Right now my organisation's involvement with ISO/IEC 20000 is:


ISO 20K is difficult to stop

The coming of ISO 20000 is not decided by IT people. What will most likely happen is this.

1) Big IT Service buyers will start to mention ISO 20K directly or indirectly in their Request for Proposals. Having a certificate simplifies the screening process and proves that the External Service Provider (ESP) can at least convince auditors of having ITSM processes.
2) All ESPs scramble to get the certificate as they are afraid of losing bids because of missing certificate but it takes some time.
3) All ESPs start promoting their certificates.
4) All people who work for or with the ESPs need to understand ISO 20K

In my market we are now between 1 and 2

ESPs ahead of the game

If you look at a list of certified organisations you'll see the suppliers have been going down the certification route for a long time. I agree it will become a feature of RfPs - though bear in mind we might see some tightening of rules over what aspects of a service can be certified - so if an ESP is only providing the help desk, for instance, it might not actually be certifiable.

ISO20000's fatal flaw re credibility

Right now ISO20000's fatal flaw re credibility is the loophole that allows the scope of certification to be tightly restricted. I have heard of a service provider certified in a limited scope within one client then start talking broadly about how they are ISO20000 certified.

So RFPs will have to be very explicit.

But I entirely agree this will probably be the process ... unless ISO9000 offers an alternative.

20000 and 9000

The same thing used to happen with ISO 9000.

What is the alternative for ISO 20000 though? You can't be certified for something you don't do so to use my example the only way a third party help desk provider could achieve ISO 20000 is if they provided the full range of SM processes/capabilities somewhere within their service portfolio, even if not to that specific customer - or for the customer to go for certification themselves which means they would have to prove they had management control over the help desk, but is probably closer to the original intent of the standard.

Tight definition of certification for an internal IT department is not a bad way to start - for instance getting certification for a new service entering production.

one service to one customer??

"the only way a third party help desk provider could achieve ISO 20000 is if they provided the full range of SM processes/capabilities somewhere within their service portfolio"

My understanding is that you can certify to ISO20000 for one service to one customer??

Up for debate

It is a question that has been subject to much debate and needs clarification. Part of the intent was to avoid the pick and choosing that goes on in some ITIL implementations that leads to the important bits being left out. It also raises the question of whether you should look at the maturity level of an individual process or whether you should look at overall maturity.

Scoping of certification is an area of confusion

There is so much misunderstanding about this. Yes, a single service provided to a single customer can be the scope of certification, however the service itself is *not* what is certified. What is being certified is the service management system used to provide the service. Therefore, the service being provided will be underpinned by all the familiar processes like incident, problem, config, etc along with others maybe less familiar like PDCA, management responsibility etc etc.

So to take the example of a Service Desk, if as a Service Provider it gets certified to ISO/IEC 20000 (pedantic I know) we can be confident that the management system used to provide it meets the standard. Lots of people get confused by the fact it is providing, in ITSM terminology, an 'incident management' service. That is wholly irrelevant. The certification tells us that the Service Desk has sufficient capacity, continuity etc etc and, to really make the point, if one of the Service Desk operators has a failure of their PC, there is an incident management process in place to restore their service. It doesn't matter whether the Service Desk does something we would recognise as incident management, call fulfilment or sells double glazing. It is a service underpinned by an ITSM system that conforms to the requirements of the standard, not the service itself, that is certified.

Ian Whyte, Bishops Beech Ltd

watch the sales boys trumpet

Great clarification, thanks.

In larger service providers it is not unusual for the systems to actually be different from client to client, especially those SPs who just "take over" the existing infrastructure and run it, and perhaps eventually absorb it - a not uncommon model.

So just because Service Desk as provided to client A is ISO20000 cert may not mean much to a new prospective client. But watch the sales boys trumpet how "we are ISO20000 certified"

This is a known problem and being looked at by ISO. The sooner fixed the better.

More work for Chokey???

You said:
But watch the sales boys trumpet how "we are ISO20000 certified"

Hmmmm. It sounds like it'll just give Chokey the Chimp more to round out his day, when not busy dealing with crap factoids! ;-)


Perhaps we should have a 20000-CrapWatch for inflated compliance claims. Trouble is they tend to be verbal, dropped in to sales presentations. Written claims usually have all the fine print.

The positive side of 20k

I think the positive thing in ISO 20000 is that it means a lot more effort than just saying you are ITIL compliant. In my experience the sales people tell that "Yes we are 100% ITIL compliant" but production people and customers tell that there is no process in place.

With 20k they need to either A) really put a major effort on process improvement or B) work hard on cheating the auditors.
