ISO/IEC 29110-4-3:2018

INTERNATIONAL ISO/IEC
STANDARD 29110-4-3
First edition
2018-09
Systems and software engineering —
Lifecycle profiles for very small
entities (VSEs) —
Part 4-3:
Service delivery — Profile
specification
Ingénierie des systèmes et du logiciel — Profils de cycle de vie pour
très petits organismes (TPO) —
Partie 4-3: Prestation de services — Spécification de profil
Reference number
©
ISO/IEC 2018
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2018 – All rights reserved

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
1.1 Fields of application . 1
1.2 Target audience . 1
2 Normative references . 1
3 Terms and definitions . 2
4 Abbreviated terms . 7
5 Conformance . 8
6 Work unit requirements for the Service Delivery profile . 8
6.1 General . 8
6.2 Governance (GO) process . 9
6.3 Service Control (CO) process .10
6.4 Service Relationship (RE) process .10
6.5 Service Incident (IN) process .10
7 Work product requirements for the Service Delivery profile .11
7.1 General .11
7.2 Governance (GO) work products .11
7.3 Service Control (CO) work products .14
7.4 Service Relationship (RE) work products .18
7.5 Service Incident (IN) work products .19
Annex A (informative) Service Delivery requirements imported from base standards .21
Annex B (informative) Service Delivery Guidelines requirements traceability mapping .49
Annex C (informative) Service delivery audit checklist .61
Annex D (informative) Mapping of ISO/IEC 29110-4-3 to ISO/IEC 20000-1:2011 .64
Bibliography .67
© ISO/IEC 2018 – All rights reserved iii

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso
.org/iso/foreword .html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 7, Software and systems engineering.
A list of all parts in the ISO/IEC 29110 series is available on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at https: //www .iso .org/members .html.
iv © ISO/IEC 2018 – All rights reserved

Introduction
Very Small Entities (VSEs) around the world are creating valuable products and services. For the
purpose of ISO/IEC 29110, a Very Small Entity (VSE) is an enterprise, an organization, a department
or a project having up to 25 people. Since many VSEs develop and/or maintain system and software
components used in systems, either as independent products or incorporated in larger systems, a
recognition of VSEs as suppliers of high quality products is required.
According to the Organization for Economic Co-operation and Development (OECD) SME and
Entrepreneurship Outlook report (2005), ”Small and Medium Enterprises (SMEs) constitute the
dominant form of business organization in all countries world-wide, accounting for over 95 % and
up to 99 % of the business population depending on country”. The challenge facing governments
and economies is to provide a business environment that supports the competitiveness of this large
heterogeneous business population and that promotes a vibrant entrepreneurial culture.
From studies and surveys conducted, it is clear that the majority of International Standards do not
address the needs of VSEs. Implementation of and conformance with these standards is difficult, if not
impossible. Consequently, VSEs have no, or very limited, ways to be recognized as entities that produce
quality systems/system elements including software in their domain. Therefore, VSEs are excluded
from some economic activities.
It has been found that VSEs find it difficult to relate International Standards to their business needs
and to justify the effort required to apply standards to their business practices. Most VSEs can neither
afford the resources, in terms of number of employees, expertise, budget and time, nor do they see a
net benefit in establishing over-complex systems or software life cycle processes. To address some of
these difficulties, a set of guides has been developed based on a set of VSE characteristics. The guides
are based on subsets of appropriate standards processes, activities, tasks and outcomes, referred to as
Profiles. The purpose of a profile is to define a subset of International Standards relevant to the VSEs'
context; for example, processes, activities, tasks and outcomes of ISO/IEC/IEEE 12207 for software; and
processes, activities, tasks and outcomes of ISO/IEC/IEEE 15288 for systems; and information products
(documentation) of ISO/IEC/IEEE 15289 for software and systems.
VSEs can achieve recognition through implementing a profile and by being audited against ISO/
IEC 29110 specifications.
The ISO/IEC 29110 series of standards and technical reports can be applied at any phase of system or
software development within a life cycle. This series of standards and technical reports is intended to
be used by VSEs that do not have experience or expertise in adapting/tailoring ISO/IEC/IEEE 12207 or
ISO/IEC/IEEE 15288 standards to the needs of a specific project. VSEs that have expertise in adapting/
tailoring ISO/IEC/IEEE 12207 or ISO/IEC/IEEE 15288 are encouraged to use those standards instead of
ISO/IEC 29110.
ISO/IEC 29110 is intended to be used with any lifecycle such as: waterfall, iterative, incremental,
evolutionary or agile.
Systems, in the context of ISO/IEC 29110, are typically composed of hardware and software components.
The ISO/IEC 29110 series, targeted by audience, has been developed to improve system or software
and/or service quality and process performance. See Table 1.
© ISO/IEC 2018 – All rights reserved v

