ISO20000 gives ITIL the balls it needs to be successful

[Today as a change we have a guest blog post from Don Page. Don is a long-time ITIL person who has contributed much over the years. This post originally appeared as a comment on this blog, but I think it is important enough to move it up to a post.]

Firstly I love reading ITIL Sceptic; the passion, expertise and honesty of individuals, the stupidity and self interest of others.

As one of ITIL's biggest supporters and critics I have reached a stage where I am very frustrated with the whole “ITIL journey”, its hype; its promised outcomes.

ITIL v3 addresses a number of v2 shortfalls; with a strong focus on the much needed areas of continual improvement (CSI), service life-cycle with greatly improved change control. I must confess however that reading the full ITIL v3 book set is greatly contributing to curing my insomnia.

I now strongly believe ISO20000 is the right strategy to ensuring a more successful ITIL based service improvemnt program.

It’s not ITIL that fails; it’s the organisations and people implementing it.

To be really successful ITIL requires accountablity; personal accountability, accountability to collegues, to the department and customers. ISO20000 gives you that accountability or as i say "ISO20000 gives you balls"

I believe I am suitably qualified and experienced to comment on both ITIL & ISO20000. In our company we try to practice what we preach, we have attained ISO20000 certification; with our 3rd audit in due in April.

ISO20000 continues to help us to improve the services we deliver to the business and customers, we know there is always room for improvement. Its become part of our culture, staff see the benfits and activly use it to demonstrate what a great job they do and the value they add (which they have to present each month).

Yes, it has been a difficult and often stressful journey. It’s not easy to take a long hard look at the way you do things, be honest about your strengths and weaknesses, take some hard decisions, then make improvements (and continue to do so), compare your performance against a worldwide standard and then be externally audited to prove our adherence to it.

You don’t have to go for formal certification, but I strongly believe we have the responsibility to give our business, stakeholders and customers confidence that we are a professional service provider. If it was your company, you’re paying the salaries; wouldn’t you want to have this confidence.

Why not go to the board or CEO and ask them if they believe it’s the right thing to do, 9/10 will say YES. ISO20000 is a business decision not an IT decision.

ITIL talks of process, which is after all, is the way we are “supposed to work”. It should not be a discussion of whether we follow it or not. Our only responsibility is to contribute to making it better.

We work on the premise – “If you can’t prove it – you don’t do it”.

People have said to me, maybe in a few years, when have “implemented ITIL”, we will go for ISO20000, well forget it; you need to get an auditable culture of continual improvement and accountability in at the start because its considerably more difficult and time consuming later on, trust me I know what i am talking about from hard experience.

My advice to anyone is starting on their “ITIL journey”, is to start with ISO20000 as your governance framework (use it as your minimal critical requirements).

The “shall’s” of a standard instantly remove a lot of the problems and difficulties faced by managers in their quest to deliver a world class service (example: - "all changes SHALL be recorded" - not should or depending on who, what or maybe; but SHALL).

In a nutshell, these are my ISO20000 vs.ITIL high level arguments.

Don’s ISO20000 vs. ITIL arguments

  • ITIL is not prescriptive and is difficult to maintain momentum without adequate governance controls – ISO20000 IS
  • ITIL does not Insist on continual improvement – ISO20000 DOES
  • ITIL does not Insist on evidence to prove quality and progress - ISO20000 DOES
  • ITIL quality cannot be internally or externally audited or benchmarked - ISO20000 quality CAN
  • ITIL is not being demanded by business - Governance controls, auditability & accountability ARE
  • In conclusion: “ISO/IEC 20000 should be made obligatory for every IT Service provider (internal or external)

    You have a responsibility to your organisation, stakeholders and customers to highlight the valuable contribution of your service provider - you know it makes sense”

    Don Page


    ISO 20000 can be proven, ITIL can only be claimed

    The main difference between an ISO 20000 project and an ITIL project lies in the proof: numerous organizations claim to have 'done' ITIL, but when I see what they have accomplished in practice.... Not so with ISO 20000: you either have it (with the certificate to proof it) or you don't. And if you have it, there has been a qualified independent auditor that was convinced, and not your own consultant ;-)
    Achieving ISO 20000 is much more difficult than 'doing' ITIL. That's why the ISO organization came up with the idea of introducing the concept of incremental certification.
    The road towards ISO 20000 can be taken, using ITIL as the wheels. So the one doesn't exclude the other.
    The lack of architectural design is something both have in common, so you'll need your own TomTom for that - but then again: we all need a challenge, don't we?

