ISO/IEC TR 20000-9:2015
Information technology — Service management — Part 9: Guidance on the application of ISO/IEC 20000-1 to cloud services
ISO/IEC TR 20000-9:2015 provides guidance on the use of ISO/IEC 20000‑1:2011 for service providers delivering cloud services. It is applicable to different categories of cloud service, such as those defined in ISO/IEC 17788/ITU-T Y.3500 and ISO/IEC 17789/ITU-T Y.3502, including, but not limited to, the following: a) infrastructure as a service (IaaS); b) platform as a service (PaaS); c) software as a service (SaaS). It is also applicable to public, private, community, and hybrid cloud deployment models. The applicability of ISO/IEC 20000‑1 is independent of the type of technology or service model used to deliver the services. All requirements in ISO/IEC 20000‑1 can be applicable to cloud service providers. The structure of ISO/IEC TR 20000-9:2015 does not follow the structure of ISO/IEC 20000‑1. The guidance is presented as a set of scenarios that can address many of the typical activities of a cloud service provider. The guidance in ISO/IEC TR 20000-9:2015 can also be useful for customers of cloud service providers. This part of ISO/IEC TR 20000-9:2015 can be used as guidance for a cloud service provider in designing, managing, or improving an SMS to support cloud services. ISO/IEC TR 20000-9:2015 does not add any requirements to those stated in ISO/IEC 20000‑1 and does not state explicitly how evidence can be provided to an assessor or auditor. The scope of ISO/IEC TR 20000-9:2015 excludes any specifications for products or tools.
Technologies de l'information — Gestion des services — Partie 9: Application de l'ISO/IEC 20000-1 au services de cloud
Standards Content (Sample)
TECHNICAL REPORT
ISO/IEC TR 20000-9
First edition
2015-02-15
Information technology — Service management — Part 9: Guidance on the application of ISO/IEC 20000-1 to cloud services
Technologies de l’information — Gestion des services — Partie 9: Application de l’ISO/IEC 20000-1 au services de cloud
Reference number: ISO/IEC TR 20000-9:2015(E)
© ISO/IEC 2015
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2015
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Applying ISO/IEC 20000-1 to cloud services
4.1 Delivering and managing cloud services
4.2 Scenarios
5 Scenarios
5.1 Identify the context for service management of cloud services
5.2 Establish strategy and plan for management of cloud services
5.3 Provide a catalogue of cloud services
5.4 Identify and manage service requirements for cloud services
5.5 Design and develop a new cloud service
5.6 Establish a service relationship with the cloud customer
5.7 Establish a cloud service agreement
5.8 Onboarding the customer
5.9 Deliver and operate the cloud services
5.10 Monitor and report cloud services
5.11 Manage resources for cloud services
5.12 Check and improve the SMS and cloud services
5.13 Terminate a cloud service contract
5.14 Transfer a cloud service
5.15 Remove a cloud service
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
Details of any patent rights identified during the development of the document will be in the Introduction
and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 40, IT Service
Management and IT Governance.
ISO/IEC 20000 consists of the following parts, under the general title Information technology —
Service management:
— Part 1: Service management system requirements
— Part 2: Guidance on the application of service management systems
— Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1
— Part 4: Process reference model [Technical Report]
— Part 5: Exemplar implementation plan for ISO/IEC 20000-1 [Technical Report]
— Part 9: Guidance on the application of ISO/IEC 20000-1 to cloud services [Technical Report]
— Part 10: Concepts and terminology [Technical Report]
The following parts are under preparation:
— Part 6: Requirements for bodies providing audit and certification of service management systems
— Part 11: Guidance on the relationship between ISO/IEC 20000-1:2011 and related service management
frameworks [Technical Report]
Introduction
ISO/IEC 20000 is the International Standard for service management. It is based on practical industry
experience and includes information to support identifying, planning, designing, changing, deploying,
operating, supporting, and improving services for the business and customers. ISO/IEC 20000-1 specifies
a service management system (SMS) as the means to achieve the integrated management of the service
management policies, objectives, plans, processes, process interfaces, documentation, and resources. A
key focus of the SMS is to fulfil the service requirements and to deliver value.
The implementation and coordinated integration of an SMS provides ongoing control, greater
effectiveness, efficiency and opportunities for continual improvement. It enables an organization to
work effectively with a shared vision.
The guidance in this part of ISO/IEC 20000 can be used by organizations that are involved in the provision
or management of services that include cloud services. It can also be of interest to organizations that
are faced with changes to their existing services and support arrangements as part of a move to cloud
computing. ISO/IEC 20000 can be used by service providers that offer dedicated or shared services to
internal and external customers.
