An article by Mark Sykes, Principal Consultant at Fox IT: ‘ISO/IEC 20000 Certification, Three Steps To Certification, Step 3 – Implementation’, explaining the mechanics of obtaining ISO/IEC 20000 certification.
Welcome to this third and final part of a trilogy of articles explaining the mechanics of obtaining ISO/IEC 20000 certification.
This article deals with the following aspects:
- Implementing and/or improving your service management system.
- Documentation to support the Standard.
- Pre-audit and certification audit.
Part 1 of the trilogy provided an explanation of ISO/IEC 20000, why organisations would seek to obtain certification and what’s involved in achieving it. Additionally, the paper discussed the typical length of time it takes to obtain certification and where an IT Organisation (ITO) should start when the decision has been made to attain the Standard.
Part 2 covered how to go about assessing the current state of the ITO and then, based on the output from this activity, the subsequent development of a roadmap and project plan that will lead to eventual certification.
The service management system (SMS) as displayed in the above diagram shows all of the processes and the supporting management framework that need to be in place (and, importantly, for which evidence of operation must be shown) prior to achieving certification.
The output from the detailed assessment report (discussed in the second article “Step 2 – Assessment”) will highlight the current ‘state of play’ within the ITO in respect of the requirements of the Standard. One of the benefits of providing this level of detail is that remedial activities can be specifically targeted (e.g. quick wins), which in turn will help maximise efficiencies and accelerate timescales. These remedial activities need to be built into the roadmap and project plan that was discussed in the previous article.
Before commencing the implementation and/or improvement activities, first ensure that the roadmap and initial draft of the project plan have been signed off by the relevant stakeholders.
Next, it is vital to identify owners for each of the processes and management framework that form part of the SMS; this will ensure that the right accountability is in place as the project activities progress. It is also recommended that a steering group is formed of key stakeholders to monitor progress against the project plan and to promptly deal with any issues that may arise.
Notwithstanding all of the processes that need to be in operation to attain ISO/IEC 20000 certification, the Standard places great significance on the management framework and associated activities that need to be in place for the entire SMS to be operated, supported and managed in accordance with the mandatory requirements.
This framework includes things such as:
- Management showing their commitment to the SMS;
- Ensuring that appropriate roles, responsibilities and accountabilities are in place;
- Document management and also the control of records;
- Human, technical, informational and financial resources; and
- The mechanisms to plan, implement, monitor and improve the SMS.
There are numerous requirements in this section of the Standard, and the work involved in establishing this framework needs careful planning. As is often the case, ITOs will be doing many of the activities required, but likely not everything. Utilise the recommendations detailed within the assessment report to focus on the areas needing improvement, but also be cognisant of any other certifications that the ITO or Business may already have attained. For example, if ISO 9001 is already in place then look to utilise existing practices (e.g. areas such as document management and the customer complaints process) rather than re-invent something from scratch.
For processes that already exist it will be a simple case of addressing the non-conformities that have been identified in the assessment report. The report should contain associated recommendations to remediate the noted deficiencies, so it will be a case of implementing the necessary remedial actions. It is advisable to include each of these in the project plan and track them accordingly.
In Fox IT’s experience, it is usually the case that at least one of the required processes doesn’t exist within the client ITO and hence this will take somewhat longer to remediate than those non-conformities for processes currently in operation.
For each brand new process the first step will be to design and agree a structure that supports the needs of both the business and the ITO, whilst also satisfying the requirements of the Standard. A workshop will need to be held, with input provided by key stakeholders, to define what this particular process should look like, identifying the main triggers that will initiate the process along with the inputs required to operate it and the outputs to be generated from its execution.
If there are any associated toolset requirements then these will need to be defined and implemented, taking into consideration how the evidentiary requirements of the Standard will need to be satisfied.
The next step is obviously to implement the process. An implementation strategy needs careful consideration – such as a big bang or phased approach. Fox IT usually recommends doing a limited pilot first, just to ensure that the process is fit-for-purpose and to ensure that all of the accompanying documentation (e.g. procedures and work instructions) is ready for formal publication.
Once a new process has been implemented, or improvements are made to an existing process, it needs to be monitored and assessed for any further improvements that may be necessary. Ensure that appropriate measures and key performance indicators have been set to support this activity. It is useful to keep a record of any improvements that are made, as this will be good evidence to show an auditor that the ITO is continually striving to improve the operation and maturity of their SMS.