Table 1 — ISO/IEC 29110 target audience
ISO/IEC 29110 Title Target audience
ISO/IEC 29110-1 Overview VSEs and their customers, assessors, stand-
ards producers, tool vendors and methodol-
ogy vendors.
ISO/IEC 29110-2 Framework for profile Profile producers, tool vendors and methodol-
preparation ogy vendors.
Not intended for VSEs.
ISO/IEC 29110-3 Certification and assessment VSEs and their customers, assessors, accredi-
guidance tation bodies.
ISO/IEC 29110-4 Profile specifications VSEs, customers, standards producers, tool
vendors and methodology vendors.
ISO/IEC 29110-5 Management, engineering and VSEs and their customers.
service delivery guides
If a new profile is needed, ISO/IEC 29110-4 and ISO/IEC TR 29110-5 can be developed with minimal
impact to existing documents.
ISO/IEC 29110-1 defines the terms common to the ISO/IEC 29110 series. It introduces processes,
lifecycle and standardization concepts, the taxonomy (catalogue) of ISO/IEC 29110 profiles and the ISO/
IEC 29110 series. It also introduces the characteristics and needs of a VSE and clarifies the rationale for
specific profiles, documents, standards and guides.
ISO/IEC 29110-2 introduces the concepts for systems and software engineering profiles for VSEs. It
establishes the logic behind the definition and application of profiles. For standardized profiles, it
specifies the elements common to all profiles (structure, requirements, conformance, assessment). For
domain-specific profiles (profiles that are not standardized and developed outside of the ISO process),
it provides general guidance adapted from the definition of standardized profiles.
ISO/IEC 29110-3 defines certification schemes, assessment guidelines and compliance requirements for
process capability assessment, conformity assessments and self-assessments for process improvements.
ISO/IEC 29110-3 also contains information that can be useful to developers of certification and
assessment methods and developers of certification and assessment tools. ISO/IEC 29110-3 is addressed
to people who have direct involvement with the assessment process, e.g. the auditor, certification and
accreditation bodies and the sponsor of the audit, who need guidance on ensuring that the requirements
for performing an audit have been met.
ISO/IEC 29110-4-m provides the specification for all profiles in one profile group (a profile group may
contain a single profile or multiple profiles). A profile is specified in terms of requirements imported
from appropriate base standards.
ISO/IEC TR 29110-5-m provides management, engineering and service delivery guides for the profiles
in a profile group.
This document provides the specification for the service delivery profile.
Figure 1 describes the ISO/IEC 29110 International Standards (IS) and Technical Reports (TR) and
positions the parts within the framework of reference. Overview, assessment guide, management and
engineering guide are available from ISO as Technical Reports (TR). The Framework document, profile
specifications and certification schemes are published as International Standards (IS).
vi © ISO/IEC 2018 – All rights reserved

