About the ITSM Library The publications in the ITSM Library cover best practice in IT management and are published on behalf of itSMF International. The IT Service Management Forum (itSMF) is the association for IT service organizations, and for customers of IT services. itSMF’s goal is to promote innovation and support of IT management; suppliers and customers are equally represented within the itSMF. The Forum’s main focus is exchange of peer knowledge and experience. Our authors are global experts. The following publications are, or soon will be, available. Introduction, Foundations and Practitioners books • Foundations of IT Service Management based on ITIL® [V2] (Arabic, Chinese, German, English, French, Italian, Japanese, Korean, Dutch, Brazilian Portuguese, and Russian; Danish and Spanish) • Foundations of IT Service Management based on ITIL® (V3, English, Dutch; translations in Japanese, German, French, Spanish to be published end of 2007 / early 2008) • IT Service Management – An Introduction (NOTE: V2, being replaced by V3, only a few languages left) • IT Service Management – An Introduction (V3, English, Dutch; translations in Japanese, German, French, Spanish to be published end of 2007 / early 2008) • IT Services Procurement based on ISPL – An Introduction (Dutch) • Project Management based on PRINCE2™ 2005 Edition (Dutch, English, German) • Release & Control for IT Service Management, based on ITIL® – A Practitioner Guide (English) IT Service Management – best practices • IT Service Management – best practices, part 1 (Dutch) • IT Service Management – best practices, part 2 (Dutch) • IT Service Management – best practices, part 3 (Dutch) • IT Service Management – best practices, part 4 (Dutch) Topics & Management instruments • Metrics for IT Service Management (English) • Six Sigma for IT Management (English) • The RfP for IT Outsourcing – A Management Guide (Dutch) • Service Agreements – A Management Guide (English) • Frameworks for IT Management (English, German, Japanese) • IT Governance based on CobiT® – A Management Guide (English, German) Pocket guides • ISO/IEC 20000 – A Pocket Guide (English, German, Japanese, Italian, Spanish, formerly BS 15000 – A Pocket Guide) • IT Services Procurement based on ISPL – A Pocket Guide (English) • IT Service CMM – A Pocket Guide (English) • IT Service Management – A summary based on ITIL® (V2, Dutch) • IT Service Management – A Pocket Guide (v3, English, Dutch; translations in Japanese, German, French, Spanish to be published end of 2007 / early 2008) • IT Service Management based on ITIL – A Pocket Guide (V3, English, Dutch; translations in Japanese, German, French, Spanish to be published end of 2007 / early 2008) • IT Service Management from Hell!! (V2, English) • IT Service Management from Hell. Based on Not – ITIL (V3, English) • Six Sigma for IT Management – A Pocket Guide (English) • Frameworks for IT Management – A Pocket Guide (English, Dutch) For any further enquiries about ITSM Library, please visit www.itsmfbooks.com, http://en.itsmportal.net/en/books/itsm_library or www.vanharen.net. IT Service Management An Introduction A publication of itSMF International IV Colophon Title: IT Service Management – An Introduction Authors: Jan van Bon (chief editor ITSM Library for itSMF International) Arjen de Jong (co-author, Inform-IT) Axel Kolthof (co-author, Inform-IT) Mike Pieper (co-author, Inform-IT) Eric Rozemeijer (co-author, Quint Wellington Redwood) Ruby Tjassing (co-author, Inform-IT) Annelies van der Veen (co-author, Inform-IT) Tieneke Verheijen (co-author, Inform-IT) Copy editor Jayne Wilkinson Publisher: Van Haren Publishing, Zaltbommel, www.vanharen.net Design & layout CO2 Premedia bv, Amersfoort - NL ISBN: 978 90 8753 051 8 Edition: First edition, first impression, September 2007 © Crown copyright. Published under license from the Controller of Her Majesty’s Stationery Office. ITIL Glossaries/Acronyms © Crown Copyright Office of Government Commerce. Reproduced with the permission of the Controller of HMSO and the Office of Government Commerce. ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office”. ©itSMF-International 2007 All rights reserved. No part of this publication may be reproduced in any form by print, photo print, microfilm or any other means without written permission by the publisher. Although this publication has been composed with much care, neither author, nor editor, nor publisher can accept any liability for damage caused by possible errors and/or incompleteness in this publication. TRADEMARK NOTICES ITIL® and PRINCE2™ are Registered Trade Marks and Registered Community Trade Marks of the Office of Government Commerce, and are Registered in the U.S. Patent and Trademark Office. CobiT® is a registered trademark of the Information Systems Audit and Control Association (ISACA)/IT Governance Institute (ITGI). The PMBoK® is a registered trademark of the Project Management Institute (PMI). Foreword It is with great pride that I present this completely redesigned version of “IT Service Management – An Introduction”. This book marks a milestone in the development of ITSM thinking. The first edition of this introduction to IT Service Management was written in the late nineties of the last century. In the mean time a lot has changed, not only in terms of technology aspects of IT, but especially in the management thereof. Outsourcing has become a commodity, and the business has developed a serious interest in the creation and support of customer-focused information services. The most familiar industry standard, ITIL®, was completely rewritten and now supports a much higher and more mature view on the development and delivery of IT services. But other frameworks have emerged as well, and provide valuable contributions to the required end-to-end perspective on the information support for the business. And last but not least, we finally have an internationally accepted standard for ITSM: ISO/IEC 20000. All these changes have provided valuable input for this new edition. By means of a modular approach, the book was created for readers with various goals. Readers, interested in an end-to-end view on ITSM, covering a broad range of relevant sources, can read and use the book from cover to cover. They will find high-level views on the nature of ITSM and can zoom in to relevant sources as much as they want. Readers who are specifically interested in ITIL, in the context of a wider view, can concentrate on the two chapters that deal with ITIL material, and can then pick additional topics from the rest of the chapters. Readers who are interested in specific elements of ITSM can select parts of relevant chapters, and use this introduction book as a reference guide in their own approach. They can then read more detailed information in other publications of the ITSM Library, in ITIL core books, or in other dedicated publications. The book was produced the same way other publications of the ITSM Library were produced: a broad team of expert editors, expert authors and expert reviewers contributed to a comprehensive text, and a lot of effort was spent on the development and review of the manuscript. Normally this would assure that practical guidance would be used throughout the book. The fact that the completely revised ITIL publications were released recently, in June 2007, disabled part of that process: there was no practical experience with any of the books available to the editorial team. This means that the book will be upgraded with additional knowledge and insight, once the world can provide this practical experience with ITIL V3. The information on the Service Lifecycle, one of the core additions in the ITIL V3 books, has been concentrated in one chapter, allowing for a dedicated introduction to this view. The information on the processes, functions and other activities, is concentrated in a separate chapter, supporting the approach along the ITIL lifecycle view, but also supporting other approaches that may be more process-focused. The entire book supports an end-to-end and user-centric approach, the way modern organizations work. The broad content will give the reader a good overview of applicable methods and techniques, considerations and points of interest, advise, checklists and templates for the successful introduction of the information service function. VI For many years, “IT Service Management – An Introduction” has been a core element in the important series of management guides that is titled the ITSM Library, and we expect this new edition will continue