QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14


  • 8/12/2019 QWR ISO20000 Auditor M03 Application Eligibility and Scoping US-06APR14


    ISO/IEC 20000 Auditor

    3 Application, Eligibility and Scoping

    Copyright 2006, Quint Wellington Redwood


    Module 3

    Application, Eligibility and Scoping


    Application of ISO/IEC 20000

    • Businesses that are going out to tender for their services

    • Businesses that require a consistent approach by all service providers in a supply chain

    • To benchmark their IT service management

    • As the basis for an assessment leading to certification

    • To demonstrate the ability to provide services that meet customer requirements

    • To improve service through the effective application of processes to monitor and improve service quality.

    The standard may be used, among others:

    • by businesses that are going out to tender for their services

    • by businesses that require a consistent approach by all service providers in a supply chain

    • by service providers to benchmark their IT service management

    • as the basis for an assessment which may lead to a formal certification

    • by an organization that needs to demonstrate the ability to provide services that meet customer requirements

    • by an organization which aims to improve service through the effective application of processes to monitor and improve service quality


    ISO/IEC 20000 Certification

    • Step 1

      Are you eligible?

    • Step 2

      What is the scope?

    • Step 3

      Do you meet the standard?

    The following slides will discuss the certification process, which is split into three main steps.

    Step 1

    o Are you eligible?

    Step 2

    o What is the scope?

    Step 3

    o Do you meet the standard?

    ISO/IEC 20000 is closely related and complementary to the ISO 9001 Quality Management standard. Therefore service providers that have acquired certification to this standard may have already fulfilled some of the mandatory requirements of ISO/IEC 20000, as long as the scoping of the ISO 9001 certification audit includes the scope of the ISO/IEC 20000 audit. This is also true for other standards such as the Information Systems Security standard ISO 17799.


    Eligibility

    • Eligibility is based on the extent and degree of management control that the service provider has over the ISO/IEC 20000 processes

    • The organisation must be able to demonstrate that it has management control of all of the processes defined within the ISO/IEC 20000 standard

    • Management control of a process consists of:

      o Knowledge and control of inputs

      o Knowledge, use and interpretation of outputs

      o Definition and measurement of metrics

      o Demonstration of objective evidence of accountability for process functionality in conformance to the ISO/IEC 20000 standard

      o Definition, measurement and review of process improvements

    Eligibility is based on the extent and degree of management control that the service provider has over the ISO/IEC 20000 processes. In order to be eligible for certification within the ISO/IEC 20000 scheme a service provider must be able to demonstrate management control of all of the processes contained within the ISO/IEC 20000 standard.

    In order for a Service Provider organization to achieve certification under the ISO/IEC 20000 scheme it must be able to demonstrate that it has management control of all of the processes defined within the ISO/IEC 20000 standard. For this purpose management control of a process consists of:

    • Knowledge and control of inputs

    • Knowledge, use and interpretation of outputs

    • Definition and measurement of metrics

    • Demonstration of objective evidence of accountability for process functionality in conformance to the ISO/IEC 20000 standard

    • Definition, measurement and review of process improvements

    The first two aspects to be considered and agreed when a service provider is seeking to achieve certification under the Scheme are:

    • is the service provider eligible for certification under the Scheme?

    • if the service provider is eligible for certification, then what is the scope of the processes being audited?


    Why Scope

    • The certificate should not intentionally or unintentionally imply that the organisation has capabilities over and above those covered by the audit

    • The customers must be able to rely on the certificate

    It is assumed that the organization seeking certification is the Service Provider organization, either ISP or ESP as illustrated in the figure below. However, in reality many organizations have multiple roles and may appear with different functionality in different scenarios. Therefore a single organization may appear as an EUO (End User Organization), ISP, ESP or supplier dependent upon the supply chain being considered. Scoping of the audit and certification are therefore crucial to the whole process.

    Figure - ISO/IEC 20000 relationship between providers and suppliers


    A number of definitions associated with the components illustrated in the figure are contained within the following list:

    The Business:

    • The Business: an overall corporate entity or organization formed of a number of business units which provide a set of products or services.

