ISO/IEC 20000-1:2011
(Main)Information technology — Service management — Part 1: Service management system requirements
Information technology — Service management — Part 1: Service management system requirements
ISO/IEC 20000-1:2011 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfil agreed service requirements. ISO/IEC 20000-1:2011 can be used by: an organization seeking services from service providers and requiring assurance that their service requirements will be fulfilled; an organization that requires a consistent approach by all its service providers, including those in a supply chain; a service provider that intends to demonstrate its capability for the design, transition, delivery and improvement of services that fulfil service requirements; a service provider to monitor, measure and review its service management processes and services; a service provider to improve the design, transition, delivery and improvement of services through the effective implementation and operation of the SMS; an assessor or auditor as the criteria for a conformity assessment of a service provider's SMS to the requirements in ISO/IEC 20000-1:2011.
Technologies de l'information — Gestion des services — Partie 1: Exigences du système de management des services
L'ISO/CEI 20000-1:2011 est une norme de système de management des services (SMS). Elle spécifie les exigences destinées au fournisseur de services pour planifier, établir, implémenter, exécuter, surveiller, passer en revue, maintenir et améliorer un SMS. Les exigences incluent la conception, la transition, la fourniture et l'amélioration des services afin de satisfaire aux exigences de services. L'ISO/CEI 20000-1:2011 peut être utilisée par: un organisme attendant des services de la part de fournisseurs de services et exigeant d'avoir la garantie que les exigences de services de ces derniers seront satisfaites; un organisme qui exige une approche cohérente de la part de tous ses fournisseurs de services, y compris ceux qui sont compris dans une chaîne logistique; un fournisseur de services qui souhaite démontrer son efficience dans la conception, la transition, la fourniture et l'amélioration des services qui satisfont aux exigences de services; un fournisseur de services pour surveiller, mesurer et passer en revue ses processus de gestion des services ainsi que ses services; un fournisseur de services pour améliorer la conception, la transition et la fourniture des services par l'implémentation et le fonctionnement effectifs d'un SMS; un évaluateur ou un auditeur comme critère d'évaluation de conformité du SMS d'un fournisseur de services par rapport aux exigences figurant dans l'ISO/CEI 20000-1:2011.
General Information
Relations
Buy Standard
Standards Content (Sample)
INTERNATIONAL ISO/IEC
STANDARD 20000-1
Redline version
compares second edition
to first edition
Information technology — Service
management —
Part 1:
Service management system
requirements
Technologies de l’information — Gestion des services —
Partie 1: Exigences du système de management des services
Reference number
ISO/IEC 20000-1:redline:2014(E)
©
ISO/IEC 2014
---------------------- Page: 1 ----------------------
ISO/IEC 20000-1:redline:2014(E)
IMPORTANT — PLEASE NOTE
This is a mark-up copy and uses the following colour coding:
Text example 1 — indicates added text (in green)
Text example 2 — indicates removed text (in red)
— indicates added graphic figure
— indicates removed graphic figure
1.x . — Heading numbers containg modifications are highlighted in yellow in
the Table of Contents
DISCLAIMER
This Redline version provides you with a quick and easy way to compare the main changes
between this edition of the standard and its previous edition. It doesn’t capture all single
changes such as punctuation but highlights the modifications providing customers with
the most valuable information. Therefore it is important to note that this Redline version is
not the official ISO standard and that the users must consult with the clean version of the
standard, which is the official standard, for implementation purposes.
COPYRIGHT PROTECTED DOCUMENT
© ISO 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2014 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 20000-1:redline:2014(E)
Contents Page
Foreword .iv
Introduction .vi
1 Scope . 1
1.1 General . 1
1.2 Application . 2
2 Normative references . 3
2 3 Terms and definitions . 4
3 Requirements for a management system . 9
3.1 Management responsibility . 9
3.2 Documentation requirements. 9
3.3 Competence, awareness and training .10
4 Planning and implementing service management Service management system
general requirements.10
4.1 Plan service management (Plan) Management responsibility .10
4.2 Implement service management and provide the services (Do) Governance of processes
operated by other parties .12
4.3 Documentation management .13
4.4 Resource management .14
4.3 4.5 Monitoring, measuring and reviewing (Check) Establish and improve the SMS .14
4.4 Continual improvement (Act) .18
5 Planning and implementing Design and transition of new or changed services .18
5.1 General .18
5.2 Plan new or changed services .19
5.3 Design and development of new or changed services .19
5.4 Transition of new or changed services .20
6 Service delivery process processes .21
6.1 Service level management.21
6.2 Service reporting .22
6.3 Service continuity and availability management .22
6.4 Budgeting and accounting for IT services .24
6.5 Capacity management .24
6.6 Information security management .25
7 Relationship processes .26
7.1 General .26
7.2 7.1 Business relationship management .26
7.3 7.2 Supplier management .27
8 Resolution processes .29
8.1 Background .29
8.2 8.1 Incident and service request management .29
8.3 8.2 Problem management.30
9 Control processes .31
9.1 Configuration management .31
9.2 Change management .32
9.3 Release and deployment management .33
10 Release process .34
10.1 Release management process .34
Bibliography
.35
© ISO 2014 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 20000-1:redline:2014(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies
casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 20000-1 was prepared by BSI (as BS 15000-1) and was adopted, under a special “fast-track
procedure”, by Joint Technical Committee ISO/IEC JTC 1, Information technology, in parallelSubcommittee
SC 7, with its approval bySoftware and systems engineering national bodies of ISO and IEC. This second
edition cancels and replaces the first edition (ISO/IEC 20000-1:2005.), which has been technically
revised. The main differences are as follows:
— closer alignment to ISO 9001;
— closer alignment to ISO/IEC 27001;
— change of terminology to reflect international usage;
— addition of many more definitions, updates to some definitions and removal of two definitions;
— introduction of the term “service management system”;
— combining Clauses 3 and 4 of ISO/IEC 20000-1:2005 to put all management system requirements
into one clause;
— clarification of the requirements for the governance of processes operated by other parties;
— clarification of the requirements for defining the scope of the SMS;
— clarification that the PDCA methodology applies to the SMS, including the service management
processes, and the services;
— introduction of new requirements for the design and transition of new or changed services.
ISO/IEC 20000 consists of the following parts, under the general title Information technology —
Service management:
— Part 1: SpecificationService management system requirements
1)
— Part 2: Code of practiceGuidance on the application of service management systems
— Part 3: Guidance on scope definition and applicability ofISO/IEC 20000-1 [Technical Report]
— Part 4: Process reference model [Technical Report]
1) To be published. (Technical revision of ISO/IEC 20000-2:2005.)
iv © ISO 2014 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 20000-1:redline:2014(E)
— Part 5: Exemplar implementation plan forISO/IEC 20000-1 [Technical Report]
A process assessment model for service management will form the subject of a future Part 8.
© ISO 2014 – All rights reserved v
---------------------- Page: 5 ----------------------
ISO/IEC 20000-1:redline:2014(E)
Introduction
The requirements in this part of ISO/IEC 20000 include the design, transition, delivery and improvement
of services that fulfil service requirements and provide value for both the customer and the service
provider. This part of ISO/IEC 20000 promotes the adoption ofrequires an integrated process approach
to effectively deliver managed services to meet the business and customer requirements. For an
organization to function effectively it has to identify and manage numerous linked activities. An activity
using resources, and managed in order to enable the transformation of inputs into outputs, can be
considered as a process. Often the output from one process forms an input to anotherwhen the service
provider plans, establishes, implements, operates, monitors, reviews, maintains and improves a service
management system (SMS).
