ISO/IEC TR 20000-4:2010

TECHNICAL ISO/IEC
REPORT TR
20000-4
First edition
2010-12-01


Information technology — Service
management —
Part 4:
Process reference model
Technologies de l'information — Gestion des services —
Partie 4: Modèle de référence de processus




Reference number
ISO/IEC TR 20000-4:2010(E)
©
ISO/IEC 2010

---------------------- Page: 1 ----------------------
ISO/IEC TR 20000-4:2010(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2010
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2010 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC TR 20000-4:2010(E)
Contents Page
Foreword .iv
Introduction.v
1 Scope.1
2 Normative references.1
3 Terms and definitions .1
4 Overview of the PRM.1
5 Process descriptions .2
5.1 General .2
5.2 Audit.3
5.3 Budgeting and accounting for IT services.4
5.4 Business relationship management.4
5.5 Capacity management .5
5.6 Change management .5
5.7 Configuration management.6
5.8 Human resource management.6
5.9 Improvement .7
5.10 Incident management and request fulfilment.8
5.11 Information item management .9
5.12 Information security management.10
5.13 Management review .10
5.14 Measurement .11
5.15 Organizational management .12
5.16 Problem management.13
5.17 Release and deployment management.13
5.18 Risk management.14
5.19 Service continuity and availability management .14
5.20 Service design .15
5.21 Service level management .15
5.22 Service planning and monitoring .16
5.23 Service reporting.17
5.24 Service requirements.17
5.25 Service transition .18
5.26 SMS establishment and maintenance.19
5.27 Supplier management.20
Annex A (informative) Statement of conformity to ISO/IEC 15504-2 .21
Bibliography.23

Figures
Figure 1 — Relationships between relevant documents.v
Figure 2 — Processes in the process reference model .2

© ISO/IEC 2010 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC TR 20000-4:2010(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
In exceptional circumstances, the joint technical committee may propose the publication of a Technical Report
of one of the following types:
⎯ type 1, when the required support cannot be obtained for the publication of an International Standard,
despite repeated efforts;
⎯ type 2, when the subject is still under technical development or where for any other reason there is the
future but not immediate possibility of an agreement on an International Standard;
⎯ type 3, when the joint technical committee has collected data of a different kind from that which is
normally published as an International Standard (“state of the art”, for example).
Technical Reports of types 1 and 2 are subject to review within three years of publication, to decide whether
they can be transformed into International Standards. Technical Reports of type 3 do not necessarily have to
be reviewed until the data they provide are considered to be no longer valid or useful.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC TR 20000-4, which is a Technical Report of type 2, was prepared by Joint Technical Committee
ISO/IEC JTC 1, Information technology, Subcommittee SC 7, Software and systems engineering.
ISO/IEC TR 20000 consists of the following parts, under the general title Information technology — Service
management:
⎯ Part 1: Service management system requirements
⎯ Part 2: Code of practice
⎯ Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1 [Technical Report]
⎯ Part 4: Process reference model [Technical Report]
⎯ Part 5: Exemplar implementation plan for ISO/IEC 20000-1 [Technical Report]
Process assessment model for service management will form the subject of a future Part 8.
iv © ISO/IEC 2010 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC TR 20000-4:2010(E)
Introduction
The purpose of this part of ISO/IEC 20000 is to facilitate the development of a process assessment model
(PAM) that will be described in ISO/IEC TR 15504-8.
ISO/IEC 15504-2 describes the requirements for the conduct of an assessment and a measurement scale for
assessing process capability. ISO/IEC 15504-1 describes the concepts and terminology used for process
assessment.
This process reference model (PRM) is a logical representation of the elements of the processes within
service management. Using the PRM in a practical application might require additional elements suited to the
environment and circumstances.
The PRM specified in this part of ISO/IEC 20000 describes at an abstract level the processes including the
general service management system (SMS) processes implied by ISO/IEC 20000-1. Each process of this
PRM is described in terms of a purpose and outcomes. The PRM does not attempt to place the processes in
any specific environment nor does it pre-determine any level of process capability required to fulfil the
ISO/IEC 20000-1 requirements. The PRM is not intended to be used for a conformity assessment audit or
process implementation reference guide.
The relationships between ISO/IEC 20000-1, ISO/IEC TR 24774, ISO/IEC TR 20000-4, ISO/IEC 20000-8,
ISO/IEC TR 15504-8 and ISO/IEC 15504-2 are shown in Figure 1.
ISO/IEC 20000-1 – Service ISO/IEC TR 24774 – Guidelines for
management system requirements process definition
provides requirements
informs
ISO/IEC TR 20000-4 – Service
management – Process reference model
provides description of
processes assessed by
ISO/IEC 15504-2 – Performing ISO/IEC TR 20000-8/
provides requirements
an assessment ISO/IEC TR 15504-8 – An
for assessment
exemplar assessment model for
service management processes

