Sunday, September 20, 2009

ISO20K: Alice in Service Management Wonderland

Alice in Service Management Wonderland
Frameworks, methods and standards: complementing or competing each other?

‘Would you tell me, please, which way I ought to go from here?’
‘That depends a good deal on where you want to get to,’ said the Cat.
‘I don’t much care where—’ said Alice.
‘Then it doesn’t matter which way you go,’ said the Cat.
‘—so long as I get somewhere,’ Alice added as an explanation.
‘Oh, you’re sure to do that,’ said the Cat, ‘if you only walk long enough.’


We’re doing ITIL… we’re doing CobiT… we’re doing Balanced Scorecard… we’re doing CMMI… we’re doing MOF… we’re doing 6 Sigma… we’re doing T-MAP, we’re doing every single framework and method that’s available out there, but we’re still not sure whether or not we’re doing the right thing!


As a Service Management trainer and consultant it’s amazing and sometimes almost eerie when you come across yet another organization that seems to do and have it all and still doesn’t seem to get it quite right.

Spending bucket loads of money and wearing out dozens of highly capable and initially motivated staff many organizations seem to be (or feel) totally lost in a maze of promising-the-world frameworks and we-know-it-all-better methods. What all these organizations, maybe even including your own organization, have in common is that they’re all desperately, and often with valid and good intentions, trying to:

  • increase the quality of their IT Services;

  • decrease, or at least manage, the costs of providing their IT Services; and

  • align their IT organization with the rapidly changing business requirements.


Because most of us are facing or are already dealing with increased global competition, rapidly changing customer demands and expectations, shortening product and service lifecycles, ever increasing complexity of IT Infrastructures, and truckloads of data waiting to be translated into useful information and ultimately organizational wisdom.

As the author I probably feel as much confused as you do! What’s the optimal path (most efficient and most effective) forward? Is ITIL version 3 the answer, or should we stick with ITIL version 2? What about this MOF thing? Surely many of you are running a large percentage of their nodes on the wIntel platform, and the Microsoft Operations Framework may just be what you need, but then again there’s also ISACA’s CobiT. By the time I’ve finished this article someone in the world has probably come up with yet another framework or method.

I don’t claim having the ultimate answer, but I do think it’s time for a complete and total mind shift where organizations move from focusing on Service Management frameworks and methods to focusing on Service Management standards. ISO/IEC 20000 has been locked up in the cupboard for way too long and hasn’t as yet received the credit is deserves. Let’s have a tea party with ISO/IEC 20000 and ask Alice to come along.

This article’s intention is to give you an overview of where ISO/IEC 20000 positions itself and how it interacts with the various existing frameworks and methods, more specifically how it interacts with the ITIL framework. I could have chosen any other framework, but feel more comfortable with ITIL as I was spoon fed and grew up with ITIL from the day I could walk and talk.

In this article we’ll take a closer look at the current dilemma facing most, if not all, organizations. You’ll be provided with a succinct description of ISO/IEC 20000, and we’ll discuss training and literature as well as the certification and accreditation that are inherent to the standard. We’ll examine the costs, benefits and risks and also take a brave and daring step into the not too distant future. Where possible we’ll compare the standard with ITIL v3 and leave it up to you the reader to compare when applicable to other frameworks and methods.


Having a bit of a marketing background, I’ve been taught to show you pain and then give you pleasure. So where’s the pain? The pain lies in organizations investing enormous amounts of valuable dollars in a plethora of frameworks, methods and training, without achieving the reward that’s telling them: “you’re on track – for now”. Yes, I had to add “for now” as nothing is static in glamorous business world, and complacency often kicks in before you’ve even said your ABC.

So, you think you’re doing ITIL (it’s a bit like: “So, you think you can Dance”)? Far worse even; some organizations think they’re ITIL compliant. There’s no such thing as being ITIL compliant! You cannot be compliant with a highly flexible and dynamic framework – maybe in fairytales, but surely not in the real and highly complex world. ITIL doesn’t mandate anything. You can do with it whatever you want, and still call yourself an ITIL-ised or ITIL-based organization.

So, what’s the answer? Do you care where you’re going? Do you care whether or not you’re doing the right things and things right? If you care, then surely something should tell you exactly what to do! And that my dear reader is exactly what the ISO/IEC 20000 standard is all about. It doesn’t give you should/s, but is gives you shall/s. It provides you clear answers and to-the-point direction, whereas most (not all) frameworks and methods are wishy-washy, woolly, fluffy and directionless. Tell me what to do, and stop beating around the bush. Give me the standard, and give it to me now!


The ISO/IEC 20000 standard has been around since December 2005, and has recently (February 2007) been adopted by Standards Australia as the Australian National Standard for IT Service Management. The ISO/IEC 20000 standard (by many referred to as ISO20K) is a result of ISO (International Organization for Standardization) and IEC (International Electro-technical Commission) working together in a joint technical committee (JTC). Leveraging of BS15000 as an existing British Standard ISO20K was fast tracked into an International Standard for IT Service Management.

