ISO/IEC TR 20000-4:2010

TECHNICAL ISO/IEC
REPORT TR
20000-4
First edition
2010-12-01
Information technology — Service
management —
Part 4:
Process reference model
Technologies de l'information — Gestion des services —
Partie 4: Modèle de référence de processus

Reference number
©
ISO/IEC 2010
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

©  ISO/IEC 2010
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2010 – All rights reserved

Contents Page
Foreword .iv
Introduction.v
1 Scope.1
2 Normative references.1
3 Terms and definitions .1
4 Overview of the PRM.1
5 Process descriptions .2
5.1 General .2
5.2 Audit.3
5.3 Budgeting and accounting for IT services.4
5.4 Business relationship management.4
5.5 Capacity management .5
5.6 Change management .5
5.7 Configuration management.6
5.8 Human resource management.6
5.9 Improvement .7
5.10 Incident management and request fulfilment.8
5.11 Information item management .9
5.12 Information security management.10
5.13 Management review .10
5.14 Measurement .11
5.15 Organizational management .12
5.16 Problem management.13
5.17 Release and deployment management.13
5.18 Risk management.14
5.19 Service continuity and availability management .14
5.20 Service design .15
5.21 Service level management .15
5.22 Service planning and monitoring .16
5.23 Service reporting.17
5.24 Service requirements.17
5.25 Service transition .18
5.26 SMS establishment and maintenance.19
5.27 Supplier management.20
Annex A (informative) Statement of conformity to ISO/IEC 15504-2 .21
Bibliography.23

Figures
Figure 1 — Relationships between relevant documents.v
Figure 2 — Processes in the process reference model .2

© ISO/IEC 2010 – All rights reserved iii

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
In exceptional circumstances, the joint technical committee may propose the publication of a Technical Report
of one of the following types:
⎯ type 1, when the required support cannot be obtained for the publication of an International Standard,
despite repeated efforts;
⎯ type 2, when the subject is still under technical development or where for any other reason there is the
future but not immediate possibility of an agreement on an International Standard;
⎯ type 3, when the joint technical committee has collected data of a different kind from that which is
normally published as an International Standard (“state of the art”, for example).
Technical Reports of types 1 and 2 are subject to review within three years of publication, to decide whether
they can be transformed into International Standards. Technical Reports of type 3 do not necessarily have to
be reviewed until the data they provide are considered to be no longer valid or useful.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC TR 20000-4, which is a Technical Report of type 2, was prepared by Joint Technical Committee
ISO/IEC JTC 1, Information technology, Subcommittee SC 7, Software and systems engineering.
ISO/IEC TR 20000 consists of the following parts, under the general title Information technology — Service
management:
⎯ Part 1: Service management system requirements
⎯ Part 2: Code of practice
⎯ Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1 [Technical Report]
⎯ Part 4: Process reference model [Technical Report]
⎯ Part 5: Exemplar implementation plan for ISO/IEC 20000-1 [Technical Report]
Process assessment model for service management will form the subject of a future Part 8.
iv © ISO/IEC 2010 – All rights reserved

