ITSMF - Exercises and Answer - Print One Site



BS 15000 Auditor Certificate

Syllabus and Qualification Framework.

This qualification will cover the BS 15000 Service Management Certificate for Auditors. Knowledge is required of auditing principles, IT organisations and ITIL Service Management principles. This knowledge is covered in auditing training and certification processes. This qualification will build on that basic auditing and IT knowledge especially with regard to the contents of the BS 15000 standard and its use.

1. LEARNING OBJECTIVES

Holders of the itSMF Service Management Certificate for Auditors will have demonstrated their competence in and ability to:

- Understand the content of the BS 15000 Standard, its documentation and the use and scope of the standard
- Assist and advise organisations in assessing their readiness for BS 15000 certification
- Lead and conduct BS 15000 certification audits
- Lead and conduct BS 15000 surveillance audits

2. SYLLABUS

1. Background to the BS 15000 standard and Certification Scheme

The candidate understands the development of the BS 15000 standard and the BS 15000 Certification Scheme.

Specifically the candidate can describe and explain:
- the IT Infrastructure Library (ITIL®), its books, their content and their use
- the BS 15000 standard, its documents and their use
- the inter-relationship between ITIL and BS 15000
- the BS 15000 Certification Scheme and the organisations involved and their roles

2. BS 15000 Part1

The candidate is able to explain the sections contained within BS 15000 Part1 and their content and relevance to organisations seeking to achieve certification.

The candidate is able to:
- explain the relevance of Part 1 of the standard within the certification process
- understand and explain the specification and its usage
- describe the processes involved and the process groupings within Part 1 of the standard
- understand and explain the mandatory requirements of the standard
- understand and explain the mandatory requirements of each of the processes and process groups
- identify the documentation and evidence required to achieve certification
- explain the difference between an observation and a non-conformance

Document Number 15-05-002 ©itSMF 2005 Page 1 of 13


3. BS 15000 Part2

The candidate is able to explain the sections contained within BS 15000 Part2 and their content and relevance to organisations seeking to achieve certification.

The candidate is able to:
- explain the relevance of Part 2 of the standard within the certification process
- describe the processes involved and the process groupings within Part 2 of the standard
- understand and explain the Code of Practice and its usage

4. Achieving BS 15000

The candidate is able to identify and explain the steps involved in the certification of organisations against BS 15000.

The candidate can:
- understand and explain the steps involved in the certification process
- assess an organisation’s readiness for certification and produce a gap analysis report

5. Use of Service Management Toolsets

The candidate understands the relevance and importance of the Service Management toolset in achieving certification.

The candidate is able to:
- understand and explain the importance of the Service Management toolset in achieving certification
- identify deficiencies in tools and their implementation
- assess the importance of process automation and the role of the tool in automation

6. Eligibility and scoping

The candidate understands and can explain the issues associated with eligibility and scoping of organisations seeking to achieve certification.

The candidate is able to:
- assess the eligibility or ineligibility of an organisation with regard to certification
- determine and define the scope of the certification for eligible organisations
- produce proposed appropriate scoping statements for eligible organisations

7. Other areas of assistance

The candidate is aware of other sources of information, knowledge and expertise with regard to the BS 15000 standard and the certification scheme.

The candidate is able to:
- name and describe other sources of information on the BS 15000 standard and the certification scheme
- identify useful web sites and their relevance to BS 15000

The recommended minimum number of hours training in the above syllabus is 12 hours.


Group Assignment 1

You have been asked to assist a colleague who has conducted a pre-assessment audit of an organisation wishing to achieve BS 15000 certification. He has attended site and produced the following summary of his findings in two areas and has asked you to advise him as to what he should feed back to the client in terms of their BS 15000 capability. The organisation was requested to provide all documentation, records and reports but none other than those detailed were provided by the client organisation, together with access to the internally available web server.

For both part A and B below, please identify all:
- non-conformances
- areas of concern, further questions and additional information required

Part A: The overall management system section – report contents:

There is an overall documented Service Management policy containing details of the overall direction and the objectives and a copy is available on an internally available web server. The contents of the policy and IS staff responsibilities with regard to their role in the policy have been communicated to IS. The Service Delivery Manager owns the document and is responsible for its content, implementation and resourcing. Evidence and reports of internal reviews of the overall Service Management activity were submitted and are produced on an irregular basis.

Documented Service Level Agreements (SLAs) were also stored on the internally available web server together with the documentation for all of the other Service Management processes, procedures, roles and responsibilities. A document management system was used although it was noted that one or two documents had no version numbers.

Part B: Availability and IT Service Continuity Management – report contents:

Server availability reports have been produced for all servers within the organisation over the last twelve months and were stored on the web server. All SLAs were examined and contained details of the response time targets to be achieved during both normal situations and recovery situations. Both Availability and Continuity Plans were available, although the Availability Plan was last revised thirteen months ago.

All occurrences of service unavailability for major service outages are recorded and investigated with evidence of corrective action having been taken in some cases.