Figure 1 — The ISO/IEC 29110 series
© ISO/IEC 2018 – All rights reserved vii

INTERNATIONAL STANDARD ISO/IEC 29110-4-3:2018(E)
Systems and software engineering — Lifecycle profiles for
very small entities (VSEs) —
Part 4-3:
Service delivery — Profile specification
1 Scope
1.1 Fields of application
This document is applicable to Very Small Entities (VSEs). A VSE is an enterprise, an organization, a
department or a project having up to 25 people.
The purpose of this document is to provide a set of auditable requirements based on multiple standards
(i.e., ISO/IEC/IEEE 15288, ISO/IEC/IEEE 15289, ISO 9000, ISO 9001, ISO 31000, ISO/IEC 38500,
ISO 10004, ISO 10007, ISO/IEC 20000, ISO/IEC 27035) that supports the delivery of services by a VSE.
Services can be delivered to internal or external customers. This document is not a Management System
Standard (MSS), nor does it provide guidance on fulfilling the requirements of an MSS. ISO/IEC 20000-
1:2011 is the MSS for service management (see Annex D for information).
This document does not promote uniformity in the approach across all organizations, as specific
objectives and initiatives are tailored to suit an individual organization’s needs.
1.2 Target audience
This document is targeted at:
— assessors and accrediting agencies to support the conformity needs of the VSE;
— VSEs that want to claim conformity to this profile for service delivery;
— customers who want assurance about a VSE’s abilities to meet their requirements; and
— tool/methodology vendors for future development of commercial tools or methodologies to support
VSEs using this document.
Conformance is achieved by demonstrating that the mandatory requirements have been satisfied using
the content of conformant work products as an evidence.
NOTE In this document, for simplicity of reference, each work product is described as if it were published
as a separate document. However, work products will be considered as conforming if they meet the stated
requirements, are available for reference, divided into separate documents or volumes, or combined with other
work products into one document.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 29110-2-1, Software engineering — Lifecycle profiles for Very Small Entities (VSEs) — Part 2-1:
Framework and taxonomy
© ISO/IEC 2018 – All rights reserved 1

3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 29110-2-1 and the
following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https: //www .iso .org/obp
— IEC Electropedia: available at https: //www .electropedia .org/
3.1
activity
set of cohesive tasks of a process (3.21)
[SOURCE: ISO/IEC/IEEE 12207:2017, 3.1.4]
3.2
agreement
mutual acknowledgement of terms and conditions under which a working relationship is conducted
EXAMPLE Contract, memorandum of agreement.
[SOURCE: ISO/IEC/IEEE 12207:2017, 3.1.5]
3.3
audit
systematic, independent, documented process (3.21) for obtaining records (3.23), statements of fact or
other relevant information and assessing them objectively, to determine the extent to which specified
requirements are fulfilled
Note 1 to entry: Whilst “audit” applies to management systems, “assessment” applies to conformity assessment
bodies as well as more generally.
[SOURCE: ISO/IEC TR 29110-1:2016, 3.7]
3.4
change
add, move, modify, removal of a configuration item (CI) (3.5)
Note 1 to entry: changes can be classified based on the risk and impact to the organization (3.18); common types
include pre-approved, emergency or normal.
3.5
configuration item
CI
item or aggregation of hardware, software or both, that is designated for configuration management
(3.16) and treated as a single entity in the configuration management process (3.21)
Note 1 to entry: Configuration items can vary widely in complexity, size and type, ranging from an entire system
(3.37) including all hardware, software and documentation, to a single module or a minor hardware component.
[SOURCE: ISO/IEC/IEEE 15288:2015, 4.1.13, modified — Note 1 to entry has been added.]
3.6
control manager
CM
role that approves/rejects change (3.4) and manages change-related tasks such as testing and
deployment
Note 1 to entry: This role may be combined with other roles and is a direct report (or shared role) with the
Service Manager (3.33). If one person is appointed to the role, the person reports to the Service Manager (3.33) for
service matters and has the authority over change-related tasks.
2 © ISO/IEC 2018 – All rights reserved

