Information technology - Service management - Part 2: Guidance on the application of service management systems (ISO/IEC 20000-2:2019, identical + ISO/IEC 20000-2:2019/Amd 1:2020, identical)

2Scope / Description

1.1 Scope This document provides guidance for implementing a Service Management System (SMS) based on ISO/IEC 20000-1. It includes examples and recommendations to help organizations interpret and apply ISO/IEC 20000-1, including references to other parts of the ISO/IEC 20000 series and other relevant standards. Figure 1 illustrates an SMS whose contents correspond to the chapters of ISO/IEC 20000-1; it does not represent a hierarchical structure, sequence, or levels of authority. Figure 1 — Service Management System The chapter structure is designed to present requirements coherently; it is not intended as a model for documenting an organization's policies, objectives, and processes. Each organization may determine how to integrate requirements into its processes. The relationship between the organization and its customers, users, and other interested parties influences how processes are implemented. However, the organization's planned SMS cannot exclude any requirement defined in ISO/IEC 20000-1. In this document, the term "service" refers to services within the scope of the SMS. The term "organization" refers to the organization within the scope of the SMS. The organization within scope may be part of a larger entity, such as the IT department of a large enterprise. The organization manages and provides services to customers and may also be referred to as the service provider. This document clearly distinguishes the use of "service" or "organization" for other purposes. The term "provided," as used in this document, may be interpreted as all service lifecycle activities performed in addition to routine operational activities. Service lifecycle activities include planning, design, transition, delivery, and improvement. 1.1 Application The guidance in this document is general and intended for application by any organization implementing an SMS, irrespective of the organization's type or size or the nature of the services provided. Although this document can be applied regardless of an organization's type, size, or the nature of its services, ISO/IEC 20000-1 has its roots in IT. It is intended for managing services using technology and digital information. Examples in this document illustrate different ways of applying ISO/IEC 20000-1. The service provider is responsible for the SMS and therefore cannot require another party to fulfill the Chapter 4 and Chapter 5 requirements of ISO/IEC 20000-1:2018. For example, an organization cannot require another party to provide top management and demonstrate top management commitment, nor to demonstrate oversight of parties involved in the service lifecycle. Some activities described in Chapters 4 and 5 of ISO/IEC 20000-1:2018 may be performed by another party under the organization's management. For instance, an organization may ask another party to develop, as a key SMS document, an initial service management plan. Once the plan is developed and agreed upon, the organization is responsible for it and maintains it. In such examples, the organization engages other parties to carry out specific short-term activities. The organization retains responsibility, rights, and obligations regarding the SMS. Consequently, the organization can demonstrate compliance with all Chapter 4 and Chapter 5 requirements of ISO/IEC 20000-1:2018. For Chapters 6 to 10 of ISO/IEC 20000-1:2018, the organization may demonstrate compliance by fulfilling all requirements itself. Alternatively, the organization may demonstrate that it is responsible for compliance when other parties are involved in meeting the Chapter 6 to 10 requirements. The organization can demonstrate oversight of other service lifecycle parties (see Section 8.2.3). For example, the organization may demonstrate the existence of measures for a party that provides infrastructure components or operates a data center, including the incident management process. An organization cannot demonstrate compliance with ISO/IEC 20000-1 requirements if all services, service components, or processes within the scope of the SMS are provided or maintained by other parties. However, if other parties provide or maintain only some services, service components, or processes, the organization can usually demonstrate compliance with ISO/IEC 20000-1 requirements. The scope of this document does not include specifications for products or tools. Nevertheless, ISO/IEC 20000-1 and this document may be used to develop or procure products or tools that support SMS operation. 1.2 Structure This document follows the chapters of ISO/IEC 20000-1 and, starting from Chapter 4, presents each chapter or section in three parts: a) Required activities: a summary of the activities required in this section of ISO/IEC 20000-1. Note that this summary does not repeat the requirements of ISO/IEC 20000-1 nor add new requirements; it simply describes the activities. b) Explanation: an explanation of the purpose of the section and practical guidance on its content, including examples and recommendations for applying the requirements of ISO/IEC 20000-1. Where appropriate, references are made to other parts of the ISO/IEC 20000 series and to other relevant standards. c) Additional information: guidance on roles and responsibilities and on documented information supporting SMS operation. Additional relevant information may also be included here.