Case Study – Successful ISO/IEC 20000 Certification for UK Financial Services Provider
Fox IT assists client in obtaining ISO/IEC 20000 certification for the delivery and management of critical business services.
The organisation's IT department (ITD) identified that ISO/IEC 20000 certification would support its work to further enhance and optimise existing IT operations, and would also let it demonstrate to the business the value of its investment and the ITD's capability to deliver high-quality services.
Background and Requirements
The IT department within this organisation is, like many others, under constant pressure to deliver quality, cost-effective services to the business. The ITD had struggled to clearly articulate and demonstrate the value it delivers to the business, and certification against an internationally recognised Standard (ISO/IEC 20000) was seen as one way of achieving this.
At the same time, although existing controls (based on COBIT®) had been implemented, it was recognised that there was further room for improvement in some key areas, and that implementing the additional requirements needed for compliance with ISO/IEC 20000 would bring internal benefits in its own right.
Scope and Approach
Fox IT®, with a wealth of experience in successful ISO/IEC 20000 assignments, was engaged to assist the ITD in obtaining certification that covered key locations in Scotland, but also encompassed offices across the UK, Europe, North America and Asia. Fox IT has a proven roadmap of activities for clients wanting to achieve ISO/IEC 20000 certification and this was utilised as the basis for the project.
Because knowledge of the Standard within the ITD was limited, the first activity was a series of ISO/IEC 20000 awareness sessions for the key stakeholders who would own and manage the processes making up the service management system (SMS), the core framework the Standard requires. The sessions gave them an appreciation of ISO/IEC 20000, its purpose and objectives, and how it related to their own roles.
This was followed by a workshop to develop a stakeholder map that identified the key services being delivered, the internal and external customers of those services, and the internal and external parties involved in delivering and supporting those services. This knowledge provided the foundation upon which to then define and agree an appropriate scoping statement upon which the subsequent activities and certification audit would be based.
Following this initial work, Fox IT undertook a number of key activities from its standard roadmap to certification. These led to the implementation of an efficient and effective SMS that built on the client's existing control framework. Those activities included:
- Performing a detailed assessment against all requirements of ISO/IEC 20000 to review the current state and to identify all existing non-conformities.
- Developing both a service management system policy and plan.
- Holding workshops with key stakeholders to define and agree new processes required as part of the SMS, as well as identifying and agreeing improvements to existing processes.
- Reviewing and providing quality assurance of existing documentation to ensure compliance with all evidentiary requirements of the Standard.
- Providing relevant guidance and mentoring to certain process owners and managers in the implementation of new processes/process activities.
- Assisting the programme manager in reviewing completed project activities and ensuring that previously identified non-conformities were satisfactorily remediated.
- Performing a pre-audit prior to the certification audit.
- Reviewing the pre-audit output, and recommending and implementing actions to correct identified deficiencies.
Results and Outputs
The results of the detailed assessment enabled all existing non-conformities to be identified and provided an accurate baseline upon which to measure future progress, as well as supporting the Standard’s requirements for continual improvement activities. Non-conformities were detailed along with specific recommendations for addressing these issues, providing the ITD with a clear understanding of the necessary work required to be completed prior to being formally audited.
For this client, the strong COBIT controls and supporting evidence already in place provided an excellent foundation for the requirements of ISO/IEC 20000, and satisfied many aspects of the SMS framework. This, together with the good level of maturity identified for the majority of their existing processes, enabled a faster timeline to certification than Fox IT's implementation experience would normally suggest.
Whilst many of the evidentiary requirements (e.g. documents and records) were already in place, there were a number of notable gaps. Fox IT consultants created the SMS policy and plan, as well as the other associated documents specified in ISO/IEC 20000. They also developed the necessary process documentation, either creating new documents or enhancing existing ones, including process flow diagrams, descriptive narratives explaining the individual process activities, and RACI matrices that clearly identified the accountabilities and responsibilities of the individuals performing relevant roles. Further support and guidance was provided to process owners and process managers updating their own documents. Fox IT's extensive experience in developing these key SMS artefacts was one way it was able to help the ITD meet its ambitious project timelines.
A reference matrix was used to ensure that all documents and records required by the Standard were in place. This also clearly identified, for the internal Governance team and the external auditors, the owners and storage locations of all relevant documentation, and helped to evidence that no gaps existed. Additionally, the client's existing use of its Intranet gave both internal staff and external auditors good visibility of the individual SMS controls and their supporting evidence.
Whilst the client was directly responsible for implementing and improving the necessary processes and new process activities, Fox IT provided advice and guidance on an ad hoc basis as required, and mentored certain individuals.
Value and Benefits
The ITD achieved certification in April 2016. The attainment of ISO/IEC 20000 was key for the IT Director and the rest of the senior management team in having independent verification that they have a mature and properly structured framework in place to assure the delivery of quality, valued and timely services to the business, and as such the achievement was reported to Board-level directors.
The processes that were implemented and/or improved have extended the control framework already in place, and have enhanced the structures for process owners and process managers and the regular control submissions they have to make. The additional activities now performed, as well as remediating some previously acknowledged gaps, have led to better communication and improved understanding between internal parties and other key stakeholders, first and foremost the business.
Certification has helped to further embed the client’s set of core Operating Principles, and has also provided the groundwork for the prospect of achieving other related certifications (such as those for information security and quality management systems).
Senior IT Governance & Risk Manager: “Fox IT enabled us to achieve ISO/IEC 20000 certification in a timeframe that met our business requirements. Their experience and support shortened our delivery time significantly.”