Key benefits of adopting ISO/IEC 20000 for service providers that offer cloud services can include:
a) greater credibility with internal or external customers of the organization, through delivery of
reliable and cost effective services;
b) the opportunity to build a service management system that is based on a tried and proven best
practice approach;
c) ongoing control, greater effectiveness and efficiency as well as prioritized continual improvement
of services and processes;
d) improved communication within the cloud service provider organization, including a greater
understanding by service management and specialist technical personnel of each other’s viewpoints;
e) improved communication between the cloud service provider organization and cloud customers
and users.
Cloud services primarily focus on enabling access to shared resources, physical or virtual, that are
scalable with on-demand self-service provisioning and administration. The cloud services can be used
without the cloud customer having any knowledge of the location and other details of the infrastructure
supporting those services. These services and resources can include networks, servers and storage
systems and applications that can be rapidly provisioned and released with minimal management effort
or service provider interaction. Typical attributes of cloud environments include the ability to support
dynamic establishment and modification of services and capabilities in a multi-provider environment
and a focus on automation to reduce manual intervention.
The delivery and management of cloud services can require coordinated integration to ensure visibility
and control of all the elements that contribute to services, including technology, processes, people and
partners, or suppliers.
An SMS that conforms to the requirements specified in ISO/IEC 20000-1 can be a powerful tool for
service providers delivering cloud services to achieve high service quality, delivery of value, increased
agility, and reduced risk.
An SMS can be integrated with an information security management system based on ISO/IEC 27001, which
includes requirements for information security in more detail than those specified in ISO/IEC 20000-1.
Information technology — Service management —
Part 9:
Guidance on the application of ISO/IEC 20000-1 to cloud
services
1 Scope
This part of ISO/IEC 20000 provides guidance on the use of ISO/IEC 20000-1:2011 for service providers
delivering cloud services. It is applicable to different categories of cloud service, such as those defined in
ISO/IEC 17788/ITU-T Y.3500 and ISO/IEC 17789/ITU-T Y.3502, including, but not limited to, the following:
a) infrastructure as a service (IaaS);
b) platform as a service (PaaS);
c) software as a service (SaaS).
It is also applicable to public, private, community, and hybrid cloud deployment models.
The applicability of ISO/IEC 20000-1 is independent of the type of technology or service model used to
deliver the services. All requirements in ISO/IEC 20000-1 can be applicable to cloud service providers.
The structure of this part of ISO/IEC 20000 does not follow the structure of ISO/IEC 20000-1. The
guidance is presented as a set of scenarios that can address many of the typical activities of a cloud
service provider. The guidance in this part of ISO/IEC 20000 can also be useful for customers of cloud
service providers.
This part of ISO/IEC 20000 can be used as guidance for a cloud service provider in designing, managing,
or improving an SMS to support cloud services.
This part of ISO/IEC 20000 does not add any requirements to those stated in ISO/IEC 20000-1 and does
not state explicitly how evidence can be provided to an assessor or auditor. The scope of this part of
ISO/IEC 20000 excludes any specifications for products or tools.
NOTE Additional guidance on the application of ISO/IEC 20000-1 can be found in ISO/IEC 20000-2:2012.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 20000-1:2011, Information technology — Service management — Part 1: Service management
system requirements
ISO/IEC/TR 20000-10:2012, Information technology — Service management — Concepts and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions provided in ISO/IEC/TR 20000-10 apply.
4 Applying ISO/IEC 20000-1 to cloud services
4.1 Delivering and managing cloud services
A cloud service provider should define the services using terminology that customers and other interested
parties, such as suppliers, can understand. For cloud services this should take into account that many
cloud customers can have little knowledge or understanding of technology. Defining different cloud
services or providing a cloud service with several different options can help both service providers and
customers make the best decision about which services are best aligned to their service requirements.
Alignment between services delivered, service requirements, contractual obligations, business needs
and customer requirements can enable cloud service providers and their customers to establish and
maintain a successful relationship. Cloud service providers and cloud customers can share responsibility
for the relationship and each party should take the necessary actions to achieve the results desired by
the customer.
Unambiguous service definitions can reduce discrepancies between customer expectations and service
provider intention for the service. The service provider can find it easier to perform service management
activities with the knowledge that the customer understands what is being delivered.
By fulfilling the requirements specified in ISO/IEC 20000-1, the cloud service provider should be able to
deliver services in alignment with both service targets and customer expectations.
