ISO/IEC 20000

ISO/IEC 20000 is the international standard for IT service management. It was developed in 2005 by ISO/IEC JTC1/SC7 and revised in 2011 and 2018. [1] It was originally based on the earlier BS 15000 that was developed by BSI Group. [2]

ISO/IEC 20000, like its BS 15000 predecessor, was originally developed to reflect the best-practice guidance contained within the ITIL framework, although it equally supports other IT service management frameworks and approaches, including the Microsoft Operations Framework and components of ISACA's COBIT framework. The differences between ISO/IEC 20000 and BS 15000 have been addressed by Jenny Dugmore. [3] [4]

The standard was first published in December 2005. In June 2011, the ISO/IEC 20000-1:2005 was updated to ISO/IEC 20000-1:2011. In February 2012, ISO/IEC 20000-2:2005 was updated to ISO/IEC 20000-2:2012.

ISO 20000-1 has been revised by ISO/IEC JTC 1/SC 40 (IT Service Management and IT Governance). The revision was released in July 2018. From that point, certified entities entered a three-year transition period to update to the new version of ISO 20000-1, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements.

Parts

ISO/IEC 20000-1: Service management

Formally, ISO/IEC 20000-1:2018 ('part 1') specifies requirements for "establishing, implementing, maintaining and continually improving a service management system. An SMS supports the management of the service lifecycle, including the planning, design, transition, delivery and improvement of services, which meet agreed requirements and deliver value for customers, users and the organization delivering the services." The 2018 version (ISO/IEC 20000-1:2018) comprises ten sections, following the high-level structure from Annex SL of the Consolidated ISO/IEC Directives, Part 1:

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organization
  5. Leadership
  6. Planning
  7. Support of the Service Management System
  8. Operation of the Service Management System
  9. Performance Evaluation
  10. Improvement

ISO/IEC 20000-2: Guidance on the application of service management systems

ISO/IEC 20000-2:2019 provides guidance on the application of service management systems (SMS) based on the requirements in ISO/IEC 20000-1:2018.

ISO/IEC 20000-3: Guidance on scope definition and applicability of ISO/IEC 20000-1

ISO/IEC 20000-3:2019 provides guidance on scope definition, applicability and demonstration of conformance for service providers aiming to meet the requirements of ISO/IEC 20000-1, or for service providers who are planning service improvements and intending to use ISO/IEC 20000 as a business goal. It supplements the advice in ISO/IEC 20000-2, which provides generic guidelines for implementing an SMS in accordance with ISO/IEC 20000-1.

[Withdrawn] ISO/IEC 20000-4: Process assessment model

ISO/IEC TR 20000-4:2010 has been withdrawn. A set of new documents providing a Process Reference Model (PRM) and a Process Assessment Model (PAM) based on ISO/IEC 20000-1:2018 has been developed by ISO/IEC JTC1/SC7 as ISO/IEC 33054 (PRM) and ISO/IEC 33074 (PAM).

ISO/IEC 20000-5: Implementation guidance for ISO/IEC 20000-1

ISO/IEC TR 20000-5:2022 provides guidance to service providers on how to implement an SMS based on ISO/IEC 20000-1.

ISO/IEC 20000-6: Requirements for bodies providing audit and certification of service management systems

ISO/IEC 20000-6:2017 provides requirements for auditing bodies for the assessment of conformance to ISO/IEC 20000-1.

[Withdrawn] ISO/IEC 20000-7: Guidance on the Integration and Correlation of ISO/IEC 20000-1:2018 to ISO 9001:2015 and ISO/IEC 27001:2013

ISO/IEC TR 20000-7:2019 provides guidance on the integrated implementation of a Service Management System based on ISO/IEC 20000-1:2018 with a Quality Management System based on ISO 9001:2015 and/or an Information Security Management System based on ISO/IEC 27001:2013.

