iso/iec 20000 for auditors student handbook


Upload: itpreneurs

Post on 28-Mar-2016


STUDENT HANDBOOK

Copyright 2012, ITpreneurs Nederland B.V. All rights reserved. This product includes Kepner-Tregoe Methodologies and Intellectual Property owned by Kepner-Tregoe, which is used by permission of Kepner-Tregoe. All rights reserved.

Version 2.0.0

ISO/IEC 20000 for Auditor

ISO/IEC 20000


ISM2320CL Version 2.0.0

Copyright 2012 by ITpreneurs Nederland B.V. All rights reserved.

Nothing from this publication may be duplicated and/or published by means of printing, photocopy, microfilm, or electronic medium or in any other way and may not be stored in any way without preceding written permission of ConnectSphere Limited or ITpreneurs.

Contents

Course Agenda 1
Classroom Presentation 3
Test 1: Multiple Choice Questions 75
Assignment 1: Review of a Service Report 79
Assignment 2 85
Self-Assessment for Incident and Service Request Management 87
Definitions on the ISO/IEC 20000 Auditor Syllabus 95
Guidance from APMG 99
APMG Supplementary Reference Paper 105
Sample Paper 119
Release Notes 135
Feedback 137


Copyright 2012, ITpreneurs Nederland B.V. All rights reserved. 1

Course Agenda

ISO/IEC 20000 for Practitioners

Course Agenda

Day 1: Course introduction; Overview of ISO/IEC 20000
Break: Service management system (SMS) general requirements; Test 1
Lunch: Delivery and relationship processes
Break: Delivery and relationship processes (continued); Sample exam paper - 30 minutes; Close
Homework: Complete sample exam paper and Test 2; Review course material

Day 2: Review of day 1 and sample questions; Design and transition, control and resolution processes; Assignment 2; Achieving ISO/IEC 20000 certification
Lunch: Achieving ISO/IEC 20000 certification (continued); Review to prepare for exam
Break: Examination (15.30-16.30); Close

Classroom Presentation

Slide 2: Course Contents

Student handbook, exercises, sample exam, homework. Access to ISO/IEC 20000 Part 1, Part 2, and Part 3.

Slides:
1. Course introduction 3
2. Overview of ISO/IEC 20000 17
3. Service management system general requirements 37
4. Delivery and relationship processes 61
5. Design and transition, control and resolution processes 89
6. Achieving ISO/IEC 20000 certification 121
7. Summary and feedback 140

Instructor | ISO/IEC 20000 for Auditor | Classroom presentation

Module 1 Course Introduction

Slide 4: Notice

The information contained in this document is subject to change without notice. This document contains proprietary information that is protected by copyright. All rights reserved. No part of this document may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs. The ISO/IEC 20000 Auditor course includes Intellectual Property owned by Connect Sphere Limited, which is used by permission of Connect Sphere. All rights reserved. Information on international standards can be obtained from www.iso.org. COBIT is a trademark of the Information Systems Audit and Control Association and the IT Governance Institute. ITIL is a registered trademark of the Cabinet Office.

Slide 5: Course Arrangements

Timings, Breaks and refreshments, Mobile phones, Messages, Fire alarms, Toilets, Smoking.

Slide 6: Course Arrangements (Contd.)

Keep an open mind. It's not just about taking the exam; it's about understanding the principles and terminology of the approach.

Slide 7: ISO/IEC 20000 Auditor Course: Overview

Duration: 2-day (18-hour) learning time, of which 16 hours is direct contact.

Target Audience: Third-party auditors who will conduct audits to certify service providers against ISO/IEC 20000-1. Internal auditors who wish to understand the specific requirements of auditing IT service management systems for conformity with the ISO/IEC 20000-1 standard.

Purpose: To enable a candidate to demonstrate an understanding of ITSM generally. Through knowledge of the contents and requirements of the ISO/IEC 20000-1 standard covered, the candidate will be able to perform audits against the standard.

Prerequisites: A minimum of three years' experience conducting audits in an IT environment. The qualification assumes knowledge of auditing and auditing techniques and does not cover the generic principles of management system auditing.

Slide 8: ISO/IEC 20000 Auditor Course: Learning Objectives

By the end of this module, you should be able to explain the:
- Principles of ITSM and requirements of the ISO/IEC 20000-1 standard.
- Use of a typical IT service provider organization and main elements of the certification process.
- Scope and purpose of Parts 1, 2, and 3 of ISO/IEC 20000 and how these can be used during auditing and certification.
- Key terms and definitions.
- ITSM general principles.
- Structure, processes, objectives, and high-level requirements of ISO/IEC 20000-1.
- Issues regarding applicability and scope definition.
- Purpose of internal and external audits, their operation, and the associated terminology.
- Operation of the APMG Certification Scheme.
- Relationship with best practices, ITIL, and related standards, ISO 9001 and ISO/IEC 27001.
- Assessments for ISO/IEC 20000 certification readiness.
- Audit requirements by identifying the conformity and improvements against ISO/IEC 20000-1.

