ITI and ISO 20000 - A Comparison

ITI and ISO 20000 - A Comparison

ITI and ISO 20000 - A Comparison
 ITI and ISO 20000 - A Comparison

Best practices vs. standard

Back to basics: ITIL is a library, a set of best practices, described processes and functions in a service lifecycle path. It is mostly descriptive, not prescriptive. Life is full of possibilities with ITIL. You can, but you don’t have to, implement any of the processes. Or all. Or none. Although ITIL was often addressed as a de facto standard in IT Service Management (ITSM), it is important to state that ITIL is a best practices library; it is NOT a standard. ITIL is full of advice, what you could, sometimes should do, what would be best and so on. It does not have hard requirements about what HAS to be done in order to comply. Therefore, ITIL is not fully auditable.
ISO/IEC 20000, on the other hand, is an auditable norm. The 2011 version has 256 hard requirements which have to be met. It provides a full set of processes a company HAS to implement if it wishes to obtain a certificate. A bit more precisely, the norm has two main parts:
  • ISO/IEC 20000-1 – requirements, what SHALL be done
  • ISO/IEC 20000-2 – code of practice, a guidance as to HOW it should be done in more detail
Download Also:

Certification of individuals vs. certification of organizations

Another important aspect: the ITIL certification path is created for individuals. People study and pass foundations, intermediate and expert levels. They get the certificate and take it with them. ISO/IEC 20000 is focused on the IT Service Organization. It helps to capture knowledge about IT Service as an intellectual property of the company, and helps individual employees to get by in a day-to-day IT Service realm by following a set of simple but strict rules established during a process of preparation for the certification. 

An overview of ITIL..

ITIL has come quite a long way from the previous V3 version where we had only 10 processes and one function. In its current version, ITIL is based on five volumes representing the five service lifecycle stages addressing some 26 processes and four functions. For the new people in the house, let’s have a quick overview of lifecycle stages and processes/functions:   ITIL experienced a significant increase of content volume in 2007 when version V3 was introduced, and more still in a 2011 refresh. 
The big difference is a strong turn toward copyrighting, probably in order to finance the growing ITIL food chain: publishers, authorized training organizations, examination boards, etc.  On the other hand, creating this volume of relevant knowledge and best practices was a remarkable effort and one has to think about the future.

And a bit about ISO 20000 
A 2011 edition of ISO/IEC 20000 addressed some of the changes in ITIL 2011 and also adhered to other neighbouring ISO norms. This motivated a lot of IT Service organizations to consider ISO20k as a service management improvement tool. Here is a quick schematic diagram of ISO/IEC 20000 processes:

1-BASIC OVERVIEW  ITIL is a best practices framework, regarded in five service lifecycle stages: Strategy, Design, Transition, Operation and CSI.  ISO/IEC 20000 adopts a PDCA (Plan, Do, Check, Act) Deming lifecycle, similar to other ISO norms. This can also be observed parallel to a 7-Step CSI improvement process in ITIL CSI. Processes are organized into groups: Service Delivery, Relationship, Resolution and Control.


Further into the text, you'll find an explanation of the relationship between ITIL and ISO 20000, for each group of processes:  Strategy, Design, CSI / 6. Service Delivery  SLM or Service Level Management (6.2) lives both in ITIL Design stage and in ISO20k Service Delivery process group. It is a mature ITSM process (one of four ITIL key processes), but a very delicate one, depending on all other Service Delivery processes. ISO20k provides a strict set of 14 requirements described briefly in a code of practice. 
For a deep understanding of the process, one needs experience and knowledge of ITIL processes. For example, one of the requirements is to agree with the customer on a catalogue of services containing dependencies between services and service components. This requires an in-depth knowledge of ITIL; foundations-level knowledge will not suffice here.

6.2 Service Reporting was a distinct process in a CSI book of previous ITIL V3 edition; but, in the new 2011 edition, it was decided that reporting activities are too important for most of the processes in all lifecycle stages and shouldn’t be dealt with as a single process. So, bits and pieces of Service Reporting can be found in all processes, like in SLM, and as a METHOD in ITIL CSI book, not a process.  In ISO20000 Service Reporting it has only five requirements, but they are rather demanding, and they all make sense.

IT Service Continuity Management and Availability Management in ITIL are combined in ISO20k as 6.3 Service Continuity and Availability Management, which makes sense when you implement a strict auditable process. It is internally divided into three chapters: requirements, plans and monitoring & testing. Altogether, there are 18 strict requirements.  ITIL Capacity Management is an important process in Service Design. 
In ISO20k it is described in 6.5 by six requirements, the one concerning Capacity Plan being the most demanding. ITIL elaborates in detail about resource, service and business capacity management.  6.4 Budgeting and Accounting for IT Services is parallel to ITIL’s Service Strategy’s Financial Management process, where, besides Budgeting and Accounting, a Charging procedure is described.