Introduction
The purpose of this part of ISO/IEC 20000 is to facilitate the development of a process assessment model
(PAM) that will be described in ISO/IEC TR 15504-8.
ISO/IEC 15504-2 describes the requirements for the conduct of an assessment and a measurement scale for
assessing process capability. ISO/IEC 15504-1 describes the concepts and terminology used for process
assessment.
This process reference model (PRM) is a logical representation of the elements of the processes within
service management. Using the PRM in a practical application might require additional elements suited to the
environment and circumstances.
The PRM specified in this part of ISO/IEC 20000 describes at an abstract level the processes including the
general service management system (SMS) processes implied by ISO/IEC 20000-1. Each process of this
PRM is described in terms of a purpose and outcomes. The PRM does not attempt to place the processes in
any specific environment nor does it pre-determine any level of process capability required to fulfil the
ISO/IEC 20000-1 requirements. The PRM is not intended to be used for a conformity assessment audit or
process implementation reference guide.
The relationships between ISO/IEC 20000-1, ISO/IEC TR 24774, ISO/IEC TR 20000-4, ISO/IEC 20000-8,
ISO/IEC TR 15504-8 and ISO/IEC 15504-2 are shown in Figure 1.
ISO/IEC 20000-1 – Service ISO/IEC TR 24774 – Guidelines for
management system requirements process definition
provides requirements
informs
ISO/IEC TR 20000-4 – Service
management – Process reference model
provides description of
processes assessed by
ISO/IEC 15504-2 – Performing ISO/IEC TR 20000-8/
provides requirements
an assessment ISO/IEC TR 15504-8 – An
for assessment
exemplar assessment model for
service management processes
Figure 1 — Relationships between relevant documents
Any organization can define processes with additional elements in order to suit it to its specific environment
and circumstances. The purposes and outcomes described in this part of ISO/IEC 20000 are, however,
considered to be the minimum necessary to meet ISO/IEC 20000-1 requirements. Some processes cover
general strategic aspects of an organization. These processes have been identified in order to give coverage
to all the requirements of ISO/IEC 20000-1.
The PRM does not provide the evidence required by ISO/IEC 20000-1. The PRM does not specify the
interfaces between the processes.
© ISO/IEC 2010 – All rights reserved v

This part of ISO/IEC 20000 contains a PRM for IT service management with description of processes in
Clause 5. Annex A provides the statement of conformity for this part of ISO/IEC 20000 in accordance with
ISO/IEC 15504-2, Information technology — Process assessment — Part 2: Performing an assessment.
vi © ISO/IEC 2010 – All rights reserved

TECHNICAL REPORT ISO/IEC TR 20000-4:2010(E)

Information technology — Service management —
Part 4:
Process reference model
1 Scope
This part of ISO/IEC 20000 defines a process reference model comprising a set of processes, described in
terms of process purpose and outcomes that demonstrate coverage of the requirements of ISO/IEC 20000-1.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 20000-1, Information technology — Service management — Part 1: Service management system
requirements
ISO/IEC 15504-1, Information technology — Process assessment — Part 1: Concepts and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 20000-1 and ISO/IEC 15504-1
apply.
4 Overview of the PRM
This clause describes the structure of the process reference model in the context of a management system to
direct and control a service provider with regard to delivery of services to meet the business needs and
customer requirements.
Figure 2 identifies the processes derived from ISO/IEC 20000-1 requirements, which are included in this PRM
for Information technology – Service management.
© ISO/IEC 2010 – All rights reserved 1

Customers Customers
Service management system (SMS)
(and (and
interested interested
Plan
parties) parties)
SMS general processes
Organizational management Improvement
SMS establishment and maintenance Human resource management
Management review  Risk management
Audit   Information item management
Measurement
Design and transition of new or changed services processes
Requirements
Service requirements   Service planning and monitoring
Service
Service design   Service transition
Service delivery processes
Do Act
Capacity management   Service level management  Information security

management
Service reporting
Service continuity and
availability management Budgeting & accounting

for services
Control processes
Configuration management
Change management
Release & deployment management
Resolution processes Relationship processes
Incident management and  Business relationship management
request fulfilment
Supplier management
Problem management
Check
Figure 2 — Processes in the process reference model
5 Process descriptions
5.1 General
Each process in the PRM has the following descriptive elements.
a) Name: the name of a process is a short noun phrase that summarizes the scope of the process,
identifying the principal concern of the process, and distinguishes it from other processes within the scope
of the process reference model.
b) Context: for each process a brief overview describes the intended context of the application of the
process.
c) Purpose: the purpose of the process is a high level, overall goal for performing the process.
d) Outcomes: an outcome is an observable result of the successful achievement of the process purpose.
Outcomes are measurable, tangible, technical or business results that are achieved by a process.
Outcomes are observable and assessable.
e) Requirements traceability: the outcomes are based on the requirements of ISO/IEC 20000-1. The
references identify the applicable subclauses of ISO/IEC 20000-1, the subclause heading, and the
outcomes that are supported.
In Clauses 5.2 to 5.27 all entries in the requirements traceability row end with numbers in square brackets,
(i.e. [n]). Each number in the square brackets is a reference to a numbered outcome. These outcomes are
2 © ISO/IEC 2010 – All rights reserved

