I’ve just returned from the International standards meeting – with my brain fizzing with ideas and the events of last week. Preparing for the meeting is incredibility time consuming, and the meeting itself packs a huge amount of work into six days.
It was a Plenary meeting – they happen only once a year and it is this type of meeting where most of the important decisions are made so we need to debate and agreed on a very wide range of topics. The ballots on four documents had also just finished, each ballot being accompanied by comments which we needed to resolve and agree changes to the next edition.
The other thing that was on the agenda was the result of the market research carried out JTC1/SC7’s “Study Group 1099”, which looked at what was required for service and systems management standard, and how these should be integrated with the other standards used by the IT industry. This included the survey announced in my blog April 3rd 2009. Not only were the results very interesting to the study group, but they were discussed during the meeting and we now have agreement to move forward on the recommendations.
Everyone who did the survey had the chance to ask for a summary of the results and this will be sent out within the week to everyone that asked for it. The headlines are.......:”The service management industry does not want proliferation of standards, methods or frameworks that rely on different approaches, use different terms and have different scopes. Too much choice is not a good thing. The most common request for improvements was for more easily understood text”. This request wasn’t just about International standards, it was also about other standards, methods and frameworks used in the IT service management industry.
We were asked for official ISO documents that showed how standards such as ISO/IEC 20000-1 (IT service management), ISO/IEC 27001 (Information security) and of course the widely used ISO 9001, each relate to each other. That’s the relatively easy part. They are all international standards, all the copyright is owned by ISO. They are all management system standards so there are common features. Mapping one to another can be at the level of sub- clauses containing similar requirements. It’s already possible to have a common quality management system across all three, but mapping across them and perhaps including the mapping in the 20000 series would make this easier.
Your recommendations for improvements didn’t stop there – you also wanted closer alignment, which was the term used for adopting the same terms across all standards, methods and frameworks and ensuring the scope was the same for all aligned documents. The most common suggest ion was for there to be alignment between ISO/IEC 20000 and ITIL or COBIT. ISO/IEC 27001 was also of interest.
The final requirement was for some documents to be actually integrated. This was normally that the clause with security requirements in ISO/IEC 20000-1 should be based on ISO/IEC 27001, so that being certified under ISO/IEC 27001 meant that there would normally be a ‘tick in the box’ for the security clause when being audited under ISO/IEC 20000-1.
We’d guessed ahead on what would be requested for some topics. Work has just started on ISO/IEC 90006, which is to be guidance on the application of ISO 9001:2000 to the next version of ISO/IEC 20000-1. We have also just nominated two technical specialists to be co-editors for ISO/IEC 27013, which is guidance on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001. I’m so convinced that this is a good idea that I’ve volunteered to be (again) one of the technical editors, along with a new member of the service management committee, who represents the Ivory Coast. This is an information security group project. They had identified that the information security standard and the service management standard were often used together, so they asked us to get involved.
One of the most important recommendations from the market research and the survey is that we are setting up an additional ad hoc committee that I will be chairing. This committee is tasked with talking to the owners of other service management documents on establishing options for cooperative working to delivery mapping, alignment and integration of a coherent set of standards, methods and frameworks for the IT service management industry. This is cooperative work on documents where the copyright is owned by different organisations. We will also be in touch with the committee that develops ISO 9001 – the “grandfather” of all management system standards, and a strong influence on both ISO/IEC 20000-1 and ISO/IEC 27001, although both of these can be used separately. I’m really excited at the prospect of what we may be able to achieve – not the least because it was what many of you asked for during our research.
We believe that knowing what the IT service management industry wants is hugely important. When planning what we do to the current editions of ISO/IEC 20000 series we should have a clear view of what is needed (and wanted), not what we decide is a good idea. One of my personal mantras has always been ‘standards development should be market driven, not supply led’. I’m hoping that the international standards group will want to make the survey a repeat event, perhaps not every year, but certainly every two years so that we can continue to develop a business plan influenced by the results.