Co-ordinated integration and implementation of the service management processes provides the
ongoing control, greater efficiencyan SMS provides ongoing control and opportunities for continual
improvement. Performing the activities and processes requires people in the service desk, service,
greater effectiveness and efficiency. The operation of processes as specified in this part of ISO/IEC 20000
support, service delivery and operations teamsrequires personnel to be well organized and co-ordinated.
Appropriate tools are also required to ensure that the processes arecan be used to enable the processes
to be effective and efficient.
The most effective service providers consider the impact on the SMS through all stages of the service
lifecycle, from strategy through design, transition and operation, including continual improvement.
It is assumed thatThis part of ISO/IEC 20000 requires the execution of the provisions ofapplication of
the methodology known as “Plan-Do-Check-Act” (PDCA) to all parts of the SMS and the services. The
PDCA methodology, as applied in this part of ISO/IEC 20000 is entrusted to appropriately qualified and
competent people, can be briefly described as follows.
Plan: establishing, documenting and agreeing the SMS. The SMS includes the policies, objectives, plans
and processes to fulfil the service requirements.
Do: implementing and operating the SMS for the design, transition, delivery and improvement of the services.
Check: monitoring, measuring and reviewing the SMS and the services against the policies, objectives,
plans and service requirements and reporting the results.
Act: taking actions to continually improve performance of the SMS and the services.
When used within an SMS, the following are the most important aspects of an integrated process
approach and the PDCA methodology:
a) understanding and fulfilling the service requirements to achieve customer satisfaction;
b) establishing the policy and objectives for service management;
c) designing and delivering services based on the SMS that add value for the customer;
d) monitoring, measuring and reviewing performance of the SMS and the services;
e) continually improving the SMS and the services based on objective measurements.
Figure 1 illustrates how the PDCA methodology can be applied to the SMS, including the service
management processes specified in Clauses 5 to 9, and the services. Each element of the PDCA
methodology is a vital part of a successful implementation of an SMS. The improvement process used in
this part of ISO/IEC 20000 is based on the PDCA methodology.
vi © ISO 2014 – All rights reserved
---------------------- Page: 6 ----------------------
ISO/IEC 20000-1:redline:2014(E)
Figure 1 — PDCA methodology applied to service management
This part of ISO/IEC 20000 enables a service provider to integrate its SMS with other management
systems in the service provider’s organization. The adoption of an integrated process approach and the
PDCA methodology enables the service provider to align or fully integrate multiple management system
standards. For example, an SMS can be integrated with a quality management system based on ISO 9001
or an information security management system based on ISO/IEC 27001.
ISO/IEC 20000 is intentionally independent of specific guidance. The service provider can use a
combination of generally accepted guidance and its own experience.
Users of an International Standard are responsible for its correct application. An International Standard
does not purport to include all necessary provisions of a contract. Users of International Standards
are responsible for their correct applicationstatutory and regulatory requirements and contractual
obligations of the service provider. Conformity to an International Standard does not of itself confer
immunity from statutory and regulatory requirements.
Compliance with an International Standard does notFor the purposes of research on service management
standards, users are encouraged to share their views on ISO/IEC 20000-1of itself confer and their
priorities for changes to the rest of the ISO/IEC 20000 immunity from legal obligationsseries. Click on
the link below to take part in the online survey.
ISO/IEC 20000-1 online survey
© ISO 2014 – All rights reserved vii
---------------------- Page: 7 ----------------------
INTERNATIONAL STANDARD ISO/IEC 20000-1:redline:2014(E)
Information technology — Service management —
Part 1:
Service management system requirements
1 Scope
This part of ISO/IEC 20000 defines the requirements for a service provider to deliver managed services
of an acceptable quality for its customers.
1.1 General
This part of ISO/IEC 20000 is a service management system (SMS) standard. It specifies requirements
for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve
an SMS. The requirements include the design, transition, delivery and improvement of services to fulfil
service requirements. This part of ISO/IEC 20000 can be used by:
a) an organization seeking services from service providers and requiring assurance that their service
requirements will be fulfilled;
b) an organization that requires a consistent approach by all its service providers, including those in a
supply chain;
c) a service provider that intends to demonstrate its capability for the design, transition, delivery and
improvement of services that fulfil service requirements;
d) a service provider to monitor, measure and review its service management processes and services;
e) a service provider to improve the design, transition and delivery of services through effective
implementation and operation of an SMS;
f) an assessor or auditor as the criteria for a conformity assessment of a service provider’s SMS to the
requirements in this part of ISO/IEC 20000.
Figure 2 illustrates an SMS, including the service management processes. The service management
processes and the relationships between the processes can be implemented in different ways by
different service providers. The nature of the relationship between a service provider and the customer
will influence how the service management processes are implemented.
© ISO 2014 – All rights reserved 1
---------------------- Page: 8 ----------------------
ISO/IEC 20000-1:redline:2014(E)
Figure 2 — Service management system
It may be used:
1.2 Application
All requirements in this part of ISO/IEC 20000 are generic and are intended to be applicable to all
service providers, regardless of type, size and the nature of the services delivered. Exclusion of any of
the requirements in Clauses 4 to 9 is not acceptable when a service provider claims conformity to this
part of ISO/IEC 20000, irrespective of the nature of the service provider’s organization.
Conformity to the requirements in Clause 4 can only be demonstrated by a service provider showing
evidence of fulfilling all of the requirements in Clause 4. A service provider cannot rely on evidence of
the governance of processes operated by other parties for the requirements in Clause 4.
Conformity to the requirements in Clauses 5 to 9 can be demonstrated by the service provider showing
evidence of fulfilling all requirements. Alternatively, the service provider can show evidence of fulfilling
the majority of the requirements themselves and evidence of the governance of processes operated by
other parties for those processes, or parts of processes, that the service provider does not operate directly.
The scope of this part of ISO/IEC 20000 excludes the specification for a product or tool. However,
organizations can use this part of ISO/IEC 20000 to help them develop products or tools that support
the operation of an SMS.
NOTE ISO/IEC TR 20000-3 provides guidance on scope definition and applicability of this part of
ISO/IEC 20000. This includes further explanation about the governance of processes operated by other parties.
a) by businesses that are going out to tender for their services;
b) by businesses that require a consistent approach by all service providers in a supply chain;
c) by service providers to benchmark their IT service management;
d) as the basis for an independent assessment;
e) by an organization which needs to demonstrate the ability to provide services that meet customer
requirements; and
2 © ISO 2014 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC 20000-1:redline:2014(E)
f) by an organization which aims to improve service through the effective application of processes to
monitor and improve service quality.
Figure 1 — Service management processes
This part of ISO/IEC 20000 specifies a number of closely related service management processes, as
shown in Figure 1.
The relationships between the processes depend on the application within an organization and are generally
too complex to model and therefore relationships between processes are not shown in this diagram.
The list of objectives and controls contained in this part of ISO/IEC 20000 are not exhaustive, and an
organization may consider that additional objectives and controls are necessary to meet their particular
business needs. The nature of the business relationship between the service provider and business will
determine how the requirements in this part of ISO/IEC 20000 are implemented in order to meet the
overall objective.
As a process based standard this part of ISO/IEC 20000 is not intended for product assessment. However,
organizations developing service management tools, products and systems may use both this part of
ISO/IEC 20000 and the code of practice to help them develop tools, products and systems that support
best practice service management.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
© ISO 2014 – All rights reserved 3
---------------------- Page: 10 ----------------------
ISO/IEC 20000-1:redline:2014(E)
No normative references are cited. This clause is included in order to ensure clause numbering is
identical with ISO/IEC 20000-2:—, Information technology — Service management — Part 2: Guidance
2)
on the application of service management systems .