directly linked to the requirements of ISO/IEC 20000-1. The referencing is illustrated by example 1, given
below.
Some outcomes are shown in square brackets. These are only indirectly linked to requirements of
ISO/IEC 20000-1. The outcomes in square brackets are not referenced by any of the entries in the
requirements traceability row. These additional outcomes have been included because they are necessary in
order for this PRM to act as the basis of the PAM ISO/IEC 15504-8. With these additional outcomes, the
process is complete and the process purpose can be achieved. This is illustrated by example 2, below. Cross-
references are made to both the first edition (1ED) and second edition (2ED) of ISO/IEC 20000-1 for the same
reason.
EXAMPLE 1
The second requirements traceability entry in Clause 5.2 is:
20000 1ED IS 04.4.1 Continual improvement (Act): Policy [5]).
The [5] is a reference to outcome 5 in the previous row of Clause 5.2.
Outcome 5. is: nonconformities are communicated to those responsible for corrective action and resolution.
EXAMPLE 2
The first outcome requirements traceability entry in Clause 5.5 is:
1. [current and future capacity and performance requirements are identified and agreed;]
The entries in the requirements traceability row for Clause 5.5 includes references to only outcomes 2-5.
5.2 Audit
Name Audit
Context Audits assess whether the SMS is effectively established and maintained, and whether the SMS and the
services conform to the requirements established by the service provider. Planning for an audit takes into
account the importance of the services, processes and areas to be audited, and the results of previous
audits.
Purpose The purpose of the audit process is to independently determine conformity of selected services, products
and processes to the requirements, plans and agreements, as appropriate.
Outcomes As a result of successful implementation of this process:
1. the scope and purpose of each audit is defined [and agreed];
2. the objectivity and impartiality of the conduct of audits and selection of auditors are assured;
3. conformity of selected services, products and processes with requirements, plans and agreements is
determined;
4. nonconformities are recorded;
5. nonconformities are communicated to those responsible for corrective action and resolution;
6. corrective actions for nonconformities are verified.
Requirements 20000-1 1ED IS 04.3 Monitoring, measuring and reviewing (Check) [1,2,4,5]
traceability
20000-1 1ED IS 04.4.1 Continual improvement (Act): Policy [5]
20000-1 2ED DRAFT 4.5.5.1 General [4]
20000-1 2ED DRAFT 4.5.5.2 Internal audit [1,2,5,6]
20000-1 2ED DRAFT 6.6.1 Information security policy [3]
20000-1 2ED DRAFT 9.1 Configuration management [4]
© ISO/IEC 2010 – All rights reserved 3