Slide 9: ISO/IEC 20000 Auditor Course: Agenda

Day 1: Introduction; Overview of ISO/IEC 20000; SMS general requirements; Service delivery and relationship processes; Homework: Mock exam.

Day 2: Review homework; Design and transition, control and resolution processes; Achieving ISO/IEC 20000 certification; Course evaluation; Examination (15.30-16.30).

Slide 10: Introductions

Please tell us about your: Experience with IT service management; Experience in ISO/IEC 20000; Role in using ISO/IEC 20000; Expectation from the session.

Slide 11: APMG ISO/IEC 20000 Qualification Scheme

Foundation: It helps learners demonstrate a Foundation-level knowledge concerning ISO/IEC 20000 and its use in a typical IT service provider organization. It meets the entry prerequisites for the Practitioner course.

Auditor: It helps practising IT third-party auditors of any level who require an orientation in ITSM in general and in ISO/IEC 20000 SMS in particular. It supports the internal auditors working in an organization which is implementing or already has ISO/IEC 20000 certification.

Practitioner: It supports practitioners, managers, and consultants involved in an SMS implementation or on-going activities based on ISO/IEC 20000.

Slide 12: APMG ISO/IEC 20000 Qualification Scheme Assessment

The APMG ISO/IEC 20000 learning outcomes assessment model (Foundation, Practitioner, and Auditor qualifications):

1. Knowledge: Know facts, including terms and definitions, concepts, requirements, processes, key responsibilities, and use of documents outlined in the standard.
2. Comprehension: Understand the concepts, responsibilities, tools used, and the requirements, processes, and documents needed to conform to the standard.
3. Application: Be able to apply key ITSM concepts relating to achievement of the requirements of ISO/IEC 20000 for a given scenario.
4. Analysis: Be able to identify, analyze, and advise on the appropriate use of ITSM methods and techniques to achieve the requirements of ISO/IEC 20000 through assessment of situations outlined in typical scenarios.

The Auditor qualification examines learning outcomes at levels 1, 2, and 3.

Slide 13: ISO/IEC 20000 Auditor Certificate Qualification Examination

- It is a one-hour exam.
- The passing percentage is 65% (26 out of 40 marks).
- The exam is closed book, in multiple-choice format.
- Includes 40 questions, worth one mark each.
- Multiple choice questions with four options.
- Includes only one question per syllabus topic.
- Includes a maximum of four negative style questions. Example: Which statement does NOT define a requirement for a service report?
- Includes a maximum of four missing word style questions. Example: Identify the missing words in the following sentence. "The purpose of ISO/IEC 20000-1 is [?]."

Slide 14: Module 1: ISO/IEC 20000 Auditor Course Sample Question

Please select ONE answer option.

1. What is the definition of a service in ISO/IEC 20000-1?
a) A group of people and facilities with an arrangement of responsibilities, authorities, and relationships.
b) The action of helping or doing work for someone.
c) A means of delivering value for the customer by facilitating results the customer wants to achieve.
d) A means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific costs and risks.

Slide 15: What is Service Management?

Service management is a set of capabilities and processes that help:
- direct and control the service provider's activities and resources.
- design, transition, deliver, and improve the services to fulfill the service requirements.

A process is a set of interrelated or interacting activities, which transforms inputs into outputs.

Slide 16: Key Parties Involved in Service Management

[Diagram. Labels: Service provider - dependent on other parties; Supplier; Lead supplier; Subcontracted supplier; Internal group; Customer acting as supplier; Customer.]

Slide 17: Module 1 Exercise: Assessing Service Management

1. Select an organization that delivers IT services.
   a) Identify some symptoms of poor service management.
   b) Identify some characteristics of good service management.
2. Identify examples of evidence that you would look for in an assessment against ISO/IEC 20000 for a service provider.

Module 2: Overview of ISO/IEC 20000 Information Technology - Service Management Series

Slide 2: Overview of ISO/IEC 20000: Module 2 Objectives

You should know facts, terms, and concepts about the overview, scope, and schemes for achieving the ISO/IEC 20000 certification. You should specifically be able to recall:
- Key documents with the title and purpose in the ISO/IEC 20000 series.
- ISO/IEC 20000 schemes for certification and qualification.
- Sources of IT service management best practice and ITIL.
- Compatibility with related standards: ISO 9001 for quality management; ISO/IEC 27001 for information security management.
- Use of best practices, standards, and schemes.
- Key terms and definitions.
- Roles involved in ISO/IEC 20000.

Slide 3: Introduction to ISO/IEC 20000-1:2011 (Part 1)

ITSM Part 1: SMS requirements
- An international standard based on tried and tested industry practices for service management.
- Used by a broad base of organizations worldwide that apply the best practice principles in a variety of ways.
- Includes requirements for the design, transition, delivery, and improvement of services that fulfill service requirements and provide value for both the customer and the service provider.
- Co-ordinates integration and implementation of a service management system (SMS) and provides on-going control and opportunities for continual improvement, greater effectiveness, and efficiency.

