Service Management Policy
ISO/IEC 20000 Toolkit Version 9 ©CertiKit
Service Management Policy
Implementation Guidance (The header page and this section must be removed from final version of the document)
Purpose of this document The Service Management Policy is a required document which acts as the root “Quality Manual” of the Service Management System (SMS). Areas of the standard addressed The following areas of the ISO/IEC 20000:2018 standard are addressed by this document: 5.2 Policy 5.2.1 Establishing the service management policy 5.2.2 Communicating the service management policy General Guidance The service management policy must be approved by Top Management (defined as the “person or group of people who direct and control the service provider at the highest level”) as evidence of their commitment. Section 5.2.1 of the standard sets out some of what the policy must contain, and these areas are covered by the template document. We would therefore recommend that no section headings are removed. Prior to the certification audit you must ensure that the policy has been communicated to relevant staff, that they have understood it and that these facts are evidenced e.g. via meeting minutes. The inviting and answering of questions during such a meeting is likely to show evidence of understanding. We would also recommend that the document is made available via the intranet if you have one or any other appropriate means. The service management policy defines the scope of your SMS. This will be the same as the scope that will appear on your certificate once you have successfully completed the final external audit. Review Frequency We would recommend that this document is reviewed as part of an annual exercise which also covers key documents such as the Service Level Agreement (SLA), Service Management Plan and Service Catalogue. This exercise should include significant business involvement to ensure that changed requirements are captured and customer feedback obtained.
Version 1
Page 2 of 14
[Insert date]
Service Management Policy
Toolkit Version Number ISO/IEC 20000 Toolkit Version 9 ©CertiKit.
Document Fields This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document): 1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name 2. Press Ctrl a on the keyboard to select all text in the document (or use Select, Select All on the ribbon) 3. Press F9 on the keyboard to update all fields 4. When prompted, choose the option to just update TOC page numbers If you wish to permanently convert the fields in this document to text i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible, then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly. Further detail on the above procedure can be found in the Toolkit Completion Instructions. Copyright notice Except for any third-party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088. Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Version 1
Page 3 of 14
[Insert date]
Service Management Policy
Disclaimer Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Version 1
Page 4 of 14
[Insert date]
Service Management Policy
[Replace with your logo]
Service Management Policy
Document Ref. Version: Dated: Document Author: Document Owner:
Version 1
Page 5 of 14
SMS-DOC-05-1 1 [Insert date]
[Insert date]
Service Management Policy
Revision History Version Date
Revision Author
Summary of Changes
Distribution Name
Title
Approval Name
Version 1
Position
Signature
Page 6 of 14
Date
[Insert date]
Service Management Policy
Contents 1
INTRODUCTION ....................................................................................................................................... 8
2
SERVICE MANAGEMENT POLICY ..................................................................................................... 9 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12
SCOPE OF CERTIFICATION ......................................................................................................................... 9 SERVICE REQUIREMENTS .......................................................................................................................... 9 LEADERSHIP AND COMMITMENT ............................................................................................................... 9 CONFORMITY AND REPORTING ................................................................................................................. 9 SERVICE MANAGEMENT OBJECTIVES...................................................................................................... 10 CONTROL OF PROCESSES OPERATED BY OTHER PARTIES ....................................................................... 10 ROLES AND RESPONSIBILITIES ................................................................................................................ 11 SERVICE IMPROVEMENT POLICY ............................................................................................................. 11 APPROACH TO MANAGING RISK ............................................................................................................. 12 HUMAN RESOURCES ........................................................................................................................... 12 AUDITING AND REVIEW ..................................................................................................................... 13 DOCUMENTATION STRUCTURE AND POLICY ...................................................................................... 13
List of Figures FIGURE 1 - ISO/IEC 20000:2018 SCOPE .................................................................................................................. 8 FIGURE 2 - SERVICE MANAGEMENT SYSTEM DOCUMENTATION STRUCTURE ............................................................... 14
Version 1
Page 7 of 14
[Insert date]
Service Management Policy
1 Introduction This policy defines how the Service Management System (SMS) will be planned, established, implemented, operated, monitored, reviewed, maintained and improved within [Organization Name]. The international standard for IT service management, ISO/IEC 20000-1:2018 (referred to in this document as ISO/IEC 20000), is a development of an earlier British Standard, BS 15000 and has been refreshed twice since its first publication as an international standard in 2005. The processes and procedures required by ISO/IEC 20000 are heavily based on the best practice contained in the IT Infrastructure Library (ITIL) which has expanded significantly from its early days as UK central government guidance into an internationally recognised best practice specification. [Organization Name] has previously started on the road to adoption of ITIL and has completed staff training to Foundation qualification level. As part of this process it has decided to pursue full certification to ISO/IEC 20000 in order that the effective adoption of ITIL may be validated by an external third party. The scope of IT service management as defined by the ISO/IEC 20000 standard is set out in the following diagram.
