BS-15000-2000.pdf

| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | BRITISH STANDARD BS 15000:2000 ICS 35.020 NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW Specification for ITservice management Licensed Copy: sheffieldun sheffieldun, na, Fri Nov 24 03:27:07 GMT+00:00 2006, Uncontrolled Copy, (c) BSI This British Standard, having been prepared under the direction of the DISC Board, was published under the authority of the Standards Committee and comes into effect on 15 November 2000 BSI 11-2000 The following BSI references relate to the work on this standard: Committee reference BDD/3 Draft for comment 00/683007 DC ISBN 0 580 33233 0 BS 15000:2000 Amendments issued since publication Amd. No.DateComments Committees responsible for this British Standard The preparation of this British Standard was entrusted to Technical Committee BDD/3, ITservice management, upon which the following bodies were represented: British Computer Society (BCS) Central Computer and Telecommunications Agency (CCTA) IT Service Management Forum (itSMF) National Audit Office (NAO) Co-opted members Licensed Copy: sheffieldun sheffieldun, na, Fri Nov 24 03:27:07 GMT+00:00 2006, Uncontrolled Copy, (c) BSI BS 15000:2000 BSI 11-2000i Contents Page Committees responsibleInside front cover Forewordii 1Scope1 2Normative reference1 3Definitions1 4General4 5Service design and management5 6Relationship processes7 7Resolution processes8 8Control processes8 9Release management9 Annex A (informative) Other sources of information11 Bibliography13 Figure 1 Ð Service design and management processes1 Licensed Copy: sheffieldun sheffieldun, na, Fri Nov 24 03:27:07 GMT+00:00 2006, Uncontrolled Copy, (c) BSI ii BSI 11-2000 BS 15000:2000 Foreword This British Standard has been prepared by Technical Committee BDD/ 3. It is based on, and may be used in conjunction with, DISC PD 0005, A Code of Practice for IT Service Management, which provides guidance on best practice and supports the requirements of this standard. This standard may also be used in conjunction with DISC PD 0015, IT Service Management Ð Self-assessment Workbook, which contains a number of checklists designed to assist organizations assess the extent to which their ITservices conform to the requirements of this standard. The list of control objectives and controls contained in this standard is not exhaustive and an organization may consider that additional control objectives and controls are necessary to meet their particular business needs. The nature of the business relationship between the service provider and customer will determine how the requirements in this standard are implemented in order to meet the overall objective. The organization, or department within an organization, that is being assessed for compliance is required, as part of the process, to define their ªboundaryº of activities to be certified. The boundary needs to be approved by the auditor and, assuming certification is granted, appears on their certificate of compliance. Any organization seeking to rely on a service provider's claimed compliance with the standard should first ask to see their certificate so that they can check what is included within it. To summarize, the organization applying for certification has to comply with all the specified processes, but, by defining their boundary of certification, may choose to include or exclude customer or supplier activities as they wish. It is assumed that the execution of the provisions of this standard is entrusted to appropriately qualified and competent people. A British Standard does not purport to include all the necessary provisions of a contract. Users of British Standards are responsible for their correct application. Compliance with a British Standard does not of itself confer immunity from legal obligations. Attention is drawn to the following legislation: Data Protection Act 1998. Computer Misuse Act 1995. Copyright, Designs and Patent Act 1988. BSI Committee BDD/3, whose constitution is shown in this British Standard, takes collective responsibility for its preparation under the authority of the Standards Board. The Committee wishes to acknowledge the personal contributions of: Jenny DugmoreService Matters Ltd. Shirley LacyChange IT Ltd. and representative of the BCS Don PageMarval Software Ltd. Ivor MacfarlaneGuillemot Rock Lynda CooperF.I. Group plc Ivor EvansIvory Consulting Ltd. Aidan LawesitSMF Martin CarrCCTA John GroomCCTA Ian PetticrewNAO The Committee also wishes to acknowledge the support of the British Broadcasting Corporation as sponsors of this standard. Summary of pages This document comrpises a front cover, an inside front cover, pages i and ii, pages 1 to 13 and a back cover. The BSI copyright notice displayed in this document indicates when the document was last issued. Licensed Copy: sheffieldun sheffieldun, na, Fri Nov 24 03:27:07 GMT+00:00 2006, Uncontrolled Copy, (c) BSI BS 15000:2000 BSI 11-20001 1 Scope This standard specifies service management processes and forms a basis for the assessment of a managed IT service. It may be used by: Ð organizations seeking tenders for outsourced services; Ð organizations that require a consistent approach by all service providers in a supply chain; Ð existing providers to benchmark their IT service management; Ð as the basis for formal certification. The relationship between different service design and management processes is illustrated in Figure 1. Service Design and Management Processes Security Management Release Management Capacity Management Financial Management Supplier Management Business Relationship Management Configuration Management Change Management Incident Management Problem Management Service Level Management Service Reporting Availability and Service Continuity Control Processes Automation Resolution Processes Release Processes Relationship Processes Figure 1 Ð Service design and management processes 2 Normative reference The following normative document contains provisions which, through reference in this text, constitute provisions of this British Standard. The latest edition of this publication applies. DISC PD 0005, Code of Practice for IT Service Management. 3 Definitions For the purposes of this British Standard, the definitions given in DISC PD 0005, excepting the following, apply. 3.1 availability ability of a component or service to perform its required function at a stated instant or over a stated period of time NOTEAvailability is usually expressed as a ratio of the time that the service is actually available for use by the customers to the agreed service hours. 3.2 change management process of managing changes to the infrastructure or any aspect of services in a controlled manner, allowing approved changes to be made with minimum disruption Licensed Copy: sheffieldun sheffieldun, na, Fri Nov 24 03:27:07 GMT+00:00 2006, Uncontrolled Copy, (c) BSI 2 BSI 11-2000 BS 15000:2000 1) ITILis a registered trade mark of the Central Computer and Telecommunications Agency (CCTA). 3.3 change record record containing details of which configuration items are affected and how they are affected by an authorized change 3.4 charging process of establishing charges in respect of business units and raising invoices 3.5 classification process of formally identifying incidents, problems and known errors by relevant categories such as origin, symptoms and cause NOTEThis is principally an internal process aimed at aiding root cause analysis. 