3.7
customer
CUS
person or organization (3.18) that could or does receive a product or a service (3.26) that is intended for
or required by this person or organization (3.18)
EXAMPLE Consumer, client, end-user, retailer, receiver of product or service (3.26) from an internal process
(3.21), beneficiary and purchaser.
Note 1 to entry: A customer can be internal or external to the organization (3.18).
[SOURCE: ISO 9000:2015, 3.2.4]
3.8
document
information and the medium on which it is contained
EXAMPLE Record (3.23), specification, procedure document, drawing, report, standard.
Note 1 to entry: The medium can be paper, magnetic, electronic or optical computer disc, photograph or master
sample, or combination thereof.
Note 2 to entry: A set of documents, for example specifications and records (3.23), is frequently called
“documentation”.
Note 3 to entry: Some requirements (e.g. the requirement to be readable) relate to all types of documents.
However, there can be different requirements for specifications (e.g. the requirement to be revision controlled)
and for records (3.23) (e.g. the requirement to be retrievable).
[SOURCE: ISO 9000:2015, 3.8.5]
3.9
effectiveness
extent to which planned activities are realized and planned results achieved
[SOURCE: ISO 9000:2015, 3.7.11, modified — Note 1 to entry has been removed.]
3.10
efficiency
relationship between the result achieved and the resources used
[SOURCE: ISO 9000:2015, 3.7.10]
3.11
governance
system (3.37) of directing and controlling
[SOURCE: ISO/IEC 38500:2015, 2.8]
3.12
incident
anomalous or unexpected event, set of events, condition or situation at any time during the life cycle of
a project, product, service (3.26) or system (3.37)
[SOURCE: ISO/IEC/IEEE 15288:2015, 4.1.21]
3.13
incident manager
IM
role that has authority over all incidents (3.12) and manages incident-related tasks
Note 1 to entry: This role may be combined with other roles. This role is a direct report (or shared role) with the
Service Manager (3.33). The person can also be responsible for a Service Desk, if one exists.
© ISO/IEC 2018 – All rights reserved 3

3.14
information security policy
document (3.8) that states, in writing, how an organization (3.18) plans to protect its physical and
information technology assets
[SOURCE: ISO/TS 21547:2010, 3.2.25]
3.15
lifecycle
evolution of a system (3.37), product, service (3.26), project or other human-made entity, from
conception through retirement
[SOURCE: ISO/IEC/IEEE 15288:2015, 4.1.23]
3.16
management
MGT
coordinated activities to direct and control an organization (3.18)
Note 1 to entry: Management can include establishing policies and objectives, and processes (3.21) to achieve
these objectives.
Note 2 to entry: The word “management” sometimes refers to people, i.e. a person or group of people with
authority and responsibility for the conduct and control of an organization. When “management” is used in this
sense, it should always be used with some form of qualifier to avoid confusion with the concept of “management”
as a set of activities defined above. For example, “management shall.” is deprecated whereas “top management
(3.38) shall.” is acceptable. Otherwise different words should be adopted to convey the concept when related to
people, e.g. managerial or managers.
[SOURCE: ISO 9000:2015, 3.3.3]
3.17
operator
individual or organization (3.18) that performs the operations of a system (3.37)
Note 1 to entry: The role of operator and the role of user can be vested, simultaneously or sequentially, in the
same individual or organization.
Note 2 to entry: An individual operator combined with knowledge, skills and procedures (3.20) can be considered
as an element of the system (3.37).
Note 3 to entry: An operator may perform operations on a system (3.37) that is operated, or of a system (3.37)
that is operated, depending on whether or not operating instructions are placed within the system boundary.
[SOURCE: ISO/IEC/IEEE 15288:2015, 4.1.26]
3.18
organization
person or a group of people that has its own functions responsibilities, authorities and relationships to
achieve its objectives
[SOURCE: ISO 9000:2015, 3.2.1, modified — Notes 1 and 2 to entry have been removed.]
3.19
practitioner
PT
person or team performing the activities within one or more process (3.21) areas
3.20
procedure
specified way to carry out an activity (3.1) or a process (3.21)
Note 1 to entry: Procedures can be documented or not.
4 © ISO/IEC 2018 – All rights reserved

