A few Questions on ISO 20000 - IT Service Management System (ITSMS)

[mjflkitty]

Hi All,

I have some few questions regarding the ITSMS:

1. I notice that the copy of the standard we have states “should” instead of “shall”. Is this correct? And what is be the reason behind this because as far as I can remember QMS states “shall”. Does it mean it’s not anymore mandatory?
2. Do we still have mandatory procedure for ISO20000? What are the Mandatory Procedure for ISO20000? For QMS its 6, how about for ITSMS?


Thank you

 

[howste]

Hi All,

I have some few questions regarding the ITSMS:

1. I notice that the copy of the standard we have states “should” instead of “shall”. Is this correct? And what is be the reason behind this because as far as I can remember QMS states “shall”. Does it mean it’s not anymore mandatory?
2. Do we still have mandatory procedure for ISO20000? What are the Mandatory Procedure for ISO20000? For QMS its 6, how about for ITSMS?


Thank you

1) It sounds like you're looking at ISO 20000-2 instead of ISO 20000-1. 20000-1 is the requirements document, and -2 is the "Code of Practice" which contains only guidance and recommendations.

2) I don't have a list of required procedures required, but if you have a PDF copy of the standard (20000-1), it should be simple to search and find them.

 

[mjflkitty]

Thank you so much for the enlightenment about he -1 and -2. You are right I was reading -2.

And for the mandatory procedure, is it 6? or more than 6?

 

[pldey42]

I teach ISO 20000. It doesn't include phrases like "A documented procedure shall be established ..."

Instead, it summarizes requirements for documentation and records in clause 3.2 "Documentation Requirements" and gives detailed requirements for documents and records in-line, for example in 4.1, 4.2 .. all over the place.

The requirement for an audit procedure is in 4.3. It doesn't say "documented audit procedure". So if the audit proc is not documented, then, provided auditors are competent and the audit process is - in a consistent, repeatable and sustainable fashion -- communicated, understood, executed and there are records of its effectiveness then, like any other undocumented process, it's fine.

This is an interesting management system standard in that it's less dogmatic than others about documented procedures, and apparently more happy with documentation where it makes sense. Also, it's somewhat unusual in that it directly address risk management, accountability and budgets.

Hope this helps,
Pat

 

[mjflkitty]

Thank you so much....I am a bit confuse now...so ISO20000 is not comparable to ISO9000 where in there is a 6 mandatory requirements? My understanding based from your explanation is any word that states documented there must be an equivalent document?

 

[pldey42]

Hi mjflkitty,

There has long been a myth that somehow if you meet the requirements in ISO 9001 for six mandatory documented procedures you've either built a quality management system or will fool the certification body into signing it off. It has never been true. Decent certification bodies look for consistent process management that meets all the requirements of the standard, not just in terms of documentation, but in consistent execution and effective results.

Instead of looking for requirements for documented procedures, why not examine the requirements and consider how best to satisfy them in such a manner as to stabilize IT service delivery and provide an infrastructure for its continual improvement?

ISO 20000 is "quality management for IT". While you might not literally need one document for every requirement that indicates documentation, such material will need to be documented somewhere - whether in one or several documents is a matter for the organization and what's appropriate to its needs.

So, for example, 6.1 says, "Each service provided shall be defined, agreed and documented in one or more service level agreements (SLAs)." If you deliver several different services to one customer, you might combine all the SLAs into one document, or you might not: your choice (and your customer's).

Hope this helps,
Pat

 

[mjflkitty]

Hi,

Thank you so much for the reply...Do you have any sample Audit Plan. I don't know who will I start. I don't know if I will start referencing to a flowchart or should I jst go to the standard?

 

[pldey42]

Auditing is a soft skill, best learned on a training course - like those I deliver for BSI It's much more than copying a sample plan. An audit is about examining conformity with the standard, your own procs, and the effectiveness of the management system - much more than the simplistic checklists that some will try to sell you.

Hope this helps,
Pat

 

[mjflkitty]

Thank you so much...I was hoping I can see thru the template itself