5.3 Budgeting and accounting for IT services
Name Budgeting and accounting for IT services
Context Budgeting covers predicting and controlling the spending of money and the monitoring and adjusting of
budgets. Accounting identifies the costs of delivering IT services, comparing these with budgeted costs,
and managing variance from the budget. All accounting practices need to be aligned to the wider
accountancy practices of the whole of the service provider’s organization.
Purpose The purpose of the budgeting and accounting for IT services process is to budget and account for service
provision.
Outcomes As a result of successful implementation of this process:
1. costs of service provision are estimated;
2. budgets are produced using cost estimates;
3. deviations from the budget and costs are controlled;
4. deviations from the budget are resolved;
5. deviations from the budget and costs are communicated to interested parties.
Requirements 20000-1 1ED IS 06.4 Budgeting and accounting for IT services [1,2,3,4,5]
traceability
20000-1 2ED DRAFT 6.4 Budgeting and accounting for services [1,2,3,4,5]
5.4 Business relationship management
Name Business relationship management
Context This process enables a service provider to build a good relationship with its customers by understanding
the business environment in which the services operate. This understanding enables the service provider
to identify the needs of the customers, respond to these needs and manage the expectations of
customers and interested parties.
Purpose The purpose of the business relationship management process is to identify and manage customer needs
and expectations.
Outcomes As a result of successful implementation of this process:
1. customers and interested parties are identified;
2. the needs and expectations of customers are identified and monitored;
3. communication with the customer is planned and implemented;
4. service performance is monitored;
5. changes to the scope of the services, service level agreements (SLAs) and contracts are identified;
6. service complaints are recorded and managed through their life cycle to closure;
7. service complaints which are not resolved through normal channels are escalated;
8. customer satisfaction is measured and analysed;
9. [customer satisfaction analysis results are communicated to interested parties.]
Requirements 20000-1 1ED IS 06.1 Service level management [4]
traceability
20000-1 1ED IS 06.3 Service continuity and availability management [4]
20000-1 1ED IS 07.2 Business relationship management [1,2,3,4,5,6,7,8]
20000-1 1ED IS 08.3 Problem management [4]
20000-1 2ED DRAFT 6.1 Service level management [4]
20000-1 2ED DRAFT 6.3 Service continuity and availability management [4]
20000-1 2ED DRAFT 7.1 Business relationship management [1,2,3,4,5,6,7,8]
20000-1 2ED DRAFT 8.1 Incident management and request fulfilment [4]
20000-1 2ED DRAFT 8.2 Problem management [4]
20000-1 2ED DRAFT 9.2 Change management [4]
4 © ISO/IEC 2010 – All rights reserved

5.5 Capacity management
Name Capacity management
Context This process ensures that there are sufficient resources and capacity to meet current and future agreed
requirements in a cost effective and timely manner. The process enables a service provider to provide
sufficient resources across an entire service in order to deliver the agreed service performance and meet
the service level targets.
Purpose The purpose of the capacity management process is to ensure that the service provider has service
capacity to meet current and future agreed requirements.
Outcomes As a result of successful implementation of this process:
1. [current and future capacity and performance requirements are identified and agreed;]
2. a capacity plan is developed based on the capacity and performance requirements;
3. capacity is provided to meet current capacity and performance requirements;
4. capacity usage is monitored, analysed and performance is tuned;
5. capacity is prepared to meet future capacity and performance needs;
6. changes to capacity and performance are reflected in the capacity plan.
Requirements 20000-1 1ED IS 06.5 Capacity management [2]
traceability
20000-1 2ED DRAFT 6.5 Capacity management [2,3,4,5,6]
5.6 Change management
Name Change management
Context Changes to services, their applications and infrastructure, are planned and controlled to ensure timeliness
without unnecessary disruption. Unintended effects of changes are remedied.
Purpose The purpose of the change management process is to ensure all changes are assessed, approved,
implemented and reviewed in a controlled manner.
Outcomes
As a result of successful implementation of this process:
1. change requests are recorded and classified;
2. change requests are assessed using defined criteria;
3. change requests are approved before changes are developed and deployed;
4. a schedule of changes and releases is established and communicated to interested parties;
5. approved changes are developed and tested;
6. unsuccessful changes are reversed or remedied.
20000-1 1ED IS 05 Planning and implementing new or changed services [3]
Requirements
traceability
20000-1 1ED IS 06.1 Service level management [1]
20000-1 1ED IS 06.3 Service continuity and availability management [2]
20000-1 1ED IS 06.4 Budgeting and accounting for IT services [1]
20000-1 1ED IS 06.6 Information security management [2]
20000-1 1ED IS 07.2 Business relationship management [1,5]
20000-1 1ED IS 07.3 Supplier management [1]
20000-1 1ED IS 08.3 Problem management [1]
20000-1 1ED IS 09.2 Change management [1,2,3,4,5]
20000-1 1ED IS 10.1 Release management [2,4]
20000-1 2ED DRAFT 5.2 Plan the design, development and transition of new or changed services [2]
20000-1 2ED DRAFT 6.1 Service level management [1]
20000-1 2ED DRAFT 6.3 Service continuity and availability management [2]
20000-1 2ED DRAFT 6.6.3 Information security changes and incidents [2]
20000-1 2ED DRAFT 7.1 Business relationship management [1]
20000-1 2ED DRAFT 7.2 Supplier management [1]
20000-1 2ED DRAFT 8.2 Problem management [1]
20000-1 2ED DRAFT 9.2 Change management [1,2,3,4,5,6]
20000-1 2ED DRAFT 9.3 Release and deployment management [4]
© ISO/IEC 2010 – All rights reserved 5

