Informationsteknik: allmänt

Kommittébeteckning: SIS/TK 303 (IT-system och IT-tjänster)
Källa: ISO
Svarsdatum: den 6 jan 2019
Se merSe mindre
 

1.1 General

This document provides guidance on the application of an SMS based on ISO/IEC 20000-1. It provides examples and recommendations with examples to enable organizations to interpret and apply ISO/IEC 20000-1, including references to other parts of ISO/IEC 20000 and other relevant standards.

Figure 1 illustrates an SMS with the clause content of ISO/IEC 20000-1. It does not represent a structural hierarchy, sequence, or authority levels. It shows that the guidance for Clause 8, Operation of the SMS, has been split into sub-clauses to reflect the service lifecycle.

The structure of clauses is intended to provide a coherent presentation of requirements, rather than a model for documenting an organization’s policies, objectives, and processes. Each organization can choose how to combine the requirements into processes. The relationship between each organization and its customers, users, and other interested parties influences how the processes are implemented. However, 179 an SMS as designed by an organization cannot exclude any of the requirements specified in ISO/IEC 20000-1.

The term ‘service’ as used in this document refers to the services in the scope of the SMS. The term ‘organization’ as used in this document refers to the organization in the scope of the SMS. The organization manages and delivers services to customers and can also be referred to as a service provider. Any use of the terms ‘service’ or ’organization’ with a different intent is distinguished clearly in this document. It should be noted that the organization in the scope of the SMS can be part of a larger organization, for example an IT department of a large corporation. The term ‘delivered’, as used in this document, can be interpreted as all of the service lifecycle activities that are performed in addition to daily operational activities. Service lifecycle activities include planning, design, transition, and improvement.

1.2 Application

The guidance in this document is generic and is intended to be applicable to any organization applying an SMS, regardless of the organization's type or size, or the nature of the services delivered.

The service provider is accountable for the SMS and therefore cannot ask another party to fulfill the requirements of Clauses 4 and 5 of ISO/IEC 20000-1. For example, the organization cannot ask another party to provide the top management and demonstrate top management commitment or to demonstrate the control of parties involved in the service lifecycle.

Some activities in Clauses 4 and 5 may be performed by another party under the management of the organization. For example, organizations can engage other parties to conduct internal audits on their behalf. Another example is when an organization asks another party to create the initial service management plan. The plan, once created and agreed, is the direct responsibility of and is maintained by the organization. In these examples, the organization is using other parties for specific short-term activities. The organization has accountability, authorities, and responsibilities for the SMS. The organization can therefore demonstrate evidence of fulfilling all of the requirements of Clauses 4 and 5 of ISO/IEC 20000-1.

For clauses 6 – 10 of ISO/IEC 20000-1, an organization can show evidence of meeting all of the requirements itself. Alternatively, an organization can show evidence of retaining accountability for the requirements when other parties are involved in meeting the requirements in Clauses 6 to 10 of ISO/IEC 20000-1. Control of other parties involved in the service lifecycle should be demonstrated by the organization (see 8.2.3). For example, the organization can demonstrate evidence of controls for another party who is providing infrastructure service components or operating the service desk including the incident management process.

The organization cannot demonstrate conformity to the requirements in ISO/IEC 20000-1 if other parties are used to provide or operate all services, service components or processes within the scope of the SMS. However, if other parties provide or operate only some of the services, service components, or processes, the organization can normally demonstrate evidence of meeting the requirements specified in ISO/IEC 20000-1.

The scope of this document excludes the specification of products or tools. However, ISO/IEC 20000-1 and this document can be used to help with the development or acquisition of products or tools that support the operation of an SMS.

1.3 Structure

This document follows the clauses in ISO/IEC 20000-1 and, from clause 4 onwards, provides three sections per clause or sub-clause:

a) Required activities: a summary of the activities required by this clause in ISO/IEC 20000-1—note that this does not replicate the requirement statements in ISO/IEC 20000-1 or add new requirements, but simply describes the activities;

b) Explanation: an explanation of the purpose of the clause and practical guidance on clause contents, including examples and recommendations with examples on how to implement the requirements of ISO/IEC 20000-1;

c) Other information: guidance on roles and responsibilities and on documented information supporting the implementation of an SMS. Further relevant information may also be included.

Kommittébeteckning: SIS/TK 303 (IT-system och IT-tjänster)
Källa: ISO
Svarsdatum: den 6 jan 2019
Se merSe mindre
 

This document includes guidance on the scope definition and applicability to the requirements specified in ISO/IEC 20000-1.

This document can assist in establishing whether ISO/IEC 20000-1 is applicable to an organization’s circumstances. It illustrates how the scope of an SMS can be defined, irrespective of whether the organization has experience of defining the scope of other management systems.

The guidance in this document can assist an organization in planning and preparing for a conformity assessment against ISO/IEC 20000-1.

Annex A contains examples of possible scope statements for an SMS. The examples given use a series of scenarios for organizations ranging from very simple to very complex supply chains.

This document can be used by personnel responsible for planning the implementation of an SMS, as well as assessors and consultants. It supplements the guidance on the application of an SMS given in ISO/IEC 20000-2.

Requirements for bodies providing audit and certification of an SMS can be found in ISO/IEC 20000-6:2017 which recommends the use of this document.

Se merSe mindre
 

This document gives guidelines for how to process and resolve potential vulnerability information in a product or service.

This document is applicable to vendors involved in handling vulnerabilities.