There is one clause in ISO20000-1 for service reporting but there are also other places where there are requirements to report. This blog tries to summarise the requirements.
The service reporting process
The service reporting process, clause 6.2, in ISO20000-1 covers some general requirements about reports and then specifies 5 mandatory reports.
The 1st requirement is to list the service reports produced with their identity, purpose, audience, frequency and details of the data source(s). This can be done in a simple spreadsheet or in a more complex document if that is more suitable to your environment. It is a useful exercise to consider what reports you do produce and if they are really required. Many organisations have reports that have been produced for many years but may no longer be relevant.
The list should cover all of the mandatory reports for ISO20000 as well as other reports you produce for customers and internal use. Once done, this list is shared with the service provider and interested parties, who might be customers, top management, suppliers etc.
There is a requirement to use reports to make decisions and take actions based on the findings in the reports. If the reports are not prompting us to make a decision, then why are we producing them? Hopefully, many reports will tell us that we are doing a good job and no further actions are required. But we still need to review the report to check this.
The requirement is for reports to be produced using information from the delivery of services and the operation of the SMS. The 5 mandatory reports are:
a) performance against service targets;
b) relevant information about significant events including at least major incidents, deployment of new or changed services and the service continuity plan being invoked;
c) workload characteristics including volumes and periodic changes in workload;
d) detected nonconformities against the requirements in this part of ISO/IEC 20000, the SMS requirements or the service requirements and their identified causes;
f) customer satisfaction measurements, service complaints and results of the analysis of satisfaction measurements and complaints.
There is in addition a requirement for trends to be shown in reports. This can be 12 months, more or less depending on what makes sense in your organisation. It is important to look at trends to identify areas showing a downward trend of performance that indicates the need for action, a steady trend or an improving trend that we can point out to our customers and management.
What are the requirements for other reports in ISO20000-1?
There are other reporting requirements in ISO20000-1. These are:
4.1.4 e) – the management representative's responsibilities include ‘e) reporting to top management on the performance and opportunities for improvement to the SMS and the services.’
4.5.3 f) – the service provider in implementing and operating the SMS needs to include ‘f) monitoring and reporting on performance of service management activities.’
4.5.4.2 – internal audit needs to report the results of internal audits and follow-up activities.
4.5.5 – requires reporting of improvements made.
5.4 – in design and transition of new or changed services, there is a requirement ‘Following the completion of the transition activities, the service provider shall report to interested parties on the outcomes achieved against the expected outcomes.’
6.3.3 – the service provider needs to report about any deficiencies and actions taken after any service continuity or availability tests and after the service continuity plan has been invoked.
6.4 – reporting of costs against the budget is required.
6.6 – ‘The service provider shall review the effectiveness of information security controls. The service provider shall take necessary actions and report on the actions taken.’ Also in this clause there is a requirement to report information security incidents.
7.1 – report on service complaints. (Duplication of the requirement in 6.2f))
8.2 – report on the effectiveness of problem resolution.
9.1 – report on any deficiencies in the CMDB and actions taken.
Considerations for reports
Graphical reports are extremely useful to get the message across quickly, so that one should be able to see at a glance what the situation is (Part 2 states “Presentation SHOULD aid the understanding of the reports”). Be careful not to make the graphics too complicated as they may easily be misinterpreted or mask the underlying trend or problem.
Remember other statements from ISO20000-1:
“The service reporting process should ensure the production of agreed, timely, reliable, accurate reports to facilitate informed decision making and effective communication”.
“Service reports should be appropriate to the audience’s needs and of sufficient accuracy to be used as a decision support tool”.
“Purpose and quality checks on service reports should ensure that reports are timely, clear and concise”.
It is important to think carefully about service reporting. The good use of reports can make a big difference to your service.
I am going to quote from the ITIL® Service Strategy book:
‘A report alone creates awareness
A report with an action plan creates results
There is more reporting in dysfunctional organisations than in effective organisations.’
ISO/IEC 20000-2 provides further guidance on all clauses in part 1.
The revision of ISO20000-1 will remove duplication and simplify reporting requirements. This is due out in late 2018.
Lynda Cooper, an independent consultant and trainer, is one of the first people in the world to hold the ITIL Master qualification. Lynda chairs the BSI committee for IT service management (ITSM), sits on various other BSI committees and ISO/IEC committees and is the project editor for ISO/IEC 20000-1. Lynda is a qualified ISO20000 consultant and ISO27001 lead auditor. Her consultancy activities cover training and consultancy for service management and information security.