to hold that position. Jan van Bon Chief Editor ITSM Library for itSMF International VII Ackowledgements This publication is the result of the co-operation of many experts from the field, in many different countries, representing users, providers, government, trainers, examiners, and itSMF chapters. It was based on an itSMF publication in the Netherlands, developed as an introduction to IT Service Management, first published in April 1999. The book was originally initiated by Georges Kemmerling (Quint Wellington Redwood), and built by a Dutch itSMF project team, under the guidance of chief editor Jan van Bon. Since 1999, this project team of reviewers and co-authors has extended and improved the book, in a series of new editions, expressing the developments in the field of IT Service Management. In May 2002 the first translation was published, in English. This first global edition was soon followed by a second, improved, version, audited by selected itSMF members, cooperating in the itSMF International Publications Committee (IPESC), each representing an itSMF chapter. In addition to that, the global edition was reviewed by several experts from vendor and user organizations, and by representatives of the OGC. This resulted in the very first internationally endorsed itSMF publication, supported by the entire itSMF community, and accepted as a high quality introduction to ITIL® and IT Service Management. The book provided excellent services as an aid in understanding the published best practices in the field of IT Service Management, concentrated in and around ITIL publications, in many countries. Since 2002, several other translations appeared. Each of these translations was developed and audited by a team of experts in the targeted language region, if possible under the guidance of an itSMF chapter. In all cases, a terminology translation table was determined, before translating the text. Translations were delivered in English, German, French, Spanish, Russian, Chinese, Japanese, Italian, Korean, Brazilian-Portuguese, Arabic, and Danish. In 2007, this book was heavily rewritten, due to significant changes in the published sources on IT Service Management. A team of expert authors and editors who work for itSMF has produced the updated text (see the colophon). A special thanks goes to Eric Rozemeijer (Quint Wellington Redwood), who temporarily joined this itSMF team and provided a serious contribution to the development of the updated text. As with all publications in the ITSM Library, a broad Review Team was composed, representing experts from various disciplines, covering user organizations, training organizations, consultancy organizations, global leaders in the IT service industry, and individual experts. This assured the reflection of the most widely accepted views on IT Service Management, and the alignment to leading sources. The team that reviewed this publication had to work under considerable time pressure and was handicapped by the fact that the updated ITIL V3 publications were still very fresh and had not been tested in practice - which will take years. Some of the members of the Review Team will keep working on the text of the first edition, providing material for further improvement in the second edition. The reviewers that finished this first review are the following: • John van Beem, ISES International, Netherlands • Aad Brinkman, Apreton, Netherlands VIII • Peter Brooks, PHMB Consulting, itSMF South Africa • Rob van der Burg, Microsoft, Netherlands • Judith Cremers, Getronics PinkRoccade Educational Services, Netherlands • Robert Falkowitz, Concentric Circle Solution, itSMF Switzerland • Rosario Fondacaro, Quint Wellington Redwood, Italy • Peter van Gijn, LogicaCMG, Netherlands • Jan Heunks, ICT Partners, Netherlands • Linh Ho, Compuware Corporation, USA • Ton van der Hoogen, ToTZ Diensten, Netherlands • Kevin Holland, NHS, UK • Matiss Horodishtiano, Amdocs, itSMF Israel • Wim Hoving, BHVB, Netherlands • Brian Johnson, CA, USA • Georges Kemmerling, Quint Wellington Redwood, Netherlands • Kirstie Magowan, itSMF New Zealand • Steve Mann, OpSys - SM2, itSMF Belgium • Reiko Morita, Ability InterBusiness Solutions, Inc., Japan • Jürgen Müller, Marval Benelux, Netherlands • Ingrid Ouwerkerk, Getronics PinkRoccade Educational Services, Netherlands • Ton Sleutjes, CapGemini, Netherlands • Maxime Sottini, Innovative Consulting, itSMF Italy • Patricia Speltincx, OpSys, Belgium • Takashi Yagi, Hitachi Ltd., itSMF Japan Their contributions are highly appreciated and, due to their detailed review, have improved the quality of the book considerably. Given the desire for a broad consensus in the IT Service Management field, new developments, additional material and contributions from ITSM professionals are welcome. They will be discussed by the editors and where appropriate incorporated into new editions. Any comments can be sent to the Chief Editor of the ITSM Library, Jan van Bon, email: j.van.bon@inform-it.org. IX Contents Colophon��������������������������������������������������������������������������������������������������������������������������IV Foreword���������������������������������������������������������������������������������������������������������������������������V Ackowledgements�����������������������������������������������������������������������������������������������������������VII 1 Introduction������������������������������������������������������������������������������������������������������� 1 1.1 1.2 1.3 1.4 1.5 1.6 Information Technology in a fast changing world�����������������������������������������������������1 Why this book������������������������������������������������������������������������������������������������������������2 itSMF International����������������������������������������������������������������������������������������������������2 Differences with previous editions����������������������������������������������������������������������������3 Structure of the book������������������������������������������������������������������������������������������������4 How to use this book������������������������������������������������������������������������������������������������5 2 Services and Organizations���������������������������������������������������������������������������� 7 2.1 People - Process - Technology - Partners - Information�����������������������������������������7 2.1.1 Customer-Provider paradigm for Information Support��������������������������������9 2.1.2 SoD - Separation of Duties������������������������������������������������������������������������� 10 2.1.3 The Management Paradigm����������������������������������������������������������������������� 11 2.1.4 The 3x3 matrix for Information Support����������������������������������������������������� 12 2.1.5 Management of processes������������������������������������������������������������������������� 13 2.1.6 Teams, roles and positions in ITSM����������������������������������������������������������� 17 2.1.7 Tools used in ITSM������������������������������������������������������������������������������������� 18 2.2 What is an IT service?��������������������������������������������������������������������������������������������� 18 2.2.1 Components of an IT service��������������������������������������������������������������������� 19 2.2.2 Service types����������������������������������������������������������������������������������������������22 2.3 Organization and Policies���������������������������������������������������������������������������������������23 2.3.1 Vision, objectives and policies�������������������������������������������������������������������23 2.3.2 Planning horizon ����������������������������������������������������������������������������������������25 2.3.3 Culture���������������������������������������������������������������������������������������������������������26 2.3.4 Human Resource Management������������������������������������������������������������������26 2.3.5 Business Relationship Management����������������������������������������������������������28 2.4 Communication in IT service organizations�����������������������������������������������������������29 3 IT Service Management��������������������������������������������������������������������������������� 31 3.1 What is IT Service Management?