Slide 4: Part 1 Introduction: Service Management System (SMS)

[Figure, based on Figure 1 of ISO/IEC 20000-1:2011: the service management system (including processes) within the PLAN, DO, CHECK, ACT cycle, delivering services.]

The SMS is a management system to direct and control the service management activities of the service provider.

It helps an organization in managing service management by applying an integrated process approach and continual improvement.

The service provider is responsible for continual improvement of the SMS. This is done by working with the customer and interested parties for improving the services using the Plan-Do-Check-Act (PDCA) methodology (also known as the Deming cycle).

Slide 5: ISO/IEC 20000-1:2011 (Part 1)

Information Technology - Service Management Part 1: SMS Requirements
- First edition of the SMS requirements was published in 2005 and was revised in April 2011.
- A management system standard that requires a service provider to establish and improve an SMS.
- Clauses include mandatory requirements, the "shalls", that can be read as: "must do", to describe something that is necessary or has to occur; "is required to", to express something definite about the requirements.
- Shall statements are audited for certification or conformance, and no deviation is permitted if the clause is within scope.
- The SMS requirements are framework-independent. They provide the basis for assessments and act as the auditing standard and model for certification.

Slide 6: ISO/IEC 20000-1:2011 Structure and Clause Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Service management system general requirements
  4.1 Management responsibility
  4.2 Governance of processes operated by other parties
  4.3 Documentation management
  4.5 Establish and improve the SMS
5 Design and transition of new or changed services
6 Service delivery processes
  6.1 Service level management
  6.2 Service reporting
  6.3 Service continuity and availability management
  6.4 Budgeting and accounting for services
  6.5 Capacity management
  6.6 Information security management
7 Relationship processes
  7.1 Business relationship management
  7.2 Supplier management
8 Resolution processes
  8.1 Incident and service request management
  8.2 Problem management
9 Control processes
  9.1 Configuration management
  9.2 Change management
  9.3 Release and deployment management
Bibliography

Slide 7: Part 1 Clause 1.1 (C1.1) Scope: General

An organization uses Part 1 when it wants to:
- Seek services from service providers with the assurance that their service requirements will be fulfilled.
- Have a consistent approach by all its service providers in its supply chain.

Service providers use Part 1 to demonstrate their capability to:
- Monitor, measure, and review their processes and services.
- Design, transition, deliver, and improve services that fulfill service requirements.
- Improve the design, transition, and delivery of services through the effective implementation and operation of an SMS.

An assessor or auditor uses Part 1 as the:
- Criteria for a conformity assessment of a service provider's SMS to the requirements in Part 1.

Slide 8: Part 1 Clause 1.2 (C1.2) Scope: Application

- All requirements are generic and applicable to all service providers. A service provider cannot exclude any requirements in Clauses 4 to 9.
- For Clause 4, a service provider needs to show evidence of fulfilling all of the requirements in this clause. It cannot rely on evidence from governance of processes operated by other parties for this clause.
- For Clauses 5 to 9, a service provider can demonstrate conformity by showing evidence of fulfilling all the requirements, or by showing evidence of fulfilling the majority of the requirements together with evidence of the governance of processes, or parts of processes, operated by other parties.

Slide 9: ISO/IEC 20000-2:2012 (Part 2)

Guidance on the application of an SMS
- First edition was published in 2005 as a Code of Practice and revised in early 2012.
- It is used by implementers, practitioners, assessors, and auditors.
- It gives guidance on the application of an SMS.
- It is different from Part 1: no "shalls". It uses "should", "can", or "may":
  - "should" is used to make recommendations; equivalent expressions are "it is recommended that" or "ought to".
  - "can" means "be able to", "there is a possibility of", or "it is possible to".
  - "may" is used to signify permission; equivalent expressions are "is permitted", "is allowed", "is permissible".

Slide 10: Information Technology: ISO/IEC 20000 Key Documents

Part 1, ISO/IEC 20000-1, Service management system requirements: It is mandatory to implement all of the requirements to achieve certification.

Part 2, ISO/IEC 20000-2, Guidance on the application of service management systems: Guidance and recommendations on how to meet the requirements of Part 1. Its use is optional.

Part 3, ISO/IEC 20000-3, Guidance on scope definition and applicability of ISO/IEC 20000 (Technical report): Guidance and commentary on scope definition and applicability of Part 1. Its use is optional for service providers. It is referred to in the APMG certification.

Part 4, ISO/IEC 20000-4, Service management process reference model (Technical report): Not on the syllabus.

Part 5, ISO/IEC 20000-5, Exemplar implementation plan (Technical report): Guidance on how to implement an SMS to fulfil the requirements of Part 1. Its use is optional.