Implementation and ISO 20000 certificate – IT service quality management system
What is the ISO 20000 standard?
ISO/IEC 20000-1 provides guidelines for the management of IT services in companies. According to the standard's assumptions, a company that implements the ISO 20000 requirements should achieve a stable level of quality of its IT services and full technical capacity to provide them. But how does it look in practice?
ISO/IEC 20000-1 implementation benefits:
The standard's authors assume that, in addition to providing a system that ensures a high level of quality of the services provided, the key goal is to increase the company's business capabilities, which means that the implementation must increase the company's effectiveness.
For each proposed solution, two basic questions should be asked:
• What will this solution give to my company?
• What benefits will my company have?
The main assumption of the standard is to stabilize the conditions under which the service is provided to the client. As part of the system, a so-called “Service Manual” is created. In addition to the service specification, this document also contains the SLA, which defines the response time to individual customer needs.
While creating the “Service Manual”, we need to identify the components (parameters) of individual services. Identifying these parameters makes it possible for the client to use the service properly and for the company to provide the service without disruption. The most important components include:
1. Hardware requirements on the company and client side.
2. Requirements for software (environment) on the company and client side.
3. If the services are provided via communication links, the requirements for these links.
4. The level of skills (competencies) on the company’s and client’s side.
Identifying these constituent elements allows us (as a company implementing the ISO 20000 requirements) to complete an inventory of our services and technical capabilities; through these activities we introduce order into our structures.
Determining response times (SLA – Service Level Agreement), which are also included in the “Service Manual”, means that both we and the customer are aware of the technical limitations of the services, which (as with the technical requirements) limits customer claims.
The next advantage of implementing ISO 20000 is the requirement to introduce supervision over the infrastructure with which we provide services. Supervision should be understood to cover issues such as:
• Version management,
• Ensuring the separation of test and production environments (at least logical),
• Change management in the environment,
• Providing backups of hardware, data and software,
• Ensuring the security of environments and links,
• Ensuring compatibility of versions and types of hardware and software,
• Providing the client with a “friendly” service environment and support (Helpdesk).
Everyone who provides IT services professionally will agree that the points above are standards that are not open to discussion. Of course, when we begin to implement them, we collide with everyday reality and problems arise. The main ones are: costs, introducing changes to an existing and working network topology, changing the mentality of employees, and costs again!
It is clear that we need to remember two things:
1. We decide the scope of services in which we implement ISO 20000-1, so at the beginning of the project we need to know the level of our capabilities and run the project on the basis of this common-sense principle.
2. We have to make money on services!!!
The implementation of ISO 20000 requirements largely boils down to three principal aspects:
• Clarifying the terms of the services provided
• Developing feedback between:
– a company and a client
– employees among themselves
• Introducing the rule – plan first and then implement.
If we already know these rules and apply them even a little in our company, we will approach the implementation of ISO 20000 easily and it will not cause us any problems.
Feedback between us and the customer will allow us to modify the product and its support so that the product is user-friendly. It should be remembered that people by nature look for the simplest solutions and tools, because learning to use them takes the least time.
Summary of the most important benefits:
• Service manual
• Specified SLA
• Project management (plan – do – check – act)
• Order in hardware and software
• User-friendly service
• Feedback between the user and the company.
ISO 20000 implementation costs:
Below we present the estimated cost of implementing ISO 20000-1 for a company that relies on standard IT solutions available on the market. The assumptions for the project are as follows:
• We do not increase employment (we have to be profitable),
• We rely on reconfiguring existing technical solutions; hardware purchases are a last resort.
Cost items and their description:
1. Purchase of the ISO 20000 QMS implementation service – cost from 20,000 to 80,000 (depending on the size of the company). Of course, you can find cheaper offers, but you have to ask yourself: why so cheap? The consultants will do the following for us (but we must actively participate):
• Preparation of the QMS documentation – the consultants should prepare all documents; do not allow this activity to be shifted onto us, because then we burden our own employees with work the consultants are being paid for. In addition, developing the documentation ourselves extends the project. Our task is to review the documentation, not to create it!
• Training in ISO 20000 – we emphasize that the meaning of the standard's provisions should be explained to us; we must understand them, otherwise we will become dependent on the consultants!
• Internal audits – the consultants can carry them out, and the first time round they will certainly perform them more professionally than we would.
2. Purchase of the certification service – cost from 10 to 50 thousand (may be higher for a large company). Remember that not many certificates have been issued yet, so the auditors, like us, are still learning, but at our expense! Choose a certification body that is accredited for ISO 20000-1 certification and whose auditors take a pragmatic approach to assessing compliance with the standard! Then they will not harm us, and along the way we will learn something new.
3. Hiring new employees – not needed. The so-called system requirements (carrying out internal audits, management reviews, customer satisfaction surveys, supervision of documentation and records, etc.) will add tasks amounting to around 3 to 5 working days a year! Within 2-3 years, thanks to the intended increase in work efficiency, we should see the time spent on these tasks decrease relative to the starting level.
4. Purchase of hardware and software. This item will only occur if:
• We cannot create a logically isolated test environment on existing hardware,
• We use pirated software – we have to legalize it,
• We do not create backups – we need to provide at least data backups,
• We do not have any hardware or software security measures – we must have at least firewalls and anti-virus software,
• We do not have suitable links for data transmission.
5. Instead of buying new solutions, we use existing ones; let us take the time to check whether we use the full capabilities of our equipment, software and people! It often happens that a company spends large sums on a new solution simply because the system administrators or users do not want to learn how to fully use an existing resource!
There are no more cost items. Remember that the cost of implementation depends largely on our own inventiveness and the creativity of the consultants!
ISO/IEC 27001 implementation alongside an existing management system compliant with ISO/IEC 20000-1
Standards for quality, environmental, and health and safety management systems published after 2000 share a common foundation, first published in the ISO 9001 standard. The components of this unified structure are:
1. Document control
2. Records control
3. Internal audits
4. Nonconformity and corrective actions
5. Management review
6. Infrastructure
7. People management
8. Leadership engagement
When implementing an information security management system (ISMS) compliant with ISO/IEC 27001 alongside an existing quality management system compliant with ISO/IEC 20000-1, we already have developed processes (described in the procedures) in the above-mentioned scope. From the technical side, the implementation of these processes does not differ between the two systems.
Elements that must be implemented in the ISMS and do not appear in the ISO 20000-1 QMS are:
1. Identification of threats, vulnerabilities and risks for our company,
2. Development of safeguards in the areas of personnel and physical security,
3. Development of some security measures in the field of IT security,
4. Implementation of these safeguards,
5. Extension of incident management to the personnel, physical and IT areas supporting the service delivery processes,
6. ISMS reviews at the level of operational, middle and top management,
7. Preparation of documentation describing the above areas.
The workload for implementing an ISMS on top of an existing ISO 20000-1 quality management system should be 20-40% lower than implementing an ISMS in a company without any ISO-compliant management systems.