[SOURCE: ISO 9000:2015, 3.4.5]
3.21
process
set of interrelated or interacting activities which transforms inputs into outputs to deliver an
intended result
Note 1 to entry: Whether the “intended result” of a process is called output, product or service (3.26) depends on
the context of the reference.
Note 2 to entry: Inputs to a process are generally the outputs of other processes and outputs of a process are
generally the inputs to other processes.
Note 3 to entry: Two or more interrelated and interacting processes in series can also be referred to as a process.
Note 4 to entry: Processes in an organization (3.18) are generally planned and carried out under controlled
conditions to add value.
[SOURCE: ISO 9000:2015, 3.4.1, modified — Notes 5 and 6 to entry have been removed.]
3.22
profile
set of one or more base standards and/or profiles, and where applicable, the identification of chosen
classes, conforming subsets, option and parameters of those base standards, or standardized profiles
necessary to accomplish a particular function
[SOURCE: ISO/IEC TR 10000-1:1998, 3.1.4, modified — NOTE has been removed; “ISPs” has been
replaced with “(standardized) profiles”.]
3.23
record
document (3.8) stating results achieved or providing evidence of activities performed
[SOURCE: ISO 9000:2015, 3.8.10, modified — Notes 1 and 2 to entry have been removed.]
3.24
relationship manager
RM
role that develops and manages the customer (3.7) and supplier (3.36) interfaces as well as the service
catalogue (3.27)
Note 1 to entry: This role may be combined with other roles. This role is a direct report (or shared role) with the
Service Manager (3.33).
3.25
resource
asset that is utilized or consumed during the execution of a process (3.21)
Note 1 to entry: Resources include those that are reusable, renewable or consumable.
EXAMPLE diverse entities such as funding, personnel, facilities, capital equipment, tools and utilities such
as power, water, fuel and communication infrastructures
[SOURCE: ISO/IEC/IEEE 12207:2017, 3.1.45]
3.26
service
performance of activities, work or duties
Note 1 to entry: A service is self-contained, coherent, discrete, and can be composed of other services.
Note 2 to entry: A service is generally an intangible product.
© ISO/IEC 2018 – All rights reserved 5

[SOURCE: ISO/IEC/IEEE 15288:2015, 4.1.42]
3.27
service catalogue
documented information about services that an organization (3.18) provides to its customers (3.7)
3.28
service change request
formal procedure (3.20) for submitting a request for an adjustment of a configuration item (3.5)
[SOURCE: ISO/IEC TR 18018:2010, 3.5, modified — The original term was "change request" and an
abbreviated term "CR" was included.]
3.29
service delivery policy
formal, brief and high-level statement that embraces an organization’s (3.18) general beliefs, ethics,
goals and objectives of service(s) (3.26)
3.30
service design
creation of a service solution(s); typically including the components which create the desired
functionality, technology architecture that supports the components, the processes (3.21) to support and
manage the solution, the associated measures (internal performance or customer agreed measures),
and the supply chain interfaces
3.31
service level agreement
SLA
documented agreement (3.2) between a service provider (3.34) and a customer (3.7) that identifies
services (3.26) and service targets
Note 1 to entry: A service level agreement can also be established between the service provider (3.34) and a
supplier (3.36) or an internal group or a customer (3.7) acting as a supplier (3.36).
Note 2 to entry: A service level agreement can be included in a contract or another type of documented agreement.
[SOURCE: ISO/IEC TR 20000-10:2015, 2.29]
3.33
service manager
SM
role that directly oversees the delivery of services and provides leadership and direction, has
decision-making authority on all activities, and is a direct report or peer to the highest level of the
organization (3.18)
Note 1 to entry: The service manager may have more than one role in the delivery of services (assign the
responsibilities of the Control Manager (3.6) and Service Manager to the same individual).
3.34
service provider
organization (3.18) that manages and delivers a service or services (3.26) to the customer (3.7)
Note 1 to entry: A customer can be internal or external to the service provider's organization.
[SOURCE: ISO/IEC/IEEE 24765:2017, 3.3721]
6 © ISO/IEC 2018 – All rights reserved