2 3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1 3.1
availability
ability of a component service or service component to perform its required function at a stated an
agreed instant or over a stated an agreed period of time
Note 1 to entry: Availability is usually normally expressed as a ratio or percentage of the time that the service or
service component is actually available for use by the business customer to the agreed service hours time that the
service should be available.
3.2
configuration baseline
configuration information formally designated at a specific time during a service or service component’s life
Note 1 to entry: Configuration baselines, plus approved changes from those baselines, constitute the current
configuration information.
Note 2 to entry: Adapted from ISO/IEC/IEEE 24765:2010.
2.2 3.3
baseline configuration item
CI
snapshot of the state of a service or individual configuration items at a point in time (see element that
needs to be controlled in order to deliver a service or services2.4)
2.3 3.4
change record configuration management database
CMDB
record containing details of which configuration items (see data store used to record attributes
of configuration items, 2.4) are affected and how they are affected by an authorized change and the
relationships between configuration items, throughout their lifecycle
3.5
continual improvement
recurring activity to increase the ability to fulfil service requirements
Note 1 to entry: Adapted from ISO 9000:2005.
2.4 3.6
configuration item (CI) corrective action
component of an infrastructure or an item which is, or will be, under the control of configuration
management action to eliminate the cause or reduce the likelihood of recurrence of a detected
nonconformity or other undesirable situation
Note 1 to entry: Configuration items may vary widely in complexity, size and type, ranging from an Adapted from
ISO 9000:2005 entire system including all hardware, software and documentation, to a single module or a minor
hardware component .
2) To be published.
4 © ISO 2014 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/IEC 20000-1:redline:2014(E)
2.5 3.7
configuration management database (CMDB) customer
database containing all the relevant details of each configuration item and details of the important
relationships between them organization or part of an organization that receives a service or services
Note 1 to entry: A customer can be internal or external to the service provider’s organization.
Note 2 to entry: Adapted from ISO 9000:2005.
2.6 3.8
document
information and its supporting medium
[SOURCE: ISO 9000:2005]
EXAMPLE Policies, plans, process descriptions, procedures, service level agreements, contracts or records.
Note 1 to entry: In this standard, records (see The documentation can be in 2.9) are distinguished from documents
by the fact that they function as evidence of activities, rather than evidence of intentions any form or type of medium.
Note 2 to entry: Examples of In ISO/IEC 20000 documents include policy statements, plans, procedures, service
level agreements and contracts , documents, except for records, state the intent to be achieved.
3.9
effectiveness
extent to which planned activities are realized and planned results achieved
[SOURCE: ISO 9000:2005]
3.10
incident
unplanned interruption to a service, a reduction in the quality of a service or an event that has not yet
impacted the service to the customer
3.11
information security
preservation of confidentiality, integrity and accessibility of information
Note 1 to entry: In addition, other properties such as authenticity, accountability, non-repudiation and reliability
can also be involved.
Note 2 to entry: The term “availability” has not been used in this definition because it is a defined term in this part
of ISO/IEC 20000 which would not be appropriate for this definition.
Note 3 to entry: Adapted from ISO/IEC 27000:2009.
3.12
information security incident
single or a series of unwanted or unexpected information security events that have a significant
probability of compromising business operations and threatening information security
[SOURCE: ISO/IEC 27000:2009]
3.13
interested party
person or grou
...
INTERNATIONAL ISO/IEC
STANDARD 20000-1
Second edition
2011-04-15
Information technology — Service
management —
Part 1:
Service management system
requirements
Technologies de l'information — Gestion des services —
Partie 1: Exigences du système de gestion des services
Reference number
ISO/IEC 20000-1:2011(E)
©
ISO/IEC 2011
---------------------- Page: 1 ----------------------
ISO/IEC 20000-1:2011(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2011 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 20000-1:2011(E)
Contents Page
Foreword .v
Introduction.vii
1 Scope.1
1.1 General .1
1.2 Application .2
2 Normative references.2
3 Terms and definitions .3
4 Service management system general requirements .7
4.1 Management responsibility .7
4.1.1 Management commitment .7
4.1.2 Service management policy .8
4.1.3 Authority, responsibility and communication.8
4.1.4 Management representative.8
4.2 Governance of processes operated by other parties .8
4.3 Documentation management .9
4.3.1 Establish and maintain documents.9
4.3.2 Control of documents .9
4.3.3 Control of records .10
4.4 Resource management.10
4.4.1 Provision of resources.10
4.4.2 Human resources .10
4.5 Establish and improve the SMS.10
4.5.1 Define scope .10
4.5.2 Plan the SMS (Plan).11
4.5.3 Implement and operate the SMS (Do).11
4.5.4 Monitor and review the SMS (Check) .11
4.5.5 Maintain and improve the SMS (Act).13
5 Design and transition of new or changed services .13
5.1 General .13
5.2 Plan new or changed services .14
5.3 Design and development of new or changed services .14
5.4 Transition of new or changed services.15
6 Service delivery processes .15
6.1 Service level management .15
6.2 Service reporting.16
6.3 Service continuity and availability management .16
6.3.1 Service continuity and availability requirements.16
6.3.2 Service continuity and availability plans .16
6.3.3 Service continuity and availability monitoring and testing .17
6.4 Budgeting and accounting for services.17
6.5 Capacity management .18
6.6 Information security management.18
6.6.1 Information security policy .18
6.6.2 Information security controls.19
6.6.3 Information security changes and incidents.19
7 Relationship processes .19
7.1 Business relationship management.19
7.2 Supplier management.20
8 Resolution processes .21
© ISO/IEC 2011 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 20000-1:2011(E)
8.1 Incident and service request management.21
8.2 Problem management .22
9 Control processes .22
9.1 Configuration management.22
9.2 Change management .23
9.3 Release and deployment management .24
Bibliography .26
Figures
Figure 1 — PDCA methodology applied to service management . viii
Figure 2 — Service management system.2
Figure 3 — Example of supply chain relationships .20
iv © ISO/IEC 2011 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 20000-1:2011(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 20000-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 7, Software and systems engineering. This second edition cancels and replaces the first
edition (ISO/IEC 20000-1:2005), which has been technically revised. The main differences are as follows:
⎯ closer alignment to ISO 9001;
⎯ closer alignment to ISO/IEC 27001;
⎯ change of terminology to reflect international usage;
⎯ addition of many more definitions, updates to some definitions and removal of two definitions;
⎯ introduction of the term “service management system”;
⎯ combining Clauses 3 and 4 of ISO/IEC 20000-1:2005 to put all management system requirements into
one clause;
⎯ clarification of the requirements for the governance of processes operated by other parties;
⎯ clarification of the requirements for defining the scope of the SMS;
⎯ clarification that the PDCA methodology applies to the SMS, including the service management
processes, and the services;
⎯ introduction of new requirements for the design and transition of new or changed services.
ISO/IEC 20000 consists of the following parts, under the general title Information technology — Service
management:
⎯ Part 1: Service management system requirements
1)
⎯ Part 2: Guidance on the application of service management systems
1) To be published. (Technical revision of ISO/IEC 20000-2:2005.)