The Service Continuity plans contain all contact details, recovery procedures and details of the return to normal working process. Multiple copies of all plans are stored on recovery sites, although the recovery sites were not visited. A schedule of continuity tests is also contained on the web server and all plans are tested annually. All tests are observed with reports of failures and abnormalities recorded and actioned.


Assignment Answers

Assignment 1

Part A

Probable non-conformances:

Section 3.2
Although there are references to ‘documentation’ there are no references to ‘records’ being available.

Section 3.3
1) The policy document does not appear to address the competence of staff
2) The policy document does not appear to mention the need for continuous improvement

Section 3.1g
1) Internal reviews are being conducted on an irregular basis. The standard requires these reviews to be conducted ‘at planned intervals’.

Section 3.2
1) Some documents had no version numbers. I would need to know more about the specific documents to grade this non-conformance.

Observations
1. Is the web server adequately backed up and is the information available as and when required?
2. The policy ‘is communicated to IS’. I would want to know more about how this is specifically achieved and to whom.
3. Does the policy cover ALL roles and responsibilities?
4. Does it take into account risks and the business requirements?
5. Is the Service Delivery Manager at a sufficient level of authority?

Part B

Probable non-conformances:

Section 6.3
1) Not all unplanned non-availability is being investigated, only major service outages.
2) No evidence of attempts to predict potential issues and therefore no preventative action being taken. (Note – the standard requires this ‘where possible’. There should be evidence to indicate that an attempt has been made, but perhaps no suitable opportunity was uncovered)
3) No evidence that the Business is involved in identifying the requirements or that appropriate risk assessments have been undertaken.
4) No evidence that access rights and end-to-end availability have been considered.
5) No evidence that the strategy is being revised annually.

Section 6.3
1) The Availability Plan was last revised 13 months ago. The standard requires annual review. Check whether the document was reviewed but no revision actually needed or whether there is no revision planned.

Observations
1) Corrective actions have been taken in some cases following investigations of service outages. Further information required as to why not in all cases.
2) A sample of the recovery sites should be visited to ensure the plan copies are available, consistent, the correct version etc.
3) Is the annual test of the plan in line with business requirements?
4) Is the CMDB available off-site?


Group Assignment 2

You have been asked to assist a colleague who has conducted visits to three organisations wishing to achieve BS 15000 certification. He has visited each of the sites and discussed BS 15000 with each of the prospective clients and produced the following summary reports for each organisation. From these reports decide in each case whether the organisation is eligible for BS 15000 certification, together with any areas of concern. Produce a suitable scoping statement for the audit and the subsequent BS 15000 certificate, if the organisation is considered eligible for certification. If the organisation is not considered eligible, explain why.

Part A: Organisation 1 – Scoping report

This organisation is the internal IS department of a large Insurance Company. The IS department operates both of the organisation’s Data Centres and a Wide Area Network (WAN) linking both centres. IS provide support for all of the services run from within the Data Centres but use a number of hardware and software suppliers to assist them with the support and maintenance of most of the components. The WAN and the Local Area Networks (LANs) within the Data Centres are supported and maintained by a network service supplier together with Internet connections and their security. The network supplier also supports all of the desktop PC and laptop PC systems throughout all of the organisation’s regional offices and central offices, although maintenance of the PC hardware and the LANs is performed by another supplier. The telephone network and systems are also supported by the internal IS department, although hardware maintenance and maintenance of the telephone network are performed by another network service provider.

Part B: Organisation 2 – Scoping report

The second organisation is the IS organisation of a multi-national Food Manufacturer with Data Centres and offices in several countries in Europe. All of its six Data Centres are hosted and supported by a Global outsourcing organisation, including all of the applications and all aspects of IT continuity and recovery. The global outsourcer also runs the Service Desk service incorporating change and configuration management functionality. All of the PC systems and services, together with all telephony systems and services are also provided by the global outsourcing organisation, as part of the outsourcing contract. The multi-national network, interconnecting all of the Data Centres, the national and regional offices is provided by a global network service provider who is managed by the outsourced organisation. Together these two organisations provide availability, capacity and continuity management of the IT services.

Part C: Organisation 3 – Scoping report

Organisation number three is the internal IS organisation for a large retail chain. It operates three Data Centres, together with a WAN and numerous LANs. IS provide support for all of the applications software run on all of the systems but the support of the hardware and operating systems and Data Centre LANs is performed by the outsourcing company which owns and maintains the Data Centres. The outsourcing company also operates an outsourced Service Desk for the retail organisation. The WAN is supported and maintained by a network service supplier together with the Internet connections and their security. The retail organisation also supports all of the desktop PC and laptop PC systems throughout all of the organisation’s regional offices and central offices, although maintenance of the PC hardware and the LANs is performed by another supplier. The telephone network and systems are also supported by the retail organisation, although hardware maintenance and maintenance of the telephone network are performed by another network service provider.


Assignment Answers

Assignment 2

Part A

Eligible for Certification? Probably yes

Scope “All services supplied from the Data Centres at (location A and location B) to the internal users based at (organisation’s) regional and central offices”

Would need a discussion as to whether the telephone service should be in scope.

Part B

Eligible for Certification? Probably not

Hard to see what is actually carried out by the IT Department! No apparent management responsibility for several of the processes. Too much outsourcing?