Figure 1 — Relationships between relevant documents
Any organization can define processes with additional elements in order to suit it to its specific environment
and circumstances. The purposes and outcomes described in this part of ISO/IEC 20000 are, however,
considered to be the minimum necessary to meet ISO/IEC 20000-1 requirements. Some processes cover
general strategic aspects of an organization. These processes have been identified in order to give coverage
to all the requirements of ISO/IEC 20000-1.
The PRM does not provide the evidence required by ISO/IEC 20000-1. The PRM does not specify the
interfaces between the processes.
© ISO/IEC 2010 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/IEC TR 20000-4:2010(E)
This part of ISO/IEC 20000 contains a PRM for IT service management with description of processes in
Clause 5. Annex A provides the statement of conformity for this part of ISO/IEC 20000 in accordance with
ISO/IEC 15504-2, Information technology — Process assessment — Part 2: Performing an assessment.
vi © ISO/IEC 2010 – All rights reserved

---------------------- Page: 6 ----------------------
TECHNICAL REPORT ISO/IEC TR 20000-4:2010(E)

Information technology — Service management —
Part 4:
Process reference model
1 Scope
This part of ISO/IEC 20000 defines a process reference model comprising a set of processes, described in
terms of process purpose and outcomes that demonstrate coverage of the requirements of ISO/IEC 20000-1.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 20000-1, Information technology — Service management — Part 1: Service management system
requirements
ISO/IEC 15504-1, Information technology — Process assessment — Part 1: Concepts and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 20000-1 and ISO/IEC 15504-1
apply.
4 Overview of the PRM
This clause describes the structure of the process reference model in the context of a management system to
direct and control a service provider with regard to delivery of services to meet the business needs and
customer requirements.
Figure 2 identifies the processes derived from ISO/IEC 20000-1 requirements, which are included in this PRM
for Information technology – Service management.
© ISO/IEC 2010 – All rights reserved 1

---------------------- Page: 7 ----------------------
ISO/IEC TR 20000-4:2010(E)
Customers Customers
Service management system (SMS)
(and (and
interested interested
Plan
parties) parties)
SMS general processes
Organizational management Improvement
SMS establishment and maintenance Human resource management
Management review  Risk management
Audit   Information item management
Measurement


Design and transition of new or changed services processes
Requirements
   Service requirements   Service planning and monitoring
Service
   Service design   Service transition
Service delivery processes
Do Act
Capacity management   Service level management  Information security

management
Service reporting
Service continuity and

availability management Budgeting & accounting

         for services
Control processes
Configuration management
Change management

Release & deployment management
Resolution processes Relationship processes
Incident management and  Business relationship management
request fulfilment
Supplier management
Problem management
Check

