In excess of two hundred organizations around the globe have followed the route to becoming ISO 20000 certified. This article attempts to trace out the steps that an organization may expect to follow in an attempt to become ISO/IEC 20000 certified.
Baseline Current Capabilities
Determining the current 'baseline' can be undertaken by using internal staff, although utilizing an external consultancy may perhaps provide a more 'independent' view as to the current organizations baseline. The areas to be reviewed include:
- Awareness: Achieving ISO/IEC 20000 requires all levels of the organization to have an awareness of the standard. The investment required by the organization to achieve accreditation may be considerable and furthermore requires commitment from the most senior management within the organization, which then permeates downwards to all members of staff. Awareness needs to exist within the 'fabric' of the organization, not simply when you know the auditors are due to visit, the value of ISO/IEC 20000 is worth far more than that.
- Evidence Gathering: Primarily documentation is sought to support the various policies, processes and procedures that support the organization and furthermore its intentions of becoming ISO/IEC 20000 accredited. In addition accessibility to the relevant documentation is important to the members of staff of the organization, which is often achieved by providing staff with access to the intranet. Induction courses for new and existing staff may also provide the opportunity to explain certain processes (ISO/IEC 20000), share information and how to obtain additional information, for example how to access various document repositories.
- Assessment: Utilising the ISO/IEC 20000 standard an in-depth assessment is undertaken of the organizations existing processes. Some external consultancies that provide ISO/IEC 20000 assessments are also able to provide a maturity measurement for each of the processes, which is often well received by senior management as it can assist with providing a high-level management summary. The assessment will cover the following areas:
- Service Delivery
- Capacity Management
- Service Level Management
- Service Reporting
- Information Security Management
- Service Continuity and Availability Management
- Budgeting and Accounting for IT services
- Control Processes
- Configuration Management
- Change Management
- Release Process
- Release Management
- Release Management
- Resolution Processes
- Incident Management
- Problem Management
- Relationship Processes
- Business Relationship Management
- Supplier Management
- Evidence Review: Having undertaken the 'Awareness Review, Evidence Gathering and Assessment' the next step is to collate the information, review the current 'state of play' of the organization and undertake a 'gap analysis' with regards ISO/IEC 20000. Having analyzed the information the next step is to provide a report.
- Prepare Report: The report provides details of areas that comply with ISO/IEC 20000 and those that require attention, and in some circumstances processes that need to be introduced into the organization. The report should contain recommendations on the next steps to take, potential benefits to be achieved and an indication of the number of man-days required to implement the recommendation. It may also be appropriate and of significant value to the organization to have a high-level project plan produced as a deliverable of the report. A final consideration is to have the high-lights of the report presented back to the Senior Management team.
- Project Board Sign-Off: The success of any ISO/IEC 20000 initiative requires the 'buying and commitment' of the most Senior Management team in the organization without this the project is destined to fail.
- Eliminate the Gaps: The project undertakes the activities to eliminate the gaps that were identified as part of the initial assessment. Depending on the timescales of the organization to achieve ISO/IEC 20000 certification there may be a necessity to employ third party ISO/IEC 20000 experienced resources, which may also assist to fast-track the elimination of some of the gaps.
- Prepare for Audit: As part of the preparation for the ultimate Audit it is recommended that a dry-run is undertaken. Engage an independent individual or organization that has not been involved with the project to date to undertake the audit with 'fresh-eyes'. A report should be produced detailing any observations that require attention.
- Certification Audit: The organization needs to contact a Registered Certification Body (RCB) and apply for certification. It should be noted that an RCB cannot be a company providing ITIL (Information Technology Infrastructure Library) consultancy due to the potential conflict of interest.
- Celebration and Communication: After considerable time, effort and commitment achieving certification is worthy of a celebration. Furthermore it is also worth shouting about your success from a commercial perspective, so consider promoting your success on your organizations website, marketplace publications, as well as on itilnews.com.
- Retain Certificate: Having achieved ISO/IEC 20000 certification the organization needs to continue to maintain its compliance.
- Surveillance Audit: To ensure compliance to ISO/IEC 20000 periodic 'surveillance audits' will take place. Failure of the audit may lead to the potential loss of the organizations ISO/IEC 20000 certification.
As part of ITILnews approach to continuous improvement, if from your experiences you feel the information above could be refined or expanded then please do not hesitate to contact us so that we may include the updates.