Service Management Plan
ISO/IEC 20000 Toolkit Version 6 ©CertiKit 2016
Service Management Plan
Implementation Guidance (The header page and this section must be removed from final version of the document)
Purpose of this document The Service Management Plan is a key part of the SMS and sets out the organisation’s intentions over the planning period.
Areas of the standard addressed The following areas of the ISO/IEC 20000:2011 standard are addressed by this document: 4.5 Establish and improve the SMS 4.5.2 Plan the SMS (Plan)
General Guidance The structure of the Service Management Plan is largely dictated by the standard although the contents may be split into several documents if desired. You will need to take the time to tailor this document so that it accurately represents what you believe will be achievable in the next 12 months (or whatever planning horizon you decide upon).
Review Frequency We would recommend that this document is reviewed annually.
Toolkit Version Number ISO/IEC 20000 Toolkit Version 6 ©CertiKit 2016.
Document Fields This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document): 1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name 2. Press Ctrl a on the keyboard to select all text in the document (or use Select,
Version 1
Page 1 of 17
[Insert date]
Service Management Plan
Select All on the ribbon) 3. Press F9 on the keyboard to update all fields 4. When prompted, choose the option to just update TOC page numbers If you wish to permanently convert the fields in this document to text i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly. Further detail on the above procedure can be found in the Toolkit Completion Instructions within the Project Resources folder.
Copyright notice Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a trading name of Public I.T. Limited, a company registered in England and Wales with company number 6432088 and registered office at 5 Falcons Rise, Belper, Derbyshire, DE56 0QN.
Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.
Disclaimer Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional
Version 1
Page 2 of 17
[Insert date]
Service Management Plan
advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Version 1
Page 3 of 17
[Insert date]
Service Management Plan
[Replace with your logo]
Service Management Plan
Document Ref. Version: Dated: Document Author: Document Owner:
Version 1
Page 4 of 17
SMS-DOC-045-1 1 [Insert date]
[Insert date]
Service Management Plan
Revision History Version Date
Revision Author
Summary of Changes
Distribution Name
Title
Approval Name
Version 1
Position
Signature
Page 5 of 17
Date
[Insert date]
Service Management Plan
Contents 1
INTRODUCTION ....................................................................................................................................... 7
2
SERVICE MANAGEMENT PLAN .......................................................................................................... 8 2.1 SCOPE OF SERVICE MANAGEMENT SYSTEM (SMS) .................................................................................. 8 2.2 SERVICE REQUIREMENTS .......................................................................................................................... 8 2.3 SERVICE MANAGEMENT OBJECTIVES........................................................................................................ 8 2.3.1 Quality ............................................................................................................................................ 8 2.3.2 Value ............................................................................................................................................... 9 2.3.3 Capability ....................................................................................................................................... 9 2.3.4 Cost ................................................................................................................................................. 9 2.3.5 Productivity and Resource Utilisation ............................................................................................ 9 2.3.6 Risk Reduction ................................................................................................................................ 9 2.4 GOVERNANCE OF PROCESSES OPERATED BY OTHER PARTIES ................................................................ 10 2.5 KNOWN LIMITATIONS ............................................................................................................................. 10 2.6 POLICIES, STANDARDS, STATUTORY AND REGULATORY REQUIREMENTS AND CONTRACTUAL OBLIGATIONS ................................................................................................................................................... 10 2.7 FRAMEWORK OF AUTHORITIES, ROLES AND RESPONSIBILITIES .............................................................. 11 2.8 NECESSARY RESOURCES TO ACHIEVE OBJECTIVES ................................................................................ 11 2.8.1 Human Resources ......................................................................................................................... 11 2.8.2 Technical Resources ..................................................................................................................... 11 2.8.3 Information Resources .................................................................................................................. 11 2.8.4 Financial Resources ..................................................................................................................... 11 2.9 APPROACH TO WORKING WITH OTHER PARTIES ..................................................................................... 11 2.10 INTERFACES BETWEEN SERVICE MANAGEMENT PROCESSES ............................................................. 12 2.11 RISKS TO THE ACHIEVEMENT OF OBJECTIVES .................................................................................... 14 2.11.1 Approach to Management of Risks .......................................................................................... 14 2.11.2 Risk Acceptance Criteria ......................................................................................................... 15 2.12 TECHNOLOGY USED TO SUPPORT THE SMS ....................................................................................... 17 2.13 SMS IMPROVEMENT........................................................................................................................... 17
List of Figures FIGURE 1 - RISK CLASSIFICATION MATRIX ................................................................................................................ 15