3.6 configuration item (CI) component of an infrastructure or an item which is, or will be, under the control of configuration management NOTEConfiguration items may vary widely in complexity, size and type, ranging from an entire system including all hardware, software and documentation, to a single module or a minor hardware component. 3.7 configuration management process of identifying and defining the configuration items in a system, recording and reporting the status of configuration items and verifying the completeness and correctness of configuration items 3.8 cost actual or notional amount of expenditure incurred on, or attributable to, a specific service or business unit 3.9 document information in readable form, including computer data, which is created or received and maintained as evidence of the service provider's intentions with regards to service management NOTE 1In this standard, records are distinguished from documents by the fact that they function as evidence of activities, rather than evidence of intentions. NOTE 2Examples of documents include policy statements, plans, procedures, service level agreements and contracts. 3.10 impact measure of the scale and magnitude of an incident, problem or request for change 3.11 incident any event which is not part of the standard operation of a service and which causes or may cause an interruption to, or a reduction in, the quality of that service NOTEThis may include request questions such as ªHow do I.?º calls. 3.12 knowledge base repository containing data relevant to the execution of any of the service management processes and available to appropriate staff where and when required 3.13 known error incident or problem for which the root cause is known NOTEAll but this definition are identical to those definitions also used in ITIL1). ITIL1)offers a more detailed perspective and takes the definition a stage further to include the resolution (temporary or otherwise) of the error. 3.14 metric measurable element of a service process or function Licensed Copy: sheffieldun sheffieldun, na, Fri Nov 24 03:27:07 GMT+00:00 2006, Uncontrolled Copy, (c) BSI BS 15000:2000 BSI 11-20003 3.15 problem unknown underlying cause of one or more incidents 3.16 record information in readable form, including computer data, which is created or received and maintained by the service provider as evidence of the performance of service management activities NOTE 1In this standard, records are distinguished from documents by the fact that they function as evidence of activities, rather than evidence of intentions. NOTE 2Examples of records include audit reports, requests for change, incident reports, individual training records and invoices sent to customers. 3.17 release collection of new and/or changed configuration items which are tested and introduced into the live environment together 3.18 request for change form or screen used to record details of a request for a change to any configuration item within a service or infrastructure 3.19 service improvement programme series of activities undertaken within an enterprise to identify and introduce measurable improvements within a specified service or work process 3.20 service level agreement (SLA) written agreement between a service provider and a customer that documents services and agreed service levels 3.21 service level management process of defining, agreeing, implementing and managing the levels of customer service 3.22 service management management of services to meet the customer's requirements 3.23 system integrated composite that consists of one or more of the processes, hardware, software, facilities and people that provides a capability to satisfy a stated need or objective 3.24 third-party supplier enterprises or groups, external to a service supplier's enterprise, which provide services and/or products that contribute to, or supplement, the overall service 3.25 workaround method of avoiding the impact of an incident or problem, either from a temporary fix or from a technique that means the customer is not reliant on a particular aspect of the service that is known to have a problem Licensed Copy: sheffieldun sheffieldun, na, Fri Nov 24 03:27:07 GMT+00:00 2006, Uncontrolled Copy, (c) BSI 4 BSI 11-2000 BS 15000:2000 4 General 4.1 Establishing the boundaries of the managed service Objective: To define the boundary of the managed service. The scope of the managed IT service shall be defined. The boundaries shall be defined in terms of the characteristics of the organization, its location, assets and technology. 4.2 Service management planning Objective: To provide management direction and resources for implementing service management activities. A service management plan shall define: a) the scope of service management within the organization; b) the objectives that are to be achieved; c) the framework of management roles and responsibilities, including the management of third-party suppliers; d) the interfaces between service management activities and the manner in which activities are to be coordinated; e) the approach to be taken in identifying, assessing and managing risks so the defined objectives are achieved; f) the resources necessary to achieve the defined objectives. A service management plan shall include information concerning its implementation, maintenance and authorization. A cross-functional management forum shall provide support for prioritizing, planning and coordinating service management activities. Customers and third-party suppliers shall appoint individuals to act as points of contact for their organizations. Procedures that are developed for compliance with this standard shall also support the objectives of the service management plan and shall be auditable. 4.3 Professional competence Objective: To ensure that service management personnel are competent. Service management roles and the competencies necessary to discharge them effectively shall be defined. Service management personnel who are permanent employees of the service provider shall receive structured education and training in service management appropriate to their role(s). A record shall be maintained for each individual of training received and current competencies. Individuals' development needs shall be reviewed at least annually with the aim of maintaining competencies and developing them where appropriate. Service management personnel who are not permanent employees of the service provider shall be required by the service provider to furnish documentary evidence of their qualifications, skills and experience and to maintain the relevant competencies. NOTEThis may include agency personnel, contractors and consultants. Responsibility shall be assigned for managing these requirements. 4.4 Service quality Objective: To demonstrate evidence of continual improvement in the quality of the service. There shall be an ongoing programme of activities designed to monitor and improve the quality of the service. Metrics and targets shall be defined for each service management process and used as a basis for monitoring service quality. Formal methods shall be adopted that permit meaningful comparisons in service quality to be made, including the comparison of actual achieveme