3.35
stakeholder
individual or organization (3.18) having a right, share, claim or interest in a system (3.37) or in its
possession of characteristics that meet their needs and expectations
EXAMPLE End users, end user organizations, supporters, developers, trainers, maintainers, disposers,
acquirers, supplier (3.36) organizations and regulatory bodies.
[SOURCE: ISO/IEC/IEEE 15288:2015, 4.1.44, modified — Note 1 to entry has been removed.]
3.36
supplier
SUP
organization (3.18) or an individual that enters into an agreement (3.2) with the acquirer for the supply
of a product or service (3.26)
Note 1 to entry: Other terms commonly used for supplier are contractor, producer, seller or vendor.
Note 2 to entry: The acquirer and the supplier sometimes are part of the same organization.
[SOURCE: ISO/IEC/IEEE 15288:2015, 4.1.45, modified — “SUP” has been added.]
3.37
system
combination of interacting elements organized to achieve one or more stated purposes
Note 1 to entry: A system is sometimes considered as a product or as the services it provides.
Note 2 to entry: In practice, the interpretation of its meaning is frequently clarified by the use of an associative
noun, e.g. aircraft system. Alternatively, the word “system” may be substituted simply by a context-dependent
synonym, e.g. aircraft, though this may then obscure a system principles perspective.
[SOURCE: ISO/IEC/IEEE 15288:2015, 4.1.46, modified — Note 3 to entry has been removed.]
3.38
top management
person or group of people who directs and controls an organization (3.18) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization.
Note 2 to entry: If the scope of the management system covers only part of an organization, then top management
refers to those who direct and control that part of the organization.
Note 3 to entry: This definition is only included to support wording used in quoted definitions; with 25 or less
people in a VSE, the concept of top management may not be applicable.
[SOURCE: ISO 9000:2015, 3.1.1, modified — The original Note 3 to entry has been removed, new Note 3
to entry added.]
3.39
vital business service
service (3.26) that is critical to the success of the business
4 Abbreviated terms
The following abbreviations are used in this document:
© ISO/IEC 2018 – All rights reserved 7

CO Service control process
GO Governance process
IN Service incident process
M Mandatory (shall)
MSS Management System Standard
O Optional (should)
RE Service Relationships process
VSE Very Small Entity
WP Work product
5 Conformance
This document can be adopted by organizations implementing and using the processes required by this
document. Therefore, organizations can claim conformance to this profile.
It can be attested by a third party. It can be mandated as part of procurement and contractual processes.
A VSE that claims conformance to a profile specified in this document shall use all the mandatory
profile requirements as identified in its specification clause.
The following variations to the service delivery profile are specified in this document:
a) Governance: 6.2 and 7.2;
b) Operational: 6.3 to 6.5 and 7.3 to 7.5;
c) Full: Governance and Operational.
6 Work unit requirements for the Service Delivery profile
6.1 General
The following section details the core set of requirements for the Service Delivery profile. These
requirements are grouped in four (4) processes: Governance, Maintain Control, Manage Relationships
and Prevent or Manage Incidents. See Figure 2 for a high-level view of the Service Delivery profile.
Annex A provides base standard reference for each requirement. Annex B provides mapping tables
between requirements, tasks and work products. Audit evidence can be found in Annex C.
8 © ISO/IEC 2018 – All rights reserved

Figure 2 — Service Delivery process diagram
6.2 Governance (GO) process
The purpose of governance is to establish a system for directing and controlling service delivery
activities within the VSE. The result of these activities will define the scope, responsibilities and
leadership requirements for an effective and efficient service delivery. The organization shall assure
the following requirements are implemented in accordance with applicable organization policies and
procedures with respect to the Governance process. One set of activities and tasks that support the
achievement of the requirements can be found in ISO/IEC TR 29110-5-3. Other activities or tasks can
achieve similar results.
Table 2 — GO requirements
Profile Profile
Profile requirement (reqr.) text
conformance reqr. ID
M (shall) Top management shall define the scope of the service delivery activities. P01
M (shall) A Service Delivery policy, with information security element(s) shall be cre- P02
ated, documented, implemented and reviewed based on the defined scope of
the service delivery activities.
M (shall) Responsibilities and authorities which support the Service Delivery policy, shall P03
be assigned, monitored and managed.
M (shall) The Service Manager shall review and report to management on actions and P04
achievements against Service Delivery objectives and update plans to achieve
the objectives.
M (shall) Top management shall review policies, processes, procedures and services to P05
confirm compliance and continued relevance to meet changing circumstances
or customer requirements.
NOTE  The source of these requirements can be found in Table A.1.
© ISO/IEC 2018 – All rights reserved 9

