During my work training or advising organisations on how to use ISO/IEC 20000, I often get asked for a checklist of the documents required by the standard. This blog provides such a list with some helpful hints.
Remember that documents do not need to be very long – in fact they are more likely to be used if they are kept short and succinct. Some documents, such as procedures, can be embedded within a tool. Documents should be written to be used and useful, not just because the standard requires them.
There are a number of required policies. Some organisations produce policies for every process, which is fine but not a requirement of the standard. The required policies, with clause numbers shown in brackets, are:
a) service management policy (4.1.1, 4.1.2). Usually documented in the service management plan along with the service management objectives
b) policy on continual improvement of the SMS and the services (184.108.40.206) stating evaluation criteria for the opportunities for improvement. Can be documented in the service management plan or the procedure for managing improvements
c) budgeting and accounting policies (6.4). These policies are often driven from the financial policies of the service provider’s organisation and will usually be documented in the budgeting and accounting process
d) information security policy (6.6). Can be documented in the information security management process and/or the service management plan along with the information security objectives
e) change management policy (9.2) which states the CIs under the control of change management and the criteria to determine changes with potential to have a major impact on services or the customer. The criteria are used to determine which changes will be managed through clause 5, design and transition of new or changed services process. Can be documented in the change management process and/or the service management plan
f) release management policy (9.3) which states the frequency and type of releases. Can be documented in the release management process and/or the service management plan.
The required plans are:
a) service management plan (4.1.1, 4.5.2). This will include the scope of the SMS (4.5.1)
b) service continuity plan (6.3.2)
c) availability plan (6.3.2). Note that the service continuity and availability plans can be combined or separate
d) capacity plan (6.5)
e) audit programme (220.127.116.11) including criteria, scope, frequency and methods. Also to be documented are the objectives of internal audits and management reviews (18.104.22.168)
f) plan to implement an improvement (22.214.171.124). This is for each individual improvement
g) new or changed service plan (5.2). This is for each new or changed service. For removal of a service, a removal plan is produced
h) release plan (9.3). This is for each release.
Process descriptions and documented procedures
Clause 4.3.1 requires ‘documented service management processes’. The required processes are those in clauses 5 to 9. There are also processes in clause 4 which require a documented description, for example resource management and documentation management.
Clause 4.3.1 also requires documented procedures required by this part of ISO/IEC 20000. The required procedures are:
a) communication procedures;
b) control of documents;
c) control of records;
d) planning and conducting internal audits;
e) management of improvements;
f) procedures to be used for the delivery of new or changed services;
g) procedures to support the budgeting and accounting for services process;
h) procedures to be implemented in the event of a major loss of service as part of the service continuity plan;
i) procedures to enable predictive analysis of capacity;
j) managing service complaints;
k) managing contractual disputes;
l) managing incidents from recording to closure;
m) managing major incidents;
n) managing the fulfilment of service requests from recording to closure;
o) identifying problems and minimizing or avoiding the impact of incidents and problems;
p) recording, controlling and tracking configuration items;
q) recording, classifying, assessing and approving requests for change;
r) managing emergency changes;
s) managing emergency releases.
There are a few documented definitions required. These are as follows:
a) service complaint (7.1). This is often defined in the SLA
b) major incident (8.1). This is often defined in the SLA
c) types of CI (9.1). This is usually defined in the configuration management process
d) emergency change (9.2). This is often defined in the SLA
e) emergency release (9.3). This is often defined in conjunction with the definition of emergency change.
Other key documents
The other key documents required by the standard are:
a) service requirements (4.1.4)
b) catalogue of services (4.3.1, 6.1)
c) service level agreements (4.3.2, 6.1)
d) documented agreements (6.1). This applies specifically to agreements between internal groups or customers acting as suppliers that are providing some service components or operating a process or part of a process. These can be known as operational level agreements (OLAs)
e) description of each service report, including its identity, purpose, audience, frequency and details of the data source(s) (6.2)
f) risks to service continuity and availability of services (6.3.1)
g) opportunities for improvement, including corrective and preventive actions (126.96.36.199)
h) design of new or changed services (5.3) for each new or changed service
i) information security controls including the risks to which they relate (6.6.2) and those controls for external organisations (6.6.3)
j) customers, users and interested parties of the services (7.1)
k) supplier contracts (7.2)
l) roles of, and relationships between, lead and sub-contracted suppliers (7.2).
Records are required to enable control and to provide evidence of conformity to the requirements of the standard (4.3.1). Records can be paper based or kept in tools. Examples of records are minutes of management review meetings, incident records in a service desk tool and service reports.
Other possible documents
Clause 4.3.1 also refers to ‘additional documents, including those of external origin, determined by the service provider as necessary to ensure effective operation of the SMS and delivery of the services’. Examples of such documents are user manuals from a software tool vendor or the ISO/IEC 20000 standard itself.
In summary, there are many documents required by the standard, but this should not be seen as a chore. It is important to remember the hierarchy of policy, plan, process and procedure. Everything must align with the relevant policies. Process-specific plans must align with the service management plan. Processes document what is to be done. Procedures support processes with more detail of how activities are to be done. All documents are there to enable the service provider to operate and deliver an excellent, high-quality service.
Lynda Cooper, an independent consultant and trainer, is one of the first people in the world to hold the ITIL Master qualification. Lynda sits on the BSI committee for IT service management (ITSM) and is one of the authors of ISO/IEC 20000. Lynda sits on various ISO/IEC committees and is the project editor for ISO/IEC 20000-1 and ISO/IEC 90006.