The cloud service provider wishing to demonstrate conformity to ISO/IEC 20000-1 should review its
applicability using the guidance provided in ISO/IEC 20000-3.
NOTE 1 Cloud service providers might find it helpful to refer to ISO/IEC 17788, which provides an overview of
cloud computing along with a set of terms and definitions.
NOTE 2 Cloud service providers might find it helpful to refer to ISO/IEC 17789, which specifies the cloud
computing reference architecture.
4.2 Scenarios
The scenarios in this part of ISO/IEC 20000 describe the service lifecycle utilizing terminology and
examples familiar to cloud service providers.
Each scenario includes references to the most relevant requirements specified by ISO/IEC 20000-1.
There can be additional considerations for each of the scenarios beyond those referenced. Each scenario
includes recommendations and examples of how the referenced clauses in ISO/IEC 20000-1 can be
applicable to cloud services.
All processes specified in ISO/IEC 20000-1 have been included in one or more of the scenarios described
in this part of ISO/IEC 20000.
5 Scenarios
5.1 Identify the context for service management of cloud services
S01 Identify the context for service management of cloud services
Description: A cloud service provider should understand the business and technical context for managing and delivering cloud services. A cloud service provider should ensure that its services, including cloud services, achieve business objectives and customer requirements while adhering to the service provider’s principles, rules, and necessary statutory requirements, regulatory requirements and contractual obligations.
Outcomes:
— The business and technical environment and context for cloud service delivery is defined and communicated.
Applicable clauses in ISO/IEC 20000-1:
— Clause 4.1, Management responsibility
— Clause 7.1, Business relationship management
Guidance on the application to cloud services: Service providers and customers should seek opportunities to create value with cloud services while optimizing resources and risk. To realize the benefits of delivering cloud services, effective decision-making regarding the context and scope of the SMS and services should be incorporated into the cloud service provider’s strategy and plan. Risk management, cost models, service delivery planning and any impact on other activities of the service provider and customer should be taken into consideration.
The ability to ensure governance of any processes operated by other parties, such as suppliers, should be considered in regard to cloud services.
The cloud service provider should determine what categories of cloud services to provide based on the market demand, opportunities and its own capability.
Multi-tenancy, location and other attributes of cloud services can introduce new governance requirements, management and maintenance issues for service providers and customers that should be considered.
Agreements and contracts can become more complicated for cloud services where the customer and supplier are located in different countries and different jurisdictions.
Examples: Typical service management objectives of cloud service providers can include:
— optimize the cost of cloud services and technology;
— offer a more effective and economic method of providing higher quality services at a lower cost;
— generate business value from cloud service investments through innovation and value creation;
— achieve operational excellence through the reliable and efficient management of cloud services;
— maintain cloud service related risk at an acceptable level;
— comply with relevant laws, regulations and contractual agreements.
The cloud service provider should consider any statutory and regulatory requirements, as well as financial, safety, data protection, information security, privacy, intellectual property, business continuity and sustainability policies and objectives.
Scenario 1: Identify the context for service management of cloud services
5.2 Establish strategy and plan for management of cloud services
S02 Establish strategy and plan for management of cloud services
Description: The service management plan should define the way the cloud service provider intends to provide services. A service strategy can also define how the cloud service provider intends to provide services to achieve both the desired outcomes for the customer and the service provider’s own objectives, within known limitations and documented constraints.
The purpose of strategy and planning is to define and plan how the cloud service provider intends to deliver value for its own organization as well as for different customers and interested parties using the service provider’s capabilities and resources.
Outcomes:
— Service management plans are structured to cascade down from a top-level plan to detailed plans for operation and improvement of the SMS and delivery of the services.
— Service management and process specific policies (examples include: information security policy, change management policy, release policy).
— Defined and agreed service management objectives.
Applicable clauses in ISO/IEC 20000-1:
— Clause 4.1, Management responsibility
— Clause 4.3, Documentation management
— Clause 4.4, Resource management
— Clause 4.5.1, Define scope
— Clause 4.5.2, Plan the SMS
— Clause 5.2, Plan new or changed services
— Clause 6.4, Budgeting and accounting for services
— Clause 6.6, Information security management
— Clause 7.1, Business relationship management
Guidance on the application to cloud services: Cloud service provider’s top management should:
— define desired outcomes and service management objectives to deliver those desired outcomes and service management objectives;
— define what services and capabilities are needed to deliver those desired outcomes and service management objectives;
— determine how the service provider and customer(s) will know if desired outcomes have been achieved;
— agree measurement and reporting of delivery against plan and desired outcomes;
— assess and analyse the current state – what exists and what can be leveraged/reused;
— analyse customers, suppliers, competitors, regulatory requirements and contractual obligations, policies.