6.3 Service Control (CO) process
The purpose of the service control process is to support and control change to defined vital business
services and mitigate the associated risk of change. This includes the design of the new or changed
services, specifically the availability, continuity, capacity and information security needs that meet
current and future business requirements. The organization shall assure the following requirements
are implemented in accordance with applicable organization policies and procedures with respect
to the Service Control process. One set of activities and tasks that support the achievement of the
requirements can be found in ISO/IEC TR 29110-5-3. Other activities or tasks can achieve similar
results.
Table 3 — CO requirements
Profile Profile
Profile requirement (reqr.) text
conformance reqr. ID
M (shall) Management shall define services and control the service component information. P06
M (shall) The Control Manager shall evaluate service changes for approval or rejection P07
based on established criteria and update the service change schedule.
M (shall) Service designs shall conform to documented design, build, test and deploy- P08
ment procedures.
M (shall) Master copies of authorized service components (e.g., hardware, software, P09
documentation, etc.) shall be available and protected.
M (shall) The Control Manager shall approve or reject the deployment of a service change P10
based on test results compared to acceptance criteria, customer agreement and
service change schedule.
NOTE  The source of these requirements can be found in Table A.1.
6.4 Service Relationship (RE) process
The purpose of the service relationship process is to maintain relationships with customers and the
suppliers needed to support effective and efficient service delivery. This can be supported by documented
agreements for services (service catalogue, service level agreements, contracts), communication and
feedback. The organization shall assure the following requirements are implemented in accordance
with applicable organization policies and procedures with respect to the Service Relationship process.
One set of activities and tasks that support the achievement of the requirements can be found in ISO/
IEC TR 29110-5-3. Other activities or tasks can achieve similar results.
Table 4 — RE requirements
Profile Profile
Profile requirement (reqr.) text
conformance reqr. ID
M (shall) All services offered shall be documented in business terms in one or more P11
service catalogue(s) and made available to appropriate stakeholder groups.
M (shall) Requirements for service delivery between the VSE and its customer(s) and/or P12
supplier(s) shall be agreed, documented, reviewed and updated, as required.
M (shall) At a minimum, service reports to customers or from suppliers shall be pro- P13
duced for customer satisfaction, service complaints and performance against
agreed service measures.
NOTE  The source of these requirements can be found in Table A.1.
6.5 Service Incident (IN) process
The purpose of the service incident process is to restore service to the business with minimal disruption
or to prevent incidents from occurring. The organization shall assure the following requirements
are implemented in accordance with applicable organization policies and procedures with respect
to the Service Incident process. One set of activities and tasks that support the achievement of the
10 © ISO/IEC 2018 – All rights reserved

