2A2
-
Upload
diana-de-lara-del-rey -
Category
Documents
-
view
26 -
download
2
Transcript of 2A2
2012
Upgrading to
ISO/IEC 20000-1:2011
at
Oxford University Press
Presenters
• Karl Andrews
• Oxford University Press
• IT Service Desk Manager
• ISO 20000 Process Owner
• Lynda Cooper
• ISO/IEC 20000-1:2011 project editor
• ITIL Master
• Independent consultant and trainer
Agenda
• Introduction
• OUP ISO/IEC 20000 certification
• ISO/IEC 20000 2011 edition
• The upgrade project
• OUP view of the changes
• Questions
• Note – ISO/IEC 20000 will be referred to as ISO20000
Introduction to OUP
• Oxford University Press is a department of
the University of Oxford established in 1633.
• Our mission is to further the University's
objective of excellence in research,
scholarship, and education by publishing
worldwide.
• Globally we employee almost 6000 people,
with offices in 50 countries making us the
largest University Press in the world.
OUP ISO20000
certification
Karl Andrews
Oxford English Dictionary
Definition of Standard
• An authoritative or recognized exemplar
of correctness, perfection, or some
definite degree of any quality.
• A definite level of excellence, attainment,
wealth, or the like, or a definite degree of
any quality, viewed as a prescribed object
of endeavour or as the measure of what is
adequate for some purpose.
Why ISO20000 at OUP?
• Mature ITIL organisation
• Greater dependency on IT to deliver
innovative new services
• Demonstrate value for money and justify
further investment
• Prove that OUP provides IT Services to a
world-class level
Benefits for OUP
• Seen as a professional IT Service provider
• Defined processes and procedures to improve the
quality of service to our customers
• Reduction in incidents
• The same for less, increase efficiency and removal of
waste
• Engaged employees through continual improvements
• Supported new business developments
Summary of key changes in
ISO/IEC 20000-1 2011 edition
Lynda Cooper
Service Management System
PDCA methodology
Service provider
Service provider team
External supplier
Sub-contracted
supplier
Internal group Customer acting as a
supplier
Management of other parties
Customer Interested
parties
Managed by
supplier, not
service provider
Supplier
management
Managed
by SLM
Managed
by SLM
Service provider
Service provider team
External supplier
Sub-contracted
supplier
Internal group Customer acting as a
supplier
Governance of processes operated by
other parties
Customer Interested
parties
Governance of
processes operated by
other parties
Design and Transition of new or
changed services Request for change,
proposal for new or
changed service
Removal,
Transfer,
Major
impact
Design and
transition of new
or changed
services
process
Release and
deployment
management
process
Change
management
process
Configuration
management
process
Yes
No
Change Policy
For certified organizations who have already been certified within the Scheme before the 1st June 2011: ‘Audits and re – certifications of already certified organizations will still
be permitted using Part 1 (ISO/IEC 20000 – 1:2005) for a 24 month period to allow organizations the time to adapt to meet the new requirements. After 01 June 2013, only audits and re – certifications using the ISO/IEC 20000 – 1:2011 will be accepted.’
Qualifications for foundation, practitioner and auditor are now only available
for the 2011 edition.