��������������������������������������������������������������������������� 31 3.1.1 Introduction������������������������������������������������������������������������������������������������� 31 3.1.2 Scope and relative position of management domains������������������������������32 3.1.3 Processes, projects, programs and portfolios������������������������������������������34 3.1.4 Services and Quality ����������������������������������������������������������������������������������35 3.1.5 IT Governance���������������������������������������������������������������������������������������������39 3.2 Organizational maturity�������������������������������������������������������������������������������������������40 3.2.1 Quality model: EFQM���������������������������������������������������������������������������������� 41 3.2.2 Maturity model: CMMI��������������������������������������������������������������������������������42 3.2.3 The World Class IT Maturity Model������������������������������������������������������������43 3.2.4 Standard: ISO/IEC 20000���������������������������������������������������������������������������44 3.2.5 Customer maturity��������������������������������������������������������������������������������������44 3.3 Benefits and risks of ITSM frameworks������������������������������������������������������������������46 3.4 Standards, best practices and useful frameworks������������������������������������������������� 47 3.4.1 Definitions��������������������������������������������������������������������������������������������������� 47 3.4.2 Training and certification���������������������������������������������������������������������������� 47 4 ITIL - The IT Service Lifecycle����������������������������������������������������������������������� 49 4.1 Introduction to ITIL��������������������������������������������������������������������������������������������������49 4.1.1 Organizations����������������������������������������������������������������������������������������������50 4.2 ITIL exams���������������������������������������������������������������������������������������������������������������52 4.3 Service Lifecycle: concept and overview���������������������������������������������������������������54 4.3.1 Basic concepts�������������������������������������������������������������������������������������������54 4.3.2 The Service Lifecycle����������������������������������������������������������������������������������56 4.3.3 ITIL Library��������������������������������������������������������������������������������������������������58 4.4 Service Strategy������������������������������������������������������������������������������������������������������59 4.4.1 Introduction�������������������������������������������������������������������������������������������������59 4.4.2 Basic concepts�������������������������������������������������������������������������������������������62 4.4.3 Processes and other activities�������������������������������������������������������������������69 4.4.4 Organization������������������������������������������������������������������������������������������������ 81 4.4.5 Methods, techniques and tools������������������������������������������������������������������88 4.4.6 Implementation�������������������������������������������������������������������������������������������93 4.5 Service Design������������������������������������������������������������������������������������������������������ 105 4.5.1 Introduction����������������������������������������������������������������������������������������������� 105 4.5.2 Basic concepts����������������������������������������������������������������������������������������� 110 4.5.3 Processes and other activities����������������������������������������������������������������� 113 4.5.4 Organization���������������������������������������������������������������������������������������������� 120 4.5.5 Methods, techniques and tools���������������������������������������������������������������� 122 4.5.6 Implementation����������������������������������������������������������������������������������������� 124 4.6 Service Transition�������������������������������������������������������������������������������������������������� 128 4.6.1 Introduction����������������������������������������������������������������������������������������������� 128 4.6.2 Basic concepts����������������������������������������������������������������������������������������� 129 4.6.3 Processes and other activities����������������������������������������������������������������� 130 4.6.4 Organization���������������������������������������������������������������������������������������������� 135 4.6.5 Methods, technology and tools���������������������������������������������������������������� 139 4.6.6 Implementation����������������������������������������������������������������������������������������� 140 4.7 Service Operation������������������������������������������������������������������������������������������������� 143 4.7.1 Introduction����������������������������������������������������������������������������������������������� 143 4.7.2 Basic concepts����������������������������������������������������������������������������������������� 143 4.7.3 Processes and other activities����������������������������������������������������������������� 147 4.7.4 Organization���������������������������������������������������������������������������������������������� 155 4.7.5 Methods, techniques and tools���������������������������������������������������������������� 168 4.7.6 Implementation����������������������������������������������������������������������������������������� 168 4.8 Continual Service Improvement��������������������������������������������������������������������������� 173 4.8.1 Introduction����������������������������������������������������������������������������������������������� 173 4.8.3 Processes and other activities����������������������������������������������������������������� 179 XI 4.8.2 4.8.4 4.8.5 4.8.6 Basic concepts.......................................................................................... 174 Organization���������������������������������������������������������������������������������������������� 182 Methods, techniques and tools���������������������������������������������������������������� 185 Implementation����������������������������������������������������������������������������������������� 192 5 Functions and Processes for IT Service Management���������������������������� 203 5.1 Introduction ����������������������������������������������������������������������������������������������������������203 5.1.1 Process, service and customer-focused organizations��������������������������203 5.1.2 Processes and process models ��������������������������������������������������������������204 5.1.3 Process, line and ‘miscellaneous activities’���������������������������������������������206 5.1.4 Functions and processes�������������������������������������������������������������������������208 5.1.5 An overview of function and process clustering�������������������������������������� 212 5.1.6 Order of presentation������������������������������������������������������������������������������� 217 5.2 Functions and processes�������������������������������������������������������������������������������������� 218 5.2.1 Financial Management����������������������������������������������������������������������������� 219 5.2.2 Service Portfolio Management (SPM)������������������������������������������������������ 224 5.2.3 Demand Management������������������������������������������������������������������������������227 5.2.4 Business Relationship Management (BRM)���������������������������������������������230 5.2.5 Service Catalogue Management��������������������������������������������������������������233 5.2.6 Service Level Management����������������������������������������������������������������������236 5.2.7 Capacity Management����������������������������������������������������������������������������� 240 5.2.8 Availability Management��������������������������������������������������������������������������� 246 5.2.9 IT Service Continuity Management����������������������������������������������������������253 5.2.10 Information Security Management�����������������������������������������������������������258 5.2.11 Supplier Management������������������������������������������������������������������������������263 5.2.12 Transition Planning and