SERVICE MANAGEMENT SYSTEM (SMS)
Customers (Internal & External)
- Organization and its Context
CONTEXT OF THE ORGANIZATION - Interested Parties - Scope of the SMS - Establish the SMS LEADERSHIP - Policy - Roles, Responsibilities and Authorities
- Leadership and Commitment
- Risks and Opportunities
SERVICE
- Resources
- Competence
REQUIREMENTS
- Plan the SMS
SUPPORT OF THE SMS - Awareness - Communication - Documented Information
- Knowledge
OPERATION OF THE SMS OPERATIONAL PLANNING AND CONTROL
SERVICES
PLANNING - Objectives
RELATIONSHIP AND AGREEMENT - Business Relationship Management - Service Level Management - Supplier Management
SERVICE PORTFOLIO - Service Delivery - Plan the Services - Control of Parties involved in the Service Lifecycle - Service Catalogue Management - Asset Management - Configuration Management
SERVICE DESIGN, BUILD AND TRANSITION - Change Management - Service Design and Transition - Release and Deployment Management RESOLUTION AND FULFILMENT - Incident Management - Service Request Management - Problem Management
SUPPLY AND DEMAND - Budgeting and Accounting for Services - Demand Management - Capacity Management
PERFORMANCE EVALUATION - Monitoring, Measurement, Analysis and Evaluation - Management Review - Service Reporting
SERVICE ASSURANCE - Service Availability Management - Service Continuity Management - Information Security Management
IMPROVEMENT - Nonconformity and Corrective Action - Continual Improvement
Figure 1 - ISO/IEC 20000:2018 scope
Version 1
Page 8 of 14
[Insert date]
Service Management Policy
2 Service Management Policy 2.1
Scope of Certification
For the purposes of certification within [Organization Name], the boundaries of the SMS are defined as follows: “The service management system of [Service Provider] that delivers [All] IT services to [all] business units within [Organization Name] at [all] locations� Further clarification of the SMS scope parameters may be found in the document SMS Context, Requirements and Scope. Details of the IT services provided can be found within the [Service Provider] Service Catalogue and a list of business units/stakeholders within the Business Relationship Management Plan. 2.2
Service Requirements
A clear definition of the service requirements will be agreed and maintained with the customers of the IT service(s) so that all IT service management activity is focussed on the fulfilment of those requirements. Statutory, regulatory and contractual requirements will also be documented and input to the planning process. It is a fundamental principle of [Organization Name] IT service management quality that the provision of IT services is driven by business needs and this will be regularly communicated to all staff through team meetings and briefing documents. 2.3
Leadership and Commitment
Commitment to the delivery of quality IT services extends to senior levels of the organisation and will be demonstrated through this Service Management Policy and the provision of appropriate resources to provide and develop services. Top management will also ensure that a systematic review of performance of the programme is conducted on a regular basis to ensure that quality objectives are being met and quality issues are identified through the audit programme and management processes. Management review can take several forms including departmental and other management meetings. 2.4
Conformity and Reporting
The Service Manager shall have overall authority and responsibility for the implementation and management of the Service Management System, specifically:
Version 1
Page 9 of 14
[Insert date]
Service Management Policy
• • • • •
2.5
The identification, documentation and fulfilment of service requirements Assigning authorities and responsibilities for the implementation, management and improvement of service management processes Integration of service management processes with the SMS Compliance with statutory, regulatory and contractual requirements in the management of assets used to deliver services Reporting to top management on performance and improvement of the SMS and services Service Management Objectives
An annual cycle will be used for the setting of service management objectives, to coincide with the budget planning cycle. This will ensure that adequate funding is obtained for the improvement activities identified. These objectives will be based upon a clear understanding of the business requirements, informed by the annual IT service management review with customers. Service management objectives will be documented in the Service Management Plan for the relevant financial year, together with details of how they will be achieved. The service management plan will be reviewed on a quarterly basis, at which time the objectives will also be reviewed to ensure that they remain valid. If amendments are required, these will be managed through the change management process. 2.6
Control of Processes Operated by Other Parties