requirements can be found in ISO/IEC TR 29110-5-3. Other activities or tasks can achieve similar
results.
Table 5 — IN requirements
Profile Profile
Profile requirement (reqr.) text
conformance reqr. ID
M (shall) All reported or identified incidents that reduce the quality of or prevent use of P14
agreed services shall be recorded and managed to closure.
M (shall) Skilled resources, internal or external to the VSE, shall investigate incidents, actual P15
or potential, with the intent of restoring service as soon as possible.
M (shall) All steps taken to restore the service shall be documented and agreed. P16
M (shall) Incidents, actual or potential, with a significant impact on the organization shall P17
be investigated to discover root cause and a solution which will be actioned, if
approved, to prevent or minimize future occurrence.
NOTE  The source of these requirements can be found in Table A.1.
7 Work product requirements for the Service Delivery profile
7.1 General
There are 21 total work products to support the full profile. They are listed below by process group. Note
that there need not be 21 unique work products — based on the need of the VSE and their stakeholders,
work products can be combined or broken into more discrete work products.
7.2 Governance (GO) work products
The following Governance work products support the process tasks. There are eight (8) work products
and they are listed alphabetically. Where a base standard reference is underlined, the reference refers
to optional requirements (“should”).
Table 6 — GO work products & requirements
Base std ID & ref. WP No. WP name WP content requirements Profile conf.
ISO/IEC/ WP.01 Business goals At a minimum, a current copy of the business M (shall)
IEEE 15289:2017 and objectives goals and objectives shall be readily available
— 7.3 d)
ISO/IEC/IEEE 15289:2017
WP.04 Customer At a minimum, the customer experience ap- M (shall)
— 7.5 a), b), c), d), h), k)
experience proach shall:
— 10.14
— Table 4
approach
a) Capture and manage a log for all
comments (compliments, complaints,
general comments)
ISO/IEC/IEEE 15289:2017
WP.05 Data and At a minimum, the following shall be in- M (shall)
— 7.5 a), b), c), d), h), k)
document cluded:
— 10.25
management
procedure
a) Unique identifier
b) Version of the document or data
c) Controls to prevent unauthorized
service changes
d) Location of document/data
© ISO/IEC 2018 – All rights reserved 11

Table 6 (continued)
Base std ID & ref. WP No. WP name WP content requirements Profile conf.
ISO/ WP.06 Feedback At a minimum, the log shall: M (shall)
IEC 20000:2017 log
a) Be stored as a configuration item (CI)
— 7.1
b) Be managed, as determined by
business need
c) Contain:
1) Unique identifier
2) Contact Details (Full name, address,
phone numbers; email address)
3) Description and detail of the
comment
4) Time and date of the interaction
5) Investigation outcome
6) Signature and date
12 © ISO/IEC 2018 – All rights reserved

Table 6 (continued)
Base std ID & ref. WP No. WP name WP content requirements Profile conf.
ISO/IEC/ WP.07 Improvement At a minimum, the improvement report con- M (shall)
IEEE 15289:2017 report tent shall include:
— 7.6 a), c), d), a) Unique identifier
e), f), h), i), m)
b) From the customer perspective,
— 10.30 assessment of performance and
relevance of services
1) Results of service goals’
achievement
2) Issues
c) From the service provider perspective,
assessment of usage and relevance of
written policies and practices to support
service delivery
1) Current performance vs. agree
performance
2) Issues
d) Defined and agreed improvement actions
e) An annual review schedule
ISO/IEC 20000- WP.08 List of At a minimum, the following role shall be M (shall)
1:2011 assigned included:
roles
— 4.4.2 a), b), e) a) Service Manager
1) Service Management training
2) Competence within general
activities of the ISO 29110 series
ISO/IEC/ WP.14 Service At a minimum, the policy shall include: M (shall)
IEEE 15289:2017 delivery
policy,
a) The creation of a service catalogue
objectives
— 7.3 a), b), c),
and plan(s)
b) A prioritization matrix for managing
e), f), h), i), l),
change and failure (based on criticality to
n), q), v)
the business and used to manage events)
— 7.4 a), b), c),
c) Change definitions (pre-approved,
d), e), h)
emergency, normal)
— 10.61
d) Communication practices (written and/
— 10.73 or verbal) to support transparency
with the customer (when, how often,
standardized messages, etc.) and
managing the customer experience
1) Include standard communication
around resolution of incidents,
status of changes, status of service
delivery
© ISO/IEC 2018 – All rights reserved 13

Table 6 (continued)
Base std ID & ref. WP No. WP name WP content requirements Profile conf.
e) Information security measures (based
on organisational risk tolerance and
requirements)
1) Include the confidentiality, integrity
and availability measures to protect
organisational data and information
f) An annual review schedule
ISO/IEC 20000- WP.15
...