Support��������������������������������������������������������������267 5.2.13 Change Management������������������������������������������������������������������������������� 271 5.2.14 Service Asset and Configuration Management (SACM)��������������������������280 5.2.15 Release and Deployment Management���������������������������������������������������290 5.2.16 Service Validation and Testing�����������������������������������������������������������������298 5.2.17 Evaluation��������������������������������������������������������������������������������������������������304 5.2.18 Knowledge Management��������������������������������������������������������������������������307 5.2.19 Event Management ���������������������������������������������������������������������������������� 311 5.2.20 Incident Management������������������������������������������������������������������������������� 316 5.2.21 Request Fulfillment�����������������������������������������������������������������������������������322 5.2.22 Problem Management������������������������������������������������������������������������������325 5.2.23 Access Management��������������������������������������������������������������������������������332 5.2.24 Monitoring and Control�����������������������������������������������������������������������������335 5.2.25 IT Operations��������������������������������������������������������������������������������������������340 5.2.26 Service Desk��������������������������������������������������������������������������������������������342 5.2.27 CSI Improvement Process������������������������������������������������������������������������346 5.2.28 Service Reporting�������������������������������������������������������������������������������������355 6 Introduction to ISO 20000���������������������������������������������������������������������������� 359 6.1 Why is this subject relevant?��������������������������������������������������������������������������������359 6.2 What is ISO 20000’s history?��������������������������������������������������������������������������������360 XII 6.2.1 What is its current context? ���������������������������������������������������������������������361 6.3 What is ISO 20000?����������������������������������������������������������������������������������������������362 6.3.1 Targets/aims���������������������������������������������������������������������������������������������362 6.3.2 Specification���������������������������������������������������������������������������������������������363 6.3.3 Accreditation, certification and training���������������������������������������������������366 6.3.4 Scope�������������������������������������������������������������������������������������������������������� 370 6.3.5 Process model������������������������������������������������������������������������������������������ 370 6.4 Requirements and Objectives������������������������������������������������������������������������������� 372 6.4.1 Requirements for a management system������������������������������������������������ 372 6.4.2 Planning and implementing service management����������������������������������� 372 6.4.3 Planning and implementing new or changed services���������������������������� 373 6.4.4 Service delivery processes���������������������������������������������������������������������� 374 6.4.5 Relationship processes����������������������������������������������������������������������������377 6.4.6 Resolution processes������������������������������������������������������������������������������� 378 6.4.7 Control processes������������������������������������������������������������������������������������ 379 6.4.8 Release management�������������������������������������������������������������������������������380 6.4.9 Processes and procedures required��������������������������������������������������������381 6.4.10 Documents required���������������������������������������������������������������������������������383 6.4.11 Records required��������������������������������������������������������������������������������������383 7 Standards and Frameworks related to IT Service Management������������385 7.1 7.2 7.3 7.4 Introduction to frameworks�����������������������������������������������������������������������������������385 Inventory of relevant frameworks �������������������������������������������������������������������������386 How can frameworks be applied in IT Service Management�������������������������������387 An ‘umbrella framework’ for Information Management����������������������������������������388 7.4.1 Quality Management and Business Process Management��������������������388 7.4.2 Quality Improvement��������������������������������������������������������������������������������389 7.4.3 IT Governance�������������������������������������������������������������������������������������������389 7.4.4 Information Management�������������������������������������������������������������������������391 7.4.5 Project Management��������������������������������������������������������������������������������392 7.5 Description of the frameworks �����������������������������������������������������������������������������394 7.5.1 TQM – Total Quality Management������������������������������������������������������������396 7.5.2 EFQM – the European Foundation for Quality Management Excellence Model���������������������������������������������������������������������������������������������������������������������399 7.5.3 ISO 9000 – Quality Management Systems����������������������������������������������401 7.5.4 TOGAF™ - The Open Group Architecture Framework����������������������������404 7.5.5 TickIT - Quality management for IT����������������������������������������������������������406 7.5.6 ISO/IEC 19770 Software Asset Management �����������������������������������������408 7.5.7 ISO/IEC 15504 - SPICE����������������������������������������������������������������������������� 410 7.5.8 ISO/IEC 27001 - Information Security Management Systems���������������� 412 7.5.9 CMMI��������������������������������������������������������������������������������������������������������� 414 7.5.10 Six Sigma�������������������������������������������������������������������������������������������������� 416 7.5.11eSCM-SP v2: eSourcing Capability Model for Service Providers, version 2��������������������������������������������������������������������� 419 7.5.12IT Balanced Scorecard – the management system for strategic performance and results��������������������������������������������������������������������������422 XIII 7.5.13 7.5.14 7.5.15 7.5.16 7.5.17 7.5.18 7.5.19 7.5.20 7.5.21 7.5.22 7.5.23 7.5.24 7.5.25 AS 8015-2005 - Australian Standard for Corporate Governance of IT���� 424 CobiT����������������������������������������������������������������������������������������������������������426 M_o_R – Management of Risk�����������������������������������������������������������������429 Generic Framework for Information Management�����������������������������������431 BiSL – the Business Information Services Library�����������������������������������433 ISPL – the Information Services Procurement Library�����������������������������436 eTOM - the enhanced Telecom Operations Map�������������������������������������439 ASL – the Application Services Library���������������������������������������������������� 441 MSP – Managing Successful Programmes����������������������������������������������444 PRINCE2 – PRojects IN Controlled Environments�����������������������������������446 PMBoK – the Project Management Body of Knowledge�������������������������449 IPMA Competence Baseline��������������������������������������������������������������������� 451 Company specific standards (MOF, HP ITSM ref model, IPW, ISM, etc.) ������������������������������������������������������������������������������������������������������������������454 References��������������������������������������������������������������������������������������������������������������������455 Glossary������������������������������������������������������������������������������������������������������������������������459 Index...............................................................................................................................507 XIV Chapter 1 Introduction 1.1 Information Technology in a fast changing world Developments in IT have had a tremendous effect on the business market