© ISO/IEC 2011 – All rights reserved v
---------------------- Page: 5 ----------------------
ISO/IEC 20000-1:2011(E)
⎯ Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1 [Technical Report]
⎯ Part 4: Process reference model [Technical Report]
⎯ Part 5: Exemplar implementation plan for ISO/IEC 20000-1 [Technical Report]
A process assessment model for service management will form the subject of a future Part 8.
vi © ISO/IEC 2011 – All rights reserved
---------------------- Page: 6 ----------------------
ISO/IEC 20000-1:2011(E)
Introduction
The requirements in this part of ISO/IEC 20000 include the design, transition, delivery and improvement of
services that fulfil service requirements and provide value for both the customer and the service provider. This
part of ISO/IEC 20000 requires an integrated process approach when the service provider plans, establishes,
implements, operates, monitors, reviews, maintains and improves a service management system (SMS).
Co-ordinated integration and implementation of an SMS provides ongoing control and opportunities for
continual improvement, greater effectiveness and efficiency. The operation of processes as specified in this
part of ISO/IEC 20000 requires personnel to be well organized and co-ordinated. Appropriate tools can be
used to enable the processes to be effective and efficient.
The most effective service providers consider the impact on the SMS through all stages of the service lifecycle,
from strategy through design, transition and operation, including continual improvement.
This part of ISO/IEC 20000 requires the application of the methodology known as “Plan-Do-Check-Act”
(PDCA) to all parts of the SMS and the services. The PDCA methodology, as applied in this part of
ISO/IEC 20000, can be briefly described as follows.
Plan: establishing, documenting and agreeing the SMS. The SMS includes the policies, objectives, plans and
processes to fulfil the service requirements.
Do: implementing and operating the SMS for the design, transition, delivery and improvement of the services.
Check: monitoring, measuring and reviewing the SMS and the services against the policies, objectives, plans
and service requirements and reporting the results.
Act: taking actions to continually improve performance of the SMS and the services.
When used within an SMS, the following are the most important aspects of an integrated process approach
and the PDCA methodology:
a) understanding and fulfilling the service requirements to achieve customer satisfaction;
b) establishing the policy and objectives for service management;
c) designing and delivering services based on the SMS that add value for the customer;
d) monitoring, measuring and reviewing performance of the SMS and the services;
e) continually improving the SMS and the services based on objective measurements.
Figure 1 illustrates how the PDCA methodology can be applied to the SMS, including the service management
processes specified in Clauses 5 to 9, and the services. Each element of the PDCA methodology is a vital part
of a successful implementation of an SMS. The improvement process used in this part of ISO/IEC 20000 is
based on the PDCA methodology.
© ISO/IEC 2011 – All rights reserved vii
---------------------- Page: 7 ----------------------
ISO/IEC 20000-1:2011(E)
Plan
Service
Management
System
Service
Management
Act
Processes
Do
Services
Check
Figure 1 — PDCA methodology applied to service management
This part of ISO/IEC 20000 enables a service provider to integrate its SMS with other management systems in
the service provider's organization. The adoption of an integrated process approach and the PDCA
methodology enables the service provider to align or fully integrate multiple management system standards.
For example, an SMS can be integrated with a quality management system based on ISO 9001 or an
information security management system based on ISO/IEC 27001.
ISO/IEC 20000 is intentionally independent of specific guidance. The service provider can use a combination
of generally accepted guidance and its own experience.
Users of an International Standard are responsible for its correct application. An International Standard does
not purport to include all necessary statutory and regulatory requirements and contractual obligations of the
service provider. Conformity to an International Standard does not of itself confer immunity from statutory and
regulatory requirements.
For the purposes of research on service management standards, users are encouraged to share their views
on ISO/IEC 20000-1 and their priorities for changes to the rest of the ISO/IEC 20000 series. Click on the link
below to take part in the online survey.
ISO/IEC 20000-1 online survey
viii © ISO/IEC 2011 – All rights reserved
---------------------- Page: 8 ----------------------
INTERNATIONAL STANDARD ISO/IEC 20000-1:2011(E)
Information technology — Service management —
Part 1:
Service management system requirements
1 Scope
1.1 General
This part of ISO/IEC 20000 is a service management system (SMS) standard. It specifies requirements for the
service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The
requirements include the design, transition, delivery and improvement of services to fulfil service requirements.
This part of ISO/IEC 20000 can be used by:
a) an organization seeking services from service providers and requiring assurance that their service
requirements will be fulfilled;
b) an organization that requires a consistent approach by all its service providers, including those in a supply
chain;
c) a service provider that intends to demonstrate its capability for the design, transition, delivery and
improvement of services that fulfil service requirements;
d) a service provider to monitor, measure and review its service management processes and services;
e) a service provider to improve the design, transition and delivery of services through effective
implementation and operation of an SMS;
f) an assessor or auditor as the criteria for a conformity assessment of a service provider's SMS to the
requirements in this part of ISO/IEC 20000.
Figure 2 illustrates an SMS, including the service management processes. The service management
processes and the relationships between the processes can be implemented in different ways by different
service providers. The nature of the relationship between a service provider and the customer will influence
how the service management processes are implemented.
© ISO/IEC 2011 – all rights reserved 1
---------------------- Page: 9 ----------------------
ISO/IEC 20000-1:2011(E)
ServServServiiiccceee MMMaaannnaaagggeeemmmeeennnttt Sy Sy Sysssttteeemmm ( ( (SSSMMMSSS)))
CuCussttoommeerrss CuCussttoommeerrss
MMMaaannnaaagegegemmmeeennnttt r r reeesssppponononsssiiibbbiiillliiitttyyy
((aandnd o ottheher r GGGooovernvernvernaaancencence of of of ppprrrooocccessessesseseses ((aandnd o ottheher r
oooppperereratedatedated by o by o by otttheheher par par partrtrtiesiesies
inintteerreesstteedd iinnttereeresstteedd
DDDooocccuuummmeeennntttaaatttiiion mon mon maaanananagggeeemmmeeennnttt
paparrttiieess)) EstEstEstaaablblbliiisssh th th thhhe SMe SMe SMSSS paparrttiieess))
RRReeesososouuurrrcecece m m maaannnaaagegegemmmeeennnttt
SeSeSerrrvvviiiccceee
DDDeeesssiiigngngn an an anddd t t trrrananansssiiitttiiiooonnn ooofff nnneeewww or or or c c chhhaaannngegegeddd s s seeerrrvvviiiccceeesss SeSeSerrrvvviiiccceeesss
ReReReqqquuuiiirrreeemmmenenentttsss
ServServService deliice deliice delivvveryeryery ppprrrooocccesesessessesses
CCCaaapapapaccciiitttyyy m m maaannnaaagegegemmmeeennnttt SSSeeerrrvvviciciceee le le levvveeel l l mmmaaannnaaagggeeemmmeeennnttt IIInnnfofoformrmrmaaatttiiiooonnn s s seeecccuuurrriiitytyty
mmmaaanananagggeeemmmeeentntnt
SSSeeerrrvvviciciceee c c cooonnntttinininuuuiiitttyyy &&& SSSeeervrvrviiiccceee re re repppooortrtrtiiinnnggg BBBudgudgudgeeetttiiinnng &g &g &
avavavaiaiailllaaabbbiiillliiitttyyy m m maaannnaaagggeeemmmeeennnttt acacaccococouuunnntititinnnggg f f fooorrr ssseeervirvirviccceeesss
CCCooonnntttrororol prl prl prooocescescesssseeesss
CCCooonnnfffiiigggurururaaatttiiiooonnn m m maaanananagggeeemmmeeentntnt
CCChhhaaannngegege m m maaanananagggeeemmmeeentntnt
RRReeellleeeaaassseee a a annnddd dddeeeplplployoyoymmmeeentntnt
mamamannnaaagggeeemememennnttt
RelaRelaRelatititiooonnnssshhhipipip p p prrroooccceeesssssseeesss
RRReeesssooollluuutttiiiononon p p prrrocococeeesssssseeesss
IIInnnccciiidddeeennnttt anananddd se se serrrvvviiiccce re re reeeqqquuuesesesttt BBBuuusisisinnneeessssss r r reeelllaaatttiiiooonnnssshhhiiippp
mmmaaanananagggeeemmmeeentntnt mamamannnaaagggeeemmmeeennnttt
PPPrrrobobobllleeemmm m m maaannnaaagegegemmmeeennnttt SuSuSuppppppllliiieeerrr m m maaanananagggeeemmmeeentntnt
Figure 2 — Service management system
1.2 Application
All requirements in this part of ISO/IEC 20000 are generic and are intended to be applicable to all service
providers, regardless of type, size and the nature of the services delivered. Exclusion of any of the
requirements in Clauses 4 to 9 is not acceptable when a service provider claims conformity to this part of
ISO/IEC 20000, irrespective of the nature of the service provider's organization.