When the desired outcomes have been defined, the next step should be to determine the services and service components needed to deliver those outcomes. The services should be categorized in a way that captures the service requirements for people (e.g., skills and competencies), process, technology and organizational structure.
The service management plan can then further categorize and schedule the delivery of the agreed services, including improvements, into releases. These releases should have agreed timeframes and targets. Resources should be allocated to achieve the agreed release targets. The service management plan should make it possible to easily identify dependencies between different services or service components, to facilitate decisions about priority and resourcing and to accurately measure delivery of business value. Service components include all components, both technical and non-technical, necessary to deliver and manage the service. Examples of how dependencies between service components should be considered in regard to planning can include:
a) agreements and contracts with suppliers which should be in place before the service is commercially available;
b) training for service support personnel which should be completed before the service is commercially available;
c) allocation of specialist personnel across multiple projects;
d) dependencies on hardware components being in place before service components can be implemented.
Examples: The service provider’s top management should understand the business objectives, constraints, risks and priorities in developing the strategy for cloud services. Considerations should include the resources and capabilities of the service provider and other interested parties such as cloud service partners, as well as other service requirements. Top management should prioritise the cloud services to be introduced, changed or retired.
In addition to improving service quality, reducing cost and risk, top management should identify strategic opportunities to optimise services through innovation, increasing standardization, sharing, automation and self-service provisioning. There can be significant opportunities for growth from increases in competitive advantage, geographical reach, innovation, value creation and customer satisfaction.
When the desired business outcomes are understood, the service provider can prioritise the services, including the capabilities and resources used to plan, design, transition and deliver those services. The service provider can then invest accordingly.
Strategies and plans for introducing, changing or retiring cloud services should consider the following:
a) changes to the business environment;
b) the context of use of the cloud services including the typical roles of users who will access the cloud services, the types of user computing devices and geographical locations;
c) changes to the existing services, changes to any cloud services plus any service capabilities and resources required to deliver all the services across the catalogue of services;
d) standard mechanisms to provide access to the cloud services;
e) the impact on the service management system and its resources and capabilities such as organizational aspects, processes, documentation, education, training, competence of personnel;
f) automation, self-service provisioning and administration;
g) sharing geographically distributed computing resources that can change dynamically;
h) automatic provisioning of resources in any quantity at any time, subject to constraints of service agreements;
i) pooling resources in a location independent fashion, in order to serve multiple customers through multi-tenancy;
j) maintenance of shared services that potentially impact many organizations, their customers and large volumes of users;
k) requirements for transparency and access to customer information to enable customers to optimize and validate their cloud services.
Scenario 2: Establish strategy and plan for management of cloud services
5.3 Provide a catalogue of cloud services
S03 Provide a catalogue of cloud services
Description: A catalogue of cloud services should be made available to prospective and existing cloud customers. If applicable, this can also be part of a general catalogue of services. Information should be provided to communicate any relevant options for use of the services.
The catalogue can be either specific to cloud services or can include both cloud and other services.
Outcomes:
— Catalogue of cloud services that is understandable to the parties involved.
Applicable clauses in ISO/IEC 20000-1:
— Clause 4.3, Documentation Management
— Clause 6.1, Service level management
— Clause 7.1, Business relationship management
Guidance on the application to cloud services: A catalogue should be defined that contains cloud and potentially other services. For example, customers receiving both cloud and other services from a service provider can find it easier if the service provider has combined all services offered into a single catalogue. This catalogue should be aligned with the requirements specified in ISO/IEC 20000-1, 6.1.
The catalogue of services should be the foundation both for the definition of cloud services to be provided and for the contracts and SLAs between the service provider and the cloud customer.
The cloud service provider should have visibility of the dependencies between services and service components which can be technical and non-technical and that are necessary to deliver and manage the services. Cloud services and the service components can be grouped together into categories that possess some characteristics in common with each other. This can help to structure the catalogue of services and can minimise duplication of information.
Examples: A cloud service provider offering cloud services to the general public has defined a catalogue with all the available service offerings using terms aligned to the customer’s expectation of the services. It has been published on the internet so that the customer can select the desired services using a self-service mechanism.
Apart from the standard content for a catalogue of services described in ISO/IEC 20000-
2
...