Manage Learn to apply best practices and optimize your operations.

ISO 20000 implementation: Addressing the common pitfalls

The ISO 20000 global standard includes the necessary requirements for an organization employing an IT service management system. Learn how to overcome common ISO 20000 implementation mistakes.

During the course of conducting an ISO 20000 audit, many companies realize they fall short due to various gaps in their processes. The following are some common pitfalls found by auditors after ISO 20000 implementations and some basic hints on how understanding and following the standard correctly can help you avoid them.

Existing processes and procedures do not align.

Aligning processes and procedures is accomplished in the planning and implementation phase. The methodology, known as Plan-Do-Check-Act (PDCA), can be applied to all processes, as follows:

  • Plan: Establish the objectives and processes necessary to deliver results in accordance with customer requirements and the organization's policies.
  • Do: Implement the processes.
  • Check: Monitor and measure processes and services against policies' objectives and requirements and report the results;.
  • Act: Take actions on the differences and continually improve process performance.

Multiple service management plans may be used in place of one large plan or program. Where this is the case, the underlying service management processes should be consistent with each other. It should also be possible to demonstrate how each process and requirement is managed by linking it to the corresponding roles, responsibilities and procedures.

Some processes do not exist, others are not being used

ISO 20000 section 4.3 (monitoring, measuring and reviewing) states that in order to identify these process areas and improve upon them, a regular audit program must be planned. Users also need to take into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods must be defined in a procedure. The selection of auditors and conduct of audits must ensure objectivity and impartiality of the audit process. Auditors must not audit their own work.

Any significant areas of noncompliance or concern should be communicated to relevant parties and corrective action taken.

Various staff members do not understand the difference between process and procedure.

ISO 20000 Section 3.3 describes competence, awareness and training. In accordance with this section, a service provider should:

  • Determine the necessary competence for each role in service management.
  • Ensure that personnel are aware of the relevance and importance of their activities within the wider business context and how they contribute to the achievement of quality objectives.
  • Maintain appropriate records of education, training, skills and experience.
  • Provide training or take other action to satisfy these needs.
  • Evaluate the effectiveness of the actions taken.

Staff members still need to perform their "day job" responsibilities

According to ISO 20000 section 3.3, top management must ensure its employees are aware of the relevance and importance of their activities and how they contribute to the achievement of the service management objectives.

Your staff has to understand the importance of making the management system a way of life on the job, not just an extra task.

Staff members are reluctant to admit their level of understanding of the requirements.

Under ISO 20000 section 3.3, all service management roles and responsibilities shall be defined and maintained together with the competencies required to execute them effectively.

Staff competencies and training needs shall be reviewed and managed to enable staff to effectively perform their roles.

Scope creep

As organizations change and grow, the scope of the services provided under the ISO 20000 standard expands. However, the organization often times fails to expand their certification activities to cover any new services. This is known as an "extension to scope." This can be addressed by following the rules set forth in section 7.2.

ISO 20000 section 7.2 (business relationship) requires the service provider and customer to attend a review to discuss any changes to the scope, service-level agreement, contract (if present) or the business needs at least annually and shall hold interim meetings at agreed intervals to discuss performance, achievements, issues and action plans. These meetings shall be documented.

Not everything is recorded or measured, especially the performance of identified improvements.

According to ISO 20000 section 4.3 (monitoring, measuring and reviewing), the organization must apply suitable methods for monitoring and, where applicable, measuring service management processes. These methods must demonstrate the suitability of the processes to achieve planned results. Management must then conduct reviews at planned intervals to determine whether the service management requirements:

  • Conform with the service management plan and to the requirements of this standard;
  • Are effectively implemented and maintained.

Additionally, under section 4.4.2 (management improvements), all suggested service improvements shall be assessed, recorded, prioritized and authorized. The service provider must have a process in place to identify, measure, report and manage improvement activities on an ongoing basis.

John DiMaria is BSI Americas' product manager for risk standards specializing in ISO 27001 and ISO 20000. He is a Certified Holistic Information Security Practitioner and Six Sigma Black Belt.

Dig Deeper on IT governance

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

This is a good concept, but with the changing times of training individuals to a set criteria( barriers) will developers a closed a mind . I have worked in the maintenance industry for many years! Where is the ISO for maintenance standards. The Red Seal qualification of trades persons will be decimated and changed to technical labor, with a set knowledge of application. I find that most industry will not adhere to proper maintenance standards. The education of maintenance labor is now a cost , not considered as a resource to adhere! It may be ISO standard but an evil to profit. The guided lines of safety are circumvented through cost and cut backs in staff. This in turn causes many work practices to be changed and layoffs begin to happen ( profit/people). The mind set of happiness in the work force becomes stifled , don't complain , maybe my job will last, or should I complain it may cost me my job.They will be called a whistle blowers not an controllable asset to company profit.