Figure 2 — Processes in the process reference model
5 Process descriptions
5.1 General
Each process in the PRM has the following descriptive elements.
a) Name: the name of a process is a short noun phrase that summarizes the scope of the process,
identifying the principal concern of the process, and distinguishes it from other processes within the scope
of the process reference model.
b) Context: for each process a brief overview describes the intended context of the application of the
process.
c) Purpose: the purpose of the process is a high level, overall goal for performing the process.
d) Outcomes: an outcome is an observable result of the successful achievement of the process purpose.
Outcomes are measurable, tangible, technical or business results that are achieved by a process.
Outcomes are observable and assessable.
e) Requirements traceability: the outcomes are based on the requirements of ISO/IEC 20000-1. The
references identify the applicable subclauses of ISO/IEC 20000-1, the subclause heading, and the
outcomes that are supported.
In Clauses 5.2 to 5.27 all entries in the requirements traceability row end with numbers in square brackets,
(i.e. [n]). Each number in the square brackets is a reference to a numbered outcome. These outcomes are
2 © ISO/IEC 2010 – All rights reserved

---------------------- Page: 8 ----------------------
ISO/IEC TR 20000-4:2010(E)
directly linked to the requirements of ISO/IEC 20000-1. The referencing is illustrated by example 1, given
below.
Some outcomes are shown in square brackets. These are only indirectly linked to requirements of
ISO/IEC 20000-1. The outcomes in square brackets are not referenced by any of the entries in the
requirements traceability row. These additional outcomes have been included because they are necessary in
order for this PRM to act as the basis of the PAM ISO/IEC 15504-8. With these additional outcomes, the
process is complete and the process purpose can be achieved. This is illustrated by example 2, below. Cross-
references are made to both the first edition (1ED) and second edition (2ED) of ISO/IEC 20000-1 for the same
reason.
EXAMPLE 1
The second requirements traceability entry in Clause 5.2 is:
20000 1ED IS 04.4.1 Continual improvement (Act): Policy [5]).
The [5] is a reference to outcome 5 in the previous row of Clause 5.2.
Outcome 5. is: nonconformities are communicated to those responsible for corrective action and resolution.
EXAMPLE 2
The first outcome requirements traceability entry in Clause 5.5 is:
1. [current and future capacity and performance requirements are identified and agreed;]
The entries in the requirements traceability row for Clause 5.5 includes references to only outcomes 2-5.
5.2 Audit
Name Audit
Context Audits assess whether the SMS is effectively established and maintained, and whether the SMS and the
services conform to the requirements established by the service provider. Planning for an audit takes into
account the importance of the services, processes and areas to be audited, and the results of previous
audits.
Purpose The purpose of the audit process is to independently determine conformity of selected services, products
and processes to the requirements, plans and agreements, as appropriate.
Outcomes As a result of successful implementation of this process:
1. the scope and purpose of each audit is defined [and agreed];
2. the objectivity and impartiality of the conduct of audits and selection of auditors are assured;
3. conformity of selected services, products and processes with requirements, plans and agreements is
determined;
4. nonconformities are recorded;
5. nonconformities are communicated to those responsible for corrective action and resolution;
6. corrective actions for nonconformities are verified.
Requirements 20000-1 1ED IS 04.3 Monitoring, measuring and reviewing (Check) [1,2,4,5]
traceability
20000-1 1ED IS 04.4.1 Continual improvement (Act): Policy [5]
20000-1 2ED DRAFT 4.5.5.1 General [4]
20000-1 2ED DRAFT 4.5.5.2 Internal audit [1,2,5,6]
20000-1 2ED DRAFT 6.6.1 Information security policy [3]
20000-1 2ED DRAFT 9.1 Configuration management [4]
© ISO/IEC 2010 – All rights reserved 3

