, financial performance, service and project portfolios, ongoing operations and handling escalations.
• Analysing opportunities and threats
• Communication with stakeholders like users, customers and partners, and getting feedback to make improvements.
The next slide is about general governance principles.
1.74 General Governance Principles
Governance defines directions, rules and policies. The six principles that are used to define governance are:
• Establish responsibilities
• Strategy to set and meet the organisation’s objectives
• Acquire for valid reasons
• Ensure performance when required
• Ensure conformance with rules
• Ensure respect for human factors
For any best practice or process to be implemented, documentation is very important. The next few slides are about documentation, its importance and the requirements. Let us move on to the next slide.
1.75 Importance of Documentation and Basic Requirements for Documentation
It details the documentation and records that need to be given to support effective planning, operation and control. It must have a comprehensive documentation of processes required by ISO/IEC 20000 as well as evidence in the form of records required by ISO/IEC 20000. At the most basic level, it must include documentation of Service Management guidelines and Plans and Service Level Agreements. Further, there must exist detailed and written procedures. Procedures and responsibilities must be established for the creation, review, approval, maintenance, disposal, and control of all documentation. In the next slide we will look into Documentation: Best Practices.
1.76 Documentation Best Practices
The senior responsible owner must ensure audits are carried out and have suitable evidence such as policies and plans, service documentation, procedures, processes, and process control records to ensure effective service management and continuous improvement. Further, documentation should be in a suitable and appropriate medium and with adequate protection to ensure no damage to it as a result of various circumstances such as environmental conditions, computer disasters, etc. The next slide is about resource management requirements.
1.77 Requirements for Resource Management
To make service management a success we need to identify the resource requirements and leverage the existing resources. Let us look at some of the points that make resource management a success:
• Establishment of resources in the areas of HR, finance, technical and IT to manage service management and to measure customer satisfaction,
• Identification of skill and competence requirements,
• Analysis of the gaps and provision of adequate training,
• Maintenance of records in the area of skills,
• Creation of awareness among resources, looking at how they can improve service management.
The upcoming topic is about the core concepts of SMS.
1.78 The SMS
In this slide we will understand the SMS. As we know, the service delivers value to the customer. We can deliver the value by using the assets of the organisation. The organisation has to manage these assets by leveraging the maximum to deliver the value to the customer, in alignment of course with business requirements. To manage the service effectively we need to define the roles and responsibilities, scope or policies or objectives, plan, budget, critical success factors, key performance indicators, and reporting mechanism. These can be defined by the top management, IT director and the management team like process owners. Once these are defined as part of the strategy, the processes which can deliver, maintain relationships, make resolutions, and control the overall service can be started. These aspects can be taken care of by various processes like SLM, BRM, SACM, supplier management etc. In addition to these, there should be identification of continual service improvement for the service. In the coming slide we will discuss the points to be considered for defining the SMS.
1.79 Core Concepts of the Service Management System (SMS)
In this topic let’s discuss the core concepts of SMS, which are about planning, producing, implementing, monitoring, reviewing and improving the service management system. Let’s see them one by one in the next few slides. But before that, let’s look at a few core concepts of SMS. The core concepts of SMS are: describe the objective of planning and improving service management, describe the continual improvement methodology for service management processes, describe the key principles of producing and implementing a service management plan, and also describe the requirements for monitoring, measuring, reviewing and improving the processes. Let us now discuss the objective of planning and improving SMS.
1.80 Objective of Planning and Improving Service Management
In this slide and the coming slide we will talk about the objective of planning and improving SMS. The objective of planning and improving service management is to make service management innovative. Identifying improvements can result in cost effectiveness and improve the efficiency of the service. The improvement can be approached through the plan, do, check and act model, which is called Deming’s Cycle.
1.81 Objective of Planning and Improving Service Management
The ISO 20000 standard expects service management to be undertaken using Deming’s quality circle of P-D-C-A or Plan-Do-Check-Act.
• Plan: Establish the objectives and processes necessary to deliver results in accordance with customer requirements and the organisation’s policies.
• Do: Implement the processes.
• Check: Monitor and measure processes and services against policies’ objectives and requirements and report the results.
• Act: Take actions on the differences and continually improve process performance.
In the coming slide we will understand continual improvement in detail.
1.82 Continual Improvement Methodology for Service Management Processes
An important element in service management is continuous improvement, which is the purpose of planning and implementing service management. Continuous improvement of the performance of the organisation is required to ensure customers are continuously 'delighted' rather than just satisfied. Continual improvement must be a constant organisational objective in line with the organisational strategy, and is required to improve organisational performance. This can be effectively implemented through the PDCA cycle. Continual improvement will lead to customer satisfaction and increases flexibility to respond effectively to opportunities presented. In the long run, a culture of continuous improvement will permeate the organisation and lead eventually to more business from 'delighted' customers. Let us now look into PDCA in service management.
1.83 PDCA in Service Management
As stated previously, PDCA applies to all aspects of service management as per the ISO 20K standard. The diagram highlights how management of services is a management responsibility and must follow the P-D-C-A cycle. All aspects of services originating from business requirements, customer requirements, requests for new or changed services, other processes related to business, supplier, or customer, other teams such as security, IT operations, etc. and service desk will go through the PDCA cycle to emerge and transform as improved business results, customer satisfaction, new or changed services, other processes, and eventually team and personnel satisfaction. We will now focus on plan service management implementation and delivery based on the PDCA cycle, in the next slide.
1.84 Plan Service Management
In the planning step (plan), the objectives and plans for future service management are set. This is followed by implementation of the plans (do), where the individual plans are applied in practice. After the plans are implemented comes the control part of the mechanism (check), which compares the results achieved with the previously defined objectives and plans. On the basis of this analysis (act), the original plans are reviewed and a new cycle may continue. Let us move on to the next slide now.
1.85 Planning for Service Management
This slide maps to the PLAN part of the PDCA cycle. Here, we focus on the plan to be created for service management planning. The plan must be termed as the service management plan. It must include all details of roles and responsibilities which are needed to manage the plan. These roles and responsibilities must be documented and clearly articulate the personnel responsible to control, authorise, communicate, operate, and maintain the plans. The service management plan is a master plan, and therefore all processes related to service management must be aligned an