    • The Business Unit: a segment of the business entity by which both revenues are received and expenditures are caused or controlled, such revenues and expenditures being used to evaluate segmental performance

    • The End User: the recipient of a service, a person using the service on a day-to-day basis

    • The Customer: the recipient of service(s); usually customer management has responsibility for funding the service, either directly through charging or indirectly through demonstrable business need

    • The End User Organization (EUO): an organization which is a recipient of a product or a service from the service provider and consists of both customers and end users

    The Service Provider:

    • The Service Provider: the unit responsible for the provision of IT services. The Service Provider supplying services to Customers can be either internal (Internal Service Provider - ISP) or external (External Service Provider - ESP) to the overall organization being considered for certification. This may also include outsourcing service provider organizations or co-sourcing service provider organizations, working in partnership with other service provider and supplier organizations.

    The Services:

    • Service(s): a set of IT services provided to an End User Organization

    • Managed Service(s): a set of services provided by an External Service Provider to the End User Organization of a separate organization

    The Suppliers:

    • The Supplier: a third party responsible for supplying underpinning elements of the IT services. These suppliers may range from commodity hardware or software vendors, through network service providers and major hardware and software manufacturers to major outsourcing organizations and strategic partnering relationships.

    • The Lead Supplier: a third party responsible for supplying underpinning elements of the IT services. Lead suppliers use subcontracted supplier(s) to assist in the delivery of their elements of IT service(s).

    • The Subcontracted Supplier: a third party responsible for supplying underpinning elements of a service supplied by a lead supplier.

    The IT Infrastructure:

    • The IT Infrastructure: the Information Technologies (IT) components or Information Communications Technologies (ICT) components (hardware, software, products etc.) necessary for the delivery of services to the users. It is the convergence of Information Technology, Telecommunications and Data Networking Technologies into a single integrated technology.

    • IT Infrastructure Library (ITIL): a set of guides containing best practice guidelines on the management and provision of operational IT services


    Scoping guidelines

    • May be an entire organisation or part of an organisation

    • Might rely on evidence or contributions from other supplier organisations

    • For certification, it is unimportant whether the processes are

      o Performed entirely by a single Service Provider, or

      o Performed partly by other organisations

    When seeking certification a Service Provider should decide the scope of the service to be audited and agree this with the ISO/IEC 20000 auditor in advance of the audit. The scoping statement should be validated by the auditor, referenced in the audit report and the scope stated on any ISO/IEC 20000 certificate.

    The Service Provider seeking certification may be an entire organization or part of an organization. For certification, it is unimportant whether the processes within the scope of the audit are performed entirely by a single Service Provider or performed partly by other organizations. Certification of one Service Provider might rely on evidence or contributions from other supplier organizations.

    Those who wish to take assurance from a Service Provider's certificate might ask to see the scope of an ISO/IEC 20000 certification. It is therefore important that this is unambiguous and accurate. The certificate should not intentionally or unintentionally imply that the certified Service Provider has capabilities over and above those covered by the assessment. The auditor should ensure that the declared scope accurately describes the actual scope of the audit. If at any time during a Service Provider's certification cycle (e.g. during repeat audit checks) the auditor determines that the declared scope has changed, then the certificate, and possibly the basis of the certificate, will need to be amended, including the scope. The terms of a service contract cannot remove or reduce the obligation on the auditor to obtain sufficient appropriate evidence of conformity to the specified requirements. It might therefore be necessary for the Service Provider being audited to obtain supporting evidence or assistance from suppliers involved in the delivery of the service(s) in question, in order for the Service Provider itself to demonstrate compliance with all areas of ISO/IEC 20000 and for the audit to be satisfactorily completed.

    With regard to scoping of the certification, due consideration should be given to the areas being reviewed in terms of:

    • the geographical aspects involved, such as an office, group of offices, a region, a country, globally, etc.

    • the organizational aspects involved, such as a department, a group of departments, all departments, etc.

