Workbook EXIN IT Service Management Foundation based on ISO/IEC 20000

Edition January 2014

2 Workbook EXIN ITSM based on ISO/IEC 20000

DISCLAIMER:

Although every effort has been taken to compose this publication with the utmost care, the Authors, Editors and Publisher cannot accept any liability for damage caused by possible errors and/or incompleteness within this publication. Any mistakes or omissions brought to the attention of the Publisher will be corrected in subsequent editions. All rights reserved.

COPYRIGHT

©2014 All rights reserved. No part of this publication may be published, reproduced, copied or stored in a data processing system or circulated in any form by print, photo print, microfilm or any other means without written permission by EXIN.

Trade Mark Acknowledgement Statements

ITIL® is a registered trademark of AXELOS Limited.

CobiT™ is a registered trademark of the Information Systems Audit and Control Association (ISACA)/IT Governance Institute (ITGI).

CMMI® is a registered trademark of Carnegie Mellon University.

Six Sigma® is a registered trademark and service mark of Motorola, Inc.


Colophon

Title: EXIN IT Service Management Foundation based on ISO/IEC 20000 – Workbook

Author: Victoriano Gómez Garrido (ITeratum)

Review: María de la Vega González (Independent Consultant), Carlos Durán Muñoz (Independent Consultant), Ricardo Santiago Cachero (EXIN)

Editor: Victoriano Gómez Garrido (ITeratum)

A publication of: ITeratum, S.L. and EXIN

ISBN: 978 90 8753 762 3

Edition: 2014


Prologue

Since its emergence in 2005, the international standard ISO/IEC 20000 has certainly become a compulsory reference for professionals and companies related to IT Service Management (ITSM). So much so that a great number of private companies and public institutions, such as the US Department of Defense, have adopted this standard.

EXIN, world leader in the field of Information Management for the certification of professionals, was a pioneer in developing a qualification scheme for people based on ISO/IEC 20000, providing the professional not only with the knowledge of the first part of the standard (the requirements), but also with the experience of all our expert contributors in traditional frameworks of IT Service Management best practice, making the ITSM scheme based on ISO/IEC 20000 the appropriate scheme for organizations and professionals that want to get the most out of the standard, without obsessing about the requirements to fulfill.

As IT professionals, we are obliged to be in a continuous process of learning and adaptation to new technologies and trends, and it is certainly necessary to know the ISO/IEC 20000 standard, whether you are on the “customer side” or on the “supplier side”. Both sides must understand each other and speak the same language, in a context in which “services” have an increasing preponderance.

The aim of this workbook is to be a helpful support for students of ITSM Foundation based on ISO/IEC 20000. Although the book itself could serve to prepare for the certification exam for ITSM Foundation based on ISO/IEC 20000, it is highly recommended, as far as possible, to attend the official training that any accredited EXIN partner may offer in a large number of countries. Furthermore, sharing experiences with colleagues and trainers will certainly enrich the reading of this text.

Ricardo Santiago

Area Manager of Spain, Portugal and Latin America

EXIN


Table of contents

Colophon
Prologue
Table of contents
Introduction

1 Introduction to IT Service Management
1.1 The importance of quality in IT services
1.2 Basic concepts of quality frameworks
Exam Preparation: chapter 1

2 The Service Management System (SMS)
2.1 What is a Service Management System (SMS)?
2.2 SMS general requirements
2.3 Establish and improve the SMS
Exam Preparation: chapter 2

3 Service Design and Transition
3.1 Basic concepts of Service Design and Transition
Exam Preparation: chapter 3

4 The service delivery processes and their relationships
4.1 Service Level Management
4.2 Service Reporting
4.3 Service Continuity and Availability Management
4.4 Budgeting and Accounting for Services
4.5 Capacity Management
4.6 Information Security Management
Exam Preparation: chapter 4

5 The relationship processes and their relationships
5.1 Business Relationship Management
5.2 Supplier Management
Exam Preparation: chapter 5

6 The resolution processes and their relationships
6.1 Incident and Service Request Management
6.2 Problem Management
Exam Preparation: chapter 6

7 The control processes and their relationships
7.1 Configuration Management
7.2 Change Management
7.3 Release and Deployment Management
Exam Preparation: chapter 7

8 List of Basic Concepts

Literature

Answers


Introduction

Quality in IT Service Management (ITSM) is one of the most important requirements for providing services that add value to the business. The ISO/IEC 20000 standard for IT Service Management has brought together the principles of ISO quality management and the standard ITSM processes in the market.

Figure 1.1: Processes in ISO/IEC 20000 (Source: ISO/IEC 20000-2)

The purpose of this book is to help in the preparation for the EXIN ITSM Foundation based on ISO/IEC 20000 exam, providing an overview of IT Service Management from the perspective of ISO/IEC 20000. It addresses fundamental concepts, such as quality, the frameworks, the services provided to the business and the processes that support, control and facilitate those services.

The exam consists of 40 multiple-choice questions. At the end of each chapter of this book you will find examples of these exam questions, along with others focused on the understanding of concepts, which will help to fix the ideas. The exam specifications are given at the beginning of each chapter, and the weight of each of the topics is shown as a percentage of the total.


Target Audience

The book is aimed at those who wish to prepare for the exam to obtain EXIN ITSM Foundation based on ISO/IEC 20000 Certification, those interested in IT Service Management or those who play a role in this field. This includes staff from internal and external service providers, their customers and their managers.


Introduction to IT Service Management: Exam specifications (15%)

After reading chapter 1, you will understand the basic concepts on which IT Management is based and the standards and frameworks related to it. You will thereby achieve the following objectives:

1.1 Understand the core concepts of IT Service Management (10%)

You will be able to:

1.1.1 Describe what quality is and why it is important
1.1.2 Describe what an IT service is
1.1.3 Describe the factors needed to provide an IT service
1.1.4 Describe the benefits and characteristics of a process-based approach
1.1.5 Describe the concept of IT service management
1.1.6 Describe the benefits and risks of IT service management
1.1.7 Describe the role of tools used within IT service management
1.1.8 Describe the principles of continual improvement and the applications of the PDCA cycle

1.2 Understand the core concepts surrounding quality frameworks (5%)

You will be able to:

1.2.1 Identify the purpose and benefits of ISO/IEC 20000
1.2.2 Identify the purpose and application/audience of ISO 9001, ISO/IEC 27000 family, ITIL®, COBIT®, Six Sigma®, CMMI® for Services, GreenIT, Cloud, TMap NEXT®
1.2.3 Describe the complementary nature of the quality frameworks


1 Introduction to IT Service Management

1.1 The importance of quality in IT services

The concept of quality is commonly used in our language. We talk about “good quality” or “bad quality” when referring to a product or a service we have acquired, to express whether we are satisfied with it or not. But what makes quality “good” or “bad”? Against what are we comparing this service or product when making this assessment?

1.1.1 What is quality?

To avoid misunderstandings we should first define what quality is. The ISO 9001 standard, which defines how a quality management system should be (and on which the ISO/IEC 20000 standard is based), says that:

We can talk about quality when the customer obtains every single characteristic expected from a product or service.

The customer has the last word on whether the service or product acquired fulfills his or her expectations. Therefore, any product or service that meets the customer requirements, in the terms previously agreed, is a quality product or a quality service.

Figure 1.2: The quality concept (Source: ITeratum)


1.1.2 The importance of quality

Quality has not always been a strategic concept in business. At the beginning of the 20th century, quality in production chains was restricted to the inspection of the final product before delivery to the customer. This prevented the delivery of wrong products, but neither products nor processes were improved, which implied an additional cost for the customer, meaning that quality was expensive.

This was a valid method while demand was higher than supply. However, when the situation turned around, customer expectations increased not only in terms of quality but also in terms of product cost. As a result, quality was no longer limited to the final product, as it extended to the complete manufacturing process (“…it has to be well done from the very first time…”).

During the 1980s, quality became a strategic element in business, a differentiating factor that could help position the offer of the company ahead of its competitors. The concept of Total Quality Management (TQM) appeared. This is a management strategy developed by several American consultants, W. E. Deming and Joseph Juran among them. Kaoru Ishikawa, a well-known expert in quality management, defined TQM as "Philosophy, culture, strategy or management style of a company according to which all persons in the same, study, practice, participate and promote continuous quality improvement."

In 1987 the International Organization for Standardization (ISO) adopted a set of quality standards known as ISO 9000 that were developed to be applied to any kind of organization. The ISO 9001 certification ensures that an organization is governed by the principles of TQM.

Figure 1.3: The quality evolution (Source: ITeratum)


1.1.3 Quality Management

As we saw in the previous section, quality has evolved over time from a simple check of a finished product to quality management, in which what is sought is customer satisfaction. Therefore we can say that:

Quality management includes everything the organization does to ensure that its products or services meet customers’ quality requirements and to comply with all the norms applicable to those products or services.

In the case of an IT service provider, such as the IT department of an organization, quality management means understanding the perspective of the organization (what we usually call “the business”) on quality and service issues, and ensuring that the services provided are aligned with this perspective.

When the ISO 9000 family of standards (international standard for quality management) was drawn up, eight basic principles were established to underpin the whole system of quality management. These principles, according to what is stated in ISO 9001, are as follows:

1. Customer focus: An organization depends on its customers; therefore, you need to understand what their needs are and try to meet them.

2. Leadership: Leaders are responsible for guiding the organization, and for motivating and involving the staff in its objectives.

3. Involvement of people: It is essential that all staff, whatever their level, get involved, putting their skills at the disposal of the organization.

4. Process approach: Activities and related resources are much more efficient when they are managed as a process.

5. System approach to management: It is important to identify and to manage interrelated processes as a system in order to achieve the organization's objectives effectively and efficiently.

6. Continual improvement: Once the organization has reached a certain level of quality, it cannot get stuck, because this would mean the loss of its market position, as well as the loss of its quality level. It is necessary that the organization has the continual improvement of the overall performance as a target.

7. Factual approach to decision making: Only an analysis of existing data and information enables effective decision-making.

8. Mutually beneficial supplier relationships: Organizations depend on their suppliers in order to meet their commitments to their customers. Therefore, a mutually beneficial relationship enhances the ability of both parties to add value to their work.

Figure 1.4: Quality Management Principles (Source: ITeratum, based on ISO 9001)


1.1.4 IT Services

Over the last decades, the relationship between IT and the rest of the business has evolved. Information Technology was usually considered to generate products: computers, systems, applications, etc. However, at the same time that the quality concept was being reinforced, the relationship between business and IT was changing and increasingly moving towards one in which what the business demanded from IT was not just products but services.

1.1.4.1 What is a Service?

ITIL® gives the following definition of a service, which has been adopted by ISO/IEC 20000:2011:

Service is a means of delivering value for the customer by facilitating results the customer wants to achieve without having to assume ownership and responsibility for the costs and risks involved.

Let's look at a simple example. Suppose one day we decide to eat pizza. One possibility is to go to a pizzeria, buy the one we like and take it home for dinner. In this case, we are buying a product.

Another possibility would be to call the pizzeria to order the pizza. In this case, an operator would receive the order, someone else would prepare it and a third person would bring it to our home in a vehicle. We could even make a claim in the event that the pizza does not arrive in proper condition. In this case, we are making use of a service (home delivery service).

Consequently, we may say that an IT Service is any service provided by the IT organization to the business. Although information technology uses products for the provision of IT services, nowadays it is increasingly accepted that IT activities are within the domain of services.


As a result, we can establish some features of the services:

• They are intangible: they have tangible components but they are much more than the simple combination of these components.
• They are produced and consumed at the same time: they cannot be stored.
• They are highly variable: not only machines are involved in the services, but also people.
• The user gets involved in the service production: it is common that the user has to perform certain actions so that the service can be used.
• Satisfaction is a subjective concept: products can be valued before purchase, but you cannot judge a service that has not been received yet.

1.1.4.2 IT Service Components

From a technical point of view, we can say that a service consists of an information system that is linked with a particular support and that is delivered to the customer with certain quality levels that have been previously agreed.

Information Systems: An information system is a bundle of elements intended to manage and administer the data and information used to control or support business processes. Basically it consists of people, products, processes and associated suppliers.

Support: Support must be put in place to provide maintenance, in order to guarantee that services will be active and that performance will be aligned with the specified requirements.

Quality specifications: Since services have to be provided according to the customers’ requirements, some quality parameters have to be met in the form of capacity, availability, security and service levels.

Figure 1.5: IT Service Components (Source: ITeratum)


1.1.4.3 Differences between services provided and quality perceived

One of the main challenges of providing services is to ensure that the quality perceived by customers and/or users is aligned with their expectations and that this quality is maintained over time. To this end it is necessary that the service provider fully understands the customer expectations, has the knowledge to convert them into real services and carries out continuous monitoring in order to avoid disparities between what the customer expected and his or her perception of the service received.

Figure 1.6: The quality perception (Source: ITeratum)

To avoid these disparities ("gaps") it is important that both the customer and the provider speak the same language (COBIT®, ITIL®, etc.), that the customer clearly specifies what his or her expectations are, and that the provider is adaptable enough to face the frequently changing situation of services.

A continuous review and evaluation of services between the customer and the provider will allow an increasing alignment between what the business demands and what IT provides, as well as a more effective and efficient adjustment of costs.


1.1.5 Process Orientation

To get an organization to work effectively it is necessary to carry out a large number of interrelated activities. It is important that these activities can be controlled and managed from beginning to end, so that the organization is able to achieve its objectives. To this end the process-oriented approach is used. But what does process mean? ISO 9001:2005 defines it as:

A process is an activity or a group of activities that uses resources and that is managed in order to get the input elements transformed into outcomes.

For a process structure to be clearly described, the following must be established:

• What has to be done.
• Which are the inputs and the outputs (outcomes).
• How to measure the process outcomes.
• How other processes are affected by the outcomes of the process.

Usually, the outputs of one or more processes are the inputs of other processes. The implementation of a system of processes in the organization, along with the management of that system, aimed at meeting the expected results, is called the process-oriented approach.

The implementation of a process-oriented approach in the organization provides a number of important benefits, including:

• Improved and predictable results.
• More effective use of resources, resulting in cost savings and shorter life cycles.
• Identification and prioritization of improvement opportunities.

Figure 1.7: Process components (Source: ITeratum)


1.1.5.1 Process evaluation

As we have seen in the previous section, an important point of process orientation is that it allows improvement opportunities to be identified. However, to find out whether something we do in the process could be improved, we should be able to measure what is happening in the process; that is, we need to be able to evaluate the process.

To this end Critical Success Factors (CSF) and Key Performance Indicators (KPI) are used. A CSF is something that must happen for a service, process or activity to be successful, while the KPIs are used to measure whether or not each CSF has been achieved. CSFs are qualitative while KPIs are quantitative elements.

For example, a CSF could be "avoiding IT services being affected when changes are made". That can be measured by KPIs such as "reduction percentage of failed changes", "reduction percentage of incidents due to changes", etc.

1.1.5.2 Processes roles

A role is a set of responsibilities, activities and authority levels defined in a process and assigned to a person or group of people.

According to ISO/IEC 20000-2, the main roles in the process are:

• Process Owner: responsible for describing the process and its results.
• Process Manager: responsible for the operation of the process, the day-to-day control and management.
• Process Personnel (teams or professionals): responsible for certain activities.

It is important to highlight that a person or a team may be able to perform multiple roles.


1.1.6 IT Service Management

According to ISO/IEC 20000:2011, Service Management is defined as:

Set of capabilities and processes to direct and control the service provider's activities and resources for the design, transition, delivery and improvement of services to fulfill the service requirements.

Regarding IT services, the 2011 edition of ITIL® specifies that IT Service Management (ITSM) is "the implementation and management of IT quality services that meet business needs by service providers, through a combination of people, processes and technology".

There are basic relationships in ITSM between each of its components: customers, business processes, IT services and service providers:

• Business processes are supported by IT services.
• The main activity of an IT provider is the delivery of IT services.
• IT provider customers are basically organizations involved in business processes.
• Users make use of IT services to carry out day-to-day activities.
• ITSM frameworks describe best management practices for IT Services.

Figure 1.8: ITSM relationships (Source: EXIN materials)


1.1.7 Benefits and Risks of IT Service Management

Implementing IT Service Management in the organization brings a number of important benefits, but if it is not done in a planned and controlled manner, supported by both the staff and the business management, it can result in negative situations that should be avoided.

The benefits and potential risks or difficulties of IT Service Management are shown in the following comparison chart:

Benefits

• Understanding and implementation of requirements to achieve customer satisfaction.
• Service delivery driven by the policies and objectives.
• Services designed and delivered following a defined management system.
• Continuous monitoring, measurement and review of systems management and service performance.
• Continuous improvement of services and management system based on objective measures.
• Increase in effectiveness and efficiency of workflows.
• Improvement of communications and knowledge management.
• Decrease in errors that result in failures.
• Risk Management improvement.

Risks and Difficulties

• Bureaucratic procedures, more paperwork.
• Less efficiency and effectiveness if:
   o Staff is not aware of processes and measures.
   o The staff does not accept the system.
   o The management hardly supports the system without a firm commitment.
   o An important part of the work is done outside the system.
   o Processes are not fulfilled.


1.1.8 The tools in the IT Service Management

To carry out the usual tasks of IT Service Management it is normal to make use of a number of elements (applications, systems, customized developments, etc.) which facilitate the automation of processes in our daily work. These elements are generally known as “tools”.

The use of tools is very important because it increases efficiency, with the subsequent cost reduction, while providing evidence of the processes carried out. ISO/IEC 20000-1:2011 mentions tools, stating “appropriate tools may be used to enable the service management processes to be effective and efficient”.

Over the last decades ITSM tools of differing complexity, cost, scope and functional features have arisen in the market. Some of the most typical tools that can be found are:

• Monitoring tools
• Distribution / software discovery / hardware tools
• Integrated sets of tools for Service Management
• Design and control of workflow tools
• Infrastructure remote management tools

In any case, the fact that a company has an ITSM tool does not in itself mean that Service Management is implemented, in the same way that having a piano does not mean you know how to play it.

We should not make the mistake of confusing the implementation of Service Management with the implementation of a provider’s tool, however powerful and famous it may be. In Service Management it is necessary to take into account other factors linked to technology: people, processes and providers/suppliers.


1.1.9 Principles of the Continual Improvement and PDCA Cycle applications

When we discussed quality, one of the eight principles of Quality Management was continual improvement. To simplify, we can say that continual improvement consists of providing the necessary means to make things increasingly better.

This could seem easy at first, but it implies an effort and a significant involvement by all the staff in the organization, from top management to the lowest level employees, so that gradual improvement becomes a reality.

William Edwards Deming (1900-1993) was an American statistician known for his contribution to the improvement of productivity and the achievement of higher levels of quality in products and services. Deming proposed a four-step strategy for continual improvement, which is known today, in his honor, as the Deming Cycle, or PDCA methodology.

The steps of the PDCA methodology ("Plan-Do-Check-Act") can be briefly described as follows:

• Plan: To establish, document and agree on the Service Management System (SMS), including the policies, objectives, plans and processes necessary to design and deliver services aligned to business needs, customer requirements and the service provider's policies.
• Do: To implement and operate the SMS for the design, transition, delivery and improvement of services, assigning roles and responsibilities.
• Check: To monitor, measure and review the SMS and the services against the plans, policies, objectives and requirements and to report on the results.
• Act: To take actions to continually improve SMS performance. This includes the service management processes and the services themselves.

Figure 1.9: The Deming Cycle (Source: ISO/IEC 20000-2)


1.2 Basic concepts of quality frameworks

1.2.1 The ISO/IEC 20000 standard

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) define a specialized system for worldwide standardization. Their technical committees (JTC, Joint Technical Committees) collaborate in areas of mutual interest, one example being ISO/IEC JTC 1, which is responsible for the preparation of the ISO/IEC 20000 standard.

ISO/IEC 20000 is an international standard which aims to ensure the provision of managed services at a level of quality that is acceptable to customers and has been negotiated with them.

It was released for the first time on December 15, 2005 (this standard is known as ISO/IEC 20000:2005). It was reviewed later on (all standards must be reviewed every five years) in order to align it with other existing standards, practices and technologies, and ISO/IEC 20000:2011 was released on April 15, 2011.

ISO/IEC 20000 promotes the use of the PDCA methodology. It is a process-based standard that does not consider a life cycle for services. However, stages of Design, Transition, Operation and Improvement of such services can be identified. This standard consists of several parts:

| Part | Designation | Type | Content |
|---|---|---|---|
| Part 1 | ISO/IEC 20000-1:2011 | IS | Service Management System Requirements |
| Part 2 | ISO/IEC 20000-2:2012 | IS | Guidance on the application of SMS |
| Part 3 | ISO/IEC 20000-3:2009 | TR | Guidance on scope definition and applicability |
| Part 4 | ISO/IEC 20000-4:2010 | TR | Process reference model |
| Part 5 | ISO/IEC 20000-5:2010 | TR | Exemplar implementation plan for ISO/IEC 20000-1 |
| Part 7 | ISO/IEC 20000-7 (*) | --- | Guidance on cloud deployment |
| Part 8 | ISO/IEC 20000-8 (**) | --- | Service Management processes assessment model |
| Part 10 | ISO/IEC 20000-10 (*) | --- | Concepts and terminology |
| Part 11 | ISO/IEC 20000-11 (*) | --- | Guidance on the relationship between ISO/IEC 20000-1:2011 and related frameworks |
| --- | ISO/IEC 27013 (***) | --- | Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 |

Comments to the chart:

(*) Standards to be published on future dates
(**) Based on the ISO/IEC 15504 standard
(***) Family of standards (ISO/IEC 27000) related to Security Management Information System (SMIS)

IS: International Standard
TR: Technical Report, an informative document that contains information other than that usually published in a normative document (IS)

As shown in the chart, not all parts have been published, nor are they all at the same stage of evolution. In this book, the two parts we will focus on are Part 1 (ISO/IEC 20000-1:2011) and Part 2 (ISO/IEC 20000-2:2012).

Part 1 considers what the standard calls the “shalls”, that is, “what to do” in an SMS, while Part 2 considers the “shoulds”, or “what should be done”. In other words, while Part 1 provides information about what is mandatory according to the standard, Part 2 provides recommendations to be followed.

When an audit mentions breaches or non-conformities with the standard, it is referring to those points of the SMS that do not adhere to the requirements of ISO/IEC 20000 Part 1.


1.2.2 Scope of the ISO/IEC 20000 standard

Depending on their approach to this international standard, different groups may find it helpful:

• Organizations:
   o For any organization seeking services from service providers and requiring assurance that their service requirements will be fulfilled.
   o For any organization that requires a consistent approach by all its service providers, including those in a supply chain.

• Service Providers:
   o For a service provider that intends to demonstrate its capability for the design, transition, delivery and improvement of services that fulfill service requirements.
   o For a service provider to monitor, measure and review its service management processes and services.
   o For a service provider to improve the design, transition and delivery of services through effective implementation and operation of an SMS.

• Assessors or Auditors:
   o For an assessor or auditor as the criteria for a conformity assessment of a service provider's SMS to the requirements of the standard.

Figure 1.9: Scope of the standard (Source: ITeratum, based on ISO/IEC 20000-2)


1.2.3 Sections in the ISO/IEC 20000 standard

Both Part 1 (ISO/IEC 20000-1:2011) and Part 2 (ISO/IEC 20000-2:2012) of the standard are divided into a number of uniform sections that deal with similar subjects. These sections are:

1. Scope

2. Normative references

3. Terms and definitions

4. Service management system general requirements

4.1. Management responsibility

4.2. Governance of processes operated by other parties

4.3. Documentation management

4.4. Resource management

4.5. Establish and improve the SMS

5. Design and transition of new or changed services

6. Service delivery processes

6.1. Service level management

6.2. Service reporting

6.3. Service continuity and availability management

6.4. Budgeting and accounting for services

6.5. Capacity management

6.6. Information security management

7. Relationship processes

7.1. Business relationship management

7.2. Supplier management

8. Resolution processes

8.1. Incident and service request management

8.2. Problem management

9. Control processes

9.1. Configuration management

9.2. Change management

9.3. Release and deployment management


The following chart shows schematically sections 4 to 9 of the standard. Each of these sections will

be discussed in detail from Chapter 2 onward.

Figure 1.10: Sections of the standard & Processes (Source: ISO/IEC 20000-2)


1.2.4 Other complementary frameworks related to quality

Multiple standards, frameworks, best practices and new technologies have grown up to form the current landscape of Information Technology Service Management. Each of them tends to focus on a specific part of ITSM; taken together, they complement one another and reinforce the effectiveness and efficiency that an organization can achieve by knowing and using them.

1.2.4.1 ITIL®

ITIL®, the Information Technology Infrastructure Library, is the set of best practices for IT Service Management.

Along with ISO 9000, ITIL® version 2 is considered the predecessor of ISO/IEC 20000.

ITIL® has evolved over time and currently considers services from a lifecycle perspective, beginning with the strategy and going through design and transition to service operation. All of this is controlled and supervised by continual service improvement.

In its latest revision (2011), ITIL® takes into account 26 processes, many of them closely related to those considered in the ISO/IEC 20000:2011 standard. Because of this, many organizations use it as the body of knowledge that supports the implementation of ISO/IEC 20000.

Figure 1.11: The Lifecycle according to ITIL® (Source: EXIN materials)

Figure 1.12: Standards & best practices (Source: EXIN materials)


1.2.4.2 COBIT®

COBIT®, Control Objectives for Information and Related Technologies, is a reference framework for IT Governance that is accepted worldwide and is based on the standards and best practices of the industry.

It was created by ISACA in 1996, and then jointly developed with ITGI®, with the objective of being used in the audit of information systems. It later evolved into a framework for IT Management. ISACA, the Information Systems Audit and Control Association, defines the purpose of COBIT® as "helping IT professionals and business leaders fulfill their governance and management responsibilities, particularly in the areas of assurance, security, risk and control, in order to add value to the business". ITGI® (IT Governance Institute) is a non-profit, independent research entity that provides guidance to the global business community on subjects related to corporate governance of IT assets. ITGI® was established by ISACA in 1998.

At the time this book was published, two versions of COBIT® coexisted: version 4.1, which appeared in 2007 and is in widespread use, and version 5, released recently (2012). Version 4.1 is structured in 4 domains or groups of processes (Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate). Together, these four domains encompass 34 processes. For each of these processes, COBIT® proposes a number of indicators to monitor and control targets.

Figure 1.13: COBIT® 4.1 (Source: ISACA)

Figure 1.14: Domains in COBIT® 4.1 (Source: ISACA)


In April 2012, COBIT® version 5 came out. This version incorporates concepts from other frameworks and standards such as ITIL®, ISO/IEC 27002, Risk IT (framework for risk assessment and management) and Val IT (framework for IT business investment government). COBIT® 5 is based on five key principles:

Figure 1.15: Key Principles in COBIT® 5 (Source: ISACA)

The COBIT® 5 Process Reference Model subdivides the activities and practices of the Organization related to IT into two main areas, Government and Administration. The Administration area is also divided into domains of processes:

The Government Domain contains five government processes, each of them consisting of practices defined for Evaluate, Direct and Monitor (EDM).

The four domains of the Administration are aligned with the responsibility areas of Plan, Build, Run and Monitor (PBRM). These are:

o Align, Plan and Organize

o Build, Acquire and Implement

o Deliver, Service and Support

o Monitor, Evaluate and Assess

COBIT® 5 considers 37 processes, taking into account Government and Administration.


1.2.4.3 Six Sigma®

Six Sigma® is a process improvement methodology which aims to reduce defects, where a defect is anything that falls outside the customer's specifications. The main objective of Six Sigma® is to reduce errors to less than 3.4 defects per million executions (regardless of the process in question).

Six Sigma® applies statistical tools to study processes. That is the reason behind its name: “sigma” is the standard deviation, which indicates the variability in a process. The efficiency of a process may be classified according to its sigma level (DPMO = defects per million events or opportunities):

1 sigma = 690,000 DPMO = 31% efficiency

2 sigma = 308,538 DPMO = 69% efficiency

3 sigma = 66,807 DPMO = 93.3% efficiency

4 sigma = 6,210 DPMO = 99.38% efficiency

5 sigma = 233 DPMO = 99.977% efficiency

6 sigma = 3.4 DPMO = 99.99966% efficiency

Six Sigma® makes use of the DMAIC methodology (Define, Measure, Analyze, Improve and Control), based on Deming’s PDCA cycle. The DMADV methodology (Define, Measure, Analyze, Design and Verify) comes from DMAIC. Whereas DMAIC is a method of improving already existing processes, DMADV is applied to the creation of new processes.

Figure 1.16: DMAIC methodology (Source: ITeratum based on Six Sigma®)


1.2.4.4 CMMI®

Capability Maturity Model Integration (CMMI®) is a model to assess the maturity of processes carried out in an organization, setting a method for gradual improvement.

It was developed in 1986 by the Software Engineering Institute (SEI) of Carnegie Mellon University in response to a request from the Department of Defense of the United States, which wished to have a method to control the software development capability of its suppliers. This original model was called SW-CMM (Maturity Model Software Capability). SW-CMM evolved into CMMI®, expanding the scope of its framework. Currently, CMMI® is divided into four areas of processes (24 processes in total): CMMI® Foundation, with processes common to all of them; CMMI® for Development, for the development of software applications; CMMI® for Services, for the provision of services; and CMMI® for Acquisition, for acquisitions. CMMI® defines five gradual steps in which an organization is positioned depending on the maturity of its processes:

The improvement of the processes is performed continuously.

Quality and performance quantitative targets are set and measured.

All processes are defined, documented and integrated.

There are some basic processes adopted by the organization.

The processes are chaotic and just a few are defined.

Organizations may evaluate their maturity level against CMMI® using the Standard CMMI

Appraisal Method for Process Improvement (SCAMPI).

Figure 1.17: CMMI framework (Source: ITeratum)

Figure 1.18: CMMI maturity levels (Source: ITeratum)


1.2.4.5 ISO 9001

The ISO 9001 standard specifies the requirements to be met by a Quality Management System in

an organization, regardless of the product or service provided and the type of organization in

question.

The ISO 9001 standard has already been mentioned when we talked about Quality Management.

Among its main contributions, the 8 basic principles for the Quality Management stand out:

1. Customer focus

2. Leadership

3. Involvement of people

4. Process approach

5. System approach to management

6. Continual improvement

7. Factual approach to decision making

8. Mutually beneficial supplier relationship

ISO 9001 describes only general processes: organizational management, resource management,

product or service development, measurement, analysis and improvement. On the other hand,

ISO/IEC 20000, relying on ISO 9001, deepens and focuses on the issues related to Service

Management.

Figure 1.19: Quality Management Principles

(Source: ITeratum, based on ISO 9001)


1.2.4.6 ISO/IEC 27001

The ISO/IEC 27001 standard specifies the requirements that must be met by an Information Security Management System (ISMS).

This standard is closely related to ISO/IEC 20000, to the point that if an organization that is certified in ISO/IEC 27001 wants to become certified in ISO/IEC 20000, and the scope specified for both standards is the same, ISO/IEC 20000-1 section 6.6 (Information security management) is not required.

ISO/IEC 27000, just as other ISO standards, is based on the PDCA cycle:

Figure 1.20: PDCA in ISO/IEC 27000 (Source: ISO/IEC 27000)

ISO/IEC 27000 is a family of standards, consisting of multiple documents:

ISO/IEC 27000 – Overview and Terminology

ISO/IEC 27001 – ISMS Requirements

ISO/IEC 27002 – Code of Practice

ISO/IEC 27003 – Implementation

ISO/IEC 27004 – Measures

ISO/IEC 27005 – Security Risk Management

ISO/IEC 27006 – Audit

And the family of standards is still growing (27011, 27031, 27033, 27035…).


1.2.4.7 ISO/IEC 38500

ISO/IEC 38500 is the standard for IT Governance. Its purpose is to promote an acceptable, effective and efficient use of Information Technology in organizations.

By Corporate Governance we mean the set of directions, policies, processes and regulations by which companies are ruled, operated and controlled, whatever their sector. The ISO/IEC 38500 standard refers to "IT Corporate Governance" and not "IT Governance". The reason is that there is no separate set of rules for Information Technologies; they have to comply with the same rules that govern the business.

IT Corporate Governance should be carried out through three main tasks:

Evaluate: reviewing and assessing strategies and proposals, taking into consideration the present and future business needs.

Direct: defining and assigning responsibilities for the implementation of plans and policies.

Monitor: using measurement systems to monitor performance and conformance to external obligations.

Figure 1.21: Corporate Governance activities (Source: ISO/IEC 38500)


1.2.4.8 “New” Technologies

Information Technology Service Management, by its very nature, is highly influenced by the emergence of new technologies, and of others that evolve from traditional technologies, driven by technical advances.

Combined with the interest of companies in optimizing their resources cost-efficiently, this brings a series of "New" Technologies into play. These technologies add to the frameworks, standards and best practices, enriching the possibilities available for IT Service Management. Among the most successful we find the following:

Green IT

The Green IT concept refers to the guidelines focused on the definition, spreading and promotion of energy efficient technology, and the reduction of its environmental impact while achieving cost savings.

Cloud Technologies

Cloud Technologies refer to the provision and acquisition of IT services based on the Internet. Its main features are:

On demand self service

Pooling resources (multi-tenancy)

Scalability and flexibility

Pay per use

Broad access through the network ("anytime, anywhere, from any device")

TMap NEXT®

Methodology for "Testing" (test planning, preparation and measurement) based on four key elements:

Business-driven Test Management (BDTM)

Structured Test Process

Tool kit

Adaptability


1.2.5 Complementary nature of the quality frameworks

Although each standard and/or framework seen previously may be used separately and be sufficient for an organization, none of them provides a comprehensive solution to IT Management. However, there is neither competition nor exclusion between them. Furthermore, they often have overlapping areas, thereby becoming complementary elements.

Many organizations make use of a combination of them for a more effective management and

improvement of Information Technologies. Some companies have chosen a combination of ITIL®,

CMMI® and Six Sigma® as the best option, whereas others have preferred the option of ITIL® plus

COBIT® in order to transform their organization. There is no specific formula. Every organization

should choose their formula depending on their own needs and targets. The following table is a

summary of the elements studied and some possible combinations:

Frame / standard: Suitable for

ISO 9001 and Six Sigma®: Quality Management in the organization.

ISO/IEC 20000 and ITIL®: Information Technologies Service Management improvement.

ISO/IEC 27001: Information Security Management.

CMMI®: Assessment of maturity level of IT processes and services.

COBIT® 5 and ISO/IEC 38500: Information Technology Governance.

It is remarkable that all these frameworks and standards have a concept in common: the

commitment of people. People make it possible to apply them.


Exam Preparation: chapter 1

To help prepare for the exam, we have included multiple choice and conceptual questions (the

answer key can be found at the end of this workbook). Additionally you are provided with an

overview of terms with which you should be familiar.

Sample Questions

1. What is Six Sigma®?

A. It is a quality instrument to measure defects in process outputs.

B. It is a six step maturity model to improve the capability of business processes.

C. It is a standard that was developed for improvement of IT processes.

D. It is a structured, statistically based approach to process improvement.

2. A service provider can integrate their Service Management System with a quality management system or an Information Security Management System to provide the highest level of service to the customer. Which standard supports the Quality Management System?

A. ISO 9001

B. ISO/IEC 27001

C. COBIT®

D. ITIL®

3. What is the focus of the Deming Cycle?

A. Continual improvement

B. Customer orientation

C. Designing new services

D. Cost calculation


4. The Plan-Do-Check-Act (PDCA) methodology can be applied to all processes. What does the Act phase of this methodology cover?

A. Establishing the objectives and processes necessary to deliver results in accordance with Customer requirements and the organization's policies

B. Implementation of the processes

C. Monitoring and measuring the services rendered and the Service management system (SMS)

D. Taking the necessary actions to continually improve

5. Why is it important that reviews are conducted regularly during the Check phase of the Plan-Do-Check-Act (PDCA) methodology?

A. To be able to allocate roles and responsibilities

B. To be able to define the objectives and requirements that are to be achieved by Service management

C. To be able to establish the Service management policy, objectives and plans

D. To determine whether the Service management requirements are effectively implemented and maintained

6. What would be a good reason for organizations to adopt ISO/IEC 20000?

A. To confirm that all of the ITIL® guidelines have been implemented

B. To demonstrate alignment to customer requirements

C. To certify their services

D. To certify their products

7. A process is a set of interacting activities which transforms inputs into outputs. What is the

Process owner responsible for?

A. Describing the process

B. Operating the process

C. Providing process reports

D. Setting up the process


Conceptual Questions

1. Which are the three key components of an IT service?

2. According to the ISO 9001:2005 standard, what is a process?

3. What are CSFs and KPIs?

4. Describe the main roles in a process according to the ISO/IEC 20000-2 standard.

5. Which is the objective of the ISO/IEC 20000:2011 standard?

6. What is the main difference between Part 1 and 2 of ISO/IEC 20000:2011?

7. What is COBIT®?

8. Which are the five steps in DMAIC methodology used in Six Sigma®? What is it based on?

Exam Terms

Quality, Quality Management, Service, Customer, Process, Process orientation, ITSM, Roles,

PDCA, Deming Cycle, Framework, IT Governance, Maturity Model, Best practices, International

Standard, Customer Focus, Service Management Tools.


The Service Management System (SMS): Exam specifications (20%)

After reading chapter 2, you will be able to understand the role of the SMS within the organization.

Thereby you will then achieve the following objectives:

2.1 Understand the management system for service management (10%)

You will be able to:

2.1.1 Describe why and which roles are needed

2.1.2 Describe the objective of a service management system

2.1.3 Describe general management responsibilities

2.1.4 Describe general governance principles

2.1.5 Describe importance of documentation and basic requirements for documentation

2.1.6 Describe the requirements for resource management

2.2 Understand the core concepts of the Service Management System (10%)

You will be able to:

2.2.1 Describe the objective of planning and improving service management

2.2.2 Describe the continual improvement methodology for service management processes

2.2.3 Describe the key principles of producing and implementing a service management plan

2.2.4 Describe the requirements for monitoring, measuring, reviewing and improving the processes


2 The Service Management System (SMS)

2.1 What is a Service Management System (SMS)?

The ISO/IEC 20000:2011 defines an SMS as a management system to direct, monitor and control

the service management activities of the service provider.

The SMS should include what is required for the planning, design, transition, delivery and

improvement of services. At a minimum this includes service management policies, objectives,

plans, processes, process interfaces, documentation and resources. The SMS encompasses all

the processes as an over-arching management system, with the service management processes

as part of the SMS.

Figure 2.1: Elements in a Service Management System (Source: ITeratum)

Coordinated integration and implementation of an SMS provides ongoing control, greater

effectiveness, efficiency and opportunities for continual improvement. When other management

systems are present in the organization (e.g. based on ISO 9001 or ISO/IEC 27001) that share a

PDCA approach, they may be integrated with the SMS, increasing the effectiveness and efficiency

of the final resultant system.


In an organization, the SMS is the element that makes it possible to control every stage related to service management, from design to continual improvement, based on the requirements of the customers and other interested parties.

Figure 2.2: The Service Management System (Source: ISO/IEC 20000)

The service provider is accountable for the SMS. This does not mean that the provider is not allowed to delegate certain activities to third parties. However, delegating does not exempt the provider from its liability to the customers to whom it provides services. In this case, the service provider can demonstrate evidence of fulfilling all the requirements of the ISO/IEC 20000-1 standard, proving it has control (governance) over those processes operated by suppliers (third parties).

In the following chapters we will look in more depth at each relevant section of the standard, that is, sections 4 to 9.


2.2 SMS general requirements

This chapter deals with Section 4 of ISO/IEC 20000:2011.

2.2.1 Top management responsibilities

We have previously seen that quality is a concept that requires the commitment of everyone

working in a company (total quality). This must be clearly shown right from the top of the

hierarchical structure of the organization, which should be an example to be followed by the other

levels.

Top management should be the management who direct, monitor and control the service provider

at the highest level.

Top management responsibilities include:

Management commitment: Top management should ensure that all service lifecycle stages are delivered to the agreed levels, as defined in the service requirements. The service lifecycle includes planning, implementation, operation, monitoring, measurement, review, maintenance and continual improvement. The service lifecycle also includes transfer of the service to a customer or a different party or eventual removal of the service.

Service management policy: The service management policy should be specific to the service provider's circumstances and have a customer focus. The policy should be based on the agreed scope of the SMS and represent top management direction and commitment to fulfill service requirements.

Authority, responsibility and communication: The service provider should ensure that the authorities and responsibilities for all aspects of the SMS are defined. Top management should be accountable for ensuring that communication procedures are designed, transitioned, implemented and used.

Management representative: The management representative should be the member of the service provider’s management team who has the authority to ensure that the SMS is established, used, improved over time and in alignment with the changing needs of the business.


2.2.2 Governance of processes operated by other parties

According to ISO/IEC 20000-2, the service provider should be able to identify all service management processes or parts of processes that are operated by other parties, to have an end-to-end visibility of the performance of the other parties and to be able to demonstrate control of all of them. This should be supported by all contracts and other documented agreements.

Other parties include:

Internal groups, who are organizational units inside the same organization as the service provider, but not within the direct control of the service provider (e.g. a specialist security team)

Customers acting as suppliers (e.g. the customer performing some of the activities of incident and service request management)

Suppliers (e.g. outsourcing of the testing done as part of the release and deployment management process)

The service provider should demonstrate by providing evidence:

The accountability and authority of the processes that are operated by other parties.

That every process in Sections 5 to 9 operated by other parties delivers the outcomes required.

The control of the planning of and setting priorities for improvements to all processes.

The governance of processes operated by other parties is described in detail in Part 3 of the standard (ISO/IEC TR 20000-3:2009).


2.2.3 Documentation management

Documentation is an essential element within the Service Management System, as is the effective management of such documentation. Section 3 of ISO/IEC 20000-1:2011 defines document and record as follows:

Document: information and its supporting medium

Record: document stating results achieved or providing evidence of activities performed

The service provider should ensure that evidence is available for any audit of the SMS. Much of the

evidence should exist in the form of documents. Documents may be any type, form or medium

suitable for their purpose (e.g. paper based, electronic files or in a database). The following

documents can be considered as evidence for an audit of the SMS:

Service Management policies, objectives and plans

Process and procedure documents

A catalogue of services

Service documents (designs, specifications, acceptance criteria)

Contractual documents (including requirements and change control)

Audit planning activities and reports

Change planning activities

Good document management ensures efficient planning, operation and control of the SMS.

The service provider should understand that an effective procedure is essential for the production

of documents, including records. This includes the use of a naming and numbering system that

aligns with the purpose and revision history of documents. The use of templates and standardized

format can reduce the effort of creating, accessing, updating and using the content.


2.2.3.1 Control of documents

Once produced, documents should be subject to control that includes periodic reviews, at least annually, with updates if necessary. This control can provide visibility of the impacts of changes (e.g. to a service level agreement).

The service provider should develop a number of procedures with the necessary authority and

responsibility levels for the adequate control of documents. This way, different levels of authority

would be allocated for writing, editing, reviewing, approving, updating, removal and archiving of

documents.

2.2.3.2 Control of records

Records associated with the SMS should be aligned to the requirements of ISO/IEC 20000-1,

statutory and regulatory requirements and contractual obligations (for example, retention of records,

archival and disposal practices).

Records established to provide evidence of conformity to requirements should be controlled. The

service provider should establish a procedure to define the controls needed for the identification,

storage, protection, retrieval, retention and disposition of records. Records should remain legible,

readily identifiable and retrievable.


2.2.4 Resource management

2.2.4.1 Provision of resources

Implementing a Service Management System would be impossible without a number of essential resources. According to the requirements of Section 4 of ISO/IEC 20000:2011:

The service provider should make available all resources agreed in the plan to establish, implement, maintain and improve the SMS and the agreed services.

The resources include at least the following:

Human Resources: people needed to design, implement and operate the SMS, top management and personnel involved in the management of the SMS.

Technical Resources: infrastructure, tools, regular work facilities and service continuity facilities.

Information: customer requirements, customer’s business needs and business plans, service management policies, measures and other reports.

Financial resources: funds for projects and funds for continual operation of the SMS.

2.2.4.2 Human Resources

Human resources play a key role in IT Service Management. The service provider's commitments should include defining each person's role in the SMS and the authority level assigned to them.

A very useful tool when performing this task is known as the RACI responsibility matrix. RACI is an

acronym that stands for Responsible, Accountable, Consulted and Informed.

Figure 2.3: Resources in a SMS (Source: ITeratum)


Responsible: Someone who actively participates performing a task or activity.

Accountable: The person with the highest level of responsibility, who validates the work done by others.

Consulted: Someone who is consulted to gather information.

Informed: Someone who is informed (reported).

The authorities and responsibilities for each service management process in the SMS should

include:

Role: Accountable for

Process Owner: The design of the process. Ensuring adherence to the process. The measurement and improvement of the process.

Process Manager: The daily process operation. The process resources management.

Personnel of the process: Perform the procedures of the process.

The competence required for a role should be based on analysis of the specific characteristics and

requirements of that role. This should include but not be limited to: education (certificates), training,

skills and experience. The service provider should be aware of this and, consequently:

Should maintain the appropriate education, training, skills and experience records.

Should provide training and development.

Should control effectiveness of training and certification.

Top management should ensure that personnel are aware of the relevance and importance of their

activities and of how they contribute to the achievement of service management objectives.


2.3 Establish and improve the SMS

2.3.1 SMS scope definition

The service provider should establish whether ISO/IEC 20000-1 is applicable to their

circumstances early in the planning stage, as well as define the scope of the SMS. When defining

the scope of the SMS the following parameters should be considered:

Organizational units providing services

Services offered

Geographical location from which the service provider delivers the services

Customers and their locations

Technology used to provide the services

For the SMS to be effective, the service provider should continually improve the SMS and the

services using the PDCA methodology. Part 3 of the standard (ISO/IEC TR 20000-3) gives advice

on defining the scope of the SMS and checking the applicability of ISO/IEC 20000-1 to the service

provider’s circumstances.

Figure 2.4: SMS & PDCA Cycle (Source: ITeratum)


2.3.2 Plan the SMS (Plan)

The plan for the SMS should cover all aspects of service management and delivery of services. To this end it is important to design a plan, known as the Service Management Plan, which includes but is not limited to the aspects given below.

The service management objectives

Service requirements, policies, standards, regulatory and statutory requirements

Resources, facilities, budgets

Authority, responsibility and role definition

Process interfaces

Risk Management

Tools for process support

Measures and reports

2.3.3 Implement and operate the SMS (Do)

The service provider should implement and operate the SMS in alignment with the service

management plan and as a means of achieving the service management objectives. To this end,

the following activities should be carried out:

SMS implementation

Budgets allocation

Assign roles and responsibilities

Manage and maintain policies, plans and procedures for each process

Risk identification and management

Service management process coordination

Teams and facilities management

Monitor and report on services activities

Tracking of the Service Management Plan

2.3.4 Monitor and review the SMS (Check)

The service provider should continuously monitor, measure and review the service management

objectives and plan the necessary activities to ensure they are being achieved.

For this, there should be an Audit Program that takes into consideration:

Status and importance of the processes and organizations being audited.

Previous audit outcomes.

Frequency, criteria, scope and methods to be used.

Those responsible for carrying out the audits should be objective and impartial. A task cannot be audited by the same person who performs that task.

After conducting audits, the reviews, evaluations, results and corrective actions identified should be

documented. In case of non-compliance, all parties concerned should be informed. Different levels

of assessments and audits can be set:

Self-assessment: A department assesses their own procedures. Necessary, but not very objective.

Internal audit: Carried out by an internal department within the organization. The auditor belongs to the same organization but is not involved in the department being audited.

Vendor audit: Performed by an organization supplier.

External audit: Performed by an independent, external and qualified organization.

Figure 2.5: Types of audits (Source: ITeratum)

Top management should review the SMS at planned intervals to check that it continues to enable

the fulfillment of changing business needs and service requirements. The review can be performed

against:

Performance of the SMS against policies, plans and objectives

Measurement of process key performance indicators (KPIs)

The results of internal and external audits

A review of continual improvement activities aligned with business objectives

Post implementation reviews of changes

Industry best practice

Customer satisfaction survey results

Desired business outcomes

2.3.5 Maintain and Improve the SMS (Act)

Continual improvement is one of the core concepts of ISO/IEC 20000. The standard states that a

strategic approach should be used, establishing an SMS and services continual improvement

policy. This should include evaluation and prioritization criteria of the improvement opportunities.

A documented procedure identifying the authorities and responsibilities for all improvement

activities should be used. This procedure should ensure that opportunities for improvement are

effectively identified, evaluated, prioritized, approved, implemented, managed and measured.

Inputs to manage continual improvement should include:

Relevant directives from top management

Root causes identified as a result of audits and reviews, both of the SMS and of individual services

Suggestions from the customer and from the service provider

Problem records

Tests of plans (e.g. service continuity tests)

Optimized resource utilization or risk reduction

Exam Preparation: chapter 2

To help prepare for the exam, we have included multiple choice and conceptual questions (the

answer key can be found at the end of this workbook). Additionally you are provided with an

overview of terms with which you should be familiar.

Sample Questions

1. IT Service Management needs to be planned to establish the objectives, processes and

procedures necessary to deliver results in accordance with the customer requirements and

the organization's policies. What should definitely be included in the Service Management

Plan?

A. The appropriate tools to support the processes

B. The interfaces between business processes

C. The procedure for dealing with emergency releases

D. The service continuity procedures

2. Top management has to provide evidence of its commitment to planning, establishing,

implementing, operating and improving its Service Management System within the context of

the organization's business and customers' requirements. What is the best way that

management can make this visible?

A. By outsourcing Change management

B. By taking disciplinary action against underperforming employees

C. By taking part in the planning of new IT services

D. Through leadership and actions

3. Why is it important for service providers to maintain documents and records?

A. To be able to uniquely identify and record all Configuration Items (CIs) in the Configuration

Management Database (CMDB)

B. To ensure effective planning, operation and control of the Service Management System

(SMS)

C. To ensure employees are aware of the relevance and importance of their work activities

D. To meet the requirements (evidence) to become ISO/IEC 20000 compliant

4. Why are processes and procedures required for a service management system?

A. To be able to define service management objectives in a structured manner

B. To ensure that service issues never arise

C. To provide consistency in the output from activities

D. To satisfy the needs of major suppliers

5. What should be recorded as a baseline prior to implementing a plan for service improvement?

A. Backlog of changes for the service

B. Number of staff involved

C. Service or component configurations

D. Time taken to operate the process

6. Personnel should be competent on the basis of appropriate education and experience. What

is a requirement relating to competence?

A. Appropriate records of education, training, skills and experience need to be maintained

B. At least two employees should be suitably trained for each role

C. Employees should have at least a relevant bachelor's degree

D. Personnel should all have a relevant Security training according to ISO/IEC 27002

Conceptual Questions

1. When ISO/IEC 20000 refers to "third parties", who are they?

2. What is the difference between document and record?

3. In Resource Management, what are the minimum resources to be considered according to the ISO/IEC 20000 standard?

4. What are the main responsibilities of a Process Owner?

5. List five elements to be taken into account when designing the Service Management Plan.

6. What kind of audits should be performed in the Monitor and Review stage of the SMS?

Exam Terms

Service Management System (SMS), Third Party, Service Management Policy, Document, Record,

Resources, Process Owner, Process Manager, Scope of the SMS, Planning the SMS,

Implementing the SMS, Monitoring and Reviewing the SMS, Maintain and Improve the SMS.

Service Design and Transition: Exam specifications (5%)

After reading chapter 3, you will be able to understand the importance of the Service Design and

Transition process when transferring a service to the real production environment. Thereby, you will

then achieve the following objectives:

3.1 Understand the core concepts for service design and transition (5%)

You will be able to:

3.1.1 Describe at a high level the management requirements for new/changed services

3.1.2 Describe at a high level the requirements for planning new/changed services

3.1.3 Describe at a high level the requirements for designing new/changed services

3.1.4 Describe at a high level the requirements for transitioning new/changed services

3 Service Design and Transition

3.1 Basic concepts of Service Design and Transition

This chapter deals with Section 5 of ISO/IEC 20000:2011.

3.1.1 General

The objective of the design and transition of new or changed services process is to establish and

implement the necessary plans to control the delivery of the new or changed services offered by the

provider.

This process works closely with control processes (Change Management, Configuration

Management and Release and Deployment Management) and applies not only to new or changed

services but also to the withdrawal of services and the transfer or recovery of services to or from

third parties.

Even though control processes are at the core of managing all changes to the SMS and the services, the scope of this process goes beyond the junction of the three control processes. According to ISO/IEC 20000-2, this process should be applied to new or changed services that are either high risk or have a potentially major impact on services or the customer, or wherever there are interfaces with tasks or deliverables that fall outside the scope of SMS.

The service provider will determine for which changes it is appropriate to use the design and transition of new or changed services process (e.g. when the change affects more than one service or location, where there is a risk of infringing a data protection law, etc.). The criteria usually vary for each provider and situation.

Figure 3.1: Main processes in transition (Source: ITeratum)

3.1.2 Plan new or changed services

Any new or changed services to which Section 5 of the ISO/IEC 20000:2011 standard applies

should be managed as a project due to the size, risks and scope of the changes. The service

provider should consider the potential impact of such a service and ensure a strong coordination

between the change management process and the project management roles and authorities, from

the earliest possible stage of the project.

Figure 3.2: The planning elements (Source: ITeratum)

When another party is involved in the new or changed services, the service provider should do a

thorough review. The review should evaluate the capability of the other party to fulfill their

commitments, including the agreed service requirements. The review should also evaluate the risk

to the existing services and support environment.

If another party besides the service provider is involved in the project (suppliers, stakeholders, etc.), the service provider should thoroughly review the ability of the other parties to fulfill the commitments agreed with the customer, as well as the risk these parties pose to the project.

If a service is to be removed, this should be planned and documented in a service removal plan.

The plan should include:

The conditions where removal applies

The objectives and success factors of the removal

Governance of processes operated by other parties

Roles, responsibilities, constraints and risks

Activity breakdown, milestones and deliverables

Agreed completion criteria for the removal and end of service provider’s responsibility

The date when the service is no longer available to the users and the date when the service is removed

3.1.3 Design and development of new or changed services

The design of the service should be documented and agreed upon by all the interested parties prior

to the development stage. The design should take into account current service requirements and

information security considerations, as well as the resource capacity projections for growth during

the anticipated life of the service. Likewise, this stage should ensure that the resulting designs meet

the business requirements.

Design and development should include the following items, as appropriate:

The activities of design and implementation, transition, operation and maintenance for acceptance of services

Required inputs to and outputs from each activity

Planning, resource organization, teams organization and responsibilities

Organizational and technical interfaces between different individuals or groups

The analysis of the possible risks

Training required for every team

Documentation

3.1.4 Transition of new or changed services

The main intent of this stage is to ensure that the service requirements are met. The transition of

services should include the building, test and acceptance of the new or changed services followed

by making operational the new or changed services through the Release and Deployment

Management process, under the supervision of the Change Management process.

The transition should be reviewed with the customer and interested parties to establish that it is

ready for live operation. To this end, a number of service acceptance criteria should be set in advance

in order to obtain the customer's compliance.

Exam Preparation: chapter 3

To help prepare for the exam, we have included a number of conceptual questions (the answer key

can be found at the end of this workbook). Additionally you are provided with an overview of terms

with which you should be familiar.

Conceptual Questions

1. In which cases is it especially appropriate to apply the Design and Transition of new or changed services process?

2. What approach should be used when planning a modification of an existing service that is vital for the business?

3. List three elements to be considered when designing new services.

Exam Terms

New or changed services, planning, design, development, service transition.

The delivery processes and their relationships: Exam specifications (15%)

After reading Chapter 4, you will be familiar with the delivery processes. This will allow you to reach

the following objectives:

4.1 Understand the service delivery processes (Service Level Management, Service Reporting,

Service Continuity and Availability Management, Budgeting and Accounting for Services, Capacity

Management and Information Security Management) (15%)

You will be able to:

4.1.1 Describe the objectives and quality requirements

4.1.2 Describe the activities and practical application for each process

4 The service delivery processes and their relationships

This chapter deals with Section 6 of ISO/IEC 20000:2011.

4.1 Service Level Management

Objective: to ensure that an agreed service is provided and that service targets are met. This

process ensures that agreed services and service targets are documented in a way that is easily

understood by the customer.

The Service Level Management (SLM) process should define, agree, document, monitor, report

and review the services delivered. The SLM process works closely with the Business Relationship

Management (BRM) process and the Supplier Management Process in order to ensure a correct

end-to-end service delivery. Customer satisfaction is a key element for success.

4.1.1 Terms and Definitions

Term: Definition

Service Level: Acceptable level of service quality.

Service Level Agreement (SLA): Documented agreement between the service provider and customer that identifies services and service targets.

Service Level Requirements (SLR): Detailed list of customer requirements on various aspects of an IT service. SLRs are essential to reach SLAs.

Service Catalogue: A structured document with information about all IT services delivered.

4.1.2 Documentation of service commitments

SLAs may need to be supported by agreements with suppliers external to the service provider's

organization, or with internal groups. These supporting agreements with suppliers can be known as

underpinning contracts. Supporting agreements with internal groups can be known as operational

level agreements (OLA).

Figure 4.1: Providers, suppliers & agreements (Source: ITeratum based on EXIN materials)

4.1.3 Service Catalogue

The catalogue should hold information common to all of the services or most of them, in order to

simplify the SLAs. The catalogue of services should include a variety of information, including:

The name, description and targets of the service

Contact points

Service hours, support hours and exceptions

Dependencies between the services

Dependencies between the services and service components

Security arrangements

4.1.4 Service Level Agreements (SLA)

An SLA is a documented agreement between the service provider and the customer that describes

the service and service targets. An SLA also specifies the responsibilities of the service provider

and the customer. A single SLA may cover multiple services or multiple customers.

SLAs need to be reviewed at regular intervals and all changes made to both services and SLAs will

be under the control of the Change Management process.

The minimum content that should be in an SLA is:

Brief service description

Service targets

Supporting and related services

Validity period and/or SLA change control mechanism

Brief description of communications, including reporting, review frequency and schedule

Service hours (including exceptions, holidays and critical business periods)

Scheduled and agreed interruptions to services

Customer responsibilities

Service provider liability and obligations

Impact and priority guidelines

Escalation and notification process

Complaints procedure

Upper and lower workload limits

High level financial management details

Glossary of terms

Any exceptions to the terms given in the SLA

4.2 Service Reporting

Objective: to ensure the production of agreed, timely, reliable, accurate reports to facilitate

informed decision making and effective communication.

The success of all service management processes is dependent on the use of the information

provided in service reports. Reactive and proactive reports should be produced. Reactive reports

show what has happened, after it has happened. Proactive reports give warning of significant

events, thereby enabling preventive action to be taken beforehand. Where there are multiple

suppliers, lead suppliers and sub-contracted suppliers, the reports should reflect the information

related to all their activities.

4.2.1 Terms and Definitions

Term: Definition

Service Report: Document agreed between the service provider and the customer that contains specific information for later evaluation.

4.2.2 Minimal Requirements

Each service report should be clearly described including its identifier, purpose, frequency,

audience, and details of data source. Service reports are intended to verify the customer's

requirements and identify needs. Service reports for customers and the business should include at

least:

Performance against service targets

Non-conformities (e.g. SLA breaches)

Workload characteristics (resource usage)

Performance reporting on major events (incidents and changes)

Projections of current trends

Customer satisfaction evaluation

4.3 Service Continuity and Availability Management

Objective: to ensure that agreed service continuity and availability commitments can be met, within

agreed targets.

This process includes both a focus on prevention of and recovery from service failures or disasters,

as well as ensuring the provision of sufficient service availability to meet service requirements.

Service providers may operate the service continuity and availability management process as two

separate processes that are linked or as a single process, depending on the service provider's

circumstances.

4.3.1 Terms and Definitions

Term: Definition

Availability: Ability of a service or service component to perform its required function at an agreed instant or over an agreed period of time. Availability is normally expressed as a ratio or percentage of the time that the service or service component is actually available for use by the customer to the agreed time that the service should be available.

Availability Plan: Document containing the actions, measures, costs, resources and time planning intended to deliver the agreed availability levels.

Service Continuity: Capability to manage risks and events that could have serious impact on a service or services in order to continually deliver services at agreed levels.

Service Continuity Plan: Document containing the actions, measures, costs, resources and time planning aimed at maintaining the service continuity and, where appropriate, to recover from a disaster scenario.

Risk: Effect of uncertainty on objectives. Risk is often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence.

4.3.2 Activities

The service continuity and availability management process should allow for both reactive and proactive aspects of the process. Proactive aspects will allow measures to be taken to prevent a lack of service or disasters. Reactive aspects will allow carrying out recovery actions from an incident or, in the worst case, from a disaster.

4.3.2.1 Service continuity policy

The service continuity policy should be focused on supporting business continuity. The policy

should address the roles, activities and responsibilities required to meet the agreed service

requirements.

The policy should take into account agreed service hours and critical business periods. The service

provider should identify the requirements separately for each customer group and service,

including:

The maximum acceptable continuous period of lost service

The maximum acceptable periods of degraded service

The acceptable degraded service levels during a period of service recovery

The service continuity policy should be reviewed at agreed intervals, at least annually. Any

changes to the policy should be formally agreed between the service provider and the customer.

4.3.2.2 Risk assessment and management

Once the strategy has been defined in the continuity policy, it is time to carry out the risk

assessment and management. The risk assessment should include business impact analysis of a

major loss of service. Risk mitigation measures meeting the business requirements and plans

should be agreed with the business.

Figure 4.2: Continuity and availability aspects (Source: ITeratum)

Service continuity and availability requirements for normal service and after a major loss of service

should include at least the following:

Access rights (who can have access rights under normal conditions and who can have access rights following a major loss of service)

Response times (under normal circumstances and also after a major loss of service)

End-to-end availability of services (e.g. for normal service what is the required availability of components required to deliver a complete service and after a major loss of service what priority should be given to each service).

4.3.2.3 Service continuity and availability plans

Service continuity plans should be based on the requirements defined in the service continuity

policy, a business impact analysis and risk assessments. These plans should be under the control

of the Change Management process, and responsibilities for invoking should be clearly assigned.

Service continuity testing should be undertaken at least annually or after every major business

change. All the relevant parties should be informed about the existence of service continuity plans

and appropriate awareness and training should be provided. The plans should contain the following

information:

Dependencies between services and service components

Recording and maintenance of plans

Responsibility of each participant in the service continuity plan, clearly stating who can invoke the plan

Data, documents and software, and any equipment and personnel necessary for service restoration following a disaster

Standby arrangements with suppliers, where appropriate

The availability plan should identify the business needs and customer requirements, design

requirements, technical specifications and project planning activities required to meet the business

availability requirements both currently and in the future. The availability plan should be reviewed

and revised regularly, at least annually and after any major change.

4.3.2.4 Monitoring and testing

Service continuity testing

Service continuity testing should be undertaken after every major business change and change to

the service environment. The scope of service continuity testing should include the return to normal

service operation following a disruption and should involve the joint participation of the customer

and the service provider, based upon an agreed set of objectives.

Review after a service continuity test should be conducted to assess the achievement of the aims

and objectives of the test and to identify any areas of weakness or opportunities for improvement.

Availability monitoring and testing

Service continuity and availability management should, according to the agreed availability plan:

Monitor and record availability of the service

Maintain accurate historical data regarding availability of services

Make comparisons with requirements defined in SLAs to identify any nonconformity to the agreed availability targets

Predict future availability requirements

A regular availability testing schedule should confirm that the availability solutions are achievable

and appropriately resilient. Availability, reliability and resilience mechanisms should be reviewed

and tested after any major change.

4.4 Budgeting and Accounting for Services

Objective: to support the service provider's understanding of and ability to manage the total cost of

services.

In order to achieve this objective, the process should ensure that:

The costs of services are understood

Reliable forecasting of both costs and budget is achievable

A budget is developed and used by service management processes

Unexpected variances of costs or budget are managed

The budget is adhered to so that service delivery is funded adequately throughout the budget period

Budgets and costs are reviewed regularly

The budgeting and accounting process should control the financial aspects of services and service

components, and provide information that supports both the live operation of services and the

funding of service changes and improvements.

This process should be performed by the service provider, regardless of whether other aspects of

financial management are performed elsewhere in the organization, and should be aligned with and

receive information from the financial processes of the service provider's organization.

4.4.1 Terms and Definitions

Term: Definition

Budgeting: Prediction of future funding requirements for the agreed delivery of services.

Accounting: Tracing of the service provider regarding funding usage.

Charging: Billing to customers for services provided.

4.4.2 Policy

The service provider should have a documented policy and procedures for the financial

management of services. The policy should include the cost types used in the budget for cost

allocation and an explanation of how overhead costs are apportioned. Criteria should be defined to

allow for a budget and accounting analysis for each service.

The resources provided for the budgeting and accounting for services process should be based on

the needs of the customer, service provider, suppliers and other interested parties for financial

detail, as defined in the policy.

4.4.3 Cost types

The service provider should select categories for cost entries in the budget that are useful for

service management. For example, service providers should define cost models in line with

services and their components, as defined in the catalogue of services. Those categories should be

easily measurable (e.g. hardware, software, maintenance, personnel). The service provider should

also consider cost types such as:

Assets used to provide the services

Shared resources (e.g. level 1 support)

Overheads such as office space

Services delivered by suppliers

Service management personnel

4.4.4 Overheads and direct costs

Apportionment of overhead costs may be based on a variety of mechanisms, such as a flat rate

cost, a fixed percentage, or based on the size of an agreed variable element of delivered services.

4.4.5 Budgeting

Forecast of costs and revenue for budgeting should take into account the planned changes to

services during the budget period. Budgeting and cost tracking should support planning to operate

and improve the services so that service levels can be maintained throughout the year.

4.4.6 Accounting

Accounting activities should be used to track costs to an agreed level of detail over an agreed

period of time.

Accounting reports should provide sufficient information to calculate the costs of low service levels

or costs resulting from a loss of service. To calculate these costs, the service provider should have

a clear understanding of costs of resources required to deliver the service (personnel, components,

facilities, and any aspects of the service delivered by other parties).

4.4.7 Charging

Charging is not included in ISO/IEC 20000-1 but it is recommended that where charging is in use,

the charging mechanism is defined and understood by all parties.

4.5 Capacity Management

Objective: to ensure that sufficient capacity is provided to meet the current agreed capacity and

performance requirements.

Resources should be balanced to fulfill both current and agreed capacity and performance requirements, and to be prepared to fulfill future requirements.

The capacity management process should include both reactive and proactive activities. The reactive activities should focus on ongoing monitoring, tuning, analysis and improvement of operational capacity. The proactive aspect of the process should focus on planning to meet future agreed business demand.

The capacity management process should develop plans to ensure that capacity requirements can

be agreed on, forecast and met.

4.5.1 Terms and Definitions

Term: Definition

Capacity: Maximum performance that can be obtained from a component or IT service. For certain types of components, the capacity may be the size or the volume, for example in the case of a disk drive.

Capacity Plan: Document which sets out the actions, measures, costs, resources and time planning designed to deliver the agreed capacity levels, both present and future.

4.5.2 Activities

The activities of the Capacity Management process include:

Assess, document and agree the capacity requirements for new or changed services

Be involved in the design of new or changing services and make recommendations for the procurement of components and resources

Set, monitor and use capacity thresholds, warnings and alarms to automatically manage and improve the utilization of components and the performance of services

Maintain data and information used by the capacity management process

Produce capacity and performance reports, which provide valuable information to many service management processes

Forecast future component and service capacity and performance

4.5.3 Capacity plan

The capacity plan should document the actual performance, the expected business capacity needs

and the service requirements. It should be produced at least annually. The capacity plan should

include:

- Current and forecast service usage, ideally including recommendations regarding opportunities to influence the demand for capacity

- Current and forecast resource usage and performance

- The impact on capacity and performance of agreed requirements for availability, service continuity and service targets

- Time-scales, thresholds and costs for upgrades to service capacity

- Summaries of relevant business plans, scenarios and patterns of business activity

- Summary of changes in business activity, including user profiles if available

- Potential impact of new technologies on capacity and performance

- Data and procedures to enable predictive analysis (e.g. modeling techniques)

- Potential impact on statutory, regulatory, contractual and organizational requirements

4.6 Information Security Management

Objective: to ensure that security controls are in place to protect information assets and that

information security requirements are incorporated into the design and transition of new or

changed services.

Information security should be the result of a system of policies and

procedures designed to identify, control and protect the organization’s

information and any resources used in connection with its storage,

transmission and processing. Management should ensure that clearly

defined information security management objectives are in place and that

they align to business needs.

4.6.1 Terms and Definitions

Term: Definition

Information Security Policy: Policy governing the vision of the organization on the management of information security.

Risk: Effect of uncertainty on objectives. Risk is often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence.

Confidentiality: Security principle that requires that only authorized personnel have access to a particular set of data.

Integrity: Security principle certifying that the data and configuration items are changed only by authorized personnel and activities to ensure accuracy of data.

Availability: Security principle that ensures the information is available to authorized users whenever they require access to it.

4.6.2 Information Security Policy

Service requirements, statutory and regulatory requirements and contractual obligations should

provide the basis of an information security policy. The policy should give direction on the use of

physical, administrative and technical information security controls and should be approved by

managers accountable for the SMS and the services.

Management should ensure that personnel, customers, suppliers and internal groups have both an adequate understanding of the contents of the policy and an appreciation of the importance of adhering to it.

Management should also ensure that the information security policy is used as part of risk

assessments and during information security audits. The policy should provide guidance on the

criteria for accepting risks and the approach for managing identified information security risks.

Internal information security audits should be conducted at regular intervals and their results

reviewed to identify opportunities for improvement of information security.

Personnel with specialist information security roles can find it helpful to become familiar with the

ISO/IEC 27000 standards, which include guidance and advice for Information Security

Management Systems.

4.6.3 Information security controls

Information security controls are designed to safeguard information assets by preserving their confidentiality, integrity and availability (accessibility). Information security controls can be physical, administrative or technical.

The service provider should ensure that the controls are documented, describing their related risks

and risk mitigation strategies. The service provider should also define information security controls

to manage external organizations and individuals that need to access, use or manage the

organization’s information or services.


4.6.4 Information security changes and incidents

Information security changes and incidents should be processed in accordance with the Change

Management process and the Incident and Service Request management process.

Requests for change (RFC) should be assessed to identify any new or changed information

security risks as a result of the proposed change. The RFC should also be assessed against any

potential impact on existing services, processes, policies or the existing information security

controls.

The service provider should use the results of reviews of information security incident records to

identify potential deficiencies and opportunities for improvement.


Exam Preparation: chapter 4

To help prepare for the exam, we have included multiple choice and conceptual questions (the

answer key can be found at the end of this workbook). Additionally you are provided with an

overview of terms with which you should be familiar.

Sample Questions

1. How can an organization determine the effectiveness of the Service Level Management

(SLM) process?

A. By checking contracts with suppliers

B. By defining Service levels

C. By measuring customer satisfaction

D. By reporting on all incidents

2. Where are agreements regarding Service delivery and its relationship to Information security

management recorded?

A. In a Capacity Plan

B. In a Configuration Management Database (CMDB)

C. In a Definitive Software Library (DSL)

D. In a Service Level Agreement (SLA)

3. The Service catalogue for a network company states that LAN authorization requests will be

complete within three weeks. A manager who is a client of the network company does not

believe this is achievable and requests a report demonstrating achievement of the catalogue

statement. Which process is responsible for providing this report?

A. Availability Management

B. Change Management

C. Problem Management

D. Service Level Management (SLM)


4. In Continuity management various precautionary measures are taken to ensure Services are

delivered during/after a catastrophe. An example would be having an emergency electrical

power supply. Which process could also initiate this kind of measure?

A. Availability Management

B. Capacity Management

C. Change Management

D. Incident Management

5. What is the intent of the Service continuity and availability management processes?

A. To ensure agreed effective communication towards Customers

B. To ensure that agreed levels of service commitments to Customers can be met in all

circumstances

C. To ensure that agreed Service continuity and availability commitments to Customers can be met within agreed targets

D. To ensure that agreed Service continuity and availability commitments to providers can be

met in all circumstances

6. What is the description of Integrity in the Information security management process?

A. Access to the data at any moment

B. Protection of the data

C. The capacity to verify the correctness of the data

D. The correctness of the data


7. Managing the availability of a service as part of an overall Service Management initiative is

important for efficient service delivery. What is the reason behind managing Service

Availability?

A. Most service providers have Service Level Agreements (SLAs) with their customers so

availability is guaranteed.

B. Outsourcing is now a more valid option for today's IT, so availability of a service is left to the

capability of the outsourcer.

C. Service management tools provide real-time performance information, thus managing

availability is debatable.

D. The business is more dependent on IT in order to meet corporate goals, thus achieving

expected availability is crucial.

8. A power failure has knocked out the entire IT infrastructure. Fortunately, a Service Continuity

Plan is available. At what point should the Service Continuity Plan be invoked?

A. Immediately, as the service can no longer be used.

B. When the failure will likely extend beyond the targets defined in the Service Level Agreement

(SLA).

C. When the Incident Manager thinks this is necessary.

D. When the time within which the failure should be solved has been exceeded.

9. Where would an IT service for the customer be defined?

A. In the IT framework

B. In the Service Catalogue

C. In the Service Level Agreement (SLA)

D. In the Service Report


10. What process, other than Business relationship management, would review service

performance with the customer?

A. Availability Management

B. Service Reporting

C. Service Level Management

D. Budgeting and Accounting for Services

Conceptual Questions:

1. What is the difference between an SLA, an OLA and an underpinning contract with regard to the parties that establish the agreement?

2. What is the objective of the Service Reporting process?

3. What is availability?

4. What are the three key elements to take into consideration in the Budgeting and Accounting for

Services process?

5. List four characteristics to take into account in the Capacity Plan.

6. What is confidentiality within the Information Security Management process?

7. What is the objective of the Information Security Management process?

Exam Terms

Service level, SLA, OLA, underpinning contract, SLR, service catalogue, service report, availability,

availability plan, continuity, continuity plan, risk, monitoring, testing, budgeting, accounting,

charging, cost types, capacity, capacity plan, information security policy, confidentiality, integrity,

security controls.


The relationship processes and their relationships: Exam specifications (15%)

After reading Chapter 5, you will be familiar with the relationship processes. This will allow you to

reach the following objectives:

5.1 Understand the relationship processes (15%)

You will be able to:

5.1.1 Describe the objectives and quality requirements

5.1.2 Describe the activities and practical application for each process


5 The relationship processes and their relationships

This chapter deals with Section 7 of ISO/IEC 20000:2011. The relationship processes describe the

characteristics of the Supplier Management and Business Relationship Management processes.

The aim of both processes is to ensure that all parties are aware of the business needs and the

capabilities, limitations, responsibilities and obligations that concern them.

Figure 5.1: Supplier–Provider–Customer Relationships (Source: ISO/IEC 20000-1:2005)

5.1 Business Relationship Management

Objective: to ensure that mechanisms are established to manage the relationship between the

service provider and the customer(s).

There should be a strong link between the Business Relationship Management (BRM) process and

the Service Level Management (SLM) process. The SLM process should define and use measures

to evaluate service level performance. In contrast, the BRM process should seek to work closely

with the customer to understand future business objectives and direction.


5.1.1 Terms and Definitions

Term: Definition

Customer satisfaction: Degree of satisfaction with the performance that the customer perceives regarding the agreed service(s).

Service complaint: Formal disagreement with the service delivered. To be a justified claim, the disagreement should be related to what is agreed in the Service Level Agreement (SLA).

Escalation: Within the context of the Business Relationship Management process, transfer of a service complaint to a higher authority, usually within the organization.

5.1.2 Activities

Identify interested parties:

The service provider should identify and document its customers (user

groups and/or business units), other interested parties, suppliers and

dependent sub-contracted suppliers, in order to fully understand the

dependencies between services.

Identify representatives:

The service provider should identify a named individual(s) to be a clear

single point of contact, who is responsible for managing the relationship

and customer satisfaction for each customer. This individual may be

chosen to manage the customer relationship on a fulltime basis, or may

have the role combined with another role, if appropriate.

It is possible for the roles of business relationship manager and service

level manager to be performed by the same person, due to the close

relationship between the BRM and SLM processes. If this is the case, the

role descriptions should distinguish the different nature of the roles: the

BRM process is strategic while the SLM process is operational or tactical.

Not everyone is able to combine both profiles.

Definition of communication mechanisms:

The communication mechanisms established with the customer should

include ad-hoc meetings and informal meetings, in addition to formalized

and documented meetings. These mechanisms should aid understanding of

the business environment in which the service operates including business

needs, customer requirements and major changes. The service provider

should use this information to respond to the identified needs.

Reviews: The service provider should hold formal meetings with the customer to

review customer satisfaction, strategic direction and major exceptions to

the performance of the services. The meetings should be scheduled in

advance and held regularly, at least annually. Meetings should be more

frequent when the service provider and the customer are managing a high

rate of change or when there are concerns about the quality of services.

Changes identified as necessary from these reviews should be reflected in

the appropriate SLAs and should be managed through the Change

Management process.

Customer satisfaction survey:

The service provider should establish a formal mechanism for recording

customer satisfaction. The frequency and scale of any measurement

should be agreed with the customer in advance, and this should include

the sample of users to be surveyed.

Satisfaction survey results should be measured over time, so that trends in

satisfaction can be tracked and any necessary issues or improvements

identified.

A documented service complaints procedure should be in place, including

recording, investigating, acting upon, reporting and closing any service

complaints received. It should include an escalation procedure to be used

if the customer does not agree to or accept the proposed actions or

resolution. The complaint should remain open until the customer provides

formal agreement that it can be closed.


5.2 Supplier Management

Objective: to manage suppliers in order to ensure the provision of seamless, quality services.

Service providers can use suppliers to operate some parts of the processes or services, or to

supply components such as hardware and software. All suppliers should use this process. The

supplier management process can be an adequate supplement for the Service Level Management process as far as the management of internal groups and customers acting as suppliers is concerned.

Figure 5.2: Supply Chain (Source: ISO/IEC 20000-1:2011)

5.2.1 Terms and Definitions

Term: Definition

Lead supplier: Supplier in charge of any other subcontracted supplier. The lead supplier should record the names of all subcontracted suppliers and their responsibilities and relationships, making this information available to the service provider.

Subcontracted supplier: Supplier contracted and managed by the lead supplier, rather than the service provider.

Contractual disputes: Disagreement between the parties who signed the contract.

Premature Termination: Contract termination before the scheduled date. Situations that may cause premature termination, as well as actions to take, should be agreed in the contract.

5.2.2 Activities

5.2.2.1 Managing contracts

The service provider should designate a contact person responsible for the relationship with each

supplier. The contract should include the requirements and service levels required of the supplier.

The service targets agreed on in the supplier’s contract should be articulated to ensure that the

service provider’s SLAs with the customer can be met.

All supplier contracts should contain a review schedule. At least an annual review should be

scheduled. If a contract includes penalties or bonuses, their basis should be clearly stated and

compliance to the requirements and service targets measured and reported upon.

The service provider should, at planned intervals, obtain evidence that the supplier is meeting all

requirements of the contract. All outcomes of meetings, reviews and audits concerning the

subcontracted service should be reviewed to identify opportunities for improvement. Where

changes are required, they should be controlled using the Change Management process.

5.2.2.2 Managing sub-contracted suppliers

It should be clear whether the service provider is dealing with all suppliers directly or with lead

suppliers, each taking responsibility for sub-contracted suppliers.


The service provider should obtain evidence, from lead suppliers, that lead suppliers are formally

managing sub-contracted suppliers. An example of this relationship is shown in the following

picture:

Figure 5.3: Subcontracted suppliers (Source: ISO/IEC TR 20000-3)

5.2.2.3 Contractual disputes management

Both the service provider and the supplier should agree on a process for managing disputes, and

this process should be defined within the contract between provider and supplier. An escalation

path should be available for disputes that cannot be resolved through the normal means of

communication. The process should ensure that disputes are recorded, investigated, acted upon

and formally closed.

5.2.2.4 Contract termination

The contract management process should include provision for contract termination, either at the

expected end or prematurely. It should also allow for the transfer of the service to another

organization at the end of the contract (costs, intellectual property rights, hardware, software

licences and data).


Exam Preparation: chapter 5

To help prepare for the exam, we have included multiple choice and conceptual questions (the

answer key can be found at the end of this workbook). Additionally you are provided with an

overview of terms with which you should be familiar.

Sample Questions

1. What is a responsibility of the Service provider with regard to Supplier Management as

defined in ISO/IEC 20000-1?

A. To ensure that a process exists for the procurement of suppliers

B. To ensure that contracts with suppliers are aligned with SLAs of the business

C. To ensure that subcontracted suppliers meet contractual requirements in all circumstances

D. To ensure that supplier processes and procedures are defined

2. What document is directly supported by the supplier contract?

A. Service Level Agreement (SLA)

B. Operational Level Agreement (OLA)

C. Service Management Plan

D. Service cost model

3. The relationship processes describe the relationships with the business and with the

suppliers. What do the relationship processes ensure?

A. That business requirements and outcomes are the primary driver in managing the business

and supplier relationship.

B. That the business and suppliers are directly informed of major incidents.

C. That the service levels for all services are consistent in the supply chain.

D. That there is a frequent contact between the suppliers and the business to resolve issues.


Conceptual Questions:

1. List the activities of the Business Relationship Management process

2. What is a "service complaint"?

3. What is a “premature contract termination”?

4. What is the objective of Supplier Management?

Exam Terms

Lead supplier, subcontracted supplier, service complaint, escalation, customer satisfaction,

contract management, conflict management, contract termination.


The resolution processes and their relationships: Exam specifications (10%)

After reading Chapter 6, you will be familiar with the processes that support the organization in their

daily activities. This will allow you to reach the following objectives:

6.1 Understand the resolution processes and their relationships (Incident and service request

management, Problem management)

You will be able to:

6.1.1 Describe the objectives and quality requirements

6.1.2 Describe the activities and practical application for each process


6 The resolution processes and their relationships

This chapter deals with Section 8 of ISO/IEC 20000:2011.

6.1 Incident and Service Request Management

Objective: to manage incidents and service requests consistently to ensure that incident resolution

or request fulfillment is achieved within agreed service targets and time frames.

Data collected as part of the incident and service request process should be used to monitor

performance against relevant service targets and can be included in service reports to the

customer.

6.1.1 Terms and Definitions

Term: Definition

Incident: An incident is considered to be an unplanned interruption to a service, a reduction in the quality of a service or a failure of a configuration item that has not yet impacted a service.

Service Request: Request for information, request for guidance, request for access to standard services or pre-approved changes.

Priority: Relative importance of an incident, problem or change. Priority is based on impact (effect of an incident, problem or change on business processes) and urgency (how long it will be until an incident, problem or change has a significant impact on the business).

Escalation: Within the context of the Incident and Service Request Management process, transfer of an incident or service request to a higher technical (functional) or hierarchical level for resolution.

6.1.2 Activities

The incident and service request management process should be supported by two separate

documented procedures. The first is for the management of incidents, the second for the

management of service requests. The two procedures should define the following:

Recording: Mechanisms for recording incidents and service requests, ensuring proper

use, storage and retrieval of data.

Classification and Priority:

All incidents and service requests should be classified so they can be acted

upon in line with their priority and service target commitment. Classification

should include determining which CIs are impacted, which in turn should help

identify the personnel who may need to be involved in resolution or fulfillment.

The priority should be agreed with the customer upon receipt of the incident or

service request, or as soon as possible afterwards. The determination of the

priority should be based on an assessment of the impact and urgency of the

incident or service request in question.

Escalation: Rules for escalations, including triggers (events that cause the escalation),

functional or hierarchical types and authority to invoke.

Resolution: Detailed definition of the activities to be carried out to resolve the incident or

service request, including access to necessary information (configuration

management database, known errors database, service catalog and other

relevant documents and records).

Closure: Definition of the actions required to close an incident or service request record upon the user's confirmation that the incident has been resolved or the service request fulfilled.

Throughout the whole process, appropriate communication channels with customers and users should be established in order to inform them of the status of their requests or incidents.


6.1.3 Major incident procedure

The incident and service request management process should include a documented procedure

specifically for the handling of major incidents. A major incident generally has a higher impact, and special attention is required to resolve it. The major incident procedure should define:

- What constitutes a major incident

- Who has the authority to declare a major incident and how it will be declared

- Who should coordinate and control activities and who should be involved

- How resolution efforts will be conducted

- What communications should be provided during and following major incidents

- The format, timing and participants required for a major incident review following resolution

- The interfaces with the service continuity and availability management process, in the event that service continuity invocation is required

6.2 Problem Management

Objective: to identify the unknown, underlying root causes of incidents and propose permanent resolutions through the change management process, as well as to proactively prevent incidents from occurring through trend analysis and recommendations of preventative actions.

6.2.1 Terms and Definitions

Term: Definition

Problem: Root cause (origin) of one or more incidents. The cause is not usually known at the time a problem record is created, and the problem management process is responsible for further investigation.

Workaround: Temporary action carried out for reducing or eliminating the impact of an incident or problem for which a full resolution is not yet available.

Known Error: Problem that has an identified root cause or a workaround available.

6.2.2 Activities

The problem management process should include procedures for the activities listed below:

Identification: There should be a procedure for identifying how a problem arises:

a) Detection of an unknown root cause of one or more incidents

b) The analysis of one or more incidents revealing an underlying

problem

c) A notification from a supplier or an internal group of a problem with a

component of the service

Recording: Relevant details of the problem, including the date and time, and a cross-reference to the incident(s) that initiated the problem record, should be recorded.

Classification and Priority:

Problems are categorized making use of the same classification criteria that

are used in the incident and service request management process. Each

problem is given a priority for resolution according to its urgency and the

impact of related incidents. Based on this information, time and resources for

investigating the problem are allocated.

Investigation and Diagnosis:

At this point, the necessary steps are taken in order to investigate and diagnose the root cause and identify a resolution. While the resolution is being achieved, the Problem Management process supports Incident and Service Request Management by identifying workarounds. Problem diagnosis is complete when the root cause is identified and a method of resolving the problem is identified.

Tracking: Progress through the problem management process is tracked, including details of the persons responsible for progressing the problem and a record of all resources used and actions taken.

Escalation: Setting rules for escalation, defining authorities, responsibilities and escalation

points.

Documenting Known Errors:

When the root cause and a proposed method of resolving the problem are

identified, a known error is recorded in the known error database, together

with details of any temporary fix. This record is not closed until after the

permanent solution has been successfully implemented via the change

management process. Known errors are reported to the Incident and Service

Request Management process so they can make use of the information about

them.

Problem record closure:

Once the problem has been mitigated or eliminated by appropriate resolution,

the problem record is closed.

After every major problem a review should be conducted to examine what was done correctly, what

was done wrong, what can be improved in the future and how to prevent similar situations.


6.2.3 Comparison between Incident Management and Problem Management

As we have seen in previous sections, both processes are closely related but should be kept separate because of their characteristics:

Incident Management: The objective is to restore the service as soon as possible, with minimal impact ("it has to be solved").
Problem Management: The objective is to minimize or avoid the impact of incidents and problems ("it should not happen again").

Incident Management: Short resolution times.
Problem Management: Longer resolution times.

Incident Management: Process very visible to the rest of the organization.
Problem Management: The organization does not always perceive the results and the importance of this process, but their absence would cause an increase in incidents.

Exam Preparation: chapter 6

To help prepare for the exam, we have included multiple choice and conceptual questions (the

answer key can be found at the end of this workbook). Additionally you are provided with an

overview of terms with which you should be familiar.

Sample Questions

1. When a service outage or other failure is reported, in what order will the processes be

executed?

A. Configuration Management, Incident Management, Change Management, Release

Management

B. Incident Management, Change Management, Problem Management, Release Management

C. Incident Management, Problem Management, Change Management, Release Management

D. Problem Management, Configuration Management, Release Management, Change

Management

2. Which process ensures that an interruption in the provision of services is diagnosed as

quickly as possible?

A. Change Management

B. Incident and Service Request Management

C. Problem Management

D. Service Level Management (SLM)

3. What is the intent of Incident and Service Request Management?

A. To communicate with customers as to future service disruptions

B. To match new incidents to known errors

C. To restore services as quickly as possible

D. To track problems into the known error database (KEDB)


Conceptual Questions:

1. What is priority and which parameters is it based on?

2. List three elements that should be taken into account in a major incident procedure.

3. What is a workaround?

Exam Terms

Incident, service request, priority, urgency, impact, escalation, major incident, problem, known error,

workaround, major problem.


The control processes and their relationships: Exam specifications (20%)

After reading Chapter 7, you will be familiar with the processes responsible for controlling the

changes that occur in the processes and elements involved in the management of services. This

will allow you to reach the following objectives:

7.1 Understand control processes and their relationships

You will be able to:

7.1.1 Describe the objectives and quality requirements

7.1.2 Describe the activities and practical application for each process


7 The control processes and their relationships

This chapter deals with Section 9 of ISO/IEC 20000:2011.

The three processes that will be studied in this section are Change Management, Configuration Management and Release and Deployment Management. They all work in coordination, allowing the control of the activities carried out in the SMS.

7.1 Configuration Management

Objective: identification, control, recording, tracking, reporting and verification of configuration items and the management of CI information in the Configuration Management Database.

Configuration Management establishes and maintains the integrity of information about services, service components and CIs across the service lifecycle. The configuration management process should also identify, manage and verify the information about relationships between CIs, as well as the relationships between CIs and the services they support.

According to the standard ISO/IEC 20000:2011, the scope of the configuration management process should exclude financial asset management but include an interface to the financial asset management process.

7.1.1 Terms and Definitions

Term | Definition
CI | CI stands for Configuration Item. A CI is an element that needs to be controlled in order to deliver a service or services.
CMDB | CMDB stands for Configuration Management Database. The CMDB is a data store used to record attributes of configuration items, and the relationships between configuration items, throughout their lifecycle.
Configuration baseline | Configuration information formally designated at a specific time (“photo”) during a service or service component's life. The configuration baselines, along with their approved changes, represent the current configuration information.

Figure 7.1: Control Processes (Source: ITeratum)

7.1.2 Concepts

Configuration management should document the definition of each type of CI and identify each CI according to the configuration management policy and procedures. Configuration information is recorded in a CMDB that includes data on configuration items, versions, relationships, baselines and releases. The information for each CI should include:

Identifier

Description

Status

Location

Relationships and associated records (RFCs, incident, problem and known error records)

Configuration information should be maintained by approved individuals and made available only to approved interested parties.

7.1.3 Types of CIs

There are several elements that can be considered CIs. CI types should include:

Services as listed in the catalogue of services and their related information and documents (SLAs, agreements, contracts, service requirements, specifications of service design)

Service components, including hardware, software and licenses, tools, applications, documentation, supporting services

All the releases of services, systems and software configuration baselines

Master copies of CIs stored in physical and/or electronic libraries and in the CMDB

Information security assets

SMS documentation (policies, process documentation, procedures, plans)

7.1.4 Maintenance of CIs

No CI should be added, modified, replaced or removed/withdrawn without appropriate controlling documentation (e.g. an approved request for change). The evolving status of CIs through their lifecycle should be documented as a baseline triggered at designated times or under defined circumstances.

To protect the integrity of systems, services and the infrastructure, records of CIs and the CMDB should be held in a suitable and secure environment. There should also be a means for disaster recovery of the CMDB.

Configuration audit activities should be performed both at planned intervals and in response to specific events. Adequate procedures and resources should be in place to:

Verify that the service provider is in control of the information about all CIs and their relationships within the scope of the process

Verify that the service provider is in control of information about the location and quantity of software licenses

Provide confidence that configuration information is accurate, controlled and visible to approved personnel

Identify the cause of any discrepancies between the actual and expected configuration information and resolve them in coordination with the change management process

Ensure that a configuration baseline is taken at regular intervals and at least prior to the deployment of a release into the live environment

Ensure confidentiality and accessibility of the information in the CMDB
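
The audit described above compares actual against expected configuration, where expected is the baseline plus its approved changes. The following Python sketch of that reconciliation is an added example, not part of the workbook or of ISO/IEC 20000; the CI and RFC field names, the finding labels and the sample records are constructed for illustration.

```python
"""Configuration audit sketch: expected state = baseline + approved changes."""
from dataclasses import dataclass, fields, replace


@dataclass
class CI:                      # hypothetical record layout for a configuration item
    ci_id: str                 # identifier
    description: str
    status: str
    location: str
    version: str
    related: tuple = ()        # identifiers of related CIs


@dataclass
class RFC:                     # hypothetical record layout for a request for change
    rfc_id: str
    ci_id: str
    action: str                # "add", "modify" or "remove"
    approved: bool
    attrs: dict                # attributes the change sets; empty for "remove"


def expected_configuration(baseline, rfcs):
    """Apply approved RFCs, in order, to the baseline snapshot."""
    expected = {ci.ci_id: ci for ci in baseline}
    applied = {}               # ci_id -> approved RFC ids that touched it
    for rfc in rfcs:
        if not rfc.approved:
            continue
        if rfc.action == "remove":
            expected.pop(rfc.ci_id, None)
        elif rfc.action == "add":
            expected[rfc.ci_id] = CI(ci_id=rfc.ci_id, **rfc.attrs)
        elif rfc.action == "modify" and rfc.ci_id in expected:
            expected[rfc.ci_id] = replace(expected[rfc.ci_id], **rfc.attrs)
        else:
            raise ValueError(f"{rfc.rfc_id}: cannot {rfc.action!r} {rfc.ci_id}")
        applied.setdefault(rfc.ci_id, []).append(rfc.rfc_id)
    return expected, applied


def _matches(rfc, act):
    """True when the live state already looks like the RFC's target state."""
    if rfc.action == "remove":
        return act is None
    return (act is not None and bool(rfc.attrs)
            and all(getattr(act, k) == v for k, v in rfc.attrs.items()))


def audit(baseline, rfcs, discovered):
    """Return one finding per CI whose discovered state differs from expected."""
    base = {ci.ci_id: ci for ci in baseline}
    expected, applied = expected_configuration(baseline, rfcs)
    actual = {ci.ci_id: ci for ci in discovered}
    findings = []
    for ci_id in sorted(expected.keys() | actual.keys()):
        exp, act = expected.get(ci_id), actual.get(ci_id)
        if exp == act:
            continue
        diff = []
        if exp is not None and act is not None:
            diff = [f.name for f in fields(CI)
                    if getattr(exp, f.name) != getattr(act, f.name)]
        # An unapproved RFC whose target matches the live state points to a
        # change that was implemented before it was approved.
        early = [r.rfc_id for r in rfcs
                 if not r.approved and r.ci_id == ci_id and _matches(r, act)]
        if early:
            kind, refs = "implemented-without-approval", early
        elif applied.get(ci_id) and act == base.get(ci_id):
            kind, refs = "approved-change-not-implemented", applied[ci_id]
        elif act is None:
            kind, refs = "missing-ci", []
        elif exp is None:
            kind, refs = "unrecorded-ci", []
        else:
            kind, refs = "undocumented-change", applied.get(ci_id, [])
        findings.append({"ci_id": ci_id, "kind": kind, "fields": diff, "rfcs": refs})
    return findings


# Constructed sample data: a baseline, the RFC log and a discovery scan.
BASELINE = [
    CI("SRV-001", "Web front end", "live", "DC1", "2.1"),
    CI("SRV-002", "Database server", "live", "DC1", "5.0"),
    CI("APP-010", "Payroll application", "live", "DC1", "3.4", ("SRV-001", "SRV-002")),
]
RFCS = [
    RFC("RFC-100", "SRV-001", "modify", True, {"version": "2.2"}),
    RFC("RFC-101", "SRV-002", "modify", False, {"location": "DC2"}),
    RFC("RFC-102", "SRV-003", "add", True,
        {"description": "Report server", "status": "live", "location": "DC1", "version": "1.0"}),
]
DISCOVERED = [
    replace(BASELINE[0], version="2.2"),     # matches approved RFC-100
    replace(BASELINE[1], location="DC2"),    # moved although RFC-101 is not approved
    replace(BASELINE[2], version="3.5"),     # upgraded with no RFC at all
    CI("SRV-099", "Unknown host", "live", "DC1", "0.9"),
]

if __name__ == "__main__":
    for finding in audit(BASELINE, RFCS, DISCOVERED):
        print(finding)
```

Each finding is input to the change management process: it is resolved by raising, approving or reversing a change, not by editing the CMDB to match what was found.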


7.2 Change Management

Objective: to manage changes through their lifecycle, ensuring all changes are assessed, approved, implemented and reviewed in a controlled manner.

The change management process provides a structured approach for the effective implementation of changes that minimizes risk and prevents incidents. To do this there must be procedures to record, classify, evaluate, approve, plan, develop, test and deploy the changes.

7.2.1 Terms and Definitions

Term | Definition
RFC | RFC stands for Request For Change. An RFC is a proposal for a change to be made to a service, service component or the service management system. A change to a service includes the provision of a new service or the removal of a service which is no longer required.
Change Schedule | A document that lists all authorized changes and their planned implementation dates.
Standard Change | A pre-authorized change that is low risk, relatively common and follows a procedure.
Emergency Change | A change that must be introduced as soon as possible, for example, to resolve a major incident.
Normal Change | A change that is not an emergency change or a standard change. Normal changes can be categorized as major, significant and minor, depending on the level of cost and risk involved. This categorization can be used to identify an appropriate change authority (role).


7.2.2 Change Management Policy

A change management policy should be established and documented that defines the CIs under the control of the change management process. The change management policy should define criteria for determining which changes should be managed through the change management process and which changes should be managed through the design and transition of new or changed services process. The criteria used to determine changes to be managed through the design and transition of new or changed services process should include changes for the removal of a service and changes for the transfer of a service from the service provider to another party. The other party can be the customer or a supplier.

7.2.3 Reviewing the RFC

Recorded RFCs should be analysed at planned intervals to identify increasing levels of changes, frequently recurring types, emerging trends and other relevant information. The results and conclusions drawn from the analysis of changes should be recorded and used to identify opportunities for improvement.

Once the change has been deployed and accepted, a Post-Implementation Review (PIR) is performed to verify that the change was successful and that there were no problems. In this case, the request for change should be closed. The request for change can also be closed when a decision not to carry out the change has been made. When the request for change has been closed, the result of the change should be reported to the initiator of the request for change and other interested parties.

7.2.4 Emergency Changes

For emergency changes there should be a defined process, and these changes should be differentiated from other changes, due to the increased risk and often increased cost of approving and implementing them. Emergency changes may be used to resolve emergency situations where there is insufficient time to adhere to normal change process procedures, time lines and approval authorities. Due to the urgency of implementing an emergency change, some details may be documented retrospectively and some testing may not be possible. Even in that case, there should be a plan to reverse or remedy the emergency change if it is unsuccessful.


7.3 Release and Deployment Management

Objective: to ensure that all releases are effectively deployed into the live environment so that the integrity of hardware, software and service components is maintained.

The service provider should co-ordinate release and deployment activities with the customers, users and interested parties. In many cases releases should be coordinated with business change projects and with business change management.

The release and deployment management process should plan and manage individual releases for new or changed services in coordination with both the design and transition of new or changed services process and the change management process.

7.3.1 Terms and Definitions

Term | Definition
Release | Collection of one or more new or changed configuration items which are tested and then deployed jointly into the live environment as a result of one or more changes.
Release Policy | Policy governing the vision of the organization about release and deployment management.
Emergency release | Type of release carried out to implement emergency changes. The procedure for this type of release must be closely related to the process for emergency changes.
Acceptance Criteria | Conditions set to validate a release before being deployed into the live environment.


7.3.2 Release Policy

The service provider, together with the customer and interested parties, should develop and agree on a release policy to help specify the frequency of releases and approach for each type of release.

A release policy can typically include:

Definition of each type of release (emergency, major, significant, minor)

The frequency of each type of release

Definition of key roles and responsibilities

Authority levels for release acceptance and deployment approvals

Rules on verification and acceptance of releases

Build and packaging of releases

Release and deployment approach for each type of release including automated deployment methods and tools where applicable

A predefined and consistent testing approach

7.3.3 Release and Deployment planning

The release and deployment planning should be developed with the customer and interested parties. Project management methods and techniques should be used to support release and deployment planning. These plans should always ensure that all changes are coordinated with the change management process and should include an assessment of the impact of the release, associated risks and the identification of any mitigation measures that would be employed to minimize any unacceptable risks. Release and deployment plans should include the following components:

Scope and content of the release

Services and service components to transfer, decommission or retire including licences

Timetable for the deployment of the release with dates determined in consultation with the customer for each nominated site

Roles and responsibilities for planning, coordinating, building, testing, deploying and reviewing the release

Procedures and methods that ensure the integrity of software, hardware and other service components during deployment

Test plans, including acceptance criteria

The criteria that the release and deployment should be verified against, along with any appropriate criteria to be used for reversing or remediation of failed releases


7.3.4 Deployment activities and procedures

Deployment activities and procedures should include the following:

Distributing and delivering the CIs at the correct location and time

Verifying that the services and service components have been tested according to the acceptance tests

Updating records for the new release and any CIs or services removed during the changeover

Recording any incidents, problems, known errors, unexpected events or deviations from the plans

Implementing corrective actions during the deployment

Reversing or taking remedial action to correct an unsuccessful release


Exam Preparation: chapter 7

To help prepare for the exam, we have included multiple choice and conceptual questions (the answer key can be found at the end of this workbook). Additionally you are provided with an overview of terms with which you should be familiar.

Sample questions

1. What is the recommendation with regard to the implementation of an emergency Change?

A. Only the senior manager should authorize emergency changes.

B. The Change process should be completely bypassed.

C. There is a separate process for emergency changes.

D. Where possible the change process should be followed.

2. Which question cannot be answered directly from the configuration management database (CMDB)?

A. What incidents or problems are related to this workstation?

B. Which Configuration Items (CIs) does a specific service consist of?

C. Which members of staff of department X have moved to department Y?

D. Which Requests for Change (RFCs) have been submitted for a specific server?

3. Which aspects of a Request for change (RFC) shall be assessed?

A. Business benefits, risk and impact

B. Risk, emergency level and classification

C. Risk, impact and effect on the incident management process

D. Risk, scope and impact on supplier relationships


4. Targets for resolution should be based on priority. When scheduling an authorized change which will eliminate a known error, what should not be taken into account?

A. The available skills

B. The competing requirements for resources

C. The effort/cost to provide the method of resolution

D. The number of previously reported Incidents for the particular Configuration Item (CI)

5. Which process is responsible for recording the logical and physical relationships between the various components of the IT infrastructure?

A. Availability management

B. Configuration management

C. Release management

D. Incident management

6. When implementing a new version of an application both Change management and Release management are involved. What is the responsibility of the Change management process here?

A. Change management has the implementation and installation task in this phase.

B. Change management plays a coordinating role in this phase.

C. Change management must check whether the new application functions properly.

D. Change Management draws up the Request for change (RFC) in this phase.

7. New or changed services need to be accepted before being implemented into the live environment. What shall be done after a new or changed service has been implemented?

A. A Post implementation review (PIR) is held comparing actual outcomes against those planned.

B. An approach needs to be defined for interfacing to projects that are creating or modifying services.

C. Nothing additional. The new or changed service goes into Business As Usual and will be managed as a normal service.

D. The manner in which the Change shall be reversed or remedied, if unsuccessful, needs to be defined.


8. What does a Release consist of?

A. A collection of one or more new or changed Configuration items (CIs) deployed into the live environment

B. A change that consists of both hardware and software

C. A change of several CIs that are merged due to their size

D. A change of several CIs that are merged due to their minor impact

9. One of the activities required for effective planning, coordination and evaluation of requested changes is assessing the impact and required resources. Which process or function is responsible for this activity?

A. Change management

B. Configuration management

C. Release management

D. Service desk

10. In Change management, a number of activities take place between the acceptance of a Request for Change (RFC) and the completion of the Change. Which activity is performed first after acceptance of an RFC?

A. Building and testing the Change

B. Determining the urgency of the Change

C. Implementing the Change

D. Scheduling the Change

11. What must be included in the Release and Deployment Management procedures according to ISO/IEC 20000?

A. The authorization and implementation of Emergency changes

B. The investigation and prevention of Information security incidents

C. The recording of all reported Incidents

D. Procedures to reverse an unsuccessful deployment


Conceptual questions:

1. What is a CI?

2. Describe three types of CI

3. What is a Standard Change?

4. Give an example of a change that should be managed through the design and transition of new or changed services process.

5. What is the objective of Release and Deployment Management?

6. What are the acceptance criteria within Release and Deployment Management?

7. The procedure for emergency releases must be closely related to a procedure of another process. Which one?

Exam Terms

CI, CMDB, configuration baseline, RFC, schedule of change, normal change, emergency change, standard change, release, release types, emergency release, acceptance criteria.


8 List of Basic Concepts

This chapter contains the terms with which candidates should be familiar. Terms are listed in alphabetical order. For concepts whose abbreviation and full name are included in the list, both can be examined separately. Please note that knowledge of these terms alone does not suffice for the exam; the candidate must understand the concepts and be able to provide examples.

Accountability

Accounting

Alignment

Analysis

Applicability

Assessment

Asset (management)

Attribute

Audit

Availability (management)

Awareness

Best practice

Budgeting

Business continuity (management/plan)

Business Impact Analysis

Business requirements

Capability

Capacity (management)

Certification

Change (management)

Classification

CMMI®

CobiT®

Complaints definition/process

Compliance

Component

Confidentiality

Configuration Baseline

Configuration Item (CI)

Configuration (management)

Configuration Management Database (CMDB)


Continual service improvement

Contract (management)

Contractual dispute

Contractual obligation

Control

Corporate policies and principles

Corrective action

Critical Success Factor (CSF)

Customer

Customer focus

Customer satisfaction (management)

Demand management

Deming Cycle

Disaster (recovery)

Distribution

Downtime

Effectiveness

Efficiency

Emergency change

Escalation (Functional)

Evaluation

Evidence

External audit

Forward Schedule of Change

Framework

Function

Governance

Impact

Incident (management)

Information security management

Input

Integrated processes

Integrity

Interface

Internal audit

ISO 9000

ISO/IEC 27001

ISO/IEC 20000

IT Service (Management)

ITIL® (IT Infrastructure Library)

Key performance indicator (KPI)

Knowledge base

Known error

Lead supplier

Major incident

Master copy

Maturity model


Measurable

Metric

Modeling

Monitor(ing)

Mutually beneficial supplier relationship

Non-availability

Non-compliance/non-conformance

Objectivity

Operational level agreement (OLA)

Output

Performance (Management)

Plan

Plan-Do-Check-Act (PDCA) methodology

Policy

Priority

Proactive identification

Problem (management)

Problem resolution

Problem review

Procedure

Process

Process owner

Process manager

Process-based quality management system

Quality (Assurance)

Quality management system

Quality objective

Quality policy

Quality standard

RACI (Responsible, Accountable, Consulted, Informed)

Record

Recovery (plan)

Relationship

Release (management)

Reliability

Remedial action

Request for change (RFC)

Requirement

Resource capacity (management)

Resource schedule

Responsibility

Restoring


Review

Risk

Role

Roll-out (planning)

Scoping

Security (management)

Security control

Security risk assessment

Service (management)

Service catalogue

Service continuity and availability management

Service continuity strategy

Service desk

Service level (management)

Service Level Agreement (SLA)

Service Level Requirements (SLR)

Service management policy/plan

Service provider

Service recovery

Service report

Service request

Six Sigma

Stakeholder

Subcontracted supplier

Supplier contract

Supplier (management)

Survey

Target

Tools

Traceability

Track

Throughput

Tuning

Underpinning contract

Urgency

User

Workaround

Workflow

Workload limit


Organizations

Throughout this book there have been references to different organizations. Following are a number of links to their corporate websites:

Organization | Link / description
International Organization for Standardization (ISO): ISO (International Organization for Standardization) is the world’s largest developer of voluntary International Standards. | http://www.iso.org ISO is an independent, non-governmental organization made up of members from the national standards bodies of 163 countries. ISO has a Central Secretariat in Geneva, Switzerland, that coordinates the system. ISO develops International Standards. ISO was founded in 1947, and since then has published more than 19 500 International Standards covering almost all aspects of technology and business.
International Electrotechnical Commission (IEC): The International Electrotechnical Commission (IEC) is the world’s leading organization that prepares and publishes International Standards for all electrical, electronic and related technologies. | http://www.iec.ch IEC is a not-for-profit, non-governmental organization, founded in 1906, whose Central Office is in Geneva, Switzerland. IEC is made up of national committees from 82 countries. IEC provides a platform to companies, industries and governments for meeting, discussing and developing the International Standards they require.
Information Systems Audit and Control Association (ISACA): ISACA provides practical guidance, benchmarks and other effective tools for all enterprises that use information systems. | http://www.isaca.org As an independent, nonprofit, global association, ISACA engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. ISACA is widely recognized for its certifications and frameworks, including COBIT®, Val IT and Risk IT.
AXELOS: AXELOS Limited are the current owner of ITIL®. | http://www.axelos.com/officialsite.asp http://www.itil-officialsite.com/ AXELOS are a new joint venture company, created in 2013 by the Cabinet Office on behalf of Her Majesty's Government (HMG) in the United Kingdom and Capita plc to run the Best Management Practice portfolio, including the ITIL® and PRINCE2® professional standards.
Software Engineering Institute (SEI): The Carnegie Mellon Software Engineering Institute (SEI) works closely with defense and government organizations, industry, and academia to continually improve software-intensive systems. | http://www.sei.cmu.edu Founded in 1984, SEI is funded with federal funds from the U.S. government for research and development and is based at Carnegie Mellon University. One of its most popular products is CMMI®, the Capability Maturity Model Integration.


Answers

Chapter 1 Sample Questions:

1. What is Six Sigma®?

A. It is a quality instrument to measure defects in process outputs.

B. It is a six step maturity model to improve the capability of business processes.

C. It is a standard that was developed for improvement of IT processes.

D. It is a structured, statistically based approach to process improvement.

A. Incorrect. It is not only a quality instrument, it encompasses an improvement methodology.

B. Incorrect. It is not a maturity model.

C. Incorrect. It was developed for general business processes.

D. Correct. Six Sigma® provides businesses with the tools to measure statistically and to improve the capability of their business processes.

2. A service provider can integrate their Service Management System with a quality management system or an Information Security Management System to provide the highest level of service to the customer. Which standard supports the Quality Management System?

A. ISO 9001

B. ISO/IEC 27001

C. COBIT®

D. ITIL®

A. Correct.

B. Incorrect. This standard covers the Information Security Management System.

C. Incorrect. COBIT® covers the IT Governance framework.

D. Incorrect. ITIL® covers the service lifecycle framework for Service management.


3. What is the focus of the Deming Cycle?

A. Continual improvement

B. Customer orientation

C. Designing new services

D. Cost calculation

A. Correct. Continual improvement is the focus of the Deming Cycle.

B. Incorrect. The focus of the Deming Cycle is continual improvement and not specifically customer orientation.

C. Incorrect. The Deming Cycle can be used during the design phase, but the focus is on continual improvement during all phases.

D. Incorrect. The focus of the Deming Cycle is not cost calculation, but continual improvement.

4. The Plan-Do-Check-Act (PDCA) methodology can be applied to all processes. What does the Act phase of this methodology cover?

A. Establishing the objectives and processes necessary to deliver results in accordance with Customer requirements and the organization's policies

B. Implementation of the processes

C. Monitoring and measuring the services rendered and the Service management system (SMS)

D. Taking the necessary actions to continually improve

A. Incorrect. This action is taken during the Plan phase of the methodology.

B. Incorrect. This action is taken during the Do phase of the methodology.

C. Incorrect. These are the actions taken during the Check phase.

D. Correct. This action is taken during the Act phase of the methodology.


5. Why is it important that reviews are conducted regularly during the Check phase of the Plan-Do-Check-Act (PDCA) methodology?

A. To be able to allocate roles and responsibilities

B. To be able to define the objectives and requirements that are to be achieved by Service management

C. To be able to establish the Service management policy, objectives and plans

D. To determine whether the Service management requirements are effectively implemented and maintained

A. Incorrect. This is part of implementing the Service Management Plan.

B. Incorrect. This is part of the Service Management Plan.

C. Incorrect. This is a part of top management responsibility.

D. Correct. This is part of the methodology in the Check phase.

6. What would be a good reason for organizations to adopt ISO/IEC 20000?

A. To confirm that all of the ITIL® guidelines have been implemented

B. To demonstrate alignment to customer requirements

C. To certify their services

D. To certify their products

A. Incorrect. ITIL® offers an extensive set of guidance while ISO/IEC 20000-1 provides requirements.

B. Correct. This is referenced within the scope of the standard.

C. Incorrect. It is the Service Management System that gets certified, not the services.

D. Incorrect. It is the Service Management System that gets certified, not the products.

7. A process is a set of interacting activities which transforms inputs into outputs. What is the Process owner responsible for?

A. Describing the process

B. Operating the process

C. Providing process reports

D. Setting up the process

A. Correct. The process owner has the authority and responsibility for ensuring that the process, its interfaces to other processes and integration within the SMS are documented, adhered to, measured and improved.

B. Incorrect. Operating the process is the responsibility of the process manager.

C. Incorrect. Process reporting is the responsibility of the process manager.

D. Incorrect. Setting up the process is the responsibility of the process manager under the guidance of the process owner.

Conceptual questions:

1. Which are the three key components of an IT service?

Information Systems

Support

Quality Specifications

2. According to the ISO 9001:2005 standard, what is a process?

A process is an activity or a group of activities that uses resources and that is managed in order to get the input elements transformed into outcomes.

3. What are CSFs and KPIs?

A CSF is something that must happen for a service, process or activity to be successful, while the KPIs are used to measure the achievement or not of each CSF. CSFs are qualitative while KPIs are quantitative elements.


4. Describe the main roles in a process according to the ISO/IEC 20000-2 standard.

Process Owner: responsible for describing the process and its results.

Process Manager: responsible for the operation of the process, the day-to-day control and management.

Process Personnel (teams or professionals): responsible for certain activities.

5. Which is the objective of the ISO/IEC 20000:2011 standard?

To ensure the provision of managed services according to an acceptable level of quality for customers negotiated with them.

6. What is the main difference between Part 1 and 2 of ISO/IEC 20000:2011?

Part 1 considers “what to do” in an SMS, while Part 2 considers “what should be done”. In other words, while Part 1 provides information about what is mandatory according to the standard, Part 2 provides recommendations to be followed.

7. What is COBIT®?

A worldwide accepted reference framework for the IT Governance based on the standards and best practices of the industry.

8. Which are the five steps in DMAIC methodology used in Six Sigma®? What is it based on?

Define, Measure, Analyze, Improve and Control. It is based on Deming’s PDCA cycle.


Chapter 2

Sample Questions:

1. IT Service Management needs to be planned to establish the objectives, processes and procedures necessary to deliver results in accordance with the customer requirements and the organization's policies. What should definitely be included in the Service Management Plan?

A. The appropriate tools to support the processes

B. The interfaces between business processes

C. The procedure for dealing with emergency releases

D. The service continuity procedures

A. Correct. The tools appropriate to the processes should be mentioned in the Service Management Plan.

B. Incorrect. The interfaces between the business processes should not be included in the Service Management Plan.

C. Incorrect. Procedures are part of the processes and do not have to be included in the Service Management Plan.

D. Incorrect. Procedures are part of processes and do not have to be included in the Service Management Plan.

2. Top management has to provide evidence of its commitment to planning, establishing,

implementing, operating and improving its Service Management System within the context of

the organization's business and customers' requirements. What is the best way that

management can make this visible?

A. By outsourcing Change management

B. By taking disciplinary action against underperforming employees

C. By taking part in the planning of new IT services

D. Through leadership and actions

A. Incorrect. Outsourcing Change Management is irrelevant.

B. Incorrect. This is not sufficient action to ensure that commitment from top management is

visible.

C. Incorrect. Taking part in the planning of new services is insufficient action to ensure that

commitment from top management is visible.

D. Correct. Top management can make their commitment visible by showing strong leadership and

taking firm actions, establishing and communicating the scope, policy and objectives for service

management and communicating the importance of fulfilling service requirements.

3. Why is it important for service providers to maintain documents and records?

A. To be able to uniquely identify and record all Configuration Items (CIs) in the Configuration

Management Database (CMDB)

B. To ensure effective planning, operation and control of the Service Management System

(SMS)

C. To ensure employees are aware of the relevance and importance of their work activities

D. To meet the requirements (evidence) to become ISO/IEC 20000 compliant

A. Incorrect. This is part of Configuration Management.

B. Correct. Services, documents and records are needed to ensure effective planning, operation

and control of the SMS.

C. Incorrect. This is part of competence, awareness and training.

D. Incorrect. Producing documents should never be a goal solely to become ISO/IEC 20000

compliant.

4. Why are processes and procedures required for a service management system?

A. To be able to define service management objectives in a structured manner

B. To ensure that service issues never arise

C. To provide consistency in the output from activities

D. To satisfy the needs of major suppliers

A. Incorrect. Processes and procedures should support the service management objectives.

B. Incorrect. Service issues are a part of day to day life; processes and procedures will help to

prevent and minimize their impact.

C. Correct. A predictable approach is required.

D. Incorrect. Touch points with suppliers are needed to demonstrate end to end quality control.

5. What should be recorded as a baseline prior to implementing a plan for service improvement?

A. Backlog of changes for the service

B. Number of staff involved

C. Service or component configurations

D. Time taken to operate the process

A. Incorrect. This may be one of the measures if backlog of changes is to be reduced but there

may be other details too.

B. Incorrect. This may be one of the measures if staff numbers are to be improved but there may

be other details too.

C. Correct. The standard recommends the current configuration of affected components be

captured before implementation so as to measure improvement as well as to create a fallback point.

D. Incorrect. This may be one of the measures if time taken is to be improved but there may be

other details too.

6. Personnel should be competent on the basis of appropriate education and experience. What is a

requirement relating to competence?

A. Appropriate records of education, training, skills and experience need to be maintained

B. At least two employees should be suitably trained for each role

C. Employees should have at least a relevant bachelor's degree

D. Personnel should all have a relevant Security training according to ISO/IEC 27002

A. Correct. This is a best practice according to the standard.

B. Incorrect. This is relevant to availability of resources, but it is not a best practice for competency.

C. Incorrect. A bachelor's degree is not a requirement; relevant training for the role is.

D. Incorrect. This is a specific training for Information security, but not a best practice for competency in

general.

Conceptual questions:

1. When ISO/IEC 20000 refers to "third parties", who are they?

It refers mainly to:

Internal Groups

Customers acting as suppliers

Suppliers

2. What is the difference between a document and a record?

Document refers to information and its supporting medium. Record is a document stating

results achieved or providing evidence of activities performed.

3. In Resource Management, what are the minimum resources to be considered according to the

ISO/IEC 20000 standard?

Human Resources

Technical Resources

Information

Financial Resources

4. What are the main responsibilities of a Process Owner?

The Process Owner is responsible for the design of the process, for ensuring adherence to

the process and for the measurement and improvement of the process.

5. List five elements to be taken into account when designing the Service Management Plan.

The service management objectives

Service requirements

Resources, facilities, budgets

Authority, responsibility and role definition

Tools for process support

6. What kind of audits should be performed in the Monitor and Review stage of the SMS?

Self-assessment, performed by its own department.

Internal audit, performed by an internal department within the organization.

Vendor audit, performed by a supplier.

External audit, performed by an independent, external and qualified organization.

Chapter 3

Conceptual questions:

1. In which cases is it especially appropriate to apply the Design and Transition of new or changed

services process?

This process should be applied to new or changed services that are either high risk or have a

potentially major impact on services or the customer, or wherever there are interfaces with

tasks or deliverables that fall outside the scope of SMS.

2. What approach should be used when planning a modification of an existing

service that is vital for the business?

Since it is a vital process for the business, Section 5 of the ISO/IEC 20000:2011 standard

applies. Regarding planning, it should be managed as a project due to the size, risks

and scope of the changes.

3. List three elements to be considered when designing new services.

Required inputs to and outputs from each activity

Planning, resource organization, team organization and responsibilities

The analysis of the possible risks

Chapter 4

Sample Questions:

1. How can an organization determine the effectiveness of the Service Level Management

(SLM) process?

A. By checking contracts with suppliers

B. By defining Service levels

C. By measuring customer satisfaction

D. By reporting on all incidents

A. Incorrect. Contracts with suppliers are part of the SLM process but you cannot determine the

effectiveness of the process by checking the contracts.

B. Incorrect. Defining Service levels is important to deliver IT services but they do not provide

information about the effectiveness of the SLM process.

C. Correct. Customer satisfaction is the most important aspect to determine the effectiveness

(ability to achieve desired results) of SLM process.

D. Incorrect. By reporting on all Incidents you can determine the effectiveness of Incident

Management but not the effectiveness of the SLM process.

2. Where are agreements regarding Service delivery and its relationship to Information security

management recorded?

A. In a Capacity Plan

B. In a Configuration Management Database (CMDB)

C. In a Definitive Software Library (DSL)

D. In a Service Level Agreement (SLA)

A. Incorrect. A Capacity Plan describes the (future) capacity needs.

B. Incorrect. Agreements are not recorded in the CMDB. In the CMDB all IT components,

Configuration Items (CIs) and their relationships are recorded.

C. Incorrect. The DSL only stores authorized software items.

D. Correct. Agreements with the customer are recorded in an SLA.

3. The Service catalogue for a network company states that LAN authorization requests will be

complete within three weeks. A manager who is a client of the network company does not

believe this is achievable and requests a report demonstrating achievement of the catalogue

statement. Which process is responsible for providing this report?

A. Availability Management

B. Change Management

C. Problem Management

D. Service Level Management (SLM)

A. Incorrect. Meeting customer's requests is the responsibility of SLM.

B. Incorrect. SLM is responsible for meeting customer's requirements and should issue this report.

C. Incorrect. SLM is the process responsible for meeting the customer's requirements and should

issue this report.

D. Correct. SLM is responsible for meeting the customer's requirements and for issuing related

reports. Note that Service Reporting would most likely produce the report based on a request from

SLM.

4. In Continuity management various precautionary measures are taken to ensure Services are

delivered during/after a catastrophe. An example would be having an emergency electrical

power supply. Which process could also initiate this kind of measure?

A. Availability Management

B. Capacity Management

C. Change Management

D. Incident Management

A. Correct. Availability Management can take certain measures to ensure service delivery under

abnormal conditions. One of them is to initiate an emergency electrical power supply.

B. Incorrect. Capacity Management is strategically responsible for the right capacity at the right

time, not for the availability of emergency electrical power.

C. Incorrect. Change Management is responsible for installing an emergency electrical power

supply as it is a change but Change Management is not responsible for initiating these measures.

D. Incorrect. Incident Management is responsible for solving incidents as soon as possible. Taking

precautionary measures is not a task of Incident Management.

5. What is the intent of the Service continuity and availability management processes?

A. To ensure agreed effective communication towards Customers

B. To ensure that agreed levels of service commitments to Customers can be met in all

circumstances

C. To ensure that agreed Service continuity and availability commitments to Customers can be

met within agreed targets

D. To ensure that agreed Service continuity and availability commitments to providers can be

met in all circumstances

A. Incorrect. Effective communication is not the intent of the process Service Continuity and

Availability Management. It is more relevant to Service Reporting.

B. Incorrect. Managing levels of service is the intent of the Service Level Management process.

C. Correct. This is the intent of the Service Continuity and Availability Management processes.

D. Incorrect. Service Continuity and Availability Management is a process between a supplier and

a Customer, not between a supplier and a provider.

6. What is the description of Integrity in the Information security management process?

A. Access to the data at any moment

B. Protection of the data

C. The capacity to verify the correctness of the data

D. The correctness of the data

A. Incorrect. The accessibility of data does not mean the data is correct in the sense meant by the

concept 'Integrity'.

B. Incorrect. The protection of the data is called 'Security'.

C. Incorrect. Not the capacity to verify the correctness of the data but the correctness itself is

called 'Integrity'.

D. Correct. The correctness of the data is called 'Integrity'.

7. Managing the availability of a service as part of an overall Service Management initiative is

important for efficient service delivery. What is the reason behind managing Service

Availability?

A. Most service providers have Service Level Agreements (SLAs) with their customers so

availability is guaranteed.

B. Outsourcing is now a more valid option for today's IT, so availability of a service is left to the

capability of the outsourcer.

C. Service management tools provide real-time performance information, thus managing

availability is debatable.

D. The business is more dependent on IT in order to meet corporate goals, thus achieving

expected availability is crucial.

A. Incorrect. Regardless of a formal or informal SLA, IT must deliver services to meet business

goals.

B. Incorrect. Even if services are outsourced, managing service availability is just as critical so as to

meet business needs.

C. Incorrect. Just because IT can collect more data doesn't mean it should be collected, nor is it

all valuable. Managing availability requires more than real-time data input.

D. Correct. The relationship between IT and the business is more critical than ever and in order for

the business to maintain its goals, Services must be delivered to meet agreed upon service levels.

8. A power failure has knocked out the entire IT infrastructure. Fortunately, a Service Continuity

Plan is available. At what point should the Service Continuity Plan be invoked?

A. Immediately, as the service can no longer be used.

B. When the failure will likely extend beyond the targets defined in the Service Level Agreement

(SLA).

C. When the Incident Manager thinks this is necessary.

D. When the time within which the failure should be solved has been exceeded.

A. Incorrect. The Service Continuity Plan will be invoked after a predefined time, not immediately

after the Incident takes place.

B. Correct. The Service Continuity Plan will be invoked if the targets as defined in the SLA cannot

be met.

C. Incorrect. The Service Continuity Plan will be invoked after a predefined time, not at the call of

the Incident Manager.

D. Incorrect. When the time to repair a failure exceeds the agreed maximum time this is not directly

a reason to invoke the Service Continuity Plan.

9. Where would an IT service for the customer be defined?

A. In the IT framework

B. In the Service Catalogue

C. In the Service Level Agreement (SLA)

D. In the Service Report

A. Incorrect. The IT framework provides a structure for service management but would not define

the service itself.

B. Incorrect. The Service Catalogue shows all the possible services a provider can offer.

C. Correct. The SLA would define the service for the customer.

D. Incorrect. The Service Report would provide details of service performance, not define the

service.

10. What process, other than Business relationship management, would review service

performance with the customer?

A. Availability Management

B. Service Reporting

C. Service Level Management

D. Budgeting and Accounting for Services

A. Incorrect. Availability Management will provide information for the review. Service Level

Management will review service performance (achievement of SLA targets) with the customer.

B. Incorrect. Service Reporting will create the service report that may be given to the customer.

Service Level Management will review service performance (achievement of SLA targets) with the

customer.

C. Correct. Service Level Management will review service performance (achievement of SLA

targets) with the customer.

D. Incorrect. Budgeting and Accounting for Services will provide service cost information for each

service, customer or location. This information will be presented to the customer typically by

Service Level Management. Service Level Management will review service performance

(achievement of SLA targets) with the customer.

Conceptual questions:

1. What is the difference between an SLA, an OLA and an underpinning contract with regard to the

parties that establish the agreement?

An SLA is an agreement between the customer and the service provider.

An OLA is an agreement between an internal group of the organization and the service

provider.

An underpinning contract exists between the service provider and an external supplier.

2. What is the objective of the Service Reporting process?

To ensure the production of agreed, timely, reliable, accurate reports to facilitate informed

decision making and effective communication.

3. What is availability?

The ability of a service or service component to perform its required function at an agreed

instant or over an agreed period of time. Availability is normally expressed as a ratio or

percentage of the time that the service or service component is actually available for use by

the customer to the agreed time that the service should be available.

4. What are the three key elements to take into consideration in the Budgeting and Accounting

for Services process?

Budgeting, Accounting and Charging, although the latter is not obligatory according to the

ISO/IEC 20000-1 standard.

5. List four characteristics to take into account in the Capacity Plan.

Current and forecast service usage, ideally including recommendations regarding

opportunities to influence the demand for capacity

The impact on capacity and performance of agreed requirements for availability, service

continuity and service targets

Potential impact of new technologies on capacity and performance

Potential impact on statutory, regulatory, contractual and organizational requirements

6. What is confidentiality within the Information Security Management process?

The security principle that requires that only authorized personnel have access to a particular

set of data.

7. What is the objective of the Information Security Management process?

To ensure that security controls are in place to protect information assets and that information

security requirements are incorporated into the design and transition of new or changed

services.

Chapter 5

Sample Questions:

1. What is a responsibility of the Service provider with regard to Supplier Management as defined in

ISO/IEC 20000-1?

A. To ensure that a process exists for the procurement of suppliers

B. To ensure that contracts with suppliers are aligned with SLAs of the business

C. To ensure that subcontracted suppliers meet contractual requirements in all circumstances

D. To ensure that supplier processes and procedures are defined

A. Incorrect. Selection and procurement are outside the scope of the standard.

B. Correct. A focus on end-to-end Service Management is essential.

C. Incorrect. This is the responsibility of the Lead Suppliers.

D. Incorrect. The Service provider does not define the supplier processes and procedures.

2. What document is directly supported by the supplier contract?

A. Service Level Agreement (SLA)

B. Operational Level Agreement (OLA)

C. Service Management Plan

D. Service cost model

A. Correct. All supplier contracts should support and align with the SLAs between the service provider

and customer.

B. Incorrect. Just as the supplier contract supports the SLA, so should the OLA.

C. Incorrect. The Service Management plan structures the planning and deployment of the service

management system, thus guiding the activities of the IT organization. It will not directly support a supplier

contract.

D. Incorrect. A service cost model would include the cost of supplier services. The contract directly

supports the SLA which will drive the cost model based on requirements.

3. The relationship processes describe the relationships with the business and with the

suppliers. What do the relationship processes ensure?

A. That business requirements and outcomes are the primary driver in managing the business

and supplier relationship.

B. That the business and suppliers are directly informed of major incidents.

C. That the service levels for all services are consistent in the supply chain.

D. That there is a frequent contact between the suppliers and the business to resolve issues.

A. Correct. The Relationship processes cover Supplier management and Business relationship

management, and together they should ensure that the business needs of the Customer are

understood and remain the driver for all actions.

B. Incorrect. Dealing with major incidents should include communication across all areas involved,

including top management as well as the customers affected. However, this is managed within the

Incident and Service Request Management process and is the responsibility of the designated

individual responsible for managing major incidents. It is therefore outside of the scope of the

relationship processes.

C. Incorrect. It is not necessary for the service levels to be consistent across all suppliers, and in

fact it is unlikely that this will be the case. It is however necessary that supplier service levels are

aligned with those of the business, so that the Service level agreements (SLAs) agreed with the

customer can be met.

D. Incorrect. The business should not have direct contact with the suppliers. The service provider

is responsible for managing the suppliers to ensure the quality of the services provided to the

business.

Conceptual questions:

1. List the activities of the Business Relationship Management process.

1) Identify Interested parties

2) Identify representatives

3) Definition of communication mechanisms

4) Reviews

5) Customer satisfaction survey

2. What is a "service complaint"?

A service complaint is a formal disagreement with the service delivered. To be a justified claim,

the disagreement should be related to what is agreed in the Service Level Agreement (SLA).

3. What is a “premature contract termination”?

A contract termination before the scheduled date. There may be many situations that could

cause a premature termination. Those causes, as well as actions to be taken, should be

agreed in the contract.

4. What is the objective of Supplier Management?

Managing suppliers to ensure the provision of seamless, quality services.

Chapter 6

Sample Questions:

1. When a service outage or other failure is reported, in what order will the processes be

executed?

A. Configuration Management, Incident Management, Change Management, Release

Management

B. Incident Management, Change Management, Problem Management, Release Management

C. Incident Management, Problem Management, Change Management, Release Management

D. Problem Management, Configuration Management, Release Management, Change

Management

A. Incorrect. The entry of a service failure will not begin with Configuration management, but will be

formally logged within the Incident management process.

B. Incorrect. Finding root cause via Problem management will typically occur prior to submitting a

Change.

C. Correct. This is the order of the processes.

D. Incorrect. Change management will assess and authorize any Change prior to the

implementation via Release management.

2. Which process ensures that an interruption in the provision of services is diagnosed as

quickly as possible?

A. Change Management

B. Incident and Service Request Management

C. Problem Management

D. Service Level Management (SLM)

A. Incorrect. Change Management will not diagnose a failure.

B. Correct. Incident and Service Request Management is responsible for restoring the interrupted

services as quickly as possible.

C. Incorrect. Problem Management is responsible for finding the cause of one or more incidents to

avoid future interruptions.

D. Incorrect. SLM does not diagnose or resolve incidents.

3. What is the intent of Incident and Service Request Management?

A. To communicate with customers as to future service disruptions

B. To match new incidents to known errors

C. To restore services as quickly as possible

D. To track problems into the known error database (KEDB)

A. Incorrect. Communication is an important activity performed by the Service Desk to support

Incident Management but is not its intent.

B. Incorrect. Incident matching is not the intent of Incident management. It is part of an Incident

Management activity.

C. Correct. This is the intent of Incident and Service Request Management.

D. Incorrect. This is a responsibility of Problem Management.

Conceptual questions:

1. What is priority and which parameters is it based on?

Priority is the relative importance of an incident, problem or change. It is based on impact

(effect of an incident, problem or change on business processes) and urgency (how long it will

be until an incident, problem or change has a significant impact on the business).

2. List three elements that should be taken into account in a major incident procedure.

What constitutes a major incident

Who has the authority to declare a major incident and how it will be declared

Who should coordinate and control activities and who should be involved

3. What is a workaround?

A temporary action carried out to reduce or eliminate the impact of an incident or problem

for which a full resolution is not yet available.

Chapter 7

Sample questions:

1. What is the recommendation with regard to the implementation of an emergency Change?

A. Only the senior manager should authorize emergency changes.

B. The Change process should be completely bypassed.

C. There is a separate process for emergency changes.

D. Where possible the change process should be followed.

A. Incorrect. The authorization of the emergency Change is part of the process and there is no

recommendation about who does this.

B. Incorrect. It is not recommended to bypass the whole process although some activities may be

bypassed and covered later.

C. Incorrect. There is a requirement for a separate policy for emergency Changes but not a

recommendation for a separate process.

D. Correct. It is recommended that the Change process should be followed where possible

although any activities bypassed should be undertaken as soon as possible.

2. Which question cannot be answered directly from the configuration management database

(CMDB)?

A. What incidents or problems are related to this workstation?

B. Which Configuration Items (CIs) does a specific service consist of?

C. Which members of staff of department X have moved to department Y?

D. Which Requests for Change (RFCs) have been submitted for a specific server?

A. Incorrect. Incidents and Problems are related to CIs and are registered in the CMDB.

B. Incorrect. Relationships between CIs are registered in the CMDB.

C. Correct. Personnel moves would be tracked by Human Resources and only current office

location information would be directly part of the CMDB.

D. Incorrect. An RFC is registered in the CMDB. When the Change is implemented the CMDB will

be updated.

3. Which aspects of a Request for change (RFC) shall be assessed?

A. Business benefits, risk and impact

B. Risk, emergency level and classification

C. Risk, impact and effect on the incident management process

D. Risk, scope and impact on supplier relationships

A. Correct. An RFC shall be assessed on risk, impact and benefits.

B. Incorrect. Emergency is a type of classification. Classification is not assessed, but assigned to a

RFC.

C. Incorrect. Effect on the Incident Management process shall not be assessed.

D. Incorrect. Impact on supplier relationships shall not be assessed.

4. Targets for resolution should be based on priority. When scheduling an authorized change

which will eliminate a known error, what should not be taken into account?

A. The available skills

B. The competing requirements for resources

C. The effort/cost to provide the method of resolution

D. The number of previously reported Incidents for the particular Configuration Item (CI)

A. Incorrect. This is a relevant aspect for scheduling Incident or Problem resolution.

B. Incorrect. This is a relevant aspect for scheduling Incident or Problem resolution.

C. Incorrect. This is a relevant aspect for scheduling Incident or Problem resolution.

D. Correct. This is not relevant when scheduling resolution. It is relevant when identifying

Problems.

5. Which process is responsible for recording the logical and physical relationships between the

various components of the IT infrastructure?

A. Availability management

B. Configuration management

C. Release management

D. Incident management

A. Incorrect. Configuration Management is responsible for recording the components of the

infrastructure and their relationships.

B. Correct. This is the primary intent of Configuration Management.

C. Incorrect. Release Management is not responsible for the recording of the components of the IT

infrastructure.

D. Incorrect. Incident Management is not responsible for the recording of the components of the IT

infrastructure.

6. When implementing a new version of an application both Change management and Release

management are involved. What is the responsibility of the Change management process

here?

A. Change management has the implementation and installation task in this phase.

B. Change management plays a coordinating role in this phase.

C. Change management must check whether the new application functions properly.

D. Change Management draws up the Request for change (RFC) in this phase.

A. Incorrect. This activity belongs to Release Management Process.

B. Correct. Change Management process plans, coordinates and approves all activities in this

phase.

C. Incorrect. This is a Release Management task.

D. Incorrect. An RFC would already be in place for an application to reach the implementation

stage.

7. New or changed services need to be accepted before being implemented into the live

environment. What shall be done after a new or changed service has been implemented?

A. A Post implementation review (PIR) is held comparing actual outcomes against those

planned.

B. An approach needs to be defined for interfacing to projects that are creating or modifying

services.

C. Nothing additional. The new or changed service goes into Business As Usual and will be

managed as a normal service.

D. The manner in which the Change shall be reversed or remedied, if unsuccessful, needs to be

defined.

A. Correct. This clause is part of the standard.

B. Incorrect. This is part of the Service Management Plan, and not relevant after new or changed

services have been implemented.

C. Incorrect. According to the standard a PIR is necessary. Doing nothing additional is not an

option.

D. Incorrect. This clause is part of Change management, and this should already be in place

or defined before implementing.

8. What does a Release consist of?

A. A collection of one or more new or changed Configuration items (CIs) deployed into the live

environment

B. A change that consists of both hardware and software

C. A change of several CIs that are merged due to their size

D. A change of several CIs that are merged due to their minor impact

A. Correct. A Release is a collection of one or more new or changed CIs deployed into the live

environment.

B. Incorrect. A Release can also consist of only software or hardware.

C. Incorrect. The size of the Release is not relevant.

D. Incorrect. The impact of the Release is not relevant.

9. One of the activities required for effective planning, coordination and evaluation of requested

changes is assessing the impact and required resources. Which process or function is

responsible for this activity?

A. Change management

B. Configuration management

C. Release management

D. Service desk

A. Correct.

B. Incorrect.

C. Incorrect.

D. Incorrect.

10. In Change management, a number of activities take place between the acceptance of a

Request for Change (RFC) and the completion of the Change. Which activity is performed

first after acceptance of an RFC?

A. Building and testing the Change

B. Determining the urgency of the Change

C. Implementing the Change

D. Scheduling the Change

A. Incorrect. Building and testing the Change will take place after classification has been done. Part

of classification is to determine the urgency.

B. Correct. The first step after the acceptance is to determine the urgency of the Change.

C. Incorrect. Implementing the Change will take place after building, testing and scheduling have

been done.

D. Incorrect. Scheduling the Change will take place after classification has been done. Part of

classification is to determine the urgency.

11. What must be included in the Release and Deployment Management procedures according

to ISO/IEC 20000?

A. The authorization and implementation of Emergency changes

B. The investigation and prevention of Information security incidents

C. The recording of all reported Incidents

D. Procedures to reverse an unsuccessful deployment

A. Incorrect. This is part of the Change management procedures.

B. Incorrect. This is part of the Information security management procedures.

C. Incorrect. This is part of the Incident management procedures.

D. Correct. According to the standard this is a requirement.

Conceptual questions:

1. What is a CI?

CI stands for Configuration Item. According to the standard ISO/IEC 20000:2011, a CI is an

element that needs to be controlled in order to deliver an IT service.

2. Describe three types of CI

Services as listed in the catalogue of services and their related information and documents (SLAs, agreements, contracts, service requirements, specifications of service design)

Service components, including hardware, software and licenses, tools, applications, documentation, supporting services

SMS documentation (policies, process documentation, procedures, plans)

3. What is a Standard Change?

A pre-authorized change that is low risk, relatively common and follows a procedure.

4. Give an example of a change that should be managed through the design and transition of

new or changed services process.

Changes for the removal of a service and changes for the transfer of a service from the

service provider to another party (the other party can be the customer or a supplier).

5. What is the objective of Release and Deployment Management?

To ensure that all releases are effectively deployed into the live environment so that the

integrity of hardware, software and service components is maintained.

6. What are the acceptance criteria within Release and Deployment Management?

Conditions set to validate a release before being deployed into the live environment.

7. The procedure for emergency releases must be closely related to a procedure of another

process. Which one?

The procedure for emergency releases must be closely related to the process for emergency

changes of the Change Management process.