6.6 Information Security Management is one of the most elaborate ISO20k processes.
 Companies which have ISO/IEC 27001 Information Security Management System adopted would benefit significantly from it here. They can simply refer to it for most of the requirements. Careful here, the scope of 20k and 27001 should be at least similar. Business organizations not having an ISMS should put forth much more effort than the size of ITIL Service Design chapter indicates.

Design / 7. Relationship Processes
7.1 Business Relationship Management and 7.2 Supplier Management are Quality Management System terms which also appeared in ITIL V3 Service Design in 2005. No news here in 2011 edition.
Operation / 8. Resolution Processes
 ITIL’s Request Fulfillment (new in ITIL V3) and Incident Management are combined in ISO20k 8.1 Incident and Service Request Management. It is definitely a thoroughly elaborated process in the history of ITSM. Due to its firefighting nature, it is usually the first one to be implemented in a new ITSM organization. IM is also a key process in ITIL.  Another key process in ITIL is Problem Management. 
As opposed to Incident Management, PM is a simple process performed by expensive people. Problem Management in ITIL was rather straightforward, yet contradictory. What is reactive PM, how is proactive PM done, how is the Problem being identified? These are the little things that changed in subsequent ITIL editions. Even in ISO20k we experienced some minor conceptual changes. Nevertheless, this should be one of the easiest processes to implement, if nine simple requirements are followed. On the other hand, if adequate attention is given to Problem Management, it will reward the service organization twofold with all the benefits mentioned in ITIL.

ITIL V3 had a single Service Desk function (It was called HelpDesk in V1) for ages, and now there are V3 more functions in V3: Operations, Application and Technical management. ISO20k is process oriented; no functions are defined in it. If a service organization wishes to implement these functions, it has to refer to ITIL.
Transition / 9. Control Processes
Configuration Management was a key process in ITIL V3. Everything depended on this: do we know what we have, where it is, how it works and who changed it. Configuration Management provides key info for all ITSM key processes. There are 14 strict requirements in ISO20k clause 9.1. Any ITSM organization that has been in the market for a few years has developed a Configuration Management process.

9.2 Change Management: Twenty-four requirements in ISO 20k should indicate the importance of this process. In a young SM company, diagnostics for most of the incidents starts with “What did you change?” This is a killer key process in ITIL and it is usually recognized right after the implementation of Incident Management. A rule of thumb: 80% of incidents are there because of bad Change Management.

Release and Deployment Management. In both former editions, ITIL and ISO20k, it was called Release Management. To describe it better, “deployment” was appended to a process name. Now we have a better image of what it is: Physically performing changes after the change process is done. That’s called deployment. Service Organization has to manage the people, resources and services impacted. One Change can be done in multiple Releases, and one Release can come from multiple Changes. In practice, most of the ISO20k auditors will approve combining change and release management process.

How do ITIL and ISO 20000 fit together?

In an ITSM pyramid things are layered in the following order:     
ISO/IEC 20000 provides strict requirements (WHAT) and a simple code of practice (HOW). The story is further expanded by ITIL experience and best practice framework as a detailed guidance about processes and functions. At the base are basic in-house procedures and work instructions, from core business and other implemented standards/methodologies (ISO, PMI…)  Both stories came from the same place and both got refreshed in 2011. How well do they fit together and have they grown apart? In a nutshell, ISO 2000 emerged initially from ITIL V3, and did not evolve much in volume, but requirements got much more realistic in 2011. On the other hand, ITIL was inflated almost double in V3, so the 2011 refresh also was more about quality then quantity.

An IT Service organization can use ITIL to implement ITSM processes according to best practices, and ISO20k can be used for implementation and measurement of essential processes.  The pyramid can be approached from both sides. A question for you: in the current maturity stage, what would you do first it in your organization – would you go for ITIL implementation or ISO/IEC 20000 certification?

Related Topics:
The best answer to this would be – implement them together. ISO 20000 can be used for implementation and measurement of essential high-level processes, while ITIL is perfect for details – it is invaluable when it comes to developing every step in ITSM processes.
The Author: Ala'a Elbeheri
                                           Ala'a Elbeheri
A versatile and highly accomplished senior certified IT risk management Advisor and Senior IT Lead Auditor with over 20 years of progressive experience in all domains of ICT.  
• Program and portfolio management, complex project management, and service delivery, and client relationship management.      
• Capable of providing invaluable information while making key strategic decisions and spearheading customer-centric projects in IT/ICT in diverse sectors.    
• Displays strong business and commercial acumen and delivers cost-effective solutions contributing to financial and operational business growth in international working environments.      
• Fluent in oral and written English, German, and Arabic with an Professional knowledge of French.  
• Energetic and dynamic relishes challenges and demonstrates in-depth analytical and strategic ability to facilitate operational and procedural planning.  
• Fully conversant with industry standards, with a consistent track record in delivering cost-effective strategic solutions.    
• Strong people skills, with proven ability to build successful, cohesive teams and interact well with individuals across all levels of the business. Committed to promoting the ongoing development of IT skills  throughout an organization.

Post a Comment

Previous Post Next Post