CSA ISO/IEC 20000-2
Information technology — Service management — Part 2: Guidance on the application of service management systems
|Publication Date:||1 January 2020|
|ICS Code (Other services):||03.080.99|
|ICS Code (Information technology (IT) in general):||35.020|
This document provides guidance on the application of a service management system (SMS) based on ISO/IEC 20000-1. It provides examples and recommendations to enable organizations to interpret and apply ISO/IEC 20000-1, including references to other parts of ISO/IEC 20000 and other relevant standards.
Figure 1 illustrates an SMS with the clause content of ISO/IEC 20000-1. It does not represent a structural hierarchy, sequence, or authority levels.
The structure of clauses is intended to provide a coherent presentation of requirements, rather than a model for documenting an organization's policies, objectives, and processes. Each organization can choose how to combine the requirements into processes. The relationship between each organization and its customers, users, and other interested parties influences how the processes are implemented. However, an SMS as designed by an organization cannot exclude any of the requirements specified in ISO/IEC 20000-1.
The term 'service' as used in this document refers to the services in the scope of the SMS. The term 'organization' as used in this document refers to the organization in the scope of the SMS. The organization in the scope of the SMS can be part of a larger organization, for example an IT department of a large corporation. The organization manages and delivers services to customers and can also be referred to as a service provider. Any use of the terms 'service' or 'organization' with a different intent is distinguished clearly in this document. The term 'delivered', as used in this document, can be interpreted as all of the service lifecycle activities that are performed in addition to daily operational activities. Service lifecycle activities include planning, design, transition, delivery, and improvement.
The guidance in this document is generic and is intended to be applicable to any organization applying an SMS, regardless of the organization's type or size, or the nature of the services delivered. While it can be used 'regardless of the organization's type or size, or the nature of the services delivered', ISO/IEC 20000-1 has its roots in IT. It is intended for service management of services using technology and digital information. The examples given in this document illustrate a variety of uses of ISO/IEC 20000-1.
The service provider is accountable for the SMS and therefore cannot ask another party to fulfil the requirements of ISO/IEC 20000-1:2018, Clauses 4 and 5. For example, the organization cannot ask another party to provide the top management and demonstrate top management commitment or to demonstrate the control of parties involved in the service lifecycle.
Some activities in ISO/IEC 20000-1:2018, Clauses 4 and 5 can be performed by another party under the management of the organization. For example, an organization can ask another party to create the initial service management plan as a key document for the SMS. The plan, once created and agreed, is the direct responsibility of and is maintained by the organization. In these examples, the organization is using other parties for specific short-term activities. The organization has accountability, authorities, and responsibility for the SMS. The organization can therefore demonstrate evidence of fulfilling all of the requirements of ISO/IEC 20000-1:2018, Clauses 4 and 5.
For ISO/IEC 20000-1:2018, Clauses 6 to 10, an organization can show evidence of meeting all of the requirements itself. Alternatively, an organization can show evidence of retaining accountability for the requirements when other parties are involved in meeting the requirements in ISO/IEC 20000-1:2018, Clauses 6 to 10. Control of other parties involved in the service lifecycle can be demonstrated by the organization (see 8.2.3). For example, the organization can demonstrate evidence of controls for another party who is providing infrastructure service components or operating the service desk including the incident management process.
The organization cannot demonstrate conformity to the requirements in ISO/IEC 20000-1 if other parties are used to provide or operate all services, service components, or processes within the scope of the SMS. However, if other parties provide or operate only some of the services, service components, or processes, the organization can normally demonstrate evidence of meeting the requirements specified in ISO/IEC 20000-1.
The scope of this document excludes the specification of products or tools. However, ISO/IEC 20000-1 and this document can be used to help with the development or acquisition of products or tools that support the operation of an SMS.
This document follows the clauses in ISO/IEC 20000-1 and, from Clause 4 onwards, provides three sections per clause or sub-clause:
a) Required activities: a summary of the activities required by this clause in ISO/IEC 20000-1 Note that this summary does not replicate the requirement statements in ISO/IEC 20000-1 or add new requirements, but simply describes the activities;
b) Explanation: an explanation of the purpose of the clause and practical guidance on clause contents, including examples and recommendations on how to implement the requirements of ISO/IEC 20000-1. When relevant, it refers to other parts of ISO/IEC 20000 and other relevant standards;
c) Other information: guidance on roles and responsibilities and on documented information supporting the implementation of an SMS. Further relevant information can also be included.