Certification and Qualification Schemes (APMG scheme – other schemes may vary)
Re
qu
ire
me
nts
Gu
ida
nce
Co
nce
pts
an
d
term
ino
log
y
Key
Normative
requirements
standard
Guidelines standardFixed line: SupportsGuidelines being
developed
ISO/IEC TR 20000-4:2010
Process reference model
ISO/IEC TR 20000-3:2009
Scope definition and
applicability of ISO/IEC 20000-1
ISO/IEC 20000-2:2012
Guidance on application of service
management systems
ISO/IEC TR 20000-5:2010
Exemplar implementation plan for
ISO/IEC 20000-1
ISO/IEC TR 20000-7
Guidance on the application of
ISO/IEC 20000-1 to the cloud
ISO/IEC TR 20000-11
Guidance on the relationship
between ISO/IEC 20000-1 and
related frameworks
ISO/IEC 20000-1:2011
Information technology - Service management system requirements
ISO/IEC TR 20000-10
Concepts and terminology
ISO/IEC 27013 Guidance on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
ISO/IEC TR 90006 Guideline on the application of ISO 9001 to IT service management and its integration with ISO/IEC 20000-1
The ISO20000 series and related standards
ISO/IEC 20000-3:2012
BSI books
A guide to ISO/IEC 20000: The differences between the 2005 and the 2011 edition
A managers guide to service management
Introduction to the ISO/IEC 20000 series
ITSMF books
Planning and achieving ISO/IEC 20000 certification – pocket guide
http://blog.apmg–international.com/author/lynda–cooper/
Further information
The upgrade project
Karl Andrews
Lynda Cooper
ISO20000 2011 update project
2005 certified
• Initiate update project
Confirm scope
Identify other parties
Confirm governance
Update documents
Implement changes
• Provide evidence
2011 certified
Confirm 2011 audit with auditor
Pre-certification audit
Certification audit
Assumption: 2005 edition requirements are met
OUP Scope
The IT Service Management system for
application and infrastructure services
supporting the activities of the Oxford
University Press according to the Service
Catalogue of OUP Group IT Services
delivered from sites in Oxford and
Kettering
Upgrade project approach
1. Awareness and planning
1. Workshop - key differences and approach
2. Logistics for stage 2
3. Top management presentation
2. Assess changes needed and make the changes
3. Audits
1. Pre-certification audit (evidence based)
2. Final changes
3. Certification audit 2011 edition
Upgrade project – stage 2
• By process or sub-process
• Each process owner:
• Workshop 1 : Discuss differences and agree
required actions
• Revise all documentation
• Workshop 2: Review documentation, plan
implementation and required evidence
• Implement changes
• Workshop with other parties where required
• Raise awareness of how changes will impact
working together
• Investigate roles of suppliers and internal groups
Timeline
• Awareness
• Planning
1 - March
• Workshops
• Updating documents
• Implementing the changes
• Communication
2 – April/Sept
• Pre-certification audit
• Certification audit
3 – Oct/Nov
Surveillance audit in August for 2005 edition
The simplest upgrade areas
• Incident and service request
• Problem
• Capacity
• Budgeting and accounting for services
• Configuration
• Service reporting
• Business relationship
Medium level of changes
• Service level management
• Service continuity and availability
• Supplier management
• SMS general requirements
Service provider
Service provider team
External supplier
Internal group Customer acting as a
supplier
Governance of processes - OUP
Customer Interested
parties
There are suppliers
but they do not
operate any of the
processes
IT and business project groups
do not operate any of the processes
but interface with new/changed,
change, release, config. mgt
None
No impact But it took several meetings to understand what was meant and to determine if there were internal groups
Large level of change
• Information security management
• Ensure legal requirements are clear – data
protection, PCI, licensing
• Create information security objectives
• Risk management extended to cover all
services and more frequent assessments
• Controls present but need to be documented
• Controls for external parties – exemplary!
Large level of change
• Change management
• Expansion of change management policy
• Criteria to determine changes with the potential to
have a major impact on services or the customer
• Use of tasks in SM tool before RFC is raised
• SAP transport changes – dealt with through SAP
system and team with minimal workflow through the
change management process
• Ensure RFCs are assessed for impact on related
processes – continuity plan, availability plan,
information security etc
Large level of change
• Release and deployment management
• Scope of release process – project releases
• Other releases – in change process
• Overlap with design and transition of new or
changed services process
• Support of selection of changes to be run as
a project
The biggest change of all
• Design and transition of new or changed services
• Various workshops and presentation to IT board
• Identified by IT board as an area requiring
improvement - use the upgrade as an opportunity to
make step change
• Decision made to create a new position to own this
process and work closely with the Project groups to
ensure that all new or changed services are planned,
designed, developed, tested and implemented to meet
the ISO20000 requirements and ensure successful
service delivery
Project experiences - constraints
• Fitting this in with the day job
• Surveillance audit to 2005 edition in August –
do not implement new items until after this
audit
Lessons learned
• Allow lots of time to upgrade
• Bring in an expert – speeds up the process and
allows objectivity
• Try to make the changes as improvements
• Implement using change management
• Use the opportunity to make improvements and
step changes for weaker areas
Project outcome
• All simple, medium changes made and
implemented
• All large changes made and starting to be
implemented
• Design and transition of new or changed
services process, solution to meet new
requirements using release and change mgt. To
be improved into a separate process next year
• 2011 upgrade audit with DNV on Thursday!
OUP views of the updated standard
• ISO/IEC 20000:2011 has
• Provided greater clarity on all processes
• Strengthened the importance of design and
transition
• The project to upgrade has
• Saved time by using an expert
• Focused effort
• Simple, to the point, effective
Next steps to upgrade your
ISO20000 certification
31st May 2013 – last date for audit to
2005 edition
Upgrade activities for 2011 edition
Assessment against 2011 edition