List of Tables TABLE 1 - SERVICE QUALITY INDICATORS ................................................................................................................... 8 TABLE 2 - PROCESSES OPERATED BY OTHER PARTIES ................................................................................................ 10 TABLE 3 - RISKS TO THE ACHIEVEMENT OF OBJECTIVES ............................................................................................ 16
Version 1
Page 6 of 17
[Insert date]
Service Management Plan
1 Introduction The effective management of service has always been a priority for the [Service Provider], knowing as it does the high degree of reliance that [Organization Name] delivery functions place upon IT systems. However, there is still much to be gained by [Organization Name] and by [Service Provider] in introducing industry-standard good practice processes, not the least of which is the ability to become more proactive in our approach to IT service management and to gain and maintain a better understanding of our Customers’ needs and plans. This document represents a design for the enhancement of existing IT Service Management processes and will be further updated on at least an annual basis thereafter as [Organization Name] and its IT Service Management needs develop. The International Standard for IT Service Management, ISO/IEC 20000, was announced by the ISO and IEC in 2005 and updated in 2011. The processes and procedures required by ISO/IEC 20000 are heavily based on the best practice contained in the IT Infrastructure Library (ITIL) which has expanded significantly from its early days as central government guidance into an internationally recognised best practice specification. [Organization Name] has started on the road to adoption of ITIL and has completed staff training to Foundation qualification level. As part of this process it has decided to pursue full certification to ISO/IEC 20000 in order that the effective adoption of ITIL may be validated by an external third party.
Version 1
Page 7 of 17
[Insert date]
Service Management Plan
2 Service Management Plan 2.1
Scope of Service Management System (SMS)
For the purposes of ISO/IEC 20000 certification within [Organization Name], the boundaries of the managed service are defined as follows: “[All] IT services provided by [Service Provider] to [all] business units within [Organization Name] at [all] locations� Details of the IT services provided can be found within [Service Provider] Service Catalogue and a list of business units/stakeholders within the Business Relationship Management Plan.
2.2
Service Requirements
Customer requirements for IT services are documented separately by customer and by each of the services within the Service Catalogue. These requirements are reviewed at least annually and upon major changes to the business or IT services provided via the Design and Transition of New or Changed Services process.
2.3
Service Management Objectives
In discussion with customers and based upon their documented requirements, [Service Provider] has agreed targets for the continual improvement of the IT service in the following areas. 2.3.1
Quality
The main indicators of service quality that are detailed in the SLA are set out below with a schedule for continuous improvement. Service Level System Availability Incident management
Information Security
Description Percentage availability of key systems Percentage of low priority incidents resolved within 3 days Number of major incidents per month Number of security incidents per month
Last Year 98.5%
This Year 99.0%
80%
85%
3
2
5
3
Table 1 - Service quality indicators
Version 1
Page 8 of 17
[Insert date]
Service Management Plan
Success against these targets will be monitored as part of the ongoing service reporting cycle. 2.3.2
Value
Objectives concerned with value aim to increase the benefit that the business derives from the IT services provided. [Set out ways in which you will either improve the performance benefit the business gets from IT services or how you will remove constraints that prevent the business from gaining maximum benefit. For example making applications available from home or on mobile devices enhances the performance of the user and removes a geographical constraint.] 2.3.3
Capability
The following objectives are designed to increase the capabilities inherent in [Service Provider] and its staff. 2.3.4
Increase ITIL training by 50% Increase the percentage of procedures that are documented to 85% Cost
[Service Provider]’s objectives with regard to the cost of the IT services provided are as follows: [Set out this year’s targets with regard to IT cost, perhaps broken down by service, including anticipated savings if appropriate]. 2.3.5
Productivity and Resource Utilisation
[Summarise targets for resource utilisation, possibly based on numbers of IT staff, productivity measures (e.g. number of incidents resolved per person per day) or on ratios of IT staff to users etc.] 2.3.6
Risk Reduction
[Describe what you aim to achieve in reducing the risk to the business of IT services not being available, or not secure enough, or lacking performance etc.]
Version 1
Page 9 of 17
[Insert date]
Service Management Plan
2.4
Governance of Processes Operated by Other Parties
The following processes or parts of processes are operated by third parties, either internal or external. The document(s) referenced gives details of how the governance of the process is demonstrated in accordance with the Service Management Policy. Process
Third Party
Internal/ External External
Incident ABC Help Desks Management Release and [Organisation Internal Deployment Name] XYZ Management Department
Document Reference X: ABC Contract.doc X: XYZ OLA.doc
Table 2 - Processes operated by other parties
2.5
Known Limitations
The following limitations are expected to have an impact on the Service Management System this year: [There may be various constraints that limit what is achievable this year within IT service management e.g. limited budget, re-organisation or policy decisions. State what these are and what their impact may be]
2.6
Policies, Standards, Statutory and Regulatory Requirements and Contractual Obligations
This service management plan must comply with the following policies, standards and external requirements:
The ISO/IEC 20000 international standard for IT service management The contractual obligation to source all hardware from ABC company Compliance with the Payment Card Industry Data Security Standard The Data Protection Act The Freedom of Information Act Etc.
