
Guide: Using FitSM to achieve compliance with ISO/IEC 20000-1


Version 1.0

This document is a guide to achieving compliance against the International Standard ISO/IEC 20000-1:2011 for a Service Management System (SMS) by using the FitSM approach. It provides a mapping between the requirements from FitSM-1 (Edition 2015, Version 2.0) and ISO/IEC 20000-1:2011 (Second Edition, released in 2011).

Comments & usage guidance

- This guide may be useful for IT service providers seeking compliance against the requirements of ISO/IEC 20000-1 for their Service Management System (SMS), for example as part of an initiative aiming at a certification of the SMS by an external certification body.
- In the tables provided by this guide, all requirements from FitSM-1 are first mapped to the corresponding clauses in ISO/IEC 20000-1. Following this, it is summarised
  o which additional requirements, not covered by FitSM-1, are specified by ISO/IEC 20000-1. For certain requirements in ISO/IEC 20000-1, no analogous requirements are specified by FitSM-1.
  o how ISO/IEC 20000-1 extends the requirements covered by FitSM-1. Where a requirement is covered by both FitSM-1 and ISO/IEC 20000-1, ISO/IEC 20000-1 is often more demanding, in that the standard provides more details on the intended implementation.

This work is licensed under a Creative Commons Attribution-NoDerivs 4.0 International License.
www.fitsm.eu
Guide: Using FitSM to achieve compliance with ISO/IEC 20000-1

Document control
Document title: Guide: Using FitSM to achieve compliance with ISO/IEC 20000-1
Document version: 1.0
Release date: 2016-09-01

Table of Contents
1. Introduction
2. FitSM-1 & ISO/IEC 20000-1 Mapping
2.1 General requirements
2.2 Process-specific requirements
3. Documented procedures required by ISO/IEC 20000-1
4. Records required by ISO/IEC 20000-1

FitSM was co-funded by the European Commission under contract number 312851.

1. Introduction
Both FitSM-1 and ISO/IEC 20000-1 specify requirements for a service management system (SMS). Since FitSM-1 follows a more lightweight approach than ISO/IEC 20000-1, the requirements of FitSM-1 can be regarded as an adapted subset of the requirements covered by ISO/IEC 20000-1. The following sections and tables show how the FitSM-1 requirements map to the ISO/IEC 20000-1 requirements, and which additional or extended requirements from ISO/IEC 20000-1 (not explicitly covered by FitSM-1) must be fulfilled if, for example, an IT service provider strives for a certification of their SMS against ISO/IEC 20000-1 but wants to use FitSM-1 as their core ITSM framework / standard.

2. FitSM-1 & ISO/IEC 20000-1 Mapping

2.1 General requirements

Each entry in this section gives, for one FitSM-1 requirement code: the FitSM-1 requirements (based on FitSM-1, Edition 2015, Version 2.0); the corresponding ISO/IEC 20000-1:2011 clause(s); additional requirements specified by ISO/IEC 20000-1:2011; and extended requirements of ISO/IEC 20000-1:2011 in the context of existing FitSM-1 requirements. "---" marks a cell that is empty in the original table.

GR1 Top Management Commitment & Responsibility

FitSM-1 requirements:
GR1.1 Top management of the organisation(s) involved in the delivery of services shall show evidence that they are committed to planning, implementing, operating, monitoring, reviewing, and improving the service management system (SMS) and services. They shall:
- Assign one individual to be accountable for the overall SMS with sufficient authority to exercise this role
- Define and communicate goals
- Define a general service management policy
- Conduct management reviews at planned intervals
GR1.2 The service management policy shall include:
- A commitment to fulfil customer service requirements
- A commitment to a service-oriented approach
- A commitment to a process approach
- A commitment to continual improvement
- Overall service management goals

Corresponding ISO/IEC 20000-1:2011 clause(s):
4.1 Management responsibility; 4.1.1 Management commitment; 4.1.2 Service management policy; 4.1.3 Authority, responsibility and communication; 4.1.4 Management representative; 4.5.4.3 Management review

Additional requirements (ISO/IEC 20000-1:2011):
Ensure that the importance of fulfilling service requirements, statutory and regulatory requirements and contractual obligations is communicated.
Ensure that risks to services are assessed and managed.

Extended requirements (ISO/IEC 20000-1:2011) in the context of GR1.1:
Inputs to be considered for a management review:
- customer feedback
- service and process performance and conformity
- current and future resource levels
- current and future human and technical capabilities
- risks
- results and follow-up actions from audits
- results and follow-up actions from previous management reviews
- status of preventive and corrective actions
- changes that could affect the SMS and the services
- opportunities for improvement

Extended requirements (ISO/IEC 20000-1:2011) in the context of GR1.2:
Ensure that the service management policy provides a framework for establishing and reviewing service management objectives.

--- (no corresponding FitSM-1 requirement)

FitSM-1 requirements:
---

Corresponding ISO/IEC 20000-1:2011 clause(s):
4.2 Governance of processes operated by other parties

Additional requirements (ISO/IEC 20000-1:2011):
Ensure that all processes or parts of them, which are operated by other parties (i.e. internal groups, customers or suppliers) are identified. Ensure that governance of these processes is demonstrated by ...
- demonstrating accountability for the processes and authority to require adherence to the processes,
- controlling the definition of the processes, and interfaces to other processes,
- determining process performance and compliance with process requirements,
- controlling the planning and prioritizing of process improvements.

Extended requirements (ISO/IEC 20000-1:2011):
---

GR2 Documentation

FitSM-1 requirements:
GR2.1 The overall SMS shall be documented to support effective planning. This documentation shall include:
- Service management scope statement (see GR3)
- Service management policy (see GR1)
- Service management plan and related plans (see GR4)
GR2.2 Documented definitions of all service management processes (see PR1-PR14) shall be created and maintained. Each of these definitions shall at least cover or reference:
- Description of the goals of the process
- Description of the inputs, activities and outputs of the process
- Description of process-specific roles and responsibilities
- Description of interfaces to other processes
- Related process-specific policies as applicable
- Related process- and activity-specific procedures as required
GR2.3 The outputs of all service management processes (see PR1-PR14) shall be documented, and the execution of key activities of these processes recorded.
GR2.4 Documentation shall be controlled, addressing the following activities as applicable:
- Creation and approval
- Communication and distribution
- Review
- Versioning and change tracking

Corresponding ISO/IEC 20000-1:2011 clause(s):
4.3 Documentation management; 4.3.1 Establish and maintain documents; 4.3.2 Control of documents; 4.3.3 Control of records

Additional requirements (ISO/IEC 20000-1:2011):
---

Extended requirements (ISO/IEC 20000-1:2011) in the context of GR2.2:
Ensure that all procedures required by ISO/IEC 20000-1 are documented. *)
*) A full list of documented procedures required by ISO/IEC 20000-1 is provided in section 3 of this guide.

Extended requirements (ISO/IEC 20000-1:2011) in the context of GR2.4:
Ensure that ...
- documents of external origin are identified and their distribution controlled,
- the unintended use of obsolete documents is prevented and suitable identification is applied to them, if they are retained.

GR3 Defining The Scope Of Service Management

FitSM-1 requirements:
GR3.1 The scope of the SMS shall be defined and a scope statement created.

Corresponding ISO/IEC 20000-1:2011 clause(s):
4.5.1 Define scope

Additional requirements (ISO/IEC 20000-1:2011):
---

Extended requirements (ISO/IEC 20000-1:2011):
---

GR4 Planning Service Management (PLAN)

FitSM-1 requirements:
GR4.1 A service management plan shall be created and maintained.
GR4.2 The service management plan shall at minimum include or reference:
- Goals and timing of implementing the SMS and the related processes
- Overall roles and responsibilities
- Required training and awareness activities
- Required technology (tools) to support the SMS
GR4.3 Any plan shall be aligned to other plans and the overall service management plan.

Corresponding ISO/IEC 20000-1:2011 clause(s):
4.1.1 Management commitment b); 4.5.2 Plan the SMS (Plan); 4.4.1 Provision of resources; 4.4.2 Human resources

Additional requirements (ISO/IEC 20000-1:2011):
Determine and provide the human, technical, information and financial resources needed to:
- establish, implement and maintain the SMS and the services, and continually improve their effectiveness
- enhance customer satisfaction

Extended requirements (ISO/IEC 20000-1:2011) in the context of GR4.2:
Additional elements to be included in or referenced from the service management plan:
- service requirements
- known limitations which can impact the SMS
- policies, standards, statutory and regulatory requirements and contractual obligations
- human, technical, information and financial resources necessary to achieve the service management objectives
- approach to be taken for working with other parties involved in the design and transition of new or changed services
- approach to be taken for the interfaces between service management processes and their integration with the other components of the SMS
- approach to be taken for the management of risks and the criteria for accepting risks
- how the effectiveness of the SMS and the services will be measured, audited, reported and improved

GR5 Implementing Service Management (DO)

FitSM-1 requirements:
GR5.1 The service management plan shall be implemented.
GR5.2 Within the scope of the SMS, the defined service management processes shall be followed in practice, and their application, together with the adherence to related policies and procedures, shall be enforced.

Corresponding ISO/IEC 20000-1:2011 clause(s):
4.5.3 Implement and operate the SMS (Do)

Additional requirements (ISO/IEC 20000-1:2011):
---

Extended requirements (ISO/IEC 20000-1:2011):
---

GR6 Monitoring And Reviewing Service Management (CHECK)

FitSM-1 requirements:
GR6.1 The effectiveness and performance of the SMS and its service management processes shall be measured and evaluated based on suitable key performance indicators in support of defined or agreed targets.
GR6.2 Assessments and audits of the SMS shall be conducted to evaluate the level of maturity and compliance.

Corresponding ISO/IEC 20000-1:2011 clause(s):
4.5.4 Monitor and review the SMS (Check); 4.5.4.1 General; 4.5.4.2 Internal audit

Additional requirements (ISO/IEC 20000-1:2011):
Ensure that an audit programme is planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. Ensure that audit criteria, scope, frequency and methods are documented.

Extended requirements (ISO/IEC 20000-1:2011) in the context of GR6.2:
Ensure that the selection of auditors and conduct of audits ensures objectivity and impartiality, and that auditors do not audit their own work.
Ensure that nonconformities are communicated, prioritized and responsibility allocated for follow-up actions.

GR7 Continually Improving Service Management (ACT)

FitSM-1 requirements:
GR7.1 Nonconformities and deviations from targets shall be identified and corrective actions shall be taken to prevent them from recurring.
GR7.2 Improvements shall be planned and implemented according to the Continual Service Improvement Management process (see PR14).

Corresponding ISO/IEC 20000-1:2011 clause(s):
4.5.5 Maintain and improve the SMS (Act); 4.5.5.1 General

Additional requirements (ISO/IEC 20000-1:2011):
Ensure that a policy on continual improvement of the SMS and the services is in place, including evaluation criteria for opportunities for improvement.

Extended requirements (ISO/IEC 20000-1:2011):
---

2.2 Process-specific requirements

Entries in this section follow the same layout as in section 2.1: FitSM-1 requirement code; FitSM-1 requirements (based on FitSM-1, Edition 2015, Version 2.0); corresponding ISO/IEC 20000-1:2011 clause(s); additional requirements specified by ISO/IEC 20000-1:2011; and extended requirements of ISO/IEC 20000-1:2011 in the context of existing FitSM-1 requirements.

PR1 Service Portfolio Management (SPM)

FitSM-1 requirements:
PR1.1 A service portfolio shall be maintained. All services shall be specified as part of the service portfolio.
PR1.2 Design and transition of new or changed services shall be planned.
PR1.3 Plans for the design and transition of new or changed services shall consider timescales, responsibilities, new or changed technology, communication and service acceptance criteria.
PR1.4 The organisational structure supporting the delivery of services shall be identified, including a potential federation structure as well as contact points for all parties involved.

Corresponding ISO/IEC 20000-1:2011 clause(s):
5 Design and transition of new or changed services; 5.1 General; 5.2 Plan new or changed services; 5.3 Design and development of new or changed services; 5.4 Transition of new or changed services

Additional requirements (ISO/IEC 20000-1:2011):
Ensure that the changes to services with the potential to have a major impact on services or the customer are determined by the change management policy agreed as part of the change management process.
Following the completion of the transition activities, report to interested parties on the outcomes achieved against the expected outcomes.

Extended requirements (ISO/IEC 20000-1:2011) in the context of PR1.1/PR1.2:
Ensure that the service requirements for new or changed services are identified.
Ensure that planning for new or changed services contains or includes a reference to at least:
- activities to be performed by the service provider and other parties including activities across interfaces from the service provider to other parties
- human, technical, information and financial resources
- identification, assessment and management of risks
- dependencies on other services
- testing required for the new or changed services
- expected outcomes from delivering the new or changed services, expressed in measurable terms

Extended requirements (ISO/IEC 20000-1:2011) in the context of PR1.4:
Ensure that other parties who will contribute to the provision of service components for new or changed services are identified. Ensure that their ability to fulfil service requirements is evaluated, the results of this evaluation recorded and necessary actions taken.

PR2 Service Level Management (SLM)

FitSM-1 requirements:
PR2.1 A service catalogue shall be maintained.
PR2.2 For all services delivered to customers, SLAs shall be in place.
PR2.3 SLAs shall be reviewed at planned intervals.
PR2.4 Service performance shall be evaluated against service targets defined in SLAs.
PR2.5 For supporting services or service components provided by federation members or groups belonging to the same organisation as the service provider or external suppliers, OLAs and UAs shall be agreed.
PR2.6 OLAs and UAs shall be reviewed at planned intervals.
PR2.7 Performance of service components shall be evaluated against operational targets defined in OLAs and UAs.

Corresponding ISO/IEC 20000-1:2011 clause(s):
6.1 Service level management

Additional requirements (ISO/IEC 20000-1:2011):
Ensure that changes to documented service requirements, the service catalogue, SLAs and other documented agreements are controlled by the change management process.

Extended requirements (ISO/IEC 20000-1:2011) in the context of PR2.1:
The catalogue of services shall include the dependencies between services and service components.

PR3 Service Reporting Management (SRM)

FitSM-1 requirements:
PR3.1 Service reports shall be specified and agreed with their recipients.
PR3.2 The specification of each service report shall include its identity, purpose, audience, frequency, content, format and method of delivery.
PR3.3 Service reports shall be produced. Service reporting shall include performance against agreed targets, information about significant events and detected nonconformities.

Corresponding ISO/IEC 20000-1:2011 clause(s):
6.2 Service reporting

Additional requirements (ISO/IEC 20000-1:2011):
Ensure that decisions are made and actions taken based on the findings in service reports. Ensure that agreed actions are communicated to interested parties.

Extended requirements (ISO/IEC 20000-1:2011) in the context of PR3.3:
Ensure that service reporting covers:
- information about major incidents, deployment of new or changed services and the service continuity plan being invoked
- workload characteristics including volumes and periodic changes in workload
- trend information
- information about customer satisfaction and service complaints

PR4 Service Availability & Continuity Management (SACM)

FitSM-1 requirements:
PR4.1 Service availability and continuity requirements shall be identified taking into consideration SLAs.
PR4.2 Service availability and continuity plans shall be created and maintained.
PR4.3 Service availability and continuity planning shall consider measures to reduce the probability and impact of identified availability and continuity risks.
PR4.4 Availability of services and service components shall be monitored.

Corresponding ISO/IEC 20000-1:2011 clause(s):
6.3 Service continuity and availability management; 6.3.1 Service continuity and availability requirements; 6.3.2 Service continuity and availability plans; 6.3.3 Service continuity and availability monitoring and testing

Additional requirements (ISO/IEC 20000-1:2011):
Ensure that changes to the service availability and continuity plans are controlled by the change management process.
Ensure that service continuity plans, contact lists and the CMDB are accessible when access to normal service locations is prevented.
Ensure that the impact of requests for changes on the service continuity and availability plans is assessed.
Ensure that service availability and continuity plans are tested against the availability and continuity requirements, and re-tested after major changes to the service environment.

Extended requirements (ISO/IEC 20000-1:2011) in the context of PR4.1:
Ensure that agreed service continuity and availability requirements include:
- access rights to the services
- service response times
- end to end availability of services

Extended requirements (ISO/IEC 20000-1:2011) in the context of PR4.3:
Additional elements to be included in or referenced from service continuity plans:
- procedures to be implemented in the event of a major loss of service, or reference to them
- availability targets when the plan is invoked
- recovery requirements
- approach for the return to normal working conditions

--- (no corresponding FitSM-1 requirement)

FitSM-1 requirements:
---

Corresponding ISO/IEC 20000-1:2011 clause(s):
6.4 Budgeting and accounting for services

Additional requirements (ISO/IEC 20000-1:2011):
Ensure that interfaces are defined between the budgeting and accounting for services process and other (corporate) financial management processes.
Ensure that policies and documented procedures are in place for:
- budgeting and accounting for service components including at least assets (including licences) used to provide the services, shared resources, overheads, capital and operating expenses, externally supplied services, personnel, facilities
- apportioning indirect costs and allocating direct costs to services, to provide an overall cost for each service
- effective financial control and approval
Ensure that costs are budgeted, monitored and reported against the budget.
Ensure that information is provided to the change management process to support the costing of requests for changes.

Extended requirements (ISO/IEC 20000-1:2011):
---

PR5 Capacity Management (CAPM)

FitSM-1 requirements:
PR5.1 Service capacity and performance requirements shall be identified taking into consideration SLAs.
PR5.2 Capacity plans shall be created and maintained.
PR5.3 Capacity planning shall consider human, technical and financial resources.
PR5.4 Performance of services and service components shall be monitored based on monitoring the degree of capacity utilisation and identifying operational warnings and exceptions.

Corresponding ISO/IEC 20000-1:2011 clause(s):
6.5 Capacity management

Additional requirements (ISO/IEC 20000-1:2011):
Ensure that changes to the capacity plans are controlled by the change management process.

Extended requirements (ISO/IEC 20000-1:2011) in the context of PR5.3:
Additional elements to be included in or referenced from capacity plans:
- current and forecast demand for services
- expected impact of agreed requirements for availability, service continuity and service levels
- time-scales, thresholds and costs for upgrades to service capacity
- potential impact of statutory, regulatory, contractual or organizational changes
- potential impact of new technologies
- procedures to enable predictive analysis

PR6 Information Security Management (ISM)

FitSM-1 requirements:
PR6.1 Information security policies shall be defined.
PR6.2 Physical, technical and organizational information security controls shall be implemented to reduce the probability and impact of identified information security risks.
PR6.3 Information security policies and controls shall be reviewed at planned intervals.
PR6.4 Information security events and incidents shall be given an appropriate priority and managed accordingly.
PR6.5 Access control, including provisioning of access rights, for information-processing systems and services shall be carried out in a consistent manner.

Corresponding ISO/IEC 20000-1:2011 clause(s):
6.6 Information security management; 6.6.1 Information security policy; 6.6.2 Information security controls; 6.6.3 Information security changes and incidents

Additional requirements (ISO/IEC 20000-1:2011):
Ensure that internal information security audits are conducted and that audit results are reviewed to identify opportunities for improvement.

Extended requirements (ISO/IEC 20000-1:2011) in the context of PR6.2:
Ensure that the approach to information security risk management and the criteria for accepting risks are defined.

Extended requirements (ISO/IEC 20000-1:2011) in the context of PR6.3:
Ensure that the risks to which information security controls relate are described as part of the documentation of these controls.
Ensure that information security controls with external organizations that have a need to access, use or manage the service provider's information or services are documented, agreed and implemented.

PR7 Customer Relationship Management (CRM)

FitSM-1 requirements:
PR7.1 Service customers shall be identified.
PR7.2 For each customer, there shall be a designated contact responsible for managing the customer relationship and customer satisfaction.
PR7.3 Communication mechanisms with customers shall be established.
PR7.4 Service reviews with the customers shall be conducted at planned intervals.
PR7.5 Service complaints from customers shall be managed.
PR7.6 Customer satisfaction shall be managed.

Corresponding ISO/IEC 20000-1:2011 clause(s):
7.1 Business relationship management

Additional requirements (ISO/IEC 20000-1:2011):
Ensure that changes to documented service requirements are controlled by the change management process.
Ensure that changes to the SLAs are co-ordinated with the service level management process.

Extended requirements (ISO/IEC 20000-1:2011) in the context of PR7.5:
Ensure that the definition of a service complaint is agreed with the customer.

PR8 Supplier Relationship Management (SUPPM)

FitSM-1 requirements:
PR8.1 Suppliers shall be identified.
PR8.2 For each supplier, there shall be a designated contact responsible for managing the relationship with the supplier.
PR8.3 Communication mechanisms with suppliers shall be established.
PR8.4 Supplier performance shall be monitored.

Corresponding ISO/IEC 20000-1:2011 clause(s):
7.2 Supplier management

Additional requirements (ISO/IEC 20000-1:2011):
Ensure that service levels are agreed with suppliers to support and align with the SLAs between the service provider and the customers.
Ensure that roles of, and relationships between, lead and sub-contracted suppliers are documented. Verify that lead suppliers are managing their sub-contracted suppliers to fulfil contractual obligations.
Ensure that changes to contracts with suppliers are controlled by the change management process.

Extended requirements (ISO/IEC 20000-1:2011) in the context of PR8.4:
Ensure that the contracts with suppliers reflect current requirements.

PR9 Incident & Service Request Management (ISRM)

FitSM-1 requirements:
PR9.1 All incidents and service requests shall be registered, classified and prioritized in a consistent manner.
PR9.2 Prioritization of incidents and service requests shall take into account service targets from SLAs.
PR9.3 Escalation of incidents and service requests shall be carried out in a consistent manner.
PR9.4 Closure of incidents and service requests shall be carried out in a consistent manner.
PR9.5 Personnel involved in the incident and service request management process shall have access to relevant information including known errors, workarounds, configuration and release information.
PR9.6 Users shall be kept informed of the progress of incidents and service requests they have reported.
PR9.7 There shall be a definition of major incidents and a consistent approach to managing them.

Corresponding ISO/IEC 20000-1:2011 clause(s):
8.1 Incident and service request management

Additional requirements (ISO/IEC 20000-1:2011):
---

Extended requirements (ISO/IEC 20000-1:2011) in the context of PR9.2:
When prioritizing incidents and service requests, ensure that the impact and urgency of the incident or service request are taken into consideration.

Extended requirements (ISO/IEC 20000-1:2011) in the context of PR9.7:
Ensure that top management is informed of major incidents, and a designated individual responsible for managing the major incident is appointed. After the agreed service has been restored, ensure that a major incident review is performed to identify opportunities for improvement.

PR10 Problem Management (PM)

FitSM-1 requirements:
PR10.1 Problems shall be identified and registered based on analysing trends on incidents.
PR10.2 Problems shall be investigated to identify actions to resolve them or reduce their impact on the services.
PR10.3 If a problem is not permanently resolved, a known error shall be registered together with actions such as effective workarounds and temporary fixes.
PR10.4 Up-to-date information on known errors and effective workarounds shall be maintained.

Corresponding ISO/IEC 20000-1:2011 clause(s):
8.2 Problem management

Additional requirements (ISO/IEC 20000-1:2011):
---

Extended requirements (ISO/IEC 20000-1:2011) in the context of PR10.2:
Ensure that problems requiring changes to a CI are resolved by raising a request for change.
Ensure that the effectiveness of problem resolution is monitored, reviewed and reported.

PR11 Configuration Management (CONFM)
FitSM-1 requirements (based on FitSM-1, Edition 2015, Version 2.0):
 PR11.1 Configuration item (CI) types and relationship types shall be defined.
 PR11.2 The level of detail of configuration information recorded shall be sufficient to support effective control over CIs.
 PR11.3 Each CI and its relationships with other CIs shall be recorded in a configuration management database (CMDB).
 PR11.4 CIs shall be controlled and changes to CIs tracked in the CMDB.
 PR11.5 The information stored in the CMDB shall be verified at planned intervals.
 PR11.6 Before a new release into a live environment, a configuration baseline of the affected CIs shall be taken.
Corresponding ISO/IEC 20000-1:2011 clause(s): 9.1 Configuration management
Additional requirements ISO/IEC 20000-1:2011:
Ensure that the information from the CMDB is provided to the change management process, to support the assessment of requests for changes.
Ensure that master copies of CIs recorded in the CMDB are stored in secure physical or electronic libraries referenced by the configuration records, including at least documentation, licence information, software and images of the hardware configuration.
Ensure that there is a defined interface between the configuration management process and a (corporate) financial asset management process.
Extended requirements ISO/IEC 20000-1:2011 in the context of existing FitSM-1 requirements:
Extended requirements in the context of PR11.1/11.2/11.3: Ensure that the information recorded for each CI includes at least:
 description of the CI
 relationship(s) between the CI and other CIs
 relationship(s) between the CI and service components
 status
 version
 location
 associated requests for changes
 associated problems / known errors

PR12 Change Management (CHM)
FitSM-1 requirements (based on FitSM-1, Edition 2015, Version 2.0):
 PR12.1 All changes shall be registered and classified in a consistent manner.
 PR12.2 All changes shall be assessed and approved in a consistent manner.
 PR12.3 All changes shall be subject to a post implementation review and closed in a consistent manner.
 PR12.4 There shall be a definition of emergency changes and a consistent approach to managing them.
 PR12.5 In making decisions on the acceptance of requests for change, the benefits, risks, potential impact to services and customers and technical feasibility shall be taken into consideration.
 PR12.6 A schedule of changes shall be maintained. It shall contain details of approved changes, and proposed deployment dates, which shall be communicated to interested parties.
 PR12.7 For changes of high impact or high risk, the steps required to reverse an unsuccessful change or remedy any negative effects shall be planned and tested.
Corresponding ISO/IEC 20000-1:2011 clause(s): 9.2 Change management
Additional requirements ISO/IEC 20000-1:2011:
Ensure that a change management policy is established that defines:
 CIs which are under the control of change management
 criteria to determine changes with potential to have a major impact on services or the customer
Ensure that the removal of a service and transfer of a service from the service provider to the customer or a different party are classified as a change with the potential to have a major impact.
Ensure that requests for changes are analysed at planned intervals to detect trends. Ensure that the results and conclusions drawn from the analysis are recorded and reviewed to identify opportunities for improvement.
Extended requirements ISO/IEC 20000-1:2011 in the context of existing FitSM-1 requirements:
Extended requirements in the context of PR12.6: Ensure that the schedule of change is used as the basis for planning the deployment of releases.

PR13 Release & Deployment Management (RDM)
FitSM-1 requirements (based on FitSM-1, Edition 2015, Version 2.0):
 PR13.1 A release policy shall be defined.
 PR13.2 The deployment of new or changed services and service components to the live environment shall be planned with all relevant parties including affected customers.
 PR13.3 Releases shall be built and tested prior to being deployed.
 PR13.4 Acceptance criteria for each release shall be agreed with the customers and any other relevant parties. Before deployment the release shall be verified against the agreed acceptance criteria and approved.
 PR13.5 Deployment preparation shall consider steps to be taken in case of unsuccessful deployment to reduce the impact on services and customers.
 PR13.6 Releases shall be evaluated for success or failure.
Corresponding ISO/IEC 20000-1:2011 clause(s): 9.3 Release and deployment management
Additional requirements ISO/IEC 20000-1:2011: Ensure that the definition of an emergency release is agreed with the customer.
Extended requirements ISO/IEC 20000-1:2011 in the context of existing FitSM-1 requirements:
Extended requirements in the context of PR13.1: Ensure that the release policy is agreed with customers and states the frequency and types of releases.
Extended requirements in the context of PR13.2: Ensure that release planning is coordinated with the change management process and includes references to the related requests for changes, and problems / known errors which are being closed through the release.
Extended requirements in the context of PR13.2: Ensure that a controlled acceptance test environment is used for the building and testing of releases.
Extended requirements in the context of PR13.6: Ensure that incidents related to a release in the period following deployment are measured. Ensure that analysis includes an assessment of the impact of the release on the customer, and the results and conclusions drawn from the analysis are recorded and reviewed to identify opportunities for improvement.

PR14 Continual Service Improvement Management (CSI)
FitSM-1 requirements (based on FitSM-1, Edition 2015, Version 2.0):
 PR14.1 Opportunities for improvement shall be identified and registered.
 PR14.2 Opportunities for improvement shall be evaluated and approved in a consistent manner.
Corresponding ISO/IEC 20000-1:2011 clause(s): 4.5.5.2 Management of improvements
Additional requirements ISO/IEC 20000-1:2011: ---
Extended requirements ISO/IEC 20000-1:2011 in the context of existing FitSM-1 requirements:
Extended requirements in the context of PR14.1: Ensure that opportunities for improvement are prioritized.
Extended requirements in the context of PR14.1/14.2: Ensure that, in managing improvements, the following activities are addressed:
 setting targets for improvements in quality, value, capability, cost, productivity, resource utilization and risk reduction
 ensuring that approved improvements are implemented
 revising the service management policies, plans, processes and procedures, where necessary
 measuring implemented improvements against the targets set and, where targets are not achieved, taking necessary actions
 reporting on implemented improvements
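As an added illustration of the configuration management requirements in the PR11 row of the table above (this is example code written for this guide page, not code from the FitSM guide or the FitSM project): a CI record carrying the attributes ISO/IEC 20000-1 expects for each CI, a configuration baseline taken for the affected CIs before a release (PR11.6), verification of the CMDB against that baseline at a planned interval (PR11.5), and a check that recorded relationships point only at recorded CIs (PR11.3). The CI names, the fingerprinting scheme and the sample CMDB are constructed for the example and are not real infrastructure.

```python
"""Configuration baseline and CMDB verification (added example, not FitSM code)."""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from typing import Dict, List


@dataclass
class CI:
    """One configuration record with the attribute set listed for PR11.1/11.2/11.3."""
    ci_id: str
    description: str
    ci_type: str
    status: str
    version: str
    location: str
    related_cis: List[str] = field(default_factory=list)          # relationships to other CIs
    service_components: List[str] = field(default_factory=list)   # relationships to service components
    requests_for_change: List[str] = field(default_factory=list)  # associated RFCs
    known_errors: List[str] = field(default_factory=list)         # associated problems / known errors


def fingerprint(ci: CI) -> str:
    """SHA-256 over a canonical form of the record, so attribute or list order
    never shows up as spurious drift; only real content changes do."""
    record = asdict(ci)
    for key in ("related_cis", "service_components", "requests_for_change", "known_errors"):
        record[key] = sorted(record[key])
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def take_baseline(cmdb: Dict[str, CI], affected: List[str]) -> Dict[str, str]:
    """PR11.6: snapshot (id -> fingerprint) of the CIs a release will touch.
    A CI missing from the CMDB is an error: you cannot baseline what is not recorded."""
    missing = [c for c in affected if c not in cmdb]
    if missing:
        raise KeyError(f"affected CIs not recorded in CMDB: {missing}")
    return {c: fingerprint(cmdb[c]) for c in affected}


def verify(cmdb: Dict[str, CI], baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """PR11.5: compare the live CMDB with a stored baseline and report drift."""
    result: Dict[str, List[str]] = {"unchanged": [], "changed": [], "removed": []}
    for ci_id, expected in baseline.items():
        if ci_id not in cmdb:
            result["removed"].append(ci_id)
        elif fingerprint(cmdb[ci_id]) != expected:
            result["changed"].append(ci_id)
        else:
            result["unchanged"].append(ci_id)
    return result


def check_relationships(cmdb: Dict[str, CI]) -> List[str]:
    """PR11.3: list relationships that point at a CI the CMDB does not hold."""
    dangling = []
    for ci in cmdb.values():
        for other in ci.related_cis:
            if other not in cmdb:
                dangling.append(f"{ci.ci_id} -> {other}")
    return dangling


def sample_cmdb() -> Dict[str, CI]:
    """Constructed sample CMDB with three CIs (hypothetical names and values)."""
    cis = [
        CI("web-01", "Front-end web server", "server", "live", "os-2016.09", "DC-A rack 3",
           related_cis=["app-svc"], service_components=["web-tier"], requests_for_change=["RFC-0001"]),
        CI("app-svc", "Application service", "software", "live", "2.4.0", "web-01",
           related_cis=["db-01"], service_components=["app-tier"], known_errors=["KE-0007"]),
        CI("db-01", "Database server", "server", "live", "os-2016.09", "DC-A rack 4",
           service_components=["data-tier"]),
    ]
    return {ci.ci_id: ci for ci in cis}


if __name__ == "__main__":
    cmdb = sample_cmdb()
    baseline = take_baseline(cmdb, ["web-01", "app-svc"])   # before the release
    cmdb["app-svc"].version = "2.4.1"                        # release changes a CI
    del cmdb["db-01"]                                        # and a CI vanishes unrecorded
    print(verify(cmdb, baseline))                            # planned-interval check
    print(check_relationships(cmdb))
```

The baseline is the artefact an auditor will ask for next to the release record: keep it with the release, and run verify on a schedule rather than only when something breaks, since a changed or removed CI that no request for change accounts for is exactly the drift PR11.4 and the ISO/IEC 20000-1 clause are meant to surface.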

3. Documented procedures required by ISO/IEC 20000-1

FitSM-1, according to GR2.2, does not require any specific process- or activity-specific procedures. Instead, FitSM-1 leaves it up to the IT service provider to
decide which specific procedures should be documented as part of the SMS to support repeatable, consistent execution of processes and their activities.

In contrast to FitSM-1, ISO/IEC 20000-1 requires a set of specific procedures (including the authorities and responsibilities) to be documented to achieve full
compliance with the standard. The following is a list of these procedures, as specified in ISO/IEC 20000-1:2011, together with the number of the section /
clause in ISO/IEC 20000-1 where the requirements for the respective procedures are defined:

 Procedure for (general) communication (4.1.3)
 Procedure for the control of documents (4.3.2)
 Procedure for the control of records (4.3.3)
 Procedure for managing audits (i.e. planning and conducting audits, reporting results and maintaining audit records) (4.5.4.2)
 Procedure for managing improvements (i.e. identifying, documenting, evaluating, approving, prioritizing, managing, measuring and reporting of
improvements) (4.5.5.1)
 Procedure(s) to be implemented in the event of a major loss of service, as part of a service continuity plan (6.3.2 a)
 Procedure for budgeting and accounting for service components (6.4 a)
 Procedure for apportioning indirect costs and allocating direct costs to services (6.4 b)
 Procedure for financial control and approval (6.4 c)
 Procedure(s) for predictive capacity / performance analysis, as part of a capacity plan (6.5 f)
 Procedure to manage service complaints from the customer (7.1)
 Procedure to manage contractual disputes between the service provider and suppliers (7.2)
 Procedure for incident recording (8.1 a)
 Procedure for incident prioritization (8.1 b)
 Procedure for incident classification (8.1 c)
 Procedure for updating incident records (8.1 d)
 Procedure for incident escalation (8.1 e)
 Procedure for incident resolution (8.1 f)
 Procedure for incident closure (8.1 g)
 Procedure for managing the fulfilment of service requests (8.1)
 Procedure for informing the customer and interested parties and escalating, if service targets cannot be met (8.1)
 Procedure for classifying and managing major incidents (8.1)
 Procedure for problem identification (8.2 a)
 Procedure for problem recording (8.2 b)
 Procedure for problem prioritization (8.2 c)
 Procedure for problem classification (8.2 d)
 Procedure for updating problem records (8.2 e)
 Procedure for problem escalation (8.2 f)
 Procedure for problem resolution (8.2 g)
 Procedure for problem closure (8.2 h)
 Procedure for recording, controlling and tracking versions of CIs (9.1)
 Procedure for recording, classifying, assessing and approving requests for changes (9.2)
 Procedure for managing emergency changes (9.2)
 Procedure for managing emergency releases (9.3)

4. Records required by ISO/IEC 20000-1

FitSM-1, according to GR2.3, requires the execution of key activities to be recorded. However, FitSM-1 leaves it up to the IT service provider to decide which
specific activities as part of an SMS are so vital that their execution should be recorded.

In contrast to FitSM-1, ISO/IEC 20000-1 requires a set of specific activities to be recorded and the respective records to be maintained to ensure traceability
of the activities, their execution and results. The following is a list of the records to be created and maintained, as specified in ISO/IEC 20000-1:2011,
together with the number of the section / clause in ISO/IEC 20000-1 where the requirements for the respective activities and records are defined:

 Records of education, training, skills and experience (4.4.2)
 Records of (the results of) internal audits / audit records (4.5.4.1)
 Records of (the results of) management reviews (4.5.4.1, 4.5.4.3)
 Records of the evaluation of other parties in their ability to fulfil the service requirements (5.2)
 Records of monitoring trends and performance against service targets (6.1)
 Records of monitoring the performance of internal groups or customers providing service components (6.1)
 Records of monitoring service availability (6.2)
 Records of tests of service continuity plans (6.3.3)
 Records of customer service complaints (7.1)
 Records of measuring supplier performance (7.2)
 Incident records (8.1)
 Service request records (8.1)
 Problem / known error records (8.2)
 Configuration records / records of CIs (9.1)
 Change records / records of requests for changes (9.2)
 Records of analyzing requests for changes (9.2)
 Records of analyzing releases for success (9.3)