Part C

Eligible for Certification? Possibly, provided management control can be demonstrated.

IT seem only to perform application support and support of the PCs and telephony so the certification could be scoped accordingly.


SAMPLE PAPER

NAME: DATE:

Time allowed is ONE HOUR.

Answer all questions. There is only one correct answer for each question.

Mark the answer you have selected clearly, on the paper. If you want to change an answer, you must ensure that your final selection is absolutely clear.

Section 1: Scope


1 BS 15000 Part 1 specifies:

A) A number of closely related service management processes
B) The best way to co-ordinate a service management operation
C) A methodology for ensuring that service management operates at the least possible cost
D) Best practice guidelines for service management

Section 2: Terms and Definitions

2 Which of these best describes what a service level agreement documents?

A) A list of targets which the service provider should meet
B) Services and agreed service levels
C) The roles and responsibilities of the respective parties
D) Technical details of the infrastructure supported

Section 3: Management Responsibility

3 Which of these is NOT a specific requirement within the standard for a management system?

A) Establish the service management objectives
B) Ensure that customer requirements are determined and met
C) Provide resources to improve service delivery and management
D) Communicate a corporate mission statement to all levels of the organisation

Section 4: Planning and Implementing Service Management

4 Plan – Do – Check - Act methodology can be applied to all BS 15000 processes. What does the ‘Check’ phase cover?

A) Confirm the plans have been implemented correctly
B) Implement the processes
C) Monitor and measure processes and report the results
D) Take actions to continually improve performance

Section 5: Planning and implementing new or changed services

5 Which process is responsible for performing a post implementation review following the introduction of new or changed services?

A) Service level management
B) Capacity management
C) Budgeting and accounting for IT Services
D) Change Management


Section 6.1 Service Level Management

6 Which of these best describes the objective of the Service Level Management process?

A) To ensure that services are delivered at the maximum level of availability
B) To continually review service levels in order to achieve the minimum costs possible
C) To define, agree, record and manage levels of service
D) To ensure that areas of non-conformance are input to the service improvement plan

Section 6.2 Service Reporting

7 A service report needs to meet identified customer needs and requirements. A clear description of each service report is also required. Which of the following information should be included within this description?

1) The identity of the report
2) The purpose of the report
3) The name of the report originator
4) The data source used

A) 2 and 4 only
B) 1 and 3 only
C) 1, 2 and 4 only
D) All of them

Section 6.3 Availability and Service Continuity Management

8 Availability and service continuity plans are required to be reviewed at least:

A) Monthly
B) Quarterly
C) Annually
D) There is no specified period

Section 6.4 Budgeting & accounting for IT services

9 When budgeting and accounting for IT services, which of the following are required to be included in addition to IT assets?

1) Insurance
2) Overheads
3) Third party supplied services

A) 1 and 2 only
B) 1 and 3 only
C) 2 and 3 only
D) All of them


Section 6.5 Capacity

10 Which of the following would you NOT expect to find being addressed in the capacity plan?

A) Costs for service upgrades
B) Service Level Agreements
C) Evaluation of new technologies
D) Current capacity requirements

Section 6.6 Security

11 Identification and recognition of security breaches need to be dealt with in conjunction with which process(es)?

A) Incident management
B) Problem management
C) Availability and service continuity management
D) Service level management

Section 7.1 Business Relationship Management

12 How is a formal service complaint defined?

A) Any time a customer asks for escalation to be invoked
B) Whenever an incident exceeds its target resolution time
C) By agreement with the customer
D) The service provider provides the definition

Section 7.2 Supplier management

13 What is the objective of Supplier management?

A) To manage third party suppliers to ensure that their charges are minimised
B) To ensure that third parties do not sub-contract any part of the work
C) To manage the relationship with third party suppliers so as to ensure transfer of the contract to another party can be achieved in the event of a contractual dispute
D) To manage third party suppliers to ensure the provision of seamless, quality services


Section 8.1 Incident Management

14 Which of the following activities would you NOT expect to find as part of the Incident management process?

A) Escalation
B) Prioritisation
C) Identification of underlying causes
D) First line resolution

Section 8.2 Problem Management

15 Actions identified by Problem management to correct errors in the infrastructure will be processed by:

A) Problem management
B) Incident management
C) Availability management
D) Change management

Section 9.1 Configuration

16 When is a baseline of configuration items required to be taken?

A) Immediately following a major incident
B) As part of the testing of the service continuity plan
C) Before a release to the live environment
D) When Change management require information on the impact of a change request

Section 9.2 Change

17 Actions for improvement identified by Change management are recorded and passed to:

A) Release management
B) The Capacity plan
C) The service improvement plan
D) Configuration management

Section 10.1 Release Management

18 A Release policy would NOT include:

A) Frequency and type of releases
B) Roles and responsibilities for release management
C) Verification and acceptance of a release
D) Back-out or remedial actions if the release is unsuccessful


Sample Paper Answer Key


1 A
2 B
3 D
4 C
5 D
6 C
7 C
8 C
9 D
10 B
11 A
12 C
13 D
14 C
15 D
16 C
17 C
18 D