---------------------- Page: 9 ----------------------
ISO/IEC TR 20000-4:2010(E)
5.3 Budgeting and accounting for IT services
Name Budgeting and accounting for IT services
Context Budgeting covers predicting and controlling the spending of money and the monitoring and adjusting of
budgets. Accounting identifies the costs of delivering IT services, comparing these with budgeted costs,
and managing variance from the budget. All accounting practices need to be aligned to the wider
accountancy practices of the whole of the service provider’s organization.
Purpose The purpose of the budgeting and accounting for IT services process is to budget and account for service
provision.
Outcomes As a result of successful implementation of this process:
1. costs of service provision are estimated;
2. budgets are produced using cost estimates;
3. deviations from the budget and costs are controlled;
4. deviations from the budget are resolved;
5. deviations from the budget and costs are communicated to interested parties.
Requirements 20000-1 1ED IS 06.4 Budgeting and accounting for IT services [1,2,3,4,5]
traceability
20000-1 2ED DRAFT 6.4 Budgeting and accounting for services [1,2,3,4,5]
5.4 Business relationship management
Name Business relationship management
Context This process enables a service provider to build a good relationship with its customers by understanding
the business environment in which the services operate. This understanding enables the service provider
to identify the needs of the customers, respond to these needs and manage the expectations of
customers and interested parties.
Purpose The purpose of the business relationship management process is to identify and manage customer needs
and expectations.
Outcomes As a result of successful implementation of this process:
1. customers and interested parties are identified;
2. the needs and expectations of customers are identified and monitored;
3. communication with the customer is planned and implemented;
4. service performance is monitored;
5. changes to the scope of the services, service level agreements (SLAs) and contracts are identified;
6. service complaints are recorded and managed through their life cycle to closure;
7. service complaints which are not resolved through normal channels are escalated;
8. customer satisfaction is measured and analysed;
9. [customer satisfaction analysis results are communicated to interested parties.]
Requirements 20000-1 1ED IS 06.1 Service level management [4]
traceability
20000-1 1ED IS 06.3 Service continuity and availability management [4]
20000-1 1ED IS 07.2 Business relationship management [1,2,3,4,5,6,7,8]
20000-1 1ED IS 08.3 Problem management [4]
20000-1 2ED DRAFT 6.1 Service level management [4]
20000-1 2ED DRAFT 6.3 Service continuity and availability management [4]
20000-1 2ED DRAFT 7.1 Business relationship management [1,2,3,4,5,6,7,8]
20000-1 2ED DRAFT 8.1 Incident management and request fulfilment [4]
20000-1 2ED DRAFT 8.2 Problem management [4]
20000-1 2ED DRAFT 9.2 Change management [4]
4 © ISO/IEC 2010 – All rights reserved

