In 2005, the British Standards Institution (BSI) released the new ISO/IEC 20000:2005 standard, which sets requirements for the quality of IT services. Adopting the standard made it possible to evaluate the effectiveness of the services provided to users.
The standard is based on international best practice in IT service management and is suitable for organizations of all sizes, from small offices to large technology companies (and not only technology companies). In this article we take a short look at the history of ISO 20000 and describe how a company is certified against it.
Photo: WOCinTech Chat, CC
Standard development
The idea of summarizing IT service best practices in a single document came from the British government, which in 1989 commissioned the development of the Information Technology Infrastructure Library (ITIL). The first phase of the project was carried out by the British Central Computer and Telecommunications Agency (CCTA), around which a community of IT providers, corporations and consultants formed. The result of their work was a seven-volume set of recommendations describing comprehensive methods for managing IT infrastructure.
ISO 20000 was based on the latest version of the British standard BS 15000, developed by BSI, which described universal criteria for evaluating an organization's IT service management system. ISO 20000 was originally prepared for use in the technical field, so it was shaped by the needs and working specifics of IT companies: it refers to the IT risk assessment methodology and is applicable to the assessment of information security systems.
ISO 20000 consists of two parts: Information technology: Specification and Information technology: Code of Practice. The first part contains a detailed description of the requirements for an IT service management system and of the responsibilities associated with them. It identifies the 13 most important IT processes, divided into five groups:
- Service delivery processes. These include Service Level Management, Availability Management and Capacity Management, as well as service reporting, information security management and budgeting.
- Relationship processes. This area covers management of the relationships between the service provider, the customer and the suppliers.
- Resolution processes. These are the problem-solving processes focused on critical events in the company's IT infrastructure.
- Control processes. These cover change and configuration management. Company executives should understand not only the key quality parameters but also how they are collected.
- Release management processes. These concern developing new solutions and correcting existing ones.
The second part of the standard, Information technology: Code of Practice, is practical and contains recommendations on the processes and requirements described in the first part. It is intended for auditors and for companies intending to undergo certification. Evaluating IT services against the requirements of ISO 20000 shows how much of the management system has not yet been implemented, which in turn lets you plan its implementation according to the recommendations of the standard, the ITIL library or any other methodology.
In 2011, ISO 20000 was updated with a new edition, ISO/IEC 20000:2011. In the new version the requirements for the design and implementation of IT services were expanded, and the glossary was extended, which made the information easier to understand.
All ISO standards, ISO 20000 included, are interrelated. They are the "building blocks" that form the basis of the adaptive structure of any organization. The initiative to create new standards comes from the companies that use these regulatory documents: they formulate the basic requirements for a standard and pass them on to regional ISO representatives, after which the feasibility of developing the new standard is decided.
Thus, the IT service management system can be integrated with another management system, for example the quality management system under ISO 9001, the environmental management system under ISO 14001, the information security management system under ISO 27001, and others.
We also note that in 2010 Russia adopted GOST R ISO/IEC 20000 "Information technology. Service management", which also has two parts. The Russian GOST is an exact translation of the original ISO 20000 text (in effect, the standards are equivalent), but certification against it can be carried out by organizations that have no relation to the ISO registrar structure.
Company certification
Owners of service organizations and companies providing hosting services are the ones primarily interested in obtaining ISO/IEC 20000-1:2011 certification. These may be companies that develop software or websites. The certification process itself is a check of the company's policies, objectives, IT service risk assessment system and procedures for compliance with the requirements of the standard.
Companies have two options for certification. The first is an extension of the scope of registration, where an organization that has already received ISO 9001:2000 is checked for compliance with the requirements of ISO 20000. The second is certification against ISO 20000 on its own.
To obtain an ISO/IEC 20000 certificate, an organization needs to contact a certification body, that is, the company responsible for issuing certificates. Note that certification bodies must themselves be certified according to ISO 17021 and accredited by the local certification laboratory.
To obtain a certificate, you must complete the following steps:
a) Submitting the request. A company that wants to be certified to ISO/IEC 20000 submits a request to the certification body. The request describes the company: the number of staff covered by the certification, the main type of activity, the scope of work, and so on. Based on these data, the certification body calculates the number of audit days required and sends the organization's management a cost estimate for the procedure.
b) Audit. If the company accepts the certification body's offer, its representatives begin the audit, which is divided into two stages. In the first stage, the group of auditors prepares a plan that sets out everything to be checked, along with the responsible persons and the date and time of the audit. At this stage the auditors verify the documentation prepared by the company (the main processes, technical instructions and so on) and everything related to the management system (PDCA). After the first stage, the auditors compile a report listing all detected deviations in the processes.
In the second stage, the auditors analyze the company's IT service risk assessment system, policies and business processes for compliance with the standard. During this stage a report is compiled in which all deviations are noted, including those missed during the first stage.
c) Obtaining the certificate. If the company eliminates all the errors identified during the audit and provides evidence of this to the certification body, the latter prepares a report on the results of the assessment and approves the issuance of the certificate. An ISO certificate is valid for three years, during which surveillance visits may take place. After the three-year period, the company must undergo a recertification audit to extend the validity of the certificate.
Certifying an organization for compliance with ISO 20000 has at least two advantages. First, it provides an opportunity to assess the effectiveness of the IT department and helps move to a service model of providing IT services. Second, independent certification lets the company demonstrate to its customers that the quality of its service delivery processes is consistent with leading international practice, which has a positive effect on the organization's reputation.
If you have questions, you can learn more about the company's certification for compliance with the ISO 20000 standard from the specialists of IT Guild, the official certified partner of ServiceNow.
If you have questions, we will be happy to answer them in the comments. A little more about company certification and ISO 20000 compliance can be found here.