White Papers
ITIL & ISO/IEC 20000
Written by
Troy Vanderhyde & Glen Notman
The Manta Group
December 2007
Download the PDF version of this white paper here
ITIL and ISO/IEC 20000
ISO/IEC 20000 is the new international IT Service Management standard that enables IT organizations (whether in-house, outsourced or external) to ensure their IT service management processes are aligned with both the needs of the business and with international best practices.
When it comes to tools, technology, best practices and standards, business units are depending on you to provide optimal levels of service at a justifiable cost. Should you be working towards an ISO/IEC 20000 standard designation? Is a well functioning best practice framework all you need? What are the differences between ITIL and ISO/IEC 20000? Which is right for you? Should you have one or both? This whitepaper will summarize the key differences and similarities of ISO/IEC 20000 and ITIL V2 & V3. This can be a basis for determining which framework is right for you.
“Even if you’re on the right track, you’ll get run over if you just sit there.”
Will Rogers
What is ISO/IEC 20000?
ISO20000 is an international standard related to IT Service Management that allows IS and IT organizations around the world to collaborate as they provide fundamental services and products that help establish the credibility and capability of their companies. ISO/IEC 20000, which replaces BS 15000, allows the organization to prove to its customers and investors that it operates with integrity and security and that consistent, repeatable and measurable process are in place. These processes are managed with attention to continual quality improvement as dictated by the business.
This standard is based on and closely aligned with the IT Infrastructure Library (ITIL). ISO/IEC 20000 is a code that provides a means for consistently measuring and validating an organization's success in implementing best practices as defined by ITIL or similar frameworks. Organizations that are implementing ITIL will find themselves naturally moving towards ISO/IEC 20000 standards and are consequently able to increase their organizational credibility.
Achieving an ISO/IEC 20000 certification can certainly help provide a competitive edge over companies that do not presently meet this standard. ISO/IEC 20000 defines the key processes and identifies what needs to be in place. The challenge is determining whether the cost of achieving this certification is a value added benefit for your organization. See Figure 1.
Figure 1: ISO/IEC 20000
What is ITIL?
ITIL is a framework of documented best practices. Throughout its evolution, ITIL has always been focused on providing a framework to deliver consistent, repeatable and measurable processes. These processes need to be aligned with the needs and drivers of the business. ITIL became so widespread that it provided the basis for ISO/IEC 20000. As seen below, in figure 2 the original drivers for ITIL were aligning language and level setting practices. As it grew and evolved, there was a need to create a second version which aligned the multiple books into one cohesive reference set.
Traditionally ITIL practitioners and IT Service Managers focused on the production side of the shop. However within all the versions, many volumes have been written relating to improvement; inter operability of departments and IT and Business alignment. In a sentence, ITIL has always been about aligning the people, processes and technology platforms with the business needs.
Figure 2: ITIL growth and evolution
An emerging trend in business and IT is the need to consider solutions in a complete lifecycle. ITIL version 3 (v3) is a refocusing of the existing processes into a lifecycle framework. ITIL v3 is for mature ITIL and IT Service Management organizations. Benefits include aligning IT goals and objectives with the business and improving quality while reducing the cost of operations. ITIL v2 is completely embedded within V3. So much so that V3 assumes that your organization is fully versed and aware of the ITIL v2 language, process flow and relationships.
ITIL v3 assumes that the processes in place at your organization are managed with continual quality improvement.
ITIL has always been used as a guiding framework. It serves as a compass that enables IT organizations to leverage existing best practices and procedures, identify gaps in the overall delivery and make effective improvements. You can use ITIL in whole or in parts, based on your particular business needs.
Key Differences
ISO20000
“If an organization can truthfully assess all ten ITIL Service Support and Service Delivery processes and the Service Desk is functioning at a CMM Level 3, with some additional work on Supplier and Security Management then that organization will undoubtedly withstand and successfully pass an ISO 20000 audit.”
George Spaulding Author ITIL Continual ImprovementITIL
“Use ITIL In whole or in part it’s up to you and your organizational needs.”
Office of Governance and Commerce (OGC)
Using The Frameworks
Generally, practices that you currently employ are good practices. ISO and ITIL are tools that can be implemented to prove that what you are doing is actually working as designed. Further, they provide a basis for comparison and can identify gaps for improving overall effectiveness. It is not an “either or” decision. The two frameworks are complementary. Figure 3 shows how ITIL and ISO/IEC 20000 work together.
The specifications in ISO/IEC 20000 provide the vision and the overarching targets to put in place. The code of practice identifies what tangible objectives are needed. This code identifies the expected outputs and activities. ITIL v2 then describes the processes needed by your organization to prove ISO/IEC 20000 is in place and functioning in a controlled manner. Both work together to align your existing practices and procedures.
At the Manta group, we have identified an added value when CobIT (Control Objectives for IT) controls are used to manage and steer the processes. If ITIL is the compass, and the framework, and ISO/ IEC20000 is the target or destination, then CobIT provides the roadmap that identifies the progress and direction. In other words, CobIT helps to answer questions like “How do we know we are improving?” If the business needs are being achieved and the CobIT controls are being met, we
Figure 3: ITIL/ISO Support Triangle
Identifying The Need - Key Questions To Ask
It is important to know where you need to be in alignment with the business. ITIL has always used four simple questions to identify this placement. In relation to the strategy and performance indicators within your organization, ask yourself the following questions:
- Where are we now?
- Where do we need to be?
- How will we get there?
- How do we know we are there?
Graphically speaking (figure 4) below answers these questions and will help you make the appropriate governance decisions on where you need to be as an IT partner to the business.
These four questions will help you establish which framework is right for you. Does your organization look to your IT group to be a supplier, an enabler, or a partner? Is there a compelling business need or driver to prove your level of capability through an internationally recognized certification? If your current frameworks are meeting or exceeding the needs of the business, you may want to simply stay the course and continue to evolve your methods and practices at a pace acceptable to you and the business.
Figure 4 : Recognizing the Business Need
Remember that ITIL & ISO/IEC 20000 are only 2 of a myriad of enabling solutions that run concurrently and perpetually though your IT shop. The thought of managing the complexity and interoperability of various frameworks can be quite a challenge. At the Manta Group we refer to this task as “Managing your Best Practice IT Ecosystem”. This approach considers all People, Process and Technology components of your IT infrastructure. It considers your practices, appetite for risk, and controls in place for your organization. All of these frameworks, practiced properly, will add continual business value. It is important to look at the end-to-end lifecycle of your services, practice continual improvement and manage the infrastructure in alignment with the business needs. Integrated solutions are critical in being seen as a value added partner or supplier to the business.
So whatever decision you make, you must first consider the current and future needs of the business, your maturity level in ITIL v2, and weather a certification is a necessary component of your continued business operations. After this, a Best Practice Ecosystem can help you identify the next steps necessary to complete your vision.
Figure 5: The Manta Group’s IT Best Practice Ecosystem