5.7 Configuration management
Name Configuration management
Context This process is concerned with establishing and maintaining the integrity of service components to enable
effective control of the services.
Purpose The purpose of the configuration management process is to establish and maintain the integrity of all
identified service components.
Outcomes
As a result of successful implementation of this process:
1. items requiring configuration management are identified;
2. the status of configuration items and modifications are recorded and reported;
3. changes to items under configuration management are controlled;
4. the integrity of systems, services and service components is assured;
5. the configuration of released items is controlled.
Requirements 20000-1 1ED IS 06.1 Service level management [1]
traceability
20000-1 1ED IS 07.3 Supplier management [1]
20000-1 1ED IS 09.1 Configuration management [1,2,3,4,5]
20000-1 2ED DRAFT 6.1 Service level management [1]
20000-1 2ED DRAFT 7.2 Supplier management [1]
20000-1 2ED DRAFT 9.1 Configuration management [1,2,3,4,5]
20000-1 2ED DRAFT 9.2 Change management [3]

5.8 Human resource management
Name
Human resource management
Context The scope of the human resource management process is limited to identifying and developing the
competencies of individuals in relation to their service management activities and the process needs of
the organization. This process specifically excludes other related and commonly accepted aspects of
human resource management such as health and safety, security, and laws or regulations on the fairness
of recruitment and employment practices.
Purpose The purpose of the human resource management process is to provide the organization with necessary
human resources and to maintain their competencies, consistent with business needs and service
requirements.
Outcomes As a result of successful implementation of this process:
1. the competencies required by the organization for service provision are identified;
2. identified competency gaps are filled through training or recruitment;
3. individual competencies and their development are monitored;
4. each individual demonstrates their understanding of their role in achieving service management
objectives.
Requirements 20000-1 1ED IS 03.3 Competence, awareness and training [2,3,4]
traceability
20000-1 2ED DRAFT 4.4.2.1 General [1]
20000-1 2ED DRAFT 4.4.2.2 Competence, awareness and training [1,2,3,4]
6 © ISO/IEC 2010 – All rights reserved

5.9 Improvement
Name Improvement
Context This process enables a service provider to identify opportunities for improvement to the SMS and the
services identified during the operation of service management processes and the delivery of services
including corrective and preventive actions. It includes the identification, evaluation, approval,
management, measurement and review of improvements.
Purpose The purpose of the improvement process is to continually improve the SMS, services and processes.
Outcomes As a result of successful implementation of this process:
1. opportunities for improvement are identified and recorded;
2. opportunities for improvement are evaluated against agreed criteria for approval;
3. approved improvements are prioritised and actions planned;
4. approved improvements are implemented and confirmed;
5. the results of improvement actions are reported and communicated to interested parties.
Requirements 20000-1 1ED IS 04.4.2 Continual improvement (Act): Management of improvements [2,3,4]
traceability
20000-1 1ED IS 06.1 Service level management [1]
20000-1 1ED IS 06.6 Information security management [1]
20000-1 1ED IS 07.2 Business relationship management [1]
20000-1 1ED IS 07.3 Supplier management [1]
20000-1 1ED IS 08.3 Problem management [1]
20000-1 1ED IS 09.2 Change management [1]
20000-1 1ED IS 10.1 Release management [1]
20000-1 2ED DRAFT 4.5.6.1 General [1]
20000-1 2ED DRAFT 4.5.6.2 Management of improvements [2,3,4,5]
20000-1 2ED DRAFT 6.1 Service level management [1]
20000-1 2ED DRAFT 6.6.3 Information security changes and incidents [1]
20000-1 2ED DRAFT 7.1 Business relationship management [1]
20000-1 2ED DRAFT 7.2 Supplier management [1]
20000-1 2ED DRAFT 8.1 Incident management and request fulfilment [1]
20000-1 2ED DRAFT 9.2 Change management [1]
© ISO/IEC 2010 – All rights reserved 7