during the last decade. Since the appearance of extremely powerful hardware, highly versatile software and super-fast networks, all connected to each other worldwide, organizations have been able to develop their information-dependent products and services to a greater extent, and to bring them to the market much faster. These developments have marked the transition of the industrial age into the information age. In the information age, everything has become faster and more dynamic, and everything is connected. Traditional hierarchical organizations often have difficulties in responding to this rapidly changing market, and this has led to current trends for organizations to become flatter and more flexible. The focus has shifted from vertical silos to horizontal processes, and decision-making powers are increasingly bestowed on the employees. It is against this background that the work processes of IT Service Management have arisen. An important advantage of process-oriented organizations is that processes can be designed to support a customer-oriented approach. This has made the alignment between the IT organization (responsible for supplying information) and the customer (responsible for using these information systems in their business) increasingly significant. Over the last couple of years, this trend has attracted attention under the title of Business-IT Alignment (BITA). As organizations gained more experience with the process-oriented approach of IT Service Management, it became clear that the process must be managed coherently. Furthermore, it was obvious that the introduction of a process-oriented work method meant a big change for the primarily line and project-oriented organizations. Culture and change management proved to be crucial elements for a successful organizational design. Another important lesson learned was that the IT organization must not lose itself in a process culture. Just like the one-sided project-oriented organization, a one-sided process-oriented organization was not the optimum type of business. Balance was, as always, the magic word. In IT Service Management - An Introduction addition, it became clear that the customer-oriented approach required that an end-to-end and user-centric approach must be followed: it was of no help to the user to know that ‘the server was still in operation’ if the information system was not available at the user’s workplace. IT services must be viewed in a larger context. The need for the recognition of the Service Lifecycle, and the management of IT services in light of that lifecycle, became a concern. Due to the fast growing dependency of business upon information, the quality of information services in companies is being increasingly subjected to stricter internal and external requirements. The role of standards is getting more and more important, and frameworks of ‘best practices’ help with the development of a management system to meet these requirements. Organizations that do not have control of their processes, will not be able to realize great results on the level of the Service Lifecycle and the end-to-end-management of those services. Organizations that do not have their internal organization in order, will also not achieve great results. For these reasons, all these aspects are handled alongside each other in the course of this book. 1.2 Why this book This book offers detailed information for those who are responsible for strategic information issues, as well as for the (much larger) group who are responsible for setting up and executing the delivery of the information systems. This is supported by both the description of the Service Lifecycle, as documented in ITIL® version 3, and by the description of the processes that are associated with it. Elementary issues around service management are reviewed in detail, and standards and frameworks are also dealt with. This gives the reader a broad overview of usable methods and techniques, considerations and points of interest, advice, and templates for the successful introduction of the information service function. 1.3 itSMF International The target group for this publication is anyone who is involved or interested in IT Service Management. A professional organization, working on the development of the IT Service Management field, has been created especially for this target group. The IT Service Management Forum (itSMF) is a global, independent, internationally recognized not-for-profit organization dedicated to IT Service Management. itSMF is wholly owned and principally run by its membership. It consists of a growing number of national chapters, each with a large degree of autonomy, but adhering to a common code of conduct. The itSMF is a major influence on, and contributor to, industry best practices and standards worldwide, working in partnership with a wide, international range of governmental and standards bodies. itSMF International is the controlling body of the itSMF national chapters and sets policies and provides direction for furthering the overall objectives of itSMF, for the adoption of IT Service Management (ITSM) best practice and for ensuring adherence to itSMF policies and standards. Introduction This introductory book is a publication of itSMF International, in the ITSM Library series. The book fits in well with the mission of itSMF International: The mission of itSMF International is to support the development of IT Service Management (ITSM) through strategic direction, co-ordination of effort and the sourcing of expertise and financial support with strategic partners. This mission can be translated into the following publishing activities: itSMF Publishing activities: •publishing supporting material on accepted best practice •publishing material that represents ‘new thought’ in the ITSM field •ensuring that, through all activities, including the publication of relevant material, itSMF assists organizations in the implementation of solutions that will deliver real value to them By publishing this detailed and many-faceted introduction to the field of IT Service Management, ITSMF International offers a valuable contribution to the development of the subject. 1.4 Differences with previous editions The ‘Introduction to IT Service Management’ book has played a key role in the distribution of ideas on IT Service Management for years. The title has been translated into thirteen languages and is recognized as the most practical introduction to the leading ‘best practices’ in this field. Earlier editions of the Introduction book focused on the content of three books from the ITIL® series (version 2): Service Support, Service Delivery and Security Management and placed them in a broader context of quality management. ITIL, although widely used, was actually never in the public domain1, but there were few restrictions on its use in practice. This has been acknowledged as one of the main reasons for ITIL’s wide acceptance. With the transfer of the management, publication, and qualifications of ITIL to the APM Group (for qualifications) and TSO (for publications), a significant shift in the market has occurred. ITIL is now operationally run by commercial organizations that control the use of ITIL by providers in the market, through regulations in the areas of copyright, branding and accreditations. This does not influence the use of ITIL within organizations to a great extent, but it does have a specific effect in the provider market. As a result of this operational shift, various reactions in the market can be observed. On the one hand, there is more interest in the independent ISO/IEC 20000, the official standard for IT service organizations. Meanwhile, providers are responding by addressing the general field of IT Service Management more, including the Service Lifecycle approach of ITIL version 3, and also by choosing their own approach or model. 1Based on the definition in Cambridge Advanced Learner’s Dictionary: ’If something such as a book, song, computer program, etc. is in the public domain, no one has the right to control its use and anyone may use it without charge.’ IT Service Management - An Introduction The book before you is a reflection of this shift: it contains information about ISO/IEC 20000, as well as about ITIL and other relevant standards and frameworks that are relevant for the broad field of IT Service Management. In addition, it contains detailed information about the individual IT Service Management processes which can be used in the individual approach of the reader. The continuous development of the field is, to a large degree, supported by a uniform language. The communication between companies all over the world is served expressly by unambiguous terminology and accompanying definitions. This terminology is based on the terms that are mentioned in ISO/IEC 20000, in the ITIL Glossary, and in the main terms of the other standards and frameworks. The various itSMF chapters use a common list of English terms that are translated into their own language. In this way, the communication between and within various language domains is supported. As a result of continuous development of best practices, various terms have disappeared between the introduction of ITIL version 2 and 3, and a large number of new terms have been added to version 3. As many of these concepts are part of the scope of an IT Service Management training or exam, they have been included in the relevant descriptions. For a definitive list of concepts, readers should refer to the various training and exam programs. 1.5 Structure of the book This book starts with an introduction into the backgrounds and general principles of IT Service Management (Chapter 1). It describes the parties who play a role in the development of best practices and standards for IT Service Management, and which basic premises and standards are used. In Chapter 2 a number of important paradigms for IT service organizations are examined. This includes how organizations deal with services, what the services are, how organizations operate and what the role of communication is. In Chapter 3 there are details of a series of elementary concepts from IT Service Management (service, project, program, quality, governance, maturity, standards, etc.). These elements are used in the next chapter. The chapter offers information about management systems, maturity, definitions and terminology. In Chapter 4, ITIL version 3 is explored. The basic premises for the IT Service Lifecycle are discussed, followed by an overview of the five different phases of that lifecycle: Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement. The main points of each phase are presented in a consistent way to aid readability and clarity, so that the text is clear and its readability is promoted. Each section follows a consistent structure: • Introduction • Basic concepts • Processes and other activities • Organization • Methods, techniques and tools • Implementation Introduction Chapter 5 examines the processes for IT Service Management. First, the necessity for using process models is examined, after which the differences between core processes, supported processes and functions are reviewed. After that, the various systems for process clustering are discussed. The chapter then offers detailed information on an extensive series of processes and functions. Chapter 6 gives a detailed review of ISO/IEC 20000, the standard for IT Service Management. Chapter 7, finally, offers information on a large number of additional standards and frameworks for IT (service) management. These standards and frameworks provide a foundation for managing aspects and elements from the IT world, but also for managing general matters that apply to all fields, such as quality systems. The Appendices provide useful sources for the reader. A Reference list of used sources is provided, as well as the official ITIL Glossary. The book ends with an extensive Index of relevant terms, that will support the reader in finding relevant text elements. 1.6 How to use this book Those who are primarily interested in ITIL can read about the background of IT Service Management in Chapters 1, 2 and 3, followed by the ITIL lifecycle in Chapter 4, and then select processes and functions from Chapter 5. Those who are not ready for a lifecycle approach, or who prefer a process approach, can read the background of IT Service Management in Chapters 1, 2 and 3, and add their own selection of processes and functions from Chapter 5 as well as, if so desired, information from another framework. Those who wish to concentrate on the ISO/IEC 20000 approach can read the background of IT Service Management in Chapters 1, 2 and 3, then read Chapter 6 on ISO/IEC 20000, and use as much as they want from relevant processes in Chapter 5. In this way, this new edition of the Introduction book aims to provide support to a variety of approaches to IT Service Management. IT Service Management - An Introduction Chapter 2 Services and Organizations When setting up service organizations, a series of paradigms can be used which are widely accepted in the market. Some of the main paradigms are reviewed successively over the following pages. 2.1 People - Process - Technology - Partners - Information A widely accepted paradigm for defining the core focus areas in organizational improvement is the paradigm of Process, People, Technology, which is also called People/Process/Product (Note: ITIL uses both). In addition to these three, a fourth focus area is often recognized: the ‘P’ from Partners, based on the fact that only a few organizations can completely manage their information support by themselves. In the end, all these domains are only there to facilitate the fifth component: the ‘I’ from Information (Figure 2.1). The core message of the resulting combined paradigm is that we always need to address all of these elements within the organization, to make sure that we reach an optimal information result. People Process Information Technology Partners Figure 2.1 Focus areas for organizational change, P-P-T-P-I: People, Process, Technology, Partners and Information IT Service Management - An Introduction There is a logical order in creating these four areas (PPTP) in a new organization on behalf of the targeted ‘I’ of the information support function. However, real greenfield situations are extremely rare in practice. In organizational change, we usually have to deal with existing organizations, with established patterns for these four focus areas. In theory (greenfield situation), the most logical order might be: first the PPT set in the order of Process (set your identity and goals), People (organize and establish the organization), Technology (choose the required equipment to realize this), and then choose Partners or do it all yourself (determine your make or buy strategy) to get to the resulting ‘I’ for Information. The first P stands for Process. This refers to what the organization does, in terms of the structured sets of activities. This relates directly to the identity of the organization and its products or services: what is the core business of the organization, what is its market, what does the organization have to do to be in business. Describe the processes of the organization and you will know its kind of business: is this a machine factory, an insurance company, an energy plant, a retail organization, a government department? Within specific markets we will find similar processes within similar organizations. The best organizations often have the best designed processes and are in control of their performance by means of managing those processes in the most effective way. This applies to IT service organizations as well as to any other type of organization. And although the processes may vary a bit from IT service organization to IT service organization, it is broadly accepted that we can find ‘best practices’ for these processes, which are generic for the entire IT services market. The second P stands for People. This refers to the organizational specifications: who does what? How are responsibilities and authorizations distributed over the staff and the teams? What skills and competences do we need to deliver the processes? What are the local cultural and behavioral standards and policies to be used? Processes depend upon People, eg based on the granularity of the organization. We find much more variation in the second P (People) than in the first P (Process). The People dimension is highly influenced by culture, by local preferences of a manager, by law, by financial strength of the organization and by various other factors. We can find centralized organizations, decentralized/ distributed organizations, and any kind of mix of those. The specific position of the organization can change in time: moving people and reorganizing your company seems to be a national sport from time to time in many countries. But the processes will not normally vary with these reorganizations: an insurance company will still be an insurance company, a transport company will still be a transport