    Companies that want to take up the challenge of going for the ISO 20000 certificate, and prove their competence as a service organization, can soon find some relief in the next ITSM Library publication that's coming off the printers: "Implementing ISO/IEC 20000 Certification, The Roadmap". It contains guidance from a team of experts (including lead author David Clifford and 18 co-authors) and was reviewed by 40 matter experts from all over the world. And what's more: it also contains 6 detailed case descriptions on projects that successfully achieved the certificate (including Don's):
    - Electronic Data Systems IT Outsourcing
    - Fujitsu FIP Corporation
    - ING Service Centre Budapest (SCB)
    - Marval
    - NCS Pte Ltd, Singapore
    - Nippon Securities Technology Co., Ltd, Japan

    The very practical way the Roadmap is described may just be the thing that companies need to get over the threshold and take the ISO 20000 route. And they can still use ITIL as their wheels...
    The road finally has a goal.

    Don't believe in ISO20k as it is now

    Just my 2cents, i don't really believe on ISO20K as it is know today. Jan, you talk about case studies and reality cases (companies that have obtained the certification). My opinion is that the trick is in the scope of the certification. I don't believe that any company can get the certification for the full scope of IT services, just because
    a)it is impossible (and probably inefficient and unprofitable) and
    b)it doesn't cover the service lifecycle (because this concept has been added to the BOK after the ISO20K has been released). Just because you are not covering the service lifecycle, you can not get into the scope those services that are being created.

    So I do believe more in incremental certifications like CMMI (but still no CMMI-SVC)

    Don, you said
    "To be really successful ITIL requires accountablity; personal accountability, accountability to collegues, to the department and customers. ISO20000 gives you that accountability or as i say "ISO20000 gives you balls""

    so to be really successful, your ITIL requires governance, and not ISO20K

    Just my toughs...

    Incremental Assessment for IT Services that compares to CMMI

    Carnegie Mellon University has actually developed a great incremental assessment for IT Services called the eSourcing Capability Model. It can be used to assess IT services whether they are internally or externally sourced and it includes both a service provider model and assessment as well as a client model. It also addresses the sticky governance issues that arise in trying to apply ITIL in a multi-vendor environment. eSCM contains both a best practices model and a rigorous assessment methodology. Check it out here:

    SPICE and ITIL

    I can't say too much at this stage, but expect ISO/IEC in the next couple of years to adopt a maturity based model as part of the approach to assesing service managemenr.


    ISO 20000 Maturity assesment

    I remember that Jenny Dugmore announced at the itSMF Conference in Brighton (november 2007) that there will indeed be a form of maturity assessment or rather staged approach to the final goal: full certification. She mentioned end of 2008, beginning of 2009. Maybe we can get her to comment...?


    Maarten Bordewijk
    Getronics PinkRoccade

    Maturity assessment


    Work is certainly underway on developing the staged approach, which will be aligned with SPICE. I think 2009 is much more likely than 2008. I would be wary of seeing it as a staged way of achieving full certification, each stage will be valid in its own right, and I would expect that an organization achieving the highest level would be operating at a higher level than the strict requiremnts of certification demand.


    compare apples with apples

    Antonio - this is the Skeptic site, so I understand principal scepticism. But this also is a site for logical reasoning, getting away from the hype.
    You're absolutely right about that scoping issue. But think about this: take the very same organization with the very same scope and ask yourself what it would mean if they said "we do ITIL" or "we have achieved the ISO 20000 certificate". See what I mean?

    And the service lifecycle is a nice move in the right direction, but it has the same fundamental flaw as ever. ITIL still covers the supply side, and the functional management domain is left where it is. ITIL now slightly touches upon a very few aspects of that domain, but it's still technology management. And to be able to manage the REAL information service lifecycle, you'll need to cover the entire information management domain: if you start out in the wrong direction, it's almost impossible to repair and get back on the right track. That's where all the billions are wasted in IT.

    And I don't think we're ready to have success in governance as yet. We'll first have to tackle the basics of functional management before that will be possible. It's a matter of evolution: you start down under at the right side of the 3x3 model (SAME) and you slowly move up to the left top where governance is. Have you read the article in the Novatica magazine?
    Interesting though to see that the new ISO standard for IT governance will be published soon....

    ok, agreed on the first one. Lets go for the second!

    Jan, now that we agree on the scoping issue, lets move into the second sentence: as you said, take the very same organization with the very same scope and ask yourself what it would mean if they said "we do ITIL" or "we have achieved the ISO 20000 certificate". See what I mean?