5.10 Incident management and request fulfilment
Name Incident management and request fulfilment
Context The objective of incident management is to restore the service within agreed service levels. The focus is
on reducing the duration and consequences of the service outage from a business and customer
perspective and not on finding the root cause of the incident. Request fulfilment aims to fulfil service
requests within agreed service levels.
Purpose The purpose of the incident management and request fulfilment process is to restore agreed service and
fulfil service requests within agreed service levels.
Outcomes As a result of successful implementation of this process:
1. incidents and service requests are recorded and classified;
2. incidents and service requests are prioritised and analysed;
3. incidents and service requests are resolved and closed;
4. incidents and service requests which are not progressed according to agreed service levels are
escalated;
5. information regarding the status and progress of reported incidents or service requests is
communicated to interested parties.
Requirements 20000-1 1ED IS 06.6 Information security management [1,2,3]
traceability
20000-1 1ED IS 08.2 Incident management [1,2,3,5]
20000-1 2ED DRAFT 6.6.3 Information security changes and incidents [1,2,3]
20000-1 2ED DRAFT 8.1 Incident management and request fulfilment [1,3,4,5]

8 © ISO/IEC 2010 – All rights reserved

5.11 Information item management
Name Information item management
Context This process is concerned with the production, storage, dissemination, and integrity of information used in
the SMS. The information security management process is concerned with the security of information
used, stored or transmitted by or within a provided service.
Purpose The purpose of the information item management process is to develop and maintain the recorded
information produced by a process.
Outcomes As a result of successful implementation of this process:
1. information items are produced in accordance with defined criteria;
2. Information items are controlled and issued according to defined criteria;
3. information items are communicated to interested parties;
4. information items are maintained in accordance with planned arrangements;
5. the integrity of information items is assured.
20000-1 1ED IS 03.3 Competence, awareness and training [4]
Requirements
traceability
20000-1 1ED IS 04.1 Plan service management (Plan) [1]
20000-1 1ED IS 04.3 Monitoring, measuring and reviewing (Check) [1]
20000-1 1ED IS 06.1 Service level management [1,2,4]
20000-1 1ED IS 06.3 Service continuity and availability management [1,4]
20000-1 1ED IS 06.5 Capacity management [1,4]
20000-1 1ED IS 06.6 Information security management [1,2,3]
20000-1 1ED IS 07.2 Business relationship management [1,2]
20000-1 1ED IS 07.3 Supplier management [1,2]
20000-1 1ED IS 08.2 Incident management [1]
20000-1 1ED IS 08.3 Problem management [1]
20000-1 1ED IS 09.1 Configuration management [1]
20000-1 1ED IS 09.2 Change management [1]
20000-1 1ED IS 10.1 Release management [1,2]
20000-1 2ED DRAFT 4.1.3 Responsibility, authority and communication [1]
20000-1 2ED DRAFT 4.3.1 General [4]
20000-1 2ED DRAFT 4.3.2 Control of documents [1,5]
20000-1 2ED DRAFT 4.3.3 Control of records [1,4,5]
20000-1 2ED DRAFT 4.4.2.1 General [1,4]
20000-1 2ED DRAFT 4.5.2 Establish scope [1]
20000-1 2ED DRAFT 4.5.3 Plan service management [1,4]
20000-1 2ED DRAFT 4.5.5.1 General [1]
20000-1 2ED DRAFT 4.5.5.2 Internal audit [1]
20000-1 2ED DRAFT 4.5.5.3 Management review [4]
20000-1 2ED DRAFT 4.5.6.1 General [1]
20000-1 2ED DRAFT 5.1 General [1]
20000-1 2ED DRAFT 5.2 Plan the design, development and transition of new or changed services [1]
20000-1 2ED DRAFT 5.3 Design and development of new or changed services [1]
20000-1 2ED DRAFT 6.1 Service level management [1,2,4]
20000-1 2ED DRAFT 6.2 Service reporting [2]
20000-1 2ED DRAFT 6.3 Service continuity and availability management [1,2,4]
20000-1 2ED DRAFT 6.4 Budgeting and accounting for services [1]
20000-1 2ED DRAFT 6.5 Capacity management [1,4]
20000-1 2ED DRAFT 6.6.1 Information security policy [2,3]
20000-1 2ED DRAFT 6.6.2 Information security controls [1,2]
20000-1 2ED DRAFT 7.1 Business relationship management [1,2]
20000-1 2ED DRAFT 7.2 Supplier management [1,2]
20000-1 2ED DRAFT 8.1 Incident management and request fulfilment [1,2]
20000-1 2ED DRAFT 8.2 Problem management [1]
20000-1 2ED DRAFT 9.1 Configuration management [1]
20000-1 2ED DRAFT 9.2 Change management [1]
20000-1 2ED DRAFT 9.3 Release and deployment management [1,2]
© ISO/IEC 2010 – All rights reserved 9

