Incident Management Policy
ISO/IEC 20000 Toolkit Version 8 ©CertiKit
Incident Management Policy
Implementation Guidance (The header page and this section must be removed from final version of the document)
Purpose of this document This document sets out the organization’s policy with respect to incident management.
Areas of the standard addressed The following areas of the ISO/IEC 20000:2018 standard are addressed by this document: 8.6.1 Incident management
General Guidance This policy document may be used to set out the organization’s overall attitude to incident management and clarify the principles that should be followed. It is an opportunity to set incident management in the context of the business i.e. to emphasize the objective of minimizing business disruption. It may also help to define key policies to guide the incident management process, such as whether users must be contacted prior to incident closure and the approach to the re-opening of incident records.
Review Frequency We would recommend that this document is reviewed annually.
Toolkit Version Number ISO/IEC 20000 Toolkit Version 8 ©CertiKit.
Document Fields This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document): 1. Update the custom document property “Organization Name” by clicking File
Version 1
Page 1 of 9
[Insert date]
Incident Management Policy
> Info > Properties > Advanced Properties > Custom > Organization Name 2. Press Ctrl a on the keyboard to select all text in the document (or use Select, Select All on the ribbon) 3. Press F9 on the keyboard to update all fields 4. When prompted, choose the option to just update TOC page numbers If you wish to permanently convert the fields in this document to text i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly. Further detail on the above procedure can be found in the Toolkit Completion Instructions.
Copyright notice Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional
Version 1
Page 2 of 9
[Insert date]
Incident Management Policy
advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Version 1
Page 3 of 9
[Insert date]
Incident Management Policy
[Replace with your logo]
Incident Management Policy
Document Ref. Version: Dated: Document Author: Document Owner:
Version 1
Page 4 of 9
SMS-DOC-086-1 1 [Insert date]
[Insert date]
Incident Management Policy
Revision History Version Date
Revision Author
Summary of Changes
Distribution Name
Title
Approval Name
Version 1
Position
Signature
Page 5 of 9
Date
[Insert date]
Incident Management Policy
Contents 1
INTRODUCTION ....................................................................................................................................... 7 1.1 1.2 1.3 1.4 1.5
2
PURPOSE ................................................................................................................................................... 7 SCOPE ....................................................................................................................................................... 7 GOVERNANCE AND REVIEW ...................................................................................................................... 7 POLICY COMPLIANCE ................................................................................................................................ 8 RELATED DOCUMENTS.............................................................................................................................. 8
POLICY STATEMENTS ........................................................................................................................... 9
Version 1
Page 6 of 9
[Insert date]
Incident Management Policy
1 Introduction 1.1
Purpose
The purpose of this policy document is to set out the expectations and intentions of the management of [Organization Name] in the area of incident management. This policy will inform and shape the processes, procedures, organizational structure and resourcing that are applied in support of incident diagnosis and resolution. Incident management is one of the most visible parts of the provision of IT services and often the only one with which users will have regular contact. It is therefore essential that this process is guided by a clear policy which is based on user requirements. 1.2
Scope
The scope of this policy is defined according to the following parameters: • • • •
Organizational o [List organizations and parts of those organizations covered] Geographical o [List locations from which incidents will be reported and managed] Services o [Define the services covered by the policy] Technical o [If necessary, cover the technology that may give rise to incidents covered by this policy]
This policy covers all incidents recorded by [Service Provider] in support of the customers and users of services defined in the service catalogue. The following areas are specifically excluded from this policy: [Describe any areas that need to be clearly stated as outside the scope]
1.3
Governance and Review
This policy has been defined by the Chief Information Officer with input from stakeholders and approved by the IT Steering Group. It will be reviewed on an annual basis and any amendments will be ratified by the IT Steering Group prior to publication.
Version 1
Page 7 of 9
[Insert date]
Incident Management Policy
1.4
Policy Compliance
Whilst success against some aspects of this policy will depend upon the resources, systems and processes put in place by management, compliance with this policy is largely mandatory for all employees of [Organization Name]. Where appropriate and at management discretion, instances of non-compliance may be subject to formal disciplinary action in accordance with organizational HR procedures. 1.5
Related Documents
The following documents are relevant to this policy and should be read in conjunction with it: • •
Incident Management Process Major Incident Management Process
Version 1
Page 8 of 9
[Insert date]
Incident Management Policy
Policy Statements
2
[Organization Name] policy with respect to the management of incidents is as follows: •
Incidents will be managed such that the impact to the business is minimized
•
All incidents must be recorded within the incident management system provided for this purpose. This will allow accurate information to be produced about the performance of the incident management process, including the level of resourcing that must be applied
•
Incidents must be resolved within timeframes acceptable to the business and documented in the relevant service level agreement
•
All incidents will be stored and managed in a single management system
•
Incidents must be classified according to an agreed scheme which allows for the production of accurate and useful management information
•
All incidents must be prioritized according to their urgency and impact and incidents will be addressed in priority order
•
The user will be consulted before an incident record is closed to ensure that it has been dealt with to their satisfaction
•
The user must be informed if an incident is likely to exceed its resolution timescale as defined in the SLA
•
All updates to an incident must be recorded against the relevant incident record
•
Major incidents must be managed according to the specialized procedure created for that purpose
•
All incidents must be allocated a unique incident reference number
•
Incidents will not be re-opened once closed. A new incident will be created, linked to the previous record so that history information is available
Version 1
Page 9 of 9
[Insert date]