Version 1
Page 10 of 17
[Insert date]
Service Management Plan
2.7
Framework of Authorities, Roles and Responsibilities
The roles and responsibilities relating to the management of the Service Management System are defined in a separate document, Service Management Roles, Responsibilities and Authorities.
2.8
Necessary Resources to Achieve Objectives
In order to achieve the objectives set out in this service management plan, the following resources will be required. 2.8.1
Human Resources
[Set out the current IT staff structure and state any additional resources that may be required e.g. contractors or secondments] 2.8.2
Technical Resources
[What hardware and software will be needed to meet your objectives e.g. new service desk system, event monitoring software] 2.8.3
Information Resources
[State what additional information you will need e.g. new reports from existing systems, access to external sources such as subscriptions to organisations like the itSMF] 2.8.4
Financial Resources
[What additional budget, if any, will you need to meet your objectives? When is it required and is it capital or revenue?]
2.9
Approach to Working with Other Parties
[Organization Name] [Service Provider]will work closely with other parties involved in the design and transition of new or changed services in order to ensure that quality standards are maintained. [Set out how you intend to work with suppliers in the context introducing new systems including how your service management processes will interface with them e.g. for change management and Release and Deployment management]
Version 1
Page 11 of 17
[Insert date]
Service Management Plan
2.10 Interfaces Between Service Management Processes The processes of Service Management are closely related to each other, with outputs from one being inputs to another. There is no overall process model in existence as part of Good Practice, but the following sections give an indication of the ways in which the processes interact within [Service Provider]. Service Desk Function The Service Desk acts as the focal point for a number of processes, particularly Incident and Request, Problem, Change and Configuration Management. The Service Desk system supports these processes. Incident Management Multiple incidents logged at the Service Desk may result in a Problem being raised. The Incident Management function will use information from Change and Configuration Management to assess and resolve incidents, and such resolution may require a change to be implemented via Change Management. Problem Management Problems are largely raised from incidents and may also have a significant relationship with Availability Management in identifying the root cause of a lack of system availability. Change Management The Change Management function relies upon the data in the Configuration Management Database to assess the impact of changes, just as Configuration Management relies upon Change Management to keep its records up to date. Change Management also has a strong link to Release and Deployment Management and will need to liaise with the Service Desk to keep its staff aware of changes that may impact service. Configuration Management Configuration Management underpins many of the other processes including Incident, Problem, Change, Capacity and Availability Management by providing accurate information about installed hardware, software and documentation. Supplier Management Efficient management of suppliers is vital for effective Service Level Management and the achievement of SLA targets. It is also important to Budgeting and Accounting in providing information to allow accurate budgeting. Various other processes provide input to Supplier Management, including Incident, Problem, Change and Configuration Management.
Version 1
Page 12 of 17
[Insert date]
Service Management Plan
Service Level Management & Reporting Defining and achieving service levels relies heavily upon many of the other processes, particularly Capacity, Availability, Problem and Incident Management. Business Relationship Management This process requires accurate information from Service Level Management and Reporting and many of the other processes contribute to encouraging a good relationship with the business. Budgeting and Accounting for IT Services The Capacity Planning process provides information regarding upcoming upgrades to Budgeting and Accounting and an interface with Service Level Management allows the cost implications of different Service Levels to be explored. Service Management Planning Service Management Planning covers all of the processes of Service Management and benefits from feedback from each of them via the Service Improvement process. Release and Deployment Management Release and Deployment Management has a strong interface with Configuration and Change Management as it uses and updates configuration data and makes use of the Change Management process to achieve its aims. Capacity Management This process has inputs from Service Level Management and Configuration Management amongst others and provides information to Budgeting and Accounting and Change Management. Service Continuity and Availability Management Availability Management has an interface with both Incident and Problem Management as sources of issues and to Service Level Management for the setting of objectives and reporting against them. The Service Continuity Plan must be kept up to date and this is achieved via the Change Management process. Many of the other processes provide input to the Plan such as Capacity, Availability and Budgeting and Accounting. Design and Transition of new or changed services This process links in with Change Management in that it provides a co-ordination function into which individual changes fit. It also ensures that issues to do with the support of a new or changed service are addressed, including Capacity, Availability, Incident and Problem Management.