---------------------- Page: 10 ----------------------
ISO/IEC TR 20000-4:2010(E)
5.5 Capacity management
Name Capacity management
Context This process ensures that there are sufficient resources and capacity to meet current and future agreed
requirements in a cost effective and timely manner. The process enables a service provider to provide
sufficient resources across an entire service in order to deliver the agreed service performance and meet
the service level targets.
Purpose The purpose of the capacity management process is to ensure that the service provider has service
capacity to meet current and future agreed requirements.
Outcomes As a result of successful implementation of this process:
1. [current and future capacity and performance requirements are identified and agreed;]
2. a capacity plan is developed based on the capacity and performance requirements;
3. capacity is provided to meet current capacity and performance requirements;
4. capacity usage is monitored, analysed and performance is tuned;
5. capacity is prepared to meet future capacity and performance needs;
6. changes to capacity and performance are reflected in the capacity plan.
Requirements 20000-1 1ED IS 06.5 Capacity management [2]
traceability
20000-1 2ED DRAFT 6.5 Capacity management [2,3,4,5,6]
5.6 Change management
Name Change management
Context Changes to services, their applications and infrastructure, are planned and controlled to ensure timeliness
without unnecessary disruption. Unintended effects of changes are remedied.
Purpose The purpose of the change management process is to ensure all changes are assessed, approved,
implemented and reviewed in a controlled manner.
Outcomes
As a result of successful implementation of this process:
1. change requests are recorded and classified;
2. change requests are assessed using defined criteria;
3. change requests are approved before changes are developed and deployed;
4. a schedule of changes and releases is established and communicated to interested parties;
5. approved changes are developed and tested;
6. unsuccessful changes are reversed or remedied.
20000-1 1ED IS 05 Planning and implementing new or changed services [3]
Requirements
traceability
20000-1 1ED IS 06.1 Service level management [1]
20000-1 1ED IS 06.3 Service continuity and availability management [2]
20000-1 1ED IS 06.4 Budgeting and accounting for IT services [1]
20000-1 1ED IS 06.6 Information security management [2]
20000-1 1ED IS 07.2 Business relationship management [1,5]
20000-1 1ED IS 07.3 Supplier management [1]
20000-1 1ED IS 08.3 Problem management [1]
20000-1 1ED IS 09.2 Change management [1,2,3,4,5]
20000-1 1ED IS 10.1 Release management [2,4]
20000-1 2ED DRAFT 5.2 Plan the design, development and transition of new or changed services [2]
20000-1 2ED DRAFT 6.1 Service level management [1]
20000-1 2ED DRAFT 6.3 Service continuity and availability management [2]
20000-1 2ED DRAFT 6.6.3 Information security changes and incidents [2]
20000-1 2ED DRAFT 7.1 Business relationship management [1]
20000-1 2ED DRAFT 7.2 Supplier management [1]
20000-1 2ED DRAFT 8.2 Problem management [1]
20000-1 2ED DRAFT 9.2 Change management [1,2,3,4,5,6]
20000-1 2ED DRAFT 9.3 Release and deployment management [4]
© ISO/IEC 2010 – All rights reserved 5

---------------------- Page: 11 ----------------------
ISO/IEC TR 20000-4:2010(E)
5.7 Configuration management
Name Configuration management
Context This process is concerned with establishing and maintaining the integrity of service components to enable
effective control of the services.
Purpose The purpose of the configuration management process is to establish and maintain the integrity of all
identified service components.
Outcomes
As a result of successful implementation of this process:
1. items requiring configuration management are identified;
2. the status of configuration items and modifications are recorded and reported;
3. changes to items under configuration management are controlled;
4. the integrity of systems, services and service components is assured;
5. the configuration of released items is controlled.
Requirements 20000-1 1ED IS 06.1 Service level management [1]
traceability
20000-1 1ED IS 07.3 Supplier management [1]
20000-1 1ED IS 09.1 Configuration management [1,2,3,4,5]
20000-1 2ED DRAFT 6.1 Service level management [1]
20000-1 2ED DRAFT 7.2 Supplier management [1]
20000-1 2ED DRAFT 9.1 Configuration management [1,2,3,4,5]
20000-1 2ED DRAFT 9.2 Change management [3]

5.8 Human resource management
Name
Human resource management
Context The scope of the human resource management process is limited to identifying and developing the
competencies of individuals in relation to their service management activities and the process needs of
the organization. This process specifically excludes other related and commonly accepted aspects of
human resource management such as health and safety, security, and laws or regulations on the fairness
of recruitment and employment practices.
Purpose The purpose of the human resource management process is to provide the organization with necessary
human resources and to maintain their competencies, consistent with business needs and service
requirements.
Outcomes As a result of successful implementation of this process:
1. the competencies required by the organization for service provision are identified;
2. identified competency gaps are filled through training or recruitment;
3. individual competencies and their development are monitored;
4. each individual demonstrates their understanding of their role in achieving service management
objectives.
Requirements 20000-1 1ED IS 03.3 Competence, awareness and training [2,3,4]
traceability
20000-1 2ED DRAFT 4.4.2.1 General [1]
20000-1 2ED DRAFT 4.4.2.2 Competence, awareness and training [1,2,3,4]
6 © ISO/IEC 2010 – All rights reserved

---------------------- Page: 12 ----------------------
ISO/IEC TR 20000-4:201
...