The standard consists of the following two key parts:

  1. Part 1 – Specification: The specification outlines those aspects of IT Service Management that an organization must comply with in order to withstand the all-seeing eye of the external auditors.

  2. Part 2 - Code of practice: The code of practice provides guidance and recommendations on how to meet the requirements as set by the specification.

Any organization, public, private, not-for-profit, can use ISO/IEC 20000 to design, develop, implement, maintain and improve a quality IT Service Management environment, and if it wishes to do so, pursue full accreditation as ultimate proof to its customers and own staff showing that the IT Service Management organization is on track, and is committed to stay on track.

ISO/IEC 20000 is not about accreditation, it’s about committing your organization and yourself to a mind-set and destiny called “managing quality”.


When comparing ISO20K to some other ITSM frameworks and methods, it seems relatively young, nevertheless there’s strong evidence in the form of ever growing support, training and literature that it’s here to stay, and that one day it may even push ITIL from its favorite number-one spot.

As it currently stands training is (made) available on three levels:

  1. Foundation Level: This training is geared towards giving you the ISO/20K language, concepts and bare bones. Remember: “Stronger foundations carry heavier loads”.

  2. Professional Level: Training on this level focuses on (five) specific parts of the standard including support, delivery, management, alignment and control of IT Services. The professional training provides each specific team with the capabilities of making the organization ready to be ultimately assessed against the standard (if and when required).

  3. Consultant/Manager, Auditor Level: At the highest level there’s an opportunity to specialize as manager/consultant or auditor. It may be evident that there’s a bit of a conflict of interest between these two main streams, as consultants should not be auditing themselves, and auditors should not give advice but merely gauge the status quo against a set standard.

Remember that ISO/20K is not necessarily about becoming accredited – it’s about committing to quality, in body and soul, when it comes to delivering IT Services.


As the ISO20K specification and code of practice outline to a large extend what needs to be done rather than how to do it, a purpose written set of publications, very similar to IT Infrastructure Library (ITIL), is made available through the British Standards Institute. A number of these publications (see below) are also used as part of the above mentioned ISO/IEC 20000 training modules.

The following publications are part of the “Achieving ISO/IEC 20000” series:

  • Management, decisions and documentation (BIP 0030)

  • Why People Matter (BIP 0031)

  • Making Metrics Work (BIP 0032)

  • Managing end-to-end service (BIP 0033)

  • Finance for service managers (BIP 0034)

  • Enabling Change (BIP 0035)

  • Keeping the service going (BIP 0036)

  • Capacity Management (BIP 0037)

  • Integrated Service Management (BIP 0038)

  • The differences between BS15K and ISO/IEC20K (BIP 0039)

Rest assured that any framework, any method, and any set of publications can be used, as long as the right bits and pieces are carefully selected that align with the ISO20K standard. The “Achieving ISO/IEC 20000” series makes this selection process just a wee bit easier.


Although not necessarily 100% accurate - as always “It Depends” which dictionary you use - I would like to make a distinction between certification and accreditation.

Certification: To supply an individual with credentials or authority.

This means that as an individual level you can get certified against the various ISO/IEC 20000 training levels. The certification stays with you, wherever you decide to go. Your organization may not be ISO/IEC 20000 accredited as such, but you are still recognized as for example a certified ISO20K Service Delivery professional.

Accreditation: To supply an organization, or part thereof, with credentials or authority.

This means that the organization, or part thereof, can get accredited against the ISO/IEC 20000 standard. The accreditation is not bound to any individual, but the organization, or part thereof.

What part of the organization becomes accredited depends on the scope of the assessment exercise.

Having both certified ISO20K staff and your ISO20K certificate framed on the wall (being ISO/IEC 20000 accredited) means you’re recognized a champion in the arena of quality management leaving the other players (for many of you read “competition”) struggling and desperately trying to keep up.


There are few things that come for free in this world, and ISO/IEC 20000K surely isn’t one of them. Fortunately it’s not only about spending money, but often saving even more, sometimes even your very existence. What do you prefer? A well managed Change Management process with properly kept change records, or delivering services that don’t work and ending up with frustrated and turning-your-back-on-you customers? The choice is yours my friends.

So, what are the costs? Here’s a comprehensive overview of some of the cost items you’ll be facing:

  • Consultants (could be done by internal staff):

    • Pre self-assessment or assessment performed by a recognized consultancy organization (what gaps need fixing?)

    • Changes (read improvements) to made based on identified gaps using ISO20K as benchmark

    • Post self-assessment or assessment performed by a recognized consultancy organization (are the gaps fixed?)

  • Auditors (cannot be done by internal staff, unless accreditation is not the aim of the game):

    • Pre-assessment (scoping the assessment, team composition, etc.)