company, a bank will be a bank. This underlines the crucial role of the first P: if you are in control of your processes, you can reorganize easily without losing grip on your performance. The T stands for Technology (sometimes called Product). If we know what we have to do (process) and we know who we have in place to do that (people), we will need the infrastructure and the tools, the methods and techniques, to reach an optimal result. A carpenter is as good as his tools: without good equipment we cannot deliver high performance. On the other hand: a fool with a tool is still a fool. Services and Organizations The third P stands for Partners. This is related to the widely accepted ‘sourcing’ strategy adopted in modern organizations. The sourcing strategy is based on the concept of ‘make or buy’, where the strategic approach is to choose what is the right mix between buying products and services from external providers and creating them internally. In practice, it is almost impossible to work without external providers, which makes the Partner domain increasingly important. The I stands for Information, the actual target for this paradigm. If we know the information flows within and between the other focus areas, the organization is largely characterized. Information is based on data that are handled in the processes by people, using the technology to process the data. Users utilise the data and add value by combining and processing them, creating meaningful information to be used in business processes. Most often, organizational change projects are focused at one or two areas, and we often see that organizational change starts in the Technology domain (buying a tool). Neglecting one or more of these focus areas is a risk for the outcome of the project: the management system will suffer from inefficiencies, incompleteness and it may not realize the projected results at all. It is urgently advised that all focus areas be addressed, preferably in the explained order of analysis. A number of additional paradigms, which are useful when addressing these focus areas, are described in the following paragraphs. 2.1.1 Customer-Provider paradigm for Information Support The Customer-Provider paradigm refers to the fundamental split between the domains of customer and provider (Figure 2.2). IT service organizations are basically considered to be providers of information services, and therefore always have one or more customers. The provision of these services is the one and only goal of the provider, and alignment to the customer domain should be maximized. To support a clear and manageable relationship between customer and provider, both parties should agree on the SMART1 specification of the services that should be provided. The provider then delivers the agreed services. According to the agreement, users can request for support and for specific volumes of the agreed services. And, of course, there should be some kind of compensation (payment, funding) for the provider, to cover the cost of delivering the services: even if the provider is an internal cost centre, the organization will have to create funding for the incurring cost. The agreed services are based on customer requirements and are limited by the provider’s capacity, capability and availability to provide the required services. The actual services delivered are most often a compromise in terms of the required quality and the available finances. The principle of the Customer-Provider paradigm is iterative: the provider on his turn is the customer for his sub-provider, who is the customer for the sub-sub-provider, and so forth. 1SMART stands for Specific, Measurable, Achievable (or Appropriate), Realistic (or Relevant), Timely (or Timebound). 10 IT Service Management - An Introduction The principle is also an N-to-N relationship: a customer can have more than one provider, and a provider can have more than one customer. CUSTOMER AGREEMENT PROVIDER Requests PROVIDER users IT Services PROVIDER Payment Figure 2.2 The Customer-Provider paradigm for Information Support 2.1.2 SoD - Separation of Duties Another widely accepted management paradigm is SoD: Separation of Duties. In this context, it simply says that - to be in control - an organization should distinguish between setting goals and realizing them. Both elements should be managed by separate responsibility domains, to prevent situations of conflicting interests. Judging the results of a project or work should always be done by a party that is not also responsible for delivering that result. SoD is one of the basic principles of any audit. For Information Support this comes down to having one responsibility domain responsible for determining which IT service should be delivered, and another domain for delivering that required service (Figure 2.3). In Information Support, the resulting domains are recognized as the Information Management domain (IM) and the Information Technology domain (IT). The Information Management domain sets the information requirements on behalf of the Business and makes sure they are realized. The Information Technology domain realizes the IT services and facilitates the use of the required IT services. An organization can plot a Demand Organization and a Supply Organization according to these two domains, but the borders need not necessarily align: it is not uncommon for the Supply Organization to cover part of the Information Management responsibility domain (middle column). Services and Organizations 11 Business Information Technology Business activities Information management Information technology use design and control facilitate Figure 2.3 Separation of Duties 2.1.3 The Management Paradigm Another widely accepted paradigm is the Management Paradigm (Figure 2.4): all activities of an organization are managed from a specific perspective, in terms of: 1. long-term goals (strategic level: setting directions) 2. mid-term objectives (tactical level: design and control) 3. short-term achievements (operational level: realization) Organizations should make sure that they manage their activities from each of these perspectives. Organizations that ‘forget’ to manage from either one of these management perspectives will, most likely, not realize their goals or only at unnecessary high cost. ST R E AT GI C Setting the directions identity, value creation, relations, goals, conditions L CA TI C TA Direct and control the organization for the realization of goals organize, direct, control L NA IO T A ER OP Realize the goals within chosen directions and arrangements operate, realize Figure 2.4 The Management Paradigm 12 IT Service Management - An Introduction 2.1.4 The 3x3 matrix for Information Support The combination of the Separation of Duties paradigm and the Management Paradigm provides us with a very interesting management model: the 3x3 matrix for Information Support (Figure 2.5). INFORMATION TECHNOLOGY USE DESIGN/CONTROL FACILITATE DESIGN/CONTROL DIRECT TACTICAL OPERATIONAL OPERATE STRATEGIC BUSINESS Figure 2.5 The 3x3 matrix for Information Support The 3x3 matrix is known (with slightly different labels and slightly different explanations) under several different names2. Either way, they prove to be very useful to explain the role of IT Service Management, the scope of standards and frameworks of best practice in IT (Service) Management, and many issues on the sourcing of IT services. The 3x3 matrix is used as a high-level model for many discussions on the organization of Information Support responsibilities. For example, it highlights the question of where the responsibility for Information Demand and Information Supply is located in the organization (Figure 2.6). Basically this comes down to a question of how the Information Management domain is organized: A.Stuck-in-the-middle - Information Management is positioned at equal distance from the Business and the Information Technology domain, in many instances emblematic for organizations trying to implement Information Management as a liaison function. The result is fairly often an Information Management function ‘stuck in the middle’: missionaries talking to a brick wall at the Business side, renegades for the Technology side, and peacekeeping troops 2The 3x3 model was published as ‘A generic model for information management’ in the magazine Management en Informatie in 1997, as ‘BII’ in the Dutch Yearbook IT Service Management 1998, as ‘MIP’ in the World Class IT Service Management Guide 2000 and in The Guide to IT Service Management 2002, as ‘Generic Framework