Conformity to the requirements in Clause 4 can only be demonstrated by a service provider showing evidence
of fulfilling all of the requirements in Clause 4. A service provider cannot rely on evidence of the governance of
processes operated by other parties for the requirements in Clause 4.
Conformity to the requirements in Clauses 5 to 9 can be demonstrated by the service provider showing
evidence of fulfilling all requirements. Alternatively, the service provider can show evidence of fulfilling the
majority of the requirements themselves and evidence of the governance of processes operated by other
parties for those processes, or parts of processes, that the service provider does not operate directly.
The scope of this part of ISO/IEC 20000 excludes the specification for a product or tool. However,
organizations can use this part of ISO/IEC 20000 to help them develop products or tools that support the
operation of an SMS.
NOTE ISO/IEC TR 20000-3 provides guidance on scope definition and applicability of this part of ISO/IEC 20000.
This includes further explanation about the governance of processes operated by other parties.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
No normative references are cited. This clause is included in order to ensure clause numbering is identical
with ISO/IEC 20000-2:—, Information technology — Service management — Part 2: Guidance on the
2)
application of service management systems .
2) To be published.
2 © ISO/IEC 2011 – All rights reserved
---------------------- Page: 10 ----------------------
ISO/IEC 20000-1:2011(E)
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
availability
ability of a service or service component to perform its required function at an agreed instant or over an
agreed period of time
NOTE Availability is normally expressed as a ratio or percentage of the time that the service or service component is
actually available for use by the customer to the agreed time that the service should be available.
3.2
configuration baseline
configuration information formally designated at a specific time during a service or service component's life
NOTE 1 Configuration baselines, plus approved changes from those baselines, constitute the current configuration
information.
NOTE 2 Adapted from ISO/IEC/IEEE 24765:2010.
3.3
configuration item
CI
element that needs to be controlled in order to deliver a service or services
3.4
configuration management database
CMDB
data store used to record attributes of configuration items, and the relationships between configuration items,
throughout their lifecycle
3.5
continual improvement
recurring activity to increase the ability to fulfil service requirements
NOTE Adapted from ISO 9000:2005.
3.6
corrective action
action to eliminate the cause or reduce the likelihood of recurrence of a detected nonconformity or other
undesirable situation
NOTE Adapted from ISO 9000:2005.
3.7
customer
organization or part of an organization that receives a service or services
NOTE 1 A customer can be internal or external to the service provider's organization.
NOTE 2 Adapted from ISO 9000:2005.
3.8
document
information and its supporting medium
[ISO 9000:2005]
EXAMPLES Policies, plans, process descriptions, procedures, service level agreements, contracts or records.
© ISO/IEC 2011 – All rights reserved 3
---------------------- Page: 11 ----------------------
ISO/IEC 20000-1:2011(E)
NOTE 1 The documentation can be in any form or type of medium.
NOTE 2 In ISO/IEC 20000, documents, except for records, state the intent to be achieved.
3.9
effectiveness
extent to which planned activities are realized and planned results achieved
[ISO 9000:2005]
3.10
incident
unplanned interruption to a service, a reduction in the quality of a service or an event that has not yet
impacted the service to the customer
3.11
information security
preservation of confidentiality, integrity and accessibility of information
NOTE 1 In addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be
involved.
NOTE 2 The term “availability” has not been used in this definition because it is a defined term in this part of
ISO/IEC 20000 which would not be appropriate for this definition.
NOTE 3 Adapted from ISO/IEC 27000:2009.
3.12
information security incident
single or a series of unwanted or unexpected information security events that have a significant probability of
compromising business operations and threatening information security
[ISO/IEC 27000:2009]
3.13
interested party
person or group having a specific interest in the performance or success of the service provider's activity or
activities
EXAMPLES Customers, owners, management, people in the service provider's organization, suppliers, bankers,
unions or partners.
NOTE 1 A group can comprise an organization, a part thereof, or more than one organization.
NOTE 2 Adapted from ISO 9000:2005.
3.14
internal group
part of the service provider's organization that enters into a documented agreement with the service provider
to contribute to the design, transition, delivery and improvement of a service or services
NOTE The internal group is outside the scope of the service provider's SMS.
3.15
known error
problem that has an identified root cause or a method of reducing or eliminating its impact on a service by
working around it
3.16
nonconformity
non-fulfilment of a requirement
4 © ISO/IEC 2011 – All rights reserved
---------------------- Page: 12 ----------------------
ISO/IEC 20000-1:2011(E)
[ISO 9000:2005]
3.17
organization
group of people and facilities with an arrangement of responsibilities, authorities and relationships
EXAMPLES Company, corporation, firm, enterprise, institution, charity, sole trader, association, or parts or
combination thereof.
NOTE 1 The arrangement is generally orderly.
NOTE 2 An organization can be public or private.
[ISO 9000:2005]
3.18
preventive action
action to avoid or eliminate the causes or reduce the likelihood of occurrence of a potential nonconformity or
other potential undesirable situation
NOTE Adapted from ISO 9000:2005.
3.19
problem
root cause of one or more incidents
NOTE The root cause is not usually known at the time a problem record is created and the problem management
process is responsible for further investigation.
3.20
procedure
specified way to carry out an activity or a process
[ISO 9000:2005]
NOTE Procedures can be documented or not.
3.21
process
set of interrelated or interacting activities which transforms inputs into outputs
[ISO 9000:2005]
3.22
record
document stating results achieved or providing evidence of activities performed
[ISO 9000:2005]
EXAMPLES Audit reports, incident reports, training records or minutes of meetings.
3.23
release
collection of one or more new or changed configuration items deployed into the live environment as a result of
one or more changes
3.24
request for change
proposal for a change to be made to a service, service component or the service management system
© ISO/IEC 2011 – All rights reserved 5
---------------------- Page: 13 ----------------------
ISO/IEC 20000-1:2011(E)
NOTE A change to a service includes the provision of a new service or the removal of a service which is no longer
required.
3.25
risk
effect of un
...
NORME ISO/CEI
INTERNATIONALE 20000-1
Deuxième édition
2011-04-15
Technologies de l'information — Gestion
des services —
Partie 1:
Exigences du système de management
des services
Information technology — Service management —
Part 1: Service management system requirements
Numéro de référence
ISO/CEI 20000-1:2011(F)
©
ISO/CEI 2011
---------------------- Page: 1 ----------------------
ISO/CEI 20000-1:2011(F)
DOCUMENT PROTÉGÉ PAR COPYRIGHT
© ISO/CEI 2011
Droits de reproduction réservés. Sauf prescription différente, aucune partie de cette publication ne peut être reproduite ni utilisée sous
quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie et les microfilms, sans l'accord écrit
de l'ISO à l'adresse ci-après ou du comité membre de l'ISO dans le pays du demandeur.