    The difference between both companies is that in the second one you are sure that there are specific processes in place with a minimum requirements, and that those processes are audited periodically, BUT

    1.- they must say "we have achieved the ISO 20K certificate for this and this and this service in this and this locations", but since "vendors are the first", and they *are* vendors, they are not going to be so precise, so be sure that the customers (their customers) will be dissapointed, and probably the acceptance of the certificate will be decreasing over time.

    2.- it depends on the "good mood" of the evaluator. ISO 20K says things like "you must have a CMDB" or "you must have financial management of your IT Services" or "you must have a Service Catalogue in place", and... what are the meanings of those words? The one that is understood by the evaluator. (please, dont' forget that, at least the Spanish version of ISO 20K, when I reviewed it, does not define the concept SERVICE

    3.- requires full compliance of the ISO20K processes, so they must have the full set in place. from my point of view, this will mean that a)they have a really mature and impressive company, or b)their proccesses are not good, and this leaves me to

    4.- nobody guarrantees that they have good processes. probably they have the minimum set of controls and optimizations that lets them to have the certification... why? because in reallity they didn't want to implement and operate a financial management process, or a customer relationship ptocess... but if they didn't, they couldn't achive the desired logo.

    So the main questions are:

    a) why do the companies want to achieve the ISO 20K certification? (to sell better, or to provide better services?) if it is to sell better, nothing motivates a good IT Service Management. and if it is to provide better services, you don't need a certification.

    b) why a monolithic certification? (and this is really the main point and the root cause of all this long response) companies can not implement and operate processess in a monolithic way, it has been described time after time as a Critical Failure Factor. This is why I think that ISO 20K would be really a good and interesting certification if it could be stagged and progressive, based in maturity models like CMMI certification.

    my glass is half full

    I guess we agree on most of this. But there is one major difference: my glass is half full. I mean this: I've worked through the ITIL books, in all versions, from cover to cover, and backwards, and again, for almost 20 years now, and the same for ISO 20000 since a couple of years. Both have serious design flaws. But 1) this hurts less in ISO 20000, since that standard doesn't require ITIL: you can use any guidance you like, as long as you achieve the required results, and 2) there is no measurement for the statement "we do ITIL", and there IS for ISO 20000 - weak as it might be in some cases, but still - there is a formal standardized check.
    And yes - I also know companies that went for an ISO certificate, just to be able to check a box in a quote form. But I always hold on to the belief that they will have had to go through the exercise, and that the good ones will learned something from that. And you simply can't say that for any ITIL project: that would be completely dependent upon the project, the ideas of the manager, the consultant, etcetera. As I stated before; there are plenty of companies that claim to have done ITIL, when in fact they have not implemented more than one or two functions, and two - or at the most three - processes. And in fact they may even never have looked at the other functions and processes. Now THAT is something you can't say about a company that went through the ISO 20000 certification.

    ISO20000 for Vendors ?

    Just looking at the list.. Seems to be a strong dominance of Vendors (or services or equipment)..

    I can seem a business case for ISO certification if you are addressing a market that values and/or requires certification. Certainly in Japan, Singapore that is the case. The stick (or carrot if you want) in that case is it is a price of entry into the market.

    But for wholly internal service providers, I cannot see the value proposition.


    Brad Vaughan

    vendors always go first

    Of course the list will be dominated by vendors. At least in the beginning. If ISO 20000 will be accepted as "the thing to do" for an internal IT department, then the vendors will be outnumbered. The reason for the fast adoption by vendors is clear: they have a commercial advantage over competitors that haven't (yet) been able to demonstrate their capability along the ISO line. I expect the number of internal departments that go for a certificate to grow soon. In the continuous battle over the outsourcing threat, having achieved the ISO 20000 standard will be an excellent argument to survive.

    Respecfully decline

    As with all generalizations, the applicability of ISO standards is pretty limited. To evangelise that all organizations should implement 20000 is a grave mistake, in my opinion.

    That being said, I have never implemented ISO20000, but I have some experience with some of the other ISO audits. I have never been involved in a ISO audit, where the sole purpose of the process was not to get the certification. The goal of a tangible improvement in anything was not even being considered. And the reviewed were even more so the same "dog and pony" show. Mostly this was because the motivation for getting the certification was to conform to some government regulation, market standard or some compliance requirement.