Particularly for newly implemented processes, it is important to remember that the Registered Certification Body (RCB) will typically be looking for 3 months’ worth of evidence of processes being in operation and meeting the requirements of ISO/IEC 20000 – and this period should have been built into the roadmap and project plan.
Documentation to Support the Standard
For all processes that form part of the SMS, the Standard expects certain documents to be in place. As already mentioned above for the newly introduced processes, these should be clearly defined and documented, along with any relevant procedures to support their management and operation.
Policies and Plans
The Standard also mentions a number of policies and plans that need to be in place. Two of the key documents that apply to the overall SMS are the service management policy and the service management plan. These can turn into quite detailed, lengthy documents and set the foundation for the operation and management of the SMS. The service management policy and service management plan are vital to successful certification, so it is a good idea to seek the advice of an experienced consultancy firm who can use proven templates and a wealth of experience to help you develop this key documentation. In addition to ensuring that the policy and plan are effective, this professional input will save the ITO time and effort and accelerate delivery timescales.
Another area in which it is advisable to seek expert support is for the development of other policies and evidentiary requirements that are required by the Standard, such as:
- Catalogue of services
- Service level agreements
- Availability plans
- Capacity plans
- Complaints procedure
- Change management policy.
The above list is just a selection of the items required by the Standard and which the RCB auditor will be looking for. All of these will have been covered during the assessment (discussed in the previous article) and so any non-conformities that need addressing will already be understood.
Pre-audit and Certification Audit
Before the RCB visits the ITO to perform the certification audit, Fox IT recommends that an audit-qualified consultant performs a final review.
This review is intended to provide the ITO with a high level of confidence that the RCB audit will be a successful one. When Fox IT carries out this review we assess the ITO’s service management system to ensure that all of the previously identified non-conformities have been remediated; that no new non-conformities have been created; that all policies, processes and procedures are being adhered to; and that all necessary evidence is being generated in an appropriate format.
The output from this ‘pre-audit’ will enable any final issues to be resolved prior to the RCB visiting the ITO. In Fox IT’s experience, organisations like to ‘pass first time’ and hence this pre-audit provides them with that extra level of confidence that certification will be successful at the first attempt.
Finally, it will be time for the RCB to perform the certification audit. All being well the ITO will pass at the first time of asking, but not until an intense few days under the scrutiny of the RCB’s auditors have passed by. Should any issues be identified (either non-conformities or maybe just observations) then the RCB will not be able to provide any advice or guidance as to how to remediate these, so it is advisable to enlist the help of an expert consultant to provide advice and to recommend a suitable solution.
How Can Fox IT Help You?
Fox IT has many years’ proven experience of ISO/IEC 20000 as well as its previous incarnation, BS15000, producing a demonstrable track record of assisting organisations in attaining certification.
Our proven route map for guiding clients on their journey enables us to support you whatever your requirements – from the initial scoping activities and putting together a business case, then onto the detailed assessment, through to developing and implementing a mature service management system that enables clients to meet the certification requirements.
Our level of involvement on an engagement such as ISO/IEC 20000 certification is commensurate with the level of competence and knowledge within the ITO, as well as the internal resources that they have available. Where the ITO has sufficient resources to carry out the majority of the certification process independently, Fox IT can offer assistance just at those stages where expert guidance is required. For example, in cases where essential processes aren’t in existence, we can facilitate the workshops where the new processes are defined and agreed, followed by mentoring activities with the nominated Process Owner and Process Manager whilst they build their experience. We can also provide guidance for remediating any non-conformities that are highlighted in the assessment report.
Alternatively, Fox IT also has the capability to deliver much more of a hands-on involvement to help you achieve certification. We can perform the role of a Process Owner or Process Manager until the ITO has the capability, and also provide support for the Process Practitioner roles by performing day-to-day operational activities. In addition to this practical support we also provide a comprehensive training portfolio, including ISO/IEC 20000 Foundation, Practitioner and Auditor courses.
Enlisting Fox IT’s expertise will accelerate the timeframe for your certification and help to minimise the risk of any issues arising when the RCB performs the final audit.