[Organization Name] [Service Provider] makes use of various third parties, both internal and external, in the delivery of services to its customers. Where this involves the operation of a service management process, or a part of the process on behalf of [Service Provider], this is identified in the Service Management Plan. External suppliers will be managed through the Supplier Management Process and an associated underpinning contract. Internal providers will be managed through the Service Level Management Process using an Operational Level Agreement (OLA). In all cases, [Service Provider] will retain governance of the relevant processes by demonstrating: • • • •
Accountability for the process Control of the definition of and interface to the process Performance and compliance monitoring Control over process improvements
This will be evidenced by documents and records such as contracts, OLAs, meeting minutes and performance reports.
Version 1
Page 10 of 14
[Insert date]
Service Management Policy
2.7
Roles and Responsibilities
Within the field of IT service management, there are a number of management roles that correspond to the areas defined within the scope set out in Figure 1 above. In a larger organization, these roles will often be filled by an individual in each area e.g. there will be a separate member of staff responsible for each of incident management, change management, capacity management etc. In a smaller organisation these roles and responsibilities must be allocated between the members of the team. Full details of the responsibilities associated with each of the roles and how they are allocated within [Service Provider] are given in a separate document entitled Service Management Roles, Responsibilities and Authorities. It is the responsibility of the Service Manager to ensure that staff understand the roles they are fulfilling and that they have appropriate skills and competence to do so. 2.8
Service Improvement Policy
[Service Provider] policy with regard to service improvement is to: ➢ Continually improve the effectiveness of the Service Management System and services ➢ Enhance current processes to bring them into line with good practice as defined within ISO/IEC 20000 and ITIL ➢ Achieve ISO/IEC 20000 certification and maintain it on an on-going basis ➢ Increase the level of proactivity (and the Customer perception of proactivity) with regard to the on-going delivery of IT services ➢ Achieve an enhanced understanding of and relationship with the business units to which IT services are delivered ➢ Make the delivery of IT services more measurable in order to provide a sound basis for informed decisions ➢ Review service level metrics on an annual basis to assess whether it is appropriate to change them, based on collected historical data and customer feedback ➢ Obtain ideas for improvement via regular service meetings with Customers and document them in a Service Improvement Plan ➢ Review the Service Improvement Plan at regular management meetings in order to prioritise and assess timescales and benefits Ideas for service improvements may be obtained from any source including customers, suppliers, IT staff, risk assessments and service reports. Once identified they will be added to the Service Improvement Plan and evaluated by the staff member responsible for continual service improvement. As part of the evaluation of proposed service improvements, the following criteria will be used:
Version 1
Page 11 of 14
[Insert date]
Service Management Policy
• • • • •
Cost Business Benefit Risk Implementation timescale Resource requirement
If accepted, the service improvement proposal will be prioritised in order to allow more effective planning. For more detail see Procedure for Continual Service Improvement. 2.9
Approach to Managing Risk
A risk management strategy and process will be used which is in line with the requirements and recommendations of ISO 31000, the international standard for risk management. Risk management will take place at several levels within the Service Management System, including: • • • • •
Service management planning – risks to the achievement of objectives Information security risk assessment IT service continuity risk assessment Assessment of the risk of changes as part of the change management process At the project level as part of the design and transition of new or changed services
High level risk assessments will be reviewed on an annual basis, or upon significant change to the business or IT service provision. For more detail on the approach to risk assessment please review the following documents: • •
Risk Assessment and Treatment Process Risk Treatment Plan
2.10 Human Resources [Organization Name] will ensure that all IT staff involved in service management are competent on the basis of appropriate education, training, skills and experience. The skills required to deliver quality services will be determined and reviewed on a regular basis together with an assessment of existing skill levels within [Service Provider]. Training needs will be identified and a plan maintained to ensure that the necessary competencies are in place. Training, education and other relevant records will be kept by the HR Department to document individual skill levels attained.