    • the service aspects involved, such as a service, a group of services, a section of the service catalogue, all services, etc.


    Developing a scope statement

    • The scope statement should explicitly cover:

      o Services encompassed by the audit, e.g. one service, a group of services, a section of the service catalog, all services

      o Any geographical or location boundaries, e.g. one site / office, a group of offices, a regional or national boundary

      o Organizational or functional boundaries, e.g. one department, a group of departments, all departments

      o Any outsourced process components, e.g. the performance data collection elements of Capacity Management

    The scoping statement should explicitly cover:

    • the services encompassed by the audit

    • any geographical or location boundaries (e.g. a site, a regional or national boundary)

    • organizational or functional boundaries

    • any outsourced process components (e.g. the performance data collection elements of Capacity Management)

    As a guideline a service provider should be able to easily provide the following:

    • clear definition of the scope of the services and infrastructure within the scope of the ISO/IEC 20000 audit

    • the interfaces between processes, with clarity on how they are controlled by the service provider. With ISO/IEC 20000 it is really important that people realize how the processes interface and interact with each other and are controlled overall, including key process contacts within other organizations. A service provider with a full set of good processes, each operating in isolation, is not good enough to achieve certification

    • information on the role of and the interfaces to other organizations involved in the overall service delivery, including any of the service provider's customers and suppliers.

    If a service provider can't produce this information easily at high level they are probably not suitable for ISO/IEC 20000 certification at this stage, as this indicates inadequate overall service management processes and they are very unlikely to be capable of passing the audit.

    The certificate awarded would eventually be limited to the services stated within the agreed audit scope, which might not be the whole Service Provider organization. All audit certificates have a scope, and the ISO/IEC 20000 series advises people to check the scope if they intend to accept ISO/IEC 20000 as evidence of good service management (e.g. in a due diligence stage).

    Often Service Providers may wish to acquire ISO/IEC 20000 for a scope which represents a small part of their total organization. This is acceptable within the Scheme as long as the Service Provider is operating a management system in compliance with the requirements of the ISO/IEC 20000 standard. Care should be taken to ensure that this is the case for small sections of large Service Provider organizations.


    Similarly, if a Service Provider is seeking certification but does not have management control over all processes, they should be informed that ISO/IEC 20000 is not appropriate. A Service Provider such as an outsourcing company and their EUO therefore cannot both get separate certificates for the same set of service management processes.

    Clearly the scope of each certification is very important. It is used to describe the extent of the certification within the certified organization. The ISO/IEC 20000 certification relates to the service management processes and the management system used to deliver IT services and therefore the scope should indicate that. For example if organization A has been certified for the provision of all internal IT services the certificate scope should be:

    The IT Service Management System that supports the provision of SERVICES to CUSTOMERS within the technical and organizational boundaries of LEGAL ENTITY and LOCATIONS.

    Optionally this may also include an additional sentence:

    This is in accordance with *LEGAL ENTITY's* *SERVICE CATALOGUE or SERVICE MANAGEMENT PLAN* and includes all IT service management processes and the management control of those interfaces that support them.


    Example scoping statement 1

    • Electronic Data Systems (EDS) is a certified organisation under the itSMF BS15000 Certification scheme.

    • The certificate was issued on 1st June 2005 by EMA

    • The scope of certification is:

      The IT Service Management System that covers the provision of "The integration, delivery and maintenance of end-to-end IT infrastructure services (Computer and Network Operations) from within the boundaries of EDS ITO Netherlands". This is in accordance with the EDS service catalogue and includes all IT service management processes and the management control of the interfaces that support them

    • The location of the certificate: Electronic Data Systems (EDS) Information Technology Outsourcing (ITO), Spijkenisse, The Netherlands


    Example scoping statement 2

    • Tata Iron and Steel Company Ltd is a certified organisation under the itSMF BS 15000 Certification Scheme. The certificate was issued by STC (India) on 15 February 2005.

    • The scope of the certification is:

      "Provision of Network and Communication Services, IT infrastructure and Tools, Project support services and Maintenance of Software applications."