    • Initial assessment (the official assessment by the auditors)

    • Surveillance (initially 6-12 months after granting accreditation, hereafter annually)

    • Re-assessment (six months before accreditation expires)

    • Scope extension (if required)

  • Miscellaneous:

    • Publications and supporting tools

    • Roles and staff needed

    • Accommodation for new staff

    • Training at the various levels

For the purpose of this article it’s really difficult to put a hard dollar value against the above mentioned list, as many factors, such as scope of the assessment (e.g. business units/geography covered) will influence the overall price tag.

Value proposition/benefits

Okay, so you’ve just been presented a comprehensive list of some of the cost items you’ll be facing when jumping on the ISO20K band wagon. On purpose I didn’t paint a world that can be admired through pink glasses only, but hopefully a more realistic one. Investing in quality costs money, but the following benefits, directly derived from ISO20K, should outweigh the costs and the risks.

  • Competitive advantage

  • Clear goals and targets to aim for

  • Improved internal and external relationships

  • Increased confidence by staff and customers

  • Frequent feedback on the state of quality provided

  • Instigates a change in mindset

  • Professionalizes culture

  • Consistency of service delivery

  • Focus-shift from reactive to proactive

  • Improved communication and reporting

  • Improved knowledge management

  • Independent assessment of your quality

  • Marketing opportunities

  • Reduced confusion on whether or not we’re doing the right thing

  • Clear and concise training and career opportunities

  • Focus-shift from technology to business drivers and enablers

  • Clear view on IT’s maturity and ability to perform well

  • Independence from other frameworks and methods

ISO/IEC 20000 is a true means, and at the time of writing this article probably the only means, of becoming completely frameworks and methods independent. Bygone are the days of proprietary process maturity assessments and to some degree also proprietary technology maturity assessments. Please realize that ISO20K can be used as a guideline to assess technology’s capabilities, but cannot be used to accredit the technology (read products). As such products cannot earn the status of being ISO20K compliant, but maybe some could be called ISO20K compatible.


The single biggest challenge often experienced by organizations implementing ITIL (or other frameworks) is the culture, and I guess this will be the same for organizations embracing ISO/IEC 20000, but to a lesser extent. I can almost hear you think: “Why to a lesser extent?” Frequent and substantial audits, especially linked to the official ISO/IEC 20000 accreditation leave no escape gates open, and no pages unturned. It’s often the lack of clear visibility of what should happen and what does happen in reality that creates a vacuum where non-conformities are allowed to breed and multiply. ISO/IEC 20000 is BIG BROTHER and the ever-watchful eye of Sauron - like it or not – it’s something we all need at times.

Some other problems you may well have to face are:

  • No sense nor urgency felt to jump on the ISO20K band wagon

  • Scope too wide or too narrow

  • Insufficient funding

  • No long-term commitment or involvement from senior management

  • No proper supporting products

  • Unclear how other standards (e.g. ISO9000) complement ISO/IEC 20000

  • Lack of vision, strategy and/or planning

  • Lack of ISO20K skills, knowledge and champions


The Caterpillar was the first to speak.
‘What size do you want to be?” it asked.
‘Oh, I’m not particular as to size,’ Alice hastily replied; ‘only one doesn’t like changing too often, you know.’
‘I don’t know,’ said the Caterpillar.

The future is change and change is the future. Is there a time in the future where all frameworks, methods and standards converge in a grand unifying service management theory? I sincerely hope so, but it may take another couple of decades before we finally get there. Until then playing it safe and becoming compliant to the International IT Service Management standard ISO/IEC 20000 doesn’t seem an illogical or wasted step into a future that will most definitely be filled with increased pressure on governance, compliance and standards.


However, when they had been running half an hour or so, and were quite dry again, the Dodo suddenly called out ‘The race is over!’, and they all crowded round it, panting, and asking ‘But who has won?’
This question the Dodo could not answer without a great deal of thought, and it stood for a long time with one finger pressed upon his forehead (the position in which you usually see Shakespeare, in pictures of him), while the rest waited in silence. At last the Dodo said ‘Everybody has won and all must have prizes.’

It’s not about ITIL being better than ISO20K, or CobiT whacking MOF around the ears. The message is making practical and optimal use of common sense and proven good, better and best practices. Depending on whether you’re able to work with a highly flexible framework or you need answers right here and right now, one solution may suit your organization better than others. The standard gives you clarity (what to do); the frameworks and methods provide you with substance (how to do it).

Personally I believe that there’s a very bright future for the ISO/IEC 20000 international standard for IT Service Management, and ignoring it and not joining the Queen-of-Hearts race could well put you behind the eight ball and cause irreversible or long term damage.

Frameworks, methods and standards are not the divine destination; it’s all the experiences you encounter on your journey implementing and using them that shape and form you as an individual or organization. Look back – take a lessons learned – and move forward.

Live long and prosper

Nanoo... Nanoo...


No comments:

Post a Comment