SMS-DOC-086-1 Incident Management Policy


Incident Management Policy

ISO20000 Toolkit: Version 10 ©CertiKit



Implementation guidance
The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text, and certain generic terms, see the Completion Instructions document.

Purpose of this document
This document sets out the organization’s policy with respect to incident management.

Areas of the standard addressed
The following areas of the ISO/IEC 20000:2018 standard are addressed by this document:
• 8. Operation of the service management system
  o 8.6 Resolution and fulfilment
    ▪ 8.6.1 Incident management

General guidance
This policy document may be used to set out the organization’s overall attitude to incident management and clarify the principles that should be followed. It is an opportunity to set incident management in the context of the business i.e. to emphasize the objective of minimizing business disruption. It may also help to define key policies to guide the incident management process, such as whether users must be contacted prior to incident closure and the approach to the reopening of incident records.

Review frequency
We would recommend that this document is reviewed annually.

Document fields
This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.

To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.

Copyright notice
Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.

Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.


Incident Management Policy

Version 1

DOCUMENT REF: SMS-DOC-086-1
VERSION: 1
DATED: [Insert date]
DOCUMENT AUTHOR: [Insert name]
DOCUMENT OWNER: [Insert name/role]


Revision history

VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES

Distribution

NAME | TITLE

Approval

NAME | POSITION | SIGNATURE | DATE

Contents

1 Introduction
  1.1 Purpose
  1.2 Scope
  1.3 Governance and review
  1.4 Policy compliance
  1.5 Related documents
2 Policy statements


1 Introduction

1.1 Purpose
The purpose of this policy document is to set out the expectations and intentions of the management of [Organization Name] in the area of incident management. This policy will inform and shape the processes, procedures, organizational structure and resourcing that are applied in support of incident diagnosis and resolution.

Incident management is one of the most visible parts of the provision of IT services and often the only one with which users will have regular contact. It is therefore essential that this process is guided by a clear policy which is based on user requirements.

1.2 Scope
The scope of this policy is defined according to the following parameters:
• Organizational
  o [List organizations and parts of those organizations covered]
• Geographical
  o [List locations from which incidents will be reported and managed]
• Services
  o [Define the services covered by the policy]
• Technical
  o [If necessary, cover the technology that may give rise to incidents covered by this policy]

This policy covers all incidents recorded by [Organization Name] in support of the customers and users of services defined in the service catalogue. The following areas are specifically excluded from this policy: [Describe any areas that need to be clearly stated as outside the scope]

1.3 Governance and review
This policy has been defined by the Chief Information Officer with input from stakeholders and approved by the IT Steering Group. It will be reviewed on an annual basis and any amendments will be ratified by the IT Steering Group prior to publication.


1.4 Policy compliance
Whilst success against some aspects of this policy will depend upon the resources, systems and processes put in place by management, compliance with this policy is largely mandatory for all employees of [Organization Name]. Where appropriate and at management discretion, instances of non-compliance may be subject to formal disciplinary action in accordance with organizational HR procedures.

1.5 Related documents
The following documents are relevant to this policy and should be read in conjunction with it:
• Incident Management Process
• Major Incident Management Process


2 Policy statements
[Organization Name] policy with respect to the management of incidents is as follows:
• Incidents will be managed such that the impact to the business is minimized
• All incidents must be recorded within the incident management system provided for this purpose. This will allow accurate information to be produced about the performance of the incident management process, including the level of resourcing that must be applied
• All incidents must be allocated a unique incident reference number
• All incidents will be stored and managed in a single management system
• Incidents must be classified according to an agreed scheme which allows for the production of accurate and useful management information
• All incidents must be prioritized according to their urgency and impact and incidents will be addressed in priority order
• Major incidents must be managed according to the procedure created for that purpose
• Incidents must be resolved within timeframes acceptable to the business and documented in the relevant service level agreement
• All updates to an incident must be recorded against the relevant incident record
• The user must be informed if an incident is likely to exceed its resolution timescale as defined in the SLA
• The user will be consulted before an incident record is closed to ensure that it has been dealt with to their satisfaction
• Incidents will not be re-opened once closed. A new incident will be created, linked to the previous record so that history information is available