    • The location covered by the certification is Tatanager India


    Example scoping statement 3

    • Information Management Center Chung Shan Institute of Science and Technology is a certified organisation under the itSMF BS 15000 Certification Scheme.

    • The certificate was issued on 10 October 2005 by :.

    • The scope of the certification is:

      "Provision of Information Infrastructure Services for Management Information System (MIS) including Data Base, Application Servers and Networks. Provision of Office Automation (OA) Services including Internet Access Service, Intranet E-Mail Exchange Service and Portal service. Provision of Information Security Services including Vulnerability Assessment, Intrusion Detection, Certification Authority, Firewall Management and Virus Protection."

    • Location: Building 702 Hsin-Hsin Barrack OC.


    • Wipro Technologies Global Command Centre is a certified organisation under the itSMF BS 15000 Certification Scheme. The certificate was issued on 27 February 2004 by : Certification Ltd.

    • The scope of the certification is:

      "IT Infrastructure Service Management for external clients, provided by the Global Command Centre (GCC) in Bangalore, covering the following services: Monitoring, Administration, Diagnostics, Performance, Analysis and Reporting"

    • The location covered by the certification is:

      Electronic City, Wipro Technologies, Plot


    Example scoping statement 5

    • HCL Comnet Ltd is a certified organisation under the itSMF BS 15000 Certification Scheme. The certificate was issued on 3 January 2005 by : Ltd

    • The scope of the certification is

      "Provision of network monitoring and Management Services at Global Management Centre, Noida & Provision of end to end IT infrastructure Services Management comprising of IT Service Desk, Desktop Services, Desktop Application (Exchange, Citrix, IIS, Send mail), LAN/WAN Management, Security, Voice & Video Conferencing Equipment Management, Server Installation and Management of various Operating Systems and Data Centre Operations at Offshore Management Centre-AMD, Noida and DR Centre, Chennai."

    • The location covered by the certification is

      Chennai, India


    Example scoping statement 6

    • Hewlett-… Road Bangalore India 45/14 Tumkur Road Yashwantpur II Stage Bangalore India


    Other Considerations

    • Can only be awarded to a single legal entity


    Scoping Example 1

    Figure - Organization 1 (End User Organization - EUO): Business unit A, Business unit B, Business unit C, Business unit D; Internal IT Service


    Scoping Example 2

    Figure - Organization 2 (End User Organization - EUO): Business unit A, Business unit B, Business unit C, Business unit D; Internal IT Service


    The Service Desk supplier cannot get certified for its external Service Desk services as the standard does not relate to products and services. However, they can get their internal processes certified as long as all of the requirements of the ISO/IEC 20000 standard are met.


    Scoping Example 3

    Figure - Organization 3 (End User Organization - EUO): Business unit A, Business unit B, Business unit C, Business unit D; Internal IT Service


    Scoping Example 4

    Figure - Organization 4 (End User Organization - EUO): Business unit A, Business unit B, Business unit C, Business unit D; Internal IT Service


    measurement of process metrics, process conformity to ISO/IEC 20000 and definition and management of process improvements.

    Note: In this particular example it would also be possible for the Service Desk organization to gain certification, provided all of its internal Service Mgt processes conform to ISO/IEC 20000 requirements. However, the certificate must be carefully scoped to state that this is the case and the certification implies nothing about the quality of service provided by the Service Desk itself.


    Scoping Example 5

    Figure - Organization 5 (End User Organization - EUO): Business unit A, Business unit B, Business unit C, Business unit D; Internal IT Service


    Scoping Example 6

    Figure - Organization 6 (End User Organization - EUO): Business unit A, Business unit B, Business unit C, Business unit D; Internal IT Service


    Scoping Example 7

    Figure - Organization 7 (End User Organization - EUO): Business unit A, Business unit B, Business unit C, Business unit D; Internal IT Service


    Scoping Example 8

    Figure - Organization 8 (End User Organization - EUO): Business unit A, Business unit B, Business unit C, Business unit D; Internal IT Service


    Questions