ISO copyright office
Case postale 56 CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Publié en Suisse
ii © ISO/CEI 2011 – Tous droits réservés
---------------------- Page: 2 ----------------------
ISO/CEI 20000-1:2011(F)
Sommaire Page
Avant-propos . v
Introduction . vii
1 Domaine d'application . 1
1.1 Généralités . 1
1.2 Application . 2
2 Références normatives . 3
3 Termes et définitions . 3
4 Exigences générales relatives au système de management des services . 8
4.1 Responsabilité de la direction . 8
4.1.1 Engagement de la direction . 8
4.1.2 Politique de gestion des services . 8
4.1.3 Autorité, responsabilité et communication . 9
4.1.4 Représentant de la direction . 9
4.2 Gouvernance des processus opérés par d'autres parties . 9
4.3 Management de la documentation . 10
4.3.1 Établir et maintenir les documents . 10
4.3.2 Contrôle des documents . 10
4.3.3 Contrôle des enregistrements . 10
4.4 Management des ressources . 11
4.4.1 Mise à disposition des ressources . 11
4.4.2 Ressources humaines . 11
4.5 Établir et améliorer le SMS . 11
4.5.1 Définir le domaine d'application . 11
4.5.2 Planifier le SMS (Planifier) . 11
4.5.3 Mettre en œuvre et exploiter le SMS (Faire) . 12
4.5.4 Surveiller et passer en revue le SMS (Vérifier) . 12
4.5.5 Maintenir et améliorer le SMS (Agir) . 14
5 Conception et transition de services nouveaux ou modifiés . 15
5.1 Généralités . 15
5.2 Planification des services nouveaux ou modifiés . 15
5.3 Conception et développement des services nouveaux ou modifiés . 16
5.4 Transition des services nouveaux ou modifiés . 16
6 Processus de fourniture des services . 17
6.1 Gestion des niveaux de services . 17
6.2 Fourniture des rapports de service . 17
6.3 Gestion de la continuité et de la disponibilité des services . 18
6.3.1 Exigences de continuité et de disponibilité des services . 18
6.3.2 Plans de continuité et de disponibilité des services . 18
6.3.3 Surveillance et test de la continuité et de la disponibilité des services . 19
6.4 Budgétisation et comptabilisation des services . 19
6.5 Gestion de la capacité . 20
6.6 Management de la sécurité de l'information . 20
6.6.1 Politique de sécurité de l'information . 20
6.6.2 Contrôles de la sécurité de l'information . 20
6.6.3 Changements et incidents concernant la sécurité de l'information . 21
7 Processus de gestion des relations . 21
7.1 Gestion des relations commerciales . 21
7.2 Gestion des fournisseurs . 22
© ISO/CEI 2011 – Tous droits réservés iii
---------------------- Page: 3 ----------------------
ISO/CEI 20000-1:2011(F)
8 Processus de résolution .23
8.1 Gestion des incidents et des demandes de services .23
8.2 Gestion des problèmes .24
9 Processus de contrôle .25
9.1 Gestion des configurations .25
9.2 Gestion des changements .26
9.3 Gestion des mises en production et de leur déploiement.27
Bibliographie .28
Figures
Figure 1 — Méthodologie PDCA appliquée à la gestion des services . viii
Figure 2 — Système de management des services .2
Figure 3 — Exemple de relations dans la chaîne logistique .22
iv © ISO/CEI 2011 – Tous droits réservés
---------------------- Page: 4 ----------------------
ISO/CEI 20000-1:2011(F)
Avant-propos
L'ISO (Organisation internationale de normalisation) et la CEI (Commission électrotechnique internationale)
forment le système spécialisé de la normalisation mondiale. Les organismes nationaux membres de l'ISO ou
de la CEI participent au développement de Normes internationales par l'intermédiaire des comités techniques
créés par l'organisation concernée afin de s'occuper des domaines particuliers de l'activité technique. Les
comités techniques de l'ISO et de la CEI collaborent dans des domaines d'intérêt commun. D'autres
organisations internationales, gouvernementales et non gouvernementales, en liaison avec l'ISO et la CEI
participent également aux travaux. Dans le domaine des technologies de l'information, l'ISO et la CEI ont créé
un comité technique mixte, l'ISO/CEI JTC 1.
Les Normes internationales sont rédigées conformément aux règles données dans les Directives ISO/CEI,
Partie 2.
La tâche principale du comité technique mixte est d'élaborer les Normes internationales. Les projets de
Normes internationales adoptés par le comité technique mixte sont soumis aux organismes nationaux pour
vote. Leur publication comme Normes internationales requiert l'approbation de 75 % au moins des
organismes nationaux votants.
L'attention est appelée sur le fait que certains des éléments du présent document peuvent faire l'objet de
droits de propriété intellectuelle ou de droits analogues. L'ISO et la CEI ne sauraient être tenues pour
responsables de ne pas avoir identifié de tels droits de propriété et averti de leur existence.
L'ISO/CEI 20000-1 a été élaborée par le comité technique mixte ISO/CEI JTC 1, Technologies de
l'information, sous-comité SC 7, Ingénierie du logiciel et des systèmes.
Cette deuxième édition annule et remplace la première édition (ISO/CEI 20000-1:2005), dont elle constitue
une révision technique. Les principales différences par rapport à la première édition sont les suivantes:
harmonisation avec l'ISO 9001;
harmonisation avec l'ISO/CEI 27001;
modification de la terminologie afin de refléter l'utilisation internationale;
ajout de nombreuses définitions, mises à jour de certaines définitions et suppression de deux définitions;
introduction du terme «Système de Management des Services»;
regroupement des Articles 3 et 4 de l'ISO/CEI 20000-1:2005 afin de faire apparaître toutes les exigences
d'un système de management dans un seul article;
clarification des exigences relatives à la gouvernance des processus opérés par d'autres parties;
clarification des exigences relatives à la définition du domaine d'application du système de management
de services;
clarification de l'application de la méthodologie du PDCA au système de management de services, y
compris aux processus de gestion des services, ainsi qu'aux services;
introduction de nouvelles exigences relatives à la conception et à la transition de services nouveaux ou
modifiés.
© ISO/CEI 2011 – Tous droits réservés v
---------------------- Page: 5 ----------------------
ISO/CEI 20000-1:2011(F)
L'ISO/CEI 20000 comprend les parties suivantes, présentées sous le titre général Technologies de
l'information — Gestion des services:
Partie 1: Exigences du système de management des services
1)
Partie 2: Directives relatives à l'application des systèmes de management des services
Partie 3: Directives pour la définition du domaine d'application et l'applicabilité de l'ISO/CEI 20000-1
[Rapport technique]
Partie 4: Modèle de référence de processus [Rapport technique]
Partie 5: Exemple de plan de mise en application pour l'ISO/CEI 20000-1) [Rapport technique]
Un modèle d'évaluation de processus pour le management des services fera l'objet d'une future Partie 8.
1) À publier. (Révision technique de l'ISO/CEI 20000-2:2005)
vi © ISO/CEI 2011 – Tous droits réservés
---------------------- Page: 6 ----------------------
ISO/CEI 20000-1:2011(F)
Introduction
Les exigences figurant dans la présente partie de l'ISO/CEI 20000 couvrent la conception, la transition, la
fourniture et l'amélioration des services qui satisfont aux exigences de services et apportent de la valeur pour
le client comme pour le fournisseur de services. La présente partie de l'ISO/CEI 20000 requiert l'adoption
d'une approche processus intégrés lorsque le fournisseur de services planifie, établit, implémente, exploite,
surveille, passe en revue, maintient et améliore un système de management des services (SMS, service
management system).