Version 1
Page 13 of 17
[Insert date]
Service Management Plan
Human Resources This process ensures that the skills to deliver all of the other processes are in place and so underpins the process model in general. Information Security Management Security will be considered as part of a new or changed service and when assessing changes. Security requirements will also be reflected in SLAs.
2.11 Risks to the Achievement of Objectives Risk is the happening of an unwanted event, or the non-happening of a wanted event, which affects a business in an adverse way. Risk is realised when:
the objectives of the business are not achieved the assets of the business are not safeguarded from loss there is non-compliance with organisation policies and procedures or external legislation and regulation the resources of the business are not utilised in an efficient and effective manner the confidentiality, integrity and availability of information is not reliable
2.11.1 Approach to Management of Risks
To assess the risk and determine the treatment, [Organization Name] will examine the threat, the probability that the risk will take place and the impact of that threat. A 5-point scale will be used to describe the probability of a risk taking place and to describe the impact that it is likely to have. The 5-point scale for the risk, ranges from 1=improbable to 5=almost certain; the 5-point scale for the impact, ranges from 1=negligible to 5=very high. The risk matrix allows us to prioritise our risks so that they can be managed more effectively. The risk classification used will be the score obtained from multiplying the probability that the risk will occur and the impact it is likely to have. The risk and the impact scale range from 1 to 5, so the minimum score will be 1 and the maximum score will be 25.
Version 1
Page 14 of 17
[Insert date]
Service Management Plan
RISK SCORE 5 HIGH 4
Risk Likelihood
MEDIUM
3
2 LOW 1
1
2
3
4
5
Risk Impact
Figure 1 - Risk classification matrix
2.11.2 Risk Acceptance Criteria
The risk matrix in Figure 1 shows the classifications of risk, where green indicates an acceptable threshold of risk as the risk is minimal or/and the impact is minimal. The yellow indicates that the risk threshold is medium as the risk is larger as is the impact; so containing those risks is more important than addressing those in the green. The red area indicates the risks that are of the highest priority as both the impact and the risk are relatively high, so measures to contain them must be of the highest priority and countermeasures must be in place for these risks. The overall intention of the risk assessment and proposed treatments is to reduce the classification of the risks by at least one level e.g. HIGH down to MEDIUM or MEDIUM down to LOW. This is not always possible as sometimes although the score is reduced, it remains in the same classification e.g. reducing the score from 8 to 6 means it still remains a MEDIUM level risk. The organisation may decide to accept these risks even though they remain at a MEDIUM rating. The priorities of the items in the Service Improvement Plan are determined by the highest priority of the risk assessment items addressed e.g. if 3 items are addressed by a single action and one is MEDIUM and two LOW, then the priority of the action will be MEDIUM.
Version 1
Page 15 of 17
[Insert date]
Service Management Plan
The following risks have been identified to the plans to achieve the service management objectives set out in this document. These will be managed and updated as the project progresses. Ref.
Risk
1.
Resources may not be available to take on the proactive elements of ISO/IEC 20000 that are not currently being carried out. Timescales to implement the service improvements necessary to achieve ISO/IEC 20000 may not be long enough given the degree of change and show sufficient track record for the audit IT staff fail to adopt the new processes – changes not logged, problems not identified etc. IT management are not sufficiently involved in the creation of the new quality system to carry it forward once certification gained
2.
3.
4.
Likelihood Impact
Score Classification
Treatment
Table 3 - Risks to the achievement of objectives
Version 1
Page 16 of 17
[Insert date]
Service Management Plan
2.12 Technology Used to Support the SMS The Service Management System relies upon a number of key technologies in order to manage documentation, keep records and measure and report on the services delivered. These technologies are:
Service desk system Asset discovery tool Document management system/ filing system Network monitoring/event management system SQL Reporting tool Etc.
2.13 SMS Improvement The effectiveness of the SMS will be measured via key metrics for each of the processes involved. These metrics will be based as far as possible on customer requirements and will be compiled and reviewed on a quarterly basis. The reports produced are defined in the Service Reporting Policy. The SMS will be subject to internal audits against ISO/IEC 20000 with the intention of identifying any non-conformities prior to the annual external surveillance audits. These internal audits are set out in the Procedure for Service Management Audits. Improvements to the SMS will be identified and managed via the process documented in the Procedure for Continual Service Improvement.
Version 1
Page 17 of 17
[Insert date]