[Withdrawn] ISO/IEC 20000-9: Guidance on the application of ISO/IEC 20000-1 to cloud services

ISO/IEC TR 20000-9:2015 provided guidance on the use of ISO/IEC 20000‑1:2011 for service providers delivering cloud services.

ISO/IEC 20000-10: Concepts and vocabulary

ISO/IEC TR 20000-10:2018 describes the core concepts of ISO/IEC 20000, identifying how the different parts support ISO/IEC 20000‑1:2018 as well as the relationships between ISO/IEC 20000 and other International Standards and Technical Reports. This part of ISO/IEC 20000 also explains the terminology used in the ISO/IEC 20000 series, so that organizations and individuals can interpret the concepts correctly.

ISO/IEC 20000-11: Guidance on the relationship between ISO/IEC 20000-1 and service management frameworks: ITIL

ISO/IEC TS 20000-11:2021 is a Technical Specification that provides guidance on the relationship between ISO/IEC 20000-1:2011 and a commonly used service management framework, ITIL 4.

ISO/IEC 20000-14: Guidance on the relationship between ISO/IEC 20000-1 and service management frameworks: Service Integration and Management

This document discusses the relationships between ISO/IEC 20000-1 and Service Integration and Management (SIAM).

ISO/IEC 20000-15: Guidance on the application of Agile and DevOps principles in a service management system

ISO/IEC 20000-15:2024 provides guidance on the use of Agile and DevOps principles in a service management system.

[Under Development] ISO/IEC 20000-16: Guidance on sustainability within a service management system based on ISO/IEC 20000-1

Projected publication in 2024.

[Under Development] ISO/IEC 20000-17: Scenarios for the practical application of ISO/IEC 20000-1

Projected publication in 2024.

Certifications and qualification schemes

As with most ISO standards, organizations and individuals seek training towards establishing knowledge and excellence in applying the standard. The certification scheme targets organizations, while the qualification scheme targets individuals.

Qualification of individuals is offered by URS, APMG-International, EXIN, PECB, Loyalist Certification Services, TÜV SÜD Akademie, PEOPLECERT, and IRCA. The EXIN, Loyalist and TÜV SÜD program is in fact a qualification in IT Service Management based on ISO/IEC 20000 and includes a Foundation level and several role-based certificates: professionals in Align, Deliver, Control and Support, Associate, (Executive) Consultant/Manager and Auditor. The APMG qualifications are focused on getting an organization certified and presume that knowledge of IT Service Management is already available. The APMG qualifications are conducted at the Foundation, Practitioner and Auditor levels. IRCA and other organizations involved in the certification of auditors have developed their own auditor training and certification for ISO/IEC 20000 auditors.

In terms of certification, there are leading certification bodies around the world, for instance BSI in the UK, Quality Austria in Austria, JQA in Japan, KFQ in Korea and SAI Global in Australia, Asia and the Americas.

The importance of certification to ISO/IEC 20000 is not correlated with global adoption. [5] ISO collects the number of certificates issued by the different certification bodies and publishes the results annually in The ISO Survey of Management System Standard Certifications. The 2020 survey reports that 7,846 certificates (5,461 of them in China) were issued for ISO/IEC 20000. [6]

References

  1. ISO/IEC 20000-1:2018, Service Management System (SMS) Standard.
  2. "BSI Group Fast Facts". Archived from the original on 2012-10-20. Retrieved 2010-11-25.
  3. Dugmore, Jenny (2006). Achieving ISO/IEC 20000 - The Differences Between BS 15000 and ISO/IEC 20000. BSI Group. p. 124. ISBN 0-580-47348-1.
  4. Dugmore, Jenny (2006). "BS 15000 to ISO/IEC 20000: What difference does it make?". ITNOW. 48 (3): 30. doi:10.1093/combul/bwl017.
  5. Bettanin, Eric (2016). "Benefits of Certification to ISO/IEC 20000-1:2005 Within an Australian Government Organization". p. 9. Retrieved 2022-09-15.
  6. ISO (2020). "2020 ISO Certification Survey". p. 1. Retrieved 2022-09-15.