for Information Management’ in the ITSM Library book ‘Frameworks for IT Management’. Publications came from the University of Amsterdam, and from individual authors. Some of the 3x3 models were derived from the Strategic Alignment Model (Henderson & Venkatraman, 1993), while others were strict combinations of the Separation of Duties Paradigm and the Management Paradigm. Here, the model is named 3x3 matrix (or 3x3 model) for Information Support. It is a public domain model, to be used freely by anyone. Services and Organizations 13 in the middle, missing a clear identity in their own mindset. In this scenario, Information Management will be an independent Demand Organization, loosely coupled with the Business. B.As an extension of the IT function - The Information Management responsibilities of the organization have largely been delegated to the Technology domain, where the IT services are produced. Although still often found in practice, this approach is not recommended: management tends to be expressing itself in terms of technology, not in terms of business values. And the information service provider is now controlling itself, which leaves the Business vulnerable in its relationships with suppliers. The organization has set Information Management at a distance, making it highly vulnerable to misalignment between Technology and the Business. C.As an extension of the Business function - Here, information is considered to be a business asset, and the relationship with Technology can be a contractual one: IT is a supportive function, to be managed as such, and conceivably governed via outsourcing. Moreover, Information Management is a shared business responsibility, while Information Management as a separate function is only accommodating and stimulating, but never leading. Information Management and Business responsibilities are tightly bound and IT can be regarded as a replaceable commodity, to be provided by any adequate supplier. A B C Figure 2.6 The position of the Information Management domain, between Business and Information Technology in the 3x3 matrix Matters of outsourcing are often initially considered for (parts of ) the IT domain. The Business wants to stay in control, and will initially hold on to the Information Management domain. Only when outsourcing has become a commodity, is the next step considered: outsourcing the IT function. This is a form of Business Process Outsourcing (BPO), where the ‘business information process’ is outsourced. 2.1.5 Management of processes Every organization aims to realize its vision, mission, strategy, objectives and policies, which means that appropriate activities have to be undertaken. For example, a restaurant will have to purchase fresh ingredients, the chefs will have to work together to provide consistent results, and there should be no major differences in style among the waiting staff. A restaurant will only be awarded a three-star rating when it manages to provide the same high quality over an extended period of time. This is not always the case: there will 14 IT Service Management - An Introduction be changes among the waiting staff, a successful approach may not last, and chefs often leave to open their own restaurants. Providing a constant high quality also means that the component activities have to be co-ordinated: the better and more efficiently the kitchen operates, the higher the quality of service that can be provided to the guests. In the example of the restaurant, appropriate activities include buying vegetables, bookkeeping, ordering publicity material, receiving guests, cleaning tables, peeling potatoes and making coffee. With just such an unstructured list, something will be left out and staff will easily become confused. It is therefore a better idea to structure the activities. Preferably these should be arranged in such a way as to allow us to see how each group of activities contributes to the objectives of the business, and how they are related. Such groups of activities are known as processes. If the process structure of an organization is clearly described, it will show: • what has to be done • what the expected inputs and results are • how we measure whether the processes deliver the expected results • how the results of one process affect those of another process. Processes can be defined in many ways. Depending upon the objectives of the creator, more or less emphasis will be put on specific aspects. For example, a highly detailed process description will allow for a high level of control. Superficial process definitions will illustrate that the creator does not care much about the way in which the steps are executed. Once the processes are defined, the roles, responsibilities and people can be assigned to specific aspects, bringing the process to the level of a procedure. Processes When arranging activities into processes, we do not use the existing allocation of tasks, nor the existing departmental divisions. This is a conscious choice. By opting for a process structure, we can often show that certain activities in the organization are unco-ordinated, duplicated, neglected or unnecessary. A process is a structured set of activities designed to accomplish a defined objective. Instead, we look at the objective of the process and the relationships with other processes. A process is a series of activities carried out to convert input into an output, and ultimately into an outcome; see the ITOCO model (Input-Throughput-Output-Control-Outcome) in Figure 2.7. The input is concerned with the resources being used in the process. The (reported) output describes the immediate results of the process, while the outcome indicates the long-term results of the process (in terms of meaningful effect). Through control activities, we can associate the input and output of each of the processes with policies and standards to provide information about the results to be obtained by the process. Control regulates the input and the throughput in case the throughput or output parameters are not compliant with these standards and policies. This produces chains of processes which show what input goes into the organization and what the result is, as well as monitoring points in the chains in order to check the quality of the products and services provided by the organization. Services and Organizations 15 The standards for the output of each process have to be defined, such that the complete chain of processes in the process model meets the corporate objective. If the output of a process meets the defined requirements, then the process is effective in transforming its input into its output. To be really effective, the outcome should be taken into consideration rather than focusing on the output. If the activities in the process are also carried out with the minimum required effort and cost, then the process is efficient. It is the task of process management to use planning and control to ensure that processes are executed in an effective and efficient way. We can study each process separately to optimize its quality. The process owner is responsible for the process results. The process manager is responsible for the realization and structure of the process, and reports to the process owner. The process operatives are responsible for defined activities, and these activities are reported to the process manager. standards and policies CONTROL INPUT THROUGHPUT OUTPUT efficiency OUTCOME effectiveness economical considerations realization of goals Figure 2.7 Process diagram, based on the ITOCO model The logical combination of activities results in clear transfer points where the quality of processes can be monitored. In the restaurant example, we can separate responsibility for purchasing and cooking, so that the chefs do not have to purchase anything and can concentrate on their core skill activities. The management of the organization can provide control on the basis of the quality of the process as demonstrated by data from the results of each process. In most cases, the relevant performance indicators and standards will already be agreed upon. The day-to-day control of the process can then be left to the process manager. The process owner will assess the results based on a report of performance indicators and whether they meet the agreed standard. Without clear indicators, it would be difficult for a process owner to determine whether the process is under control, and if planned improvements are being implemented. Processes are often described using procedures and work instructions.