L'intégration et l'implémentation coordonnées d'un SMS présentent l'avantage d'offrir un contrôle des
opérations et des opportunités d'amélioration continue, ainsi qu'une efficacité et une efficience accrues. Il est
nécessaire, pour la mise en œuvre et l'exécution des processus spécifiés dans la présente partie de
l'ISO/CEI 20000, que le personnel soit bien organisé et coordonné. Des outils appropriés peuvent être utilisés
pour améliorer l'efficacité et l'efficience des processus.
Les fournisseurs de services les plus efficaces prennent en compte l'impact du SMS sur la totalité des étapes
du cycle de vie d'un service, de la stratégie à la conception, la transition et l'exploitation des services, en
incluant l'amélioration continue des services.
La présente partie de l'ISO/CEI 20000 requiert d'appliquer la méthodologie appelée «roue de Deming»
(PDCA, Plan-Do-Check-Act) à toutes les parties du SMS ainsi qu'aux services. La méthodologie PDCA, telle
qu'elle est appliquée dans la présente partie de l'ISO/CEI 20000, peut être brièvement décrite comme suit.
Planifier (Plan): établir, documenter et valider le SMS. Ce dernier comprend les politiques, objectifs, plans et
processus visant à satisfaire aux exigences de services.
Faire (Do): implémenter et exploiter le SMS pour la conception, la transition, la fourniture et l'amélioration des
services.
Vérifier (Check): surveiller, mesurer et passer en revue le SMS ainsi que les services en les comparant aux
politiques, objectifs, plans et exigences de services, puis rendre compte des résultats.
Agir (Act): mettre en œuvre les actions nécessaires à l'amélioration continue des performances du SMS ainsi
que des services.
Dans le cadre d'un SMS, les aspects les plus importants d'une approche processus intégrés et de la
méthodologie PDCA sont les suivants:
a) comprendre et mettre en œuvre les exigences de services afin d'obtenir la satisfaction du client;
b) établir la politique et les objectifs de management des services;
c) concevoir et fournir les services en se basant sur le SMS qui apporte de la valeur pour le client;
d) surveiller, mesurer et passer en revue les performances du SMS ainsi que des services;
e) assurer l'amélioration continue du SMS et des services sur la base de mesures objectives.
La Figure 1 illustre la manière dont la méthodologie PDCA peut être appliquée au SMS, y compris aux
processus de gestion des services spécifiés dans les Articles 5 à 9, ainsi qu'aux services. Chaque élément de
la méthodologie PDCA est une composante vitale pour une implémentation réussie d'un SMS. Le processus
d'amélioration continue utilisé dans la présente partie de l'ISO/CEI 20000 est basé sur la méthodologie PDCA.
© ISO/CEI 2011 – Tous droits réservés vii
---------------------- Page: 7 ----------------------
ISO/CEI 20000-1:2011(F)
Figure 1 — Méthodologie PDCA appliquée à la gestion des services
La présente partie de l'ISO/CEI 20000 permet à un fournisseur de services d'intégrer son SMS à d'autres
systèmes de management de son organisme. L'adoption d'une approche processus intégrés et de la
méthodologie PDCA permet au fournisseur de services de se conformer à plusieurs normes de système de
management, ou de les intégrer entièrement. Par exemple, un SMS peut être intégré dans un système de
management de la qualité basé sur l'ISO 9001 ou dans un système de management de la sécurité de
l'information basé sur l'ISO/CEI 27001.
L'ISO/CEI 20000 est volontairement indépendante de tout guide ou référentiel spécifique. Le fournisseur de
services peut utiliser une combinaison de guides ou référentiels généralement admis et sa propre expérience.
Il incombe aux utilisateurs de Normes internationales de veiller à leur bonne application. Une Norme
internationale ne prétend pas couvrir toutes les exigences légales et réglementaires nécessaires ni les
obligations contractuelles du fournisseur de services. La conformité à une Norme internationale ne confère en
soi aucune exemption aux exigences légales et réglementaires.
À des fins de recherche sur les normes de gestion de services, les utilisateurs sont invités à partager leurs
points de vue sur l'ISO/CEI 20000-1 ainsi que leurs priorités en termes de modifications à apporter aux autres
parties de la série ISO/CEI 20000. Cliquez sur le lien ci-dessous pour participer à l'enquête en ligne.
Enquête en ligne ISO/CEI 20000-1
viii © ISO/CEI 2011 – Tous droits réservés
---------------------- Page: 8 ----------------------
NORME INTERNATIONALE ISO/CEI 20000-1:2011(F)
Technologies de l'information — Gestion des services —
Partie 1:
Exigences du système de management des services
1 Domaine d'application
1.1 Généralités
La présente partie de l'ISO/CEI 20000 est une norme de système de management des services (SMS). Elle
spécifie les exigences destinées au fournisseur de services pour planifier, établir, implémenter, exécuter,
surveiller, passer en revue, maintenir et améliorer un SMS. Les exigences incluent la conception, la transition,
la fourniture et l'amélioration des services afin de satisfaire aux exigences de services. La présente partie de
l'ISO/CEI 20000 peut être utilisée par:
a) un organisme attendant des services de la part de fournisseurs de services et exigeant d'avoir la garantie
que les exigences de services de ces derniers seront satisfaites;
b) un organisme qui exige une approche cohérente de la part de tous ses fournisseurs de services, y
compris ceux qui sont compris dans une chaîne logistique;
c) un fournisseur de services qui souhaite démontrer son efficience dans la conception, la transition, la
fourniture et l'amélioration des services qui satisfont aux exigences de services;
d) un fournisseur de services pour surveiller, mesurer et passer en revue ses processus de gestion des
services ainsi que ses services;
e) un fournisseur de services pour améliorer la conception, la transition et la fourniture des services par
l'implémentation et le fonctionnement effectifs d'un SMS;
f) un évaluateur ou un auditeur comme critère d'évaluation de conformité du SMS d'un fournisseur de
services par rapport aux exigences figurant dans la présente partie de l'ISO/CEI 20000.
La Figure 2 illustre un SMS, incluant les processus de gestion des services. Les processus de gestion des
services et les relations entre les processus peuvent être mis en œuvre de différentes manières par différents
fournisseurs de services. La nature de la relation entre un fournisseur de services et le client aura une
influence sur la manière dont les processus de gestion des services sont mis en œuvre.
© ISO/CEI 2011 – Tous droits réservés 1
---------------------- Page: 9 ----------------------
ISO/CEI 20000-1:2011(F)
Figure 2 — Système de management des services
1.2 Application
Toutes les exigences figurant dans la présente partie de l'ISO/CEI 20000 sont génériques et destinées à être
applicables à tous les fournisseurs de services, indépendamment du type, de la taille et de la nature des
services fournis. L'exclusion d'une partie des exigences spécifiées dans les Articles 4 à 9, quelle qu'elle soit,
n'est pas acceptable lorsqu'un fournisseur de services revendique la conformité à la présente partie de
l'ISO/CEI 20000, indépendamment de la nature de l'organisation du fournisseur de services.
Un fournisseur de services ne peut démontrer la conformité aux exigences spécifiées dans l'Article 4 qu'en
apportant la preuve qu'il satisfait à toutes les exigences dudit Article. Un fournisseur de services ne peut pas
s'appuyer sur la preuve de la gouvernance de processus opérés par d'autres parties pour les exigences
spécifiées dans l'Article 4.