5.12 Information security management
Name Information security management
Context This process ensures that the security controls required to perform service management activities
adequately protect information assets.
Purpose The purpose of the information security management process is to manage information security at an
agreed level of security within all service management activities.
Outcomes
As a result of successful implementation of this process:
1. [information security requirements are identified and agreed;]
2. [criteria for the assessment of information security risks and the acceptable level of risk are
identified;]
3. [information security risks are identified;]
4. information security risk is assessed;
5. information security risk measures and controls are defined;
6. information security risk measures and controls are implemented;
7. security incidents are quantified and recorded;
8. information security concerns are communicated to interested parties;
9. [the impact of changes on information security is analysed and reported.]
Requirements 20000-1 1ED IS 06.6 Information security management [5,6,7]
traceability
20000-1 1ED IS 08.2 Incident management [6]
20000-1 1ED IS 09.1 Configuration management [6]
20000-1 2ED DRAFT 6.6.1 Information security policy [4]
20000-1 2ED DRAFT 6.6.2 Information security controls [5,6]
20000-1 2ED DRAFT 6.6.3 Information security changes and incidents [7]
20000-1 2ED DRAFT 8.1 Incident management and request fulfilment [6]
20000-1 2ED DRAFT 9.1 Configuration management [6]
5.13 Management review
Name Management review
Context This process checks the SMS, at planned intervals, to ensure its continuing suitability, adequacy and
effectiveness. It takes into account the results of audits, the performance of services, service reports,
incidents, known errors, risks, suggestions and feedback from interested parties.
Purpose
The purpose of the management review process is to assess the performance of the SMS and to identify
potential improvements.
Outcomes As a result of successful implementation of this process:
1. the objectives of the review are established;
2. the status and performance of an activity or process are assessed;
3. risks, problems and opportunities for improvement are identified and recorded;
4. review results are communicated to interested parties;
5. action items resulting from reviews are tracked to closure.
Requirements 20000-1 1ED IS 04.3 Monitoring, measuring and reviewing (Check) [2]
traceability
20000-1 1ED IS 05 Planning and implementing new or changed services [2]
20000-1 2ED DRAFT 4.5.5.1 General [1,2,5]
20000-1 2ED DRAFT 4.5.5.3 Management review [1,2,5]
10 © ISO/IEC 2010 – All rights reserved