    In the recent ten years I have experienced companies in India, Singapore, Thailand, Japan, China, Australia, US and many others... These have been in a range of industries (telco, finance, media, internet etc..) and a range of maturities (startups, Fortune 500's etc..). The one thing I have learnt is all companies have many of the same characteristics, but the devil is in the detail.

    The reason why ITIL is not implemented and should not be considered implementable is entirely the reason why it is a good concept (however I may feel about its execution). Companies mostly need guidance, mentoring and knowledge with the assumption that they have the motivation to get the job done. They do not need strict auditing and and standards control. The more defined the framework of the standard, the less applicable it becomes to delivering practical benefit.

    ISO "standards" are most often the stick used by regulators on business. "Recognized need" is the carrot that make adoption of ITIL successful.


    Brad Vaughan

    ISO 20000 Personal Certification

    What an interesting article. Lots of common sense in there.

    I also wonder how the new ISO 20000 PERSONAL certification scheme will shake things up. I do mean personal, rather than corporate level. EXIN now offer a progression of certificates for ISO 20000 education, just like APMG do for ITIL:

    On the educational front therefore, does this not make it a COMPETITOR to ITIL, or at least an educational ALTERNATIVE? It looks like it to me. And given all the plus points mentioned above, it might just get the upper hand.

    At the very least, it begins to put APMG under real pressure.

    The future is unwritten (Strummer).

    you can't implement ISO 20000

    Brad - there is a very common mistake going 'round in the IT sector, that has to do with the wrong application of frameworks and standards.
    There is a difference between something you can use to implement a capability, and something you can use to check whether your result is any good. People tend to use the measurement instruments for the implementing purpose and the other way 'round. For instance: COBIT and ISO 20000 are standards that describe what should be in place to achieve a certain level of quality. You shouldn't use these for implementation guidance.
    ITIL, SMBOK, IPW, ISM, etc, are frameworks that can be used to guide you through your implementation project. But they should not be used to measure your result.
    So as long as you don't care about proving your capability, you may be right. But as soon as you have to provide your capability - internal or external - you'll have to find a way to demonstrate that. And simply claiming "we do ITIL" doesn't mean much.
    There are no serious alternatives to ISO 20000 for the purpose of demonstrating your capability as a service provider. Of course that doesn't mean that this is a guarantee for satisfied customers: there's more to that. But it's the best fundament I can come up with.

    Dog and Pony Shows

    The problem is that the ITILV3 exams are even more of a Dog and Pony Show: the so called Bridging Exam more extreme than most -- if that's not a Dog and Pony Show I don't know what is. Many organizations looking at the issues of investing in Service Management best practice and training have a stark choice -- take up ITIL training and seeing staff taking their qualifications with them when they walk out the door -- or investing in something that can be proven and doesn't rely on individual members of staff sticking around.


    I absolutely hate ITIL training and certification.. I have hated this model since Certified Netware Engineers were being cloned at a rate of 1 a second 15 years ago..

    I believe in the concept of ITIL and agree with much of the content of the books, but Im not a big fan of the execution model. To keep the sayings coming, I do not want to "throw the baby out with the bath water" :) Use ITIL and "Adapt and Adopt" to your needs.. Do not "drink the itSMf Kool-aide".

    I think ISO is a big investment for a large part of the company landscape and it only promises proven compliance, it does not promise any form of benefit from execution. Its measuring execution and not result (see the previous post on KPI's and metric). This is a very risky proposition, you need both. I can show you many ways to execute ITIL that would meet a compliance standard but hinder an organization under a mass of process when all they need is a sliver of process.


    Brad Vaughan

    Controlled adapt and adopt


    It is a very valid criticism of ISO certification that it doesn’t look at outcomes.

    On the other hand part of the purpose of certification is that it forces organisations to look at the big picture, not just isolated elements of ITIL. The “adapt and adopt” approach is fine in an organisation that is already relatively mature, but unfortunately it also appeals to organisations that are very immature. In their hands it becomes an excuse for leaving out anything that is challenging, or for adopting a skin deep implementation of ITIL. Certification, good training, and decent consultancy advice are effective counters against this.

    What, though, is your beef with ITIL training? In the successful ITIL projects I've seen a good ITIL training programme has been central. The ITIL trainers’ community has also done much to improve the practical application of ITIL.

    I do understand that a bad training programme just throws the junior staff en masse through Foundation training, and doesn't connect the training to what is happening in the workplace. I also understand that there is an increasing tendency for training to be delivered by those with a more academic understanding of the subject, and of course there has been a little criticism of the v3 approach to training.

    Syndicate content