Un fournisseur de services peut démontrer la conformité aux exigences spécifiées dans les Articles 5 à 9 en
apportant la preuve qu'il satisfait à toutes les exigences. Mais il peut aussi démontrer cette conformité en
apportant la preuve qu'il satisfait lui-même à la majorité des exigences requises et en apportant également la
preuve de la gouvernance des processus ou parties de processus opérés par d'autres parties, pour les
processus ou parties de processus qu'il n'opère pas lui-même directement.
Le domaine d'application de la présente partie de l'ISO/CEI 20000 ne couvre pas la spécification pour un
produit ou un outil. Cependant, les organismes peuvent utiliser la présente partie de l'ISO/CEI 20000 pour les
aider à développer des produits ou des outils qui soutiennent les activités d'un SMS.
NOTE L'ISO/CEI TR 20000-3 fournit des directives pour la définition du domaine d'application et l'applicabilité de la
présente partie de l'ISO/CEI 20000. Ces directives incluent des explications plus détaillées sur la gouvernance des
processus opérés par d'autres parties.
2 © ISO/CEI 2011 – Tous droits réservés
---------------------- Page: 10 ----------------------
ISO/CEI 20000-1:2011(F)
2 Références normatives
Les documents de référence suivants sont indispensables à l'application du présent document. Pour les
références datées, seule l'édition citée s'applique. Pour les références non datées, la dernière édition du
document de référence s'applique (y compris les éventuels amendements).
Aucune référence normative n'est citée. Le présent Article est inclus afin de garantir que la numérotation des
articles est la même que pour l'ISO/CEI 20000-2:—, Technologies de l'information — Gestion des services —
2)
Partie 2: Directives relatives à l'application des systèmes de management des services .
3 Termes et définitions
Pour les besoins du présent document, les termes et définitions suivants s'appliquent.
3.1
disponibilité
aptitude d'un service ou d'un composant de service à remplir la fonction spécifiée à un instant donné ou
pendant une période de temps définie
NOTE En règle générale, la disponibilité s'exprime par le rapport ou le pourcentage entre, d'une part, la période
pendant laquelle le service ou le composant de service est réellement disponible pour le client et, d'autre part, la période
définie pendant laquelle le service devrait être disponible.
3.2
configuration de référence
informations de configuration formellement identifiées à un moment donné de la durée de vie d'un service ou
d'un composant de service
NOTE 1 Les configurations de référence, accompagnées des changements approuvés sur celles-ci, constituent les
informations de configuration actuelles.
NOTE 2 Adapté de l'ISO/CEI/IEEE 24765:2010.
3.3
élément de configuration
CI
élément qui doit être contrôlé afin de fournir un ou plusieurs services
3.4
base de données de gestion des configurations
CMDB
base de données utilisée pour enregistrer les attributs des éléments de configuration ainsi que les relations
entre les éléments de configuration, tout au long de leur cycle de vie
3.5
amélioration continue
activité régulière permettant d'accroître la capacité à satisfaire aux exigences de services
NOTE Adapté de l'ISO 9000:2005.
3.6
action corrective
action visant à éliminer la cause ou à réduire la probabilité de récurrence d'une non-conformité ou d'une autre
situation indésirable détectée
NOTE Adapté de l'ISO 9000:2005.
2) À publier.
© ISO/CEI 2011 – Tous droits réservés 3
---------------------- Page: 11 ----------------------
ISO/CEI 20000-1:2011(F)
3.7
client
organisme ou partie d'un organisme qui reçoit un ou plusieurs services
NOTE 1 Un client peut être interne ou externe à l'organisme du fournisseur de services.
NOTE 2 Adapté de l'ISO 9000:2005.
3.8
document
support d'information et l'information qu'il contient
[ISO 9000:2005]
EXEMPLES Politiques, plans, descriptions de processus, procédures, accords sur les niveaux de services, contrats
ou enregistrements.
NOTE 1 La documentation peut se présenter sous toute forme et sur tout type de support.
NOTE 2 Dans l'ISO/CEI 20000, les documents, à l'exception des enregistrements, font état de l'objectif à atteindre.
3.9
efficacité
niveau de réalisation des activités planifiées et d'obtention des résultats escomptés
[ISO 9000:2005]
3.10
incident
interruption non planifiée d'un service, altération de la qualité d'un service ou événement qui n'a pas encore
eu d'impact sur le service au client
3.11
sécurité de l'information
protection de la confidentialité, de l'intégrité et de l'accessibilité de l'information
NOTE 1 En outre, d'autres propriétés telles que l'authenticité, l'imputabilité, la non-répudiation et la fiabilité peuvent
également être concernées.
NOTE 2 Le terme «disponibilité» n'est pas utilisé dans la présente définition car il s'agit d'un terme défini dans la
présente partie de l'ISO/CEI 20000 qui ne serait pas adapté à la présente définition.
NOTE 3 Adapté de l'ISO/CEI 27000:2009.
3.12
incident lié à la sécurité de l'information
un ou plusieurs événements liés à la sécurité de l'information indésirables ou inattendus présentant une
probabilité forte de compromettre les opérations liées à l'activité de l'organisation et de menacer la sécurité de
l'information
[ISO/CEI 27000:2009]
3.13
partie intéressée
personne ou groupe de personnes ayant un intérêt particulier dans le fonctionnement ou le succès de l'activité
ou des activités du fournisseur de services
EXEMPLES Clients, propriétaires, direction, personnels de l'organisme fournisseur de services, fournisseurs,
banques, syndicats ou partenaires.
4 © ISO/CEI 2011 – Tous droits réservés
---------------------- Page: 12 ----------------------
ISO/CEI 20000-1:2011(F)
NOTE 1 Un groupe peut être un organisme, une partie de celui-ci ou plusieurs organismes.
NOTE 2 Adapté de l'ISO 9000:2005.
3.14
groupe interne
partie de l'organisme fournisseur de services qui s'engage auprès du fournisseur de services, via un accord
documenté, à contribuer à la conception, la transition, la fourniture et l'amélioration d'un ou de plusieurs
services
NOTE Le groupe interne n'est pas couvert par le domaine d'application du SMS du fournisseur de services.
3.15
erreur connue
problème dont la cause est identifiée ou qui bénéficie d'une méthode pour limiter ou éliminer son impact sur
un service en le contournant
3.16
non-conformité
non-satisfaction d'une exigence
[ISO 9000:2005]
3.17
organisme
ensemble d'installations et de personnes avec des responsabilités, pouvoirs et relations
EXEMPLES Compagnie, société, firme, entreprise, institution, œuvre de bienfaisance, travailleur indépendant,
association ou parties ou combinaison de ceux-ci.
NOTE 1 Cet ensemble est généralement structuré.
NOTE 2 Un organisme peut être public ou privé.
[ISO 9000:2005]
3.18
action préventive
action visant à éviter ou éliminer les causes d'une non-conformité potentielle ou d'une autre situation
indésirable potentielle, ou à réduire la probabilité de leur survenue
NOTE Adapté de l'ISO 9000:2005.
3.19
problème
cause sous-jacente d'un ou de plusieurs incidents
NOTE La cause sous-jacente n'est en général pas connue au moment de l'enregistrement du problème et le
processus de gestion des problèmes est chargé des investigations plus approfondies.
3.20
procédure
manière spécifiée d'effectuer une activité ou un processus
[ISO 9000:2005]
NOTE Les procédures peuvent ou non faire l'objet de documents.
© ISO/CEI 2011 – Tous droits réservés 5
---------------------- Page: 13 ----------------------
ISO/CEI 20000-1:2011(F)
3.21
processus
ensemble d'activités corrélées ou interactives qui transforme des éléments d
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.