Version 1
Page 12 of 14
[Insert date]
Service Management Policy
2.11 Auditing and Review Once in place, it is vital that regular reviews take place of how well service management processes and procedures are being adhered to. This will happen at three levels: 1. Structured regular management review of conformity to policies and procedures within [Service Provider] 2. Internal audit reviews against the ISO/IEC 20000 standard by the [Organization Name] Quality Team 3. External audit against the standard in order to gain and maintain certification Details of how internal audits will be carried out can be found in the Procedure for Service Management Audits. 2.12 Documentation Structure and Policy All service management policies and plans that form part of the SMS must be documented. The way in which these documents and their supporting records are created and managed through their lifecycle is set out in Procedure for the Control of Documented Information. All documented information in the Service Management System is uniquely numbered and the current versions are tracked – see document Service Management System Documentation Log. The overall structure of the documented information in the SMS is represented diagrammatically in Figure 2 on the following page.
Version 1
Page 13 of 14
[Insert date]
Service Management Policy
Service Management System (SMS)
4. Context of the organization
SMS Context, Requirements and Scope
8.1 Operational planning and control
5. Leadership
Service Management Policy Service Management Roles, Responsibilities and Authorities Top Management Communication Programme Service Requirements Executive Support Letter
8.2 Service portfolio
Configuration Management Policy Configuration Management Process Configuration Management Procedure Definitive Media Library Catalogue
6. Planning
Service Management Plan
8.3 Relationship and agreement
Business Relationship Management Policy Business Relationship Management Plan Service Complaint Procedure User Satisfaction Survey Service Level Management Policy SLM Process Service Catalogue Service Level Agreement Operational Level Agreement IT Service Card Supplier Management Policy Supplier Management Process Supplier and Contracts Database
7. Support of the SMS
8. Operation of the SMS
Service Management System Documentation Log Procedure for the Control of Documented Information Staff Skills and Training Needs Assessment
8.4 Supply and demand
Budgeting and Accounting for Services Policy Budgeting and Accounting for Services Process Service Costing Model Capacity Management Policy Capacity Management Process Capacity Plan
9. Performance evaluation
Procedure for Service Management Audits Service Management System Audit Plan Internal Audit Report Service Management System Review Spreadsheet Weekly Service Management Meeting Agenda Annual Service Management Review Meeting Agenda ISO20000 Update Calendar Service Reporting Policy Service Report Internal Audit Action Plan Internal Audit Checklist
8.5 Service design, build and transition
Change Management Policy Change Management Process Design and Transition Process Business Case Project Initiation Document Service Reqts Specification Service Design Specification Project Post Implementation Review Release and Deployment Management Policy Release and Deployment Management Process Release and Deployment Plan Software Catalogue Change Request Form Service Acceptance Checklist Project RAID Log Project Progress Report
8.6 Resolution and fulfilment
Incident Management Policy Incident Management Process Major Incident Management Process Service Request Management Policy Service Request Management Process Problem Management Policy Problem Management Process Incident Model Request Model Major Incident Report Problem Dashboard Major Problem Report
10. Improvement
Procedure for Continual Service Improvement Service Improvement Plan
8.7 Service assurance
Service Continuity and Availability Management Policy Business Impact Analysis Process Service Continuity Plan Service Continuity Test Plan Service Continuity Test Report Availability Management Plan Backup Policy Incident Response Procedure Information Security Policy Risk Assessment and Treatment Process Risk Assessment Report Risk Treatment Plan Information Security Summary Card External Organization Information Security Agreement User Access Management Process Data Centre Access Procedure Business Impact Analysis Tool Post Incident Report Risk Assessment and Treatment Tool Personal Commitment Statement
Figure 2 - Service management system documentation structure
Version 1
Page 14 of 14
[Insert date]