Fig. 1: YaSM and ISO/IEC 20000 Process and document templates for every ISO 20000 requirement.
One of the objectives when creating YaSM® was to provide a process model that is closely aligned with ISO/IEC 20000 ('ISO 20000'), the internationally acknowledged standard for service management.
Organizations often seek certification to ISO 20000 because it enables them to prove that they are customer-oriented, efficient and effective suppliers of services. The certification can thus be used for marketing purposes, or to gain access to customers and markets which require their service suppliers to be ISO 20000 certified.
Closely aligned with ISO/IEC 20000 - the YaSM model
ISO 20000 sets out "requirements for establishing, implementing, maintaining and continually improving a service management system (SMS)".
To meet these requirements, organizations typically must define and implement a set of service management processes which comply with the standard. But ISO 20000 does not prescribe specific processes, nor does it provide detailed descriptions that organizations could use as guidance.
Some more guidance can be found in the popular service management frameworks and approaches, such as ITIL®, CMMI-SVC®, COBIT®, VeriSM™, SIAM™, etc. But some of these frameworks provide only high-level descriptions of service management processes, while others are not well aligned with ISO 20000, especially regarding the requirements related to the service management system.
As a result, there is a need for detailed process descriptions that are based on established service management frameworks and concepts and, at the same time, offer better alignment with ISO 20000:
The YaSM process model provides such detailed descriptions as process templates in a graphical, easy-to-read format, including document templates for the policies and other documented information that usually needs to be prepared for the certification audit.
The YaSM service management model thus provides a solution for every ISO 20000 requirement, and implementing the YaSM processes is a straightforward approach for obtaining ISO 20000 certification.
ISO 20000 requirements and related service management processes
YaSM is designed to be well aligned with ISO 20000, and there are one or several related service management processes for every section in ISO/IEC 20000:2018, Part 1 (Mandatory requirements), as exemplified in the following tables:
A detailed cross-reference between the YaSM service management processes and every single ISO 20000 requirement is available in the form of the YaSM - ISO 20000 Bridge, an additional component to the YaSM Process Map.
The ISO 20000 Bridge makes the task of designing ISO 20000 compliant processes for your organization manageable.
High-level service management objectives are stated in the service management policy. More detailed objectives are established, for instance, in the form of strategic objectives, process and service objectives, project objectives, etc.
The service management processes, as defined and mandated through the process model, ensure alignment of planning activities with the various elements of the service management plan.
Planning is done at several levels: At the strategic level, at the level of services and processes, and at the level of individual projects or initiatives.
Evaluation of results is ensured, for example, through regular strategic reviews, service and process reviews, project reviews, etc.
Support of the SMS
Processes for ISO/IEC 20000 section 7: 'Support of the service management system'
Required resources are determined when planning initiatives for setting up - or upgrading - services or (parts of) the service management system. Such initiatives are typically managed through the strategic plan and the various service and process improvement plans.
Skills are managed through the human resources management process and documented in the sills inventory.
Awareness of service management policies is achieved through publication and communication of the policies, for example via a service management portal on the intranet.
Awareness of the list of services is ensured by making the service portfolio accessible throughout the organization.
The data model (a particular view of the process model) provides a complete overview of the documented information required by the SMS.
Operation of the SMS
Processes for ISO/IEC 20000 section 8: 'Operation of the service management system'
Descriptions of the services, their purpose and the intended outcomes are contained in the service portfolio and the service definitions.
Service catalogues are specific views of the service portfolio for particular customers and users.
Service requirements are determined during service design and documented in the service definitions.
Proposals to change services may originate from several processes, for example service strategy, customer relationship management or service improvement.
The types of CIs for which configuration information is maintained are defined in the configuration model.
Configuration information is recorded as configuration item (CI) records, as specified in the configuration model. Configuration information is typically stored in a database to allow control of access and traceability of changes.
The attributes to be recorded for each CI are specified in the configuration model.
Items that are under the control of change management, categories of change and criteria to determine risk levels are specified in the change policy. How changes are managed is described in the process model, which includes a detailed definition of the change management process.
Aspects to be considered when assessing proposed changes are specified in the change policy. Facts and arguments that lead to the approval or rejection of changes are documented in the change records.
Requirements for changes to resources and skills are determined during service design and documented in the service implementation blueprint.
Relevant service definitions are updated during service design. If required, customer and supporting agreements are updated in line with the service definitions as the new or changed services are implemented.
Services are built according to the specifications in the service definitions, requirements specifications and in the service implementation blueprint. The service build process includes activities to create test cases and perform tests, to verify if all service components have been deployed successfully, and to take corrective action if necessary.
Incidents are managed in the incident resolution process and documented in incident records.
Actions taken to resolve incidents are documented in incident records.
Service requests are managed in the incident and service request resolution process and documented in service request records.
Actions taken to resolve service requests are documented in service request records.
The problem resolution process performs data and trend analyses to detect problems. Any identified root causes and solutions are documented in problem records.
If possible, problem management will identify workarounds and document them in the problem records. If feasible, problem management provides support staff with incident models, containing detailed instructions on how to apply the workarounds in order to resolve specific types of incidents.
Known errors are documented in problem records with identified root causes and workarounds.
Service availability requirements and targets are specified in the service definitions attached to customer service agreements. The service implementation blueprint, created during service design, describes the technical and other measures to ensure service availability.
Service availability is monitored as part of service operation and documented in service quality reports. If availability targets are not met, the service improvement process will re-assess the risks to service availability and take corrective action if necessary.
Service continuity requirements are specified in the service definitions attached to customer service agreements.
The process for managing disaster events performs regular assessments of continuity risks and maintains a register of disaster events for which continuity mechanisms are to be put in place.
Security risks are assessed on a regular basis, resulting in an updated register of security risks. This register identifies the relevant security risks with the mechanisms and controls applied to mitigate the risks.
Security controls are designed and implemented through the service design and build processes or through the security management process. Security operation manuals provide guidance for the operation of the security controls.
Processes for ISO/IEC 20000 section 9: 'Performance Evaluation'
Service levels and their target values are specified during service design in the service definitions.
Monitoring and measurement for services is based on service levels.
Services are evaluated against service requirements during service reviews.
Process metrics are defined during process design.
Effectiveness and performance of the SMS is evaluated as part of the regular process reviews.
Monitoring and measurement for the service management processes is based on process metrics.
The service and process operation manuals contain instructions for monitoring and measuring, and determine when service and process reviews are to be performed.
Management reviews are held at regular intervals in the form of strategic assessments. The continued adequacy of the service management system and the services is also ensured through regular service and process reviews.
Processes for ISO/IEC 20000 section 10: 'Improvement'
Non-conformities are identified during service and process reviews. If corrective action is required, improvement initiatives are managed, for example, through the service and process improvement plans.
Furthermore, the compliance management process reviews compliance with standards and regulations at regular intervals and takes corrective action if necessary.
Evaluation criteria for potential service and process improvements are specified in the service management policies.
Improvement initiatives are only approved if submitted with clearly defined, measurable objectives and a business case.
[ISO, 2018] International Organization for Standardization: ISO/IEC 20000-1:2018, Information technology - Service management - Part 1: Service management system requirements. - Geneva, Switzerland, September 2018.