5.14 Measurement
Name Measurement
Context This process provides quantitative information for the SMS, processes and services. It enables a service
provider to identify, develop and use a set of measures that demonstrate effective service delivery and
support the identification of improvement opportunities.
Purpose The purpose of the measurement process is to identify, collect, analyse, and report data relating to the
services provided and processes implemented to support effective management of the processes, and to
objectively demonstrate the quality of the services provided.
Outcomes As a result of successful implementation of this process:
1. the prioritised information needs related to provided services and implemented processes are
identified;
2. an appropriate set of measures, driven by the information needs are identified and/or developed;
3. the required data are collected, and verified;
4. the required data are analysed and the results interpreted;
5. [measurement information is used to support decisions and provide an objective basis for
communication.]
Requirements 20000-1 1ED IS 06.1 Service level management [4]
traceability
20000-1 1ED IS 06.3 Service continuity and availability management [1]
20000-1 1ED IS 08.3 Problem management [4]
20000-1 1ED IS 09.2 Change management [4]
20000-1 1ED IS 10.1 Release management [3,4]
20000-1 2ED DRAFT 4.5.6.2 Management of improvements [4]
20000-1 2ED DRAFT 6.3 Service continuity and availability management [1]
20000-1 2ED DRAFT 6.6.3 Information security changes and incidents [4]
20000-1 2ED DRAFT 7.1 Business relationship management [4]
20000-1 2ED DRAFT 8.2 Problem management [4]
20000-1 2ED DRAFT 9.2 Change management [4]
20000-1 2ED DRAFT 9.3 Release and deployment management [3,4]
© ISO/IEC 2010 – All rights reserved 11

5.15 Organizational management
Name Organizational management
Context This process is the umbrella process in the SMS. All the other processes required by the SMS can be
derived from the intent of one or more outcomes associated with this process. From a requirements
perspective, the subclauses of ISO/IEC 20000-1 that reference the responsibilities of top management to
establish the SMS are addressed by the outcomes of this process. The detailed objectives of the SMS are
addressed by one or more of the processes supported by this process reference model.
Purpose The purpose of the organizational management process is to establish the service management
objectives, identify and provide resources, and monitor performance of IT service provision, in order to
satisfy the requirements of customers and interested parties.
As a result of successful implementation of this process:
Outcomes
1. service requirements are established in response to business needs, customer requirements and
customer requests;
2. the objectives and requirements for service management are identified and established to satisfy
business needs, the service provider's financial processes, regulatory, contractual and statutory
requirements;
3. the structure of the organization enables delivery of the services;
4. service management is planned and implemented with the intent of achieving the service
management objectives and satisfying customers;
5. roles, competencies, authorities and responsibilities are identified to enable delivery of the services;
6. individuals with the necessary competencies are appointed to the roles needed to perform service
management activities;
7. resources and infrastructure are determined and provided;
8. services that meet the agreed requirements are developed;
9. services are delivered in accordance with the agreed requirements;
10. services supplied by other parties are managed to meet the service requirements;
11. performance and progress against the planned arrangements is monitored;
12. issues arising from reviews of the SMS and suppliers are tracked to closure;
13. organizational risks are continually identified, analysed, treated and monitored;
14. action is taken to improve the effectiveness and efficiency of the SMS to meet the service
management objectives and requirements.
20000-1 1ED IS 03.1 Management responsibility [1,2,6,7,11,13,14]
Requirements
traceability
20000-1 1ED IS 03.2 Documentation requirements [4]
20000-1 1ED IS 04.1 Plan service management (Plan) [2,4]
20000-1 1ED IS 04.2 Implement service management and provide the services (Do) [4]
20000-1 1ED IS 04.3 Monitoring, measuring and reviewing (Check) [11]
20000-1 1ED IS 04.4.1 Continual improvement (Act): Policy [5]
20000-1 1ED IS 04.4.3 Continual improvement (Act): Activities [14]
20000-1 1ED IS 07.3 Supplier management [4,10]
20000-1 1ED IS 09.1 Configuration management [2]
20000-1 2ED DRAFT 4.1.1 Management commitment [2,4,7,11,14]
20000-1 2ED DRAFT 4.1.2 Service management policy [2]
20000-1 2ED DRAFT 4.1.3 Responsibility, authority and communication [1,2,11,13]
20000-1 2ED DRAFT 4.1.4 Management representative [6]
20000-1 2ED DRAFT 4.2 Governance of processes operated by other parties [2,10]
20000-1 2ED DRAFT 4.3.1 General [4]
20000-1 2ED DRAFT 4.4.1 Provision of resources [7]
20000-1 2
...