It was a very busy week but we made very good progress with the new Part 3, Guidance on scoping, applicability and conformity assessment. It passed its last ballot and during the meeting there was agreement that Part 3 had gone through all the necessary technical editing stages and now only needs to have some minor editorial corrections before it is sent to ISO for publication.
We also made a lot of progress with Part 4, the IT service management process reference model that is being developed as the basis for an IT service management process assessment model. Aligning and integrating a management system standard like ISO/IEC 20000-1 with a five level process reference model and process assessment model has been a difficult undertaking. Looking back, despite all the excellent work done by the committee members it was far harder than we expected. We were encouraged to persists - it would not be sensible of us to do market research, identify that the IT service management industry wanted a coherent and integrated set of standards and then to ignore what was requested and produce standalone documents. So yet again the feedback from the survey was valuable.
The two approaches are both useful but also very different. It would be much easier if the requirements in the management system standard mapped neatly onto the same level of maturity or capability, but they don’t. The requirements in the management system standard are equivalent to different levels, ranging from some level 2 through to some level 5.
It’s also very hard to map requirements such as “management responsibilities” which are not clearly process based as, for example, is the incident management process. It becomes necessary to ‘translate’ some requirements into processes without losing the spirit and intent of the requirement in the management system.
Having struggled initially to identify the problem we had a breakthrough last week and have not only identified an effective way of doing this, this was thoroughly tested during the meeting and we have also made a great deal of progress in completing it. The result will be Part 4 going through its next ballot in much better state. Once the process reference model is stable we can complete the process assessment model. Fulfilling this vision of an integrated set of international IT service management standards will mean an organisation can use either the management system or the multi-level assessment, or even better they can use one to support the other, without any need to force a fit between the two different approaches. The IT serviced management process reference model and process assessment model will also still work with others in the ISO/IEC 15504 series, which is frequently referred to as ‘SPICE’.
We also agreed that Part 5 – an example implementation plan for implementing the changes needed to meet the requirements of ISO/IEC 20000-1. This is about to go to the last ballot with the expectation that all technical issues have been resolved. It has been written so that there will need to be little or no change to the wording when a new version of Part 1 is produced and replaces the original service management system requirements published in late 2005.
The IT service management group is now the largest in SC7 and has an unusually wide range of national representatives, with more countries joining each meeting. We’ve become a logistic problem for the meeting organisers – not only do we need a very large room for when we all meet together, we also often split into specialist groups to work on different parts of the 20000 series. The growth in membership is to due to the international importance of IT service management. This is ensuring we understand the different views of the industry as a whole and cultural and language barriers that create problems for adoption of the 20000 series. I have learned far more about the English language than my teachers ever managed to get into my head at school.
We’ve made progress with the revisions of this Part 1, with the largest specialist sub-group always being the one focused on Part 1. Resolution of technical review comments has traditionally been done at face to face meetings, not an easy task to achieve with only two meetings a year. Instead there has now been official recognition of the need for us to use electronic meetings, supported by collaborative tools. The IT service management group has volunteered to be part of a pilot. We will still follow strict procedures to ensure all members have an equal opportunity to become involved.
It wasn’t all easy last week – the silliest things can cause problems: while I was at the meeting both my phone and laptop developed problems. Getting the laptop fixed was easy – getting the phone sorted out was a nightmare. This saga continues back here and is an example of how to deliver really bad service to a long term customer – who is unlikely to be a customer for much longer.
The rest of the time at the meeting was hard work but it was worth the effort. And again many thanks for completing the survey, it was very much appreciated and as you will see over the coming months, we listened very carefully.
Any feedback and comments are always welcome!
1st June 2009
I enjoyed your article on the ISO plenary meeting from last week. I would very much be interested in participating in the committee for ISO/IEC 27013. We have a huge stake in ISO 20000 and ISO 27001 and I would like to assist in this endeavor.
Thanks for your consideration,