is the online magazine of BSI Group, highlighting the vital role that standards play in today's business environment by helping organizations improve quality, save money, reduce risk and be more sustainable. Features include interviews with leading business figures, as well as news on the latest developments in management systems, standards, testing, healthcare and certification.
How to get IT to meet your needs: ISO/IEC 20000
26 Aug 2011
Topics: IT Service Management (ITSM), IT Infrastructure Library (ITIL), ITSMF, ISO/IEC 20000, Outsourcing
IT has become central to virtually every business process. But it is not always oriented towards delivering what the business needs.
Some critics argue that IT is still too often viewed as a cost centre and that technology alone doesn't deliver value. As Brian Flora puts it in his blog for CIO.com, "Technology is beneficial to a business only to the extent that it facilitates the delivery of a service. The ROI on a piece of hardware is zero - it is the service or services provided that generate the ROI."
How can organizations ensure that the IT services they pay for are truly generating ROI? The answer seems to lie in making sure that IT is business led and aligned to customer needs. This customer orientation can be achieved when businesses adopt IT Service Management.
Turning it around
Broadly speaking, IT Service Management is an approach based on what the customer wants, rather than on what the technology can deliver. "The IT department needs to be right in the centre of what the business is trying to achieve, at a strategic decision-making level. That way, it has visibility of what the business wants to do early on," says David Fatscher, BSI's Sector Development Manager in ICT. "The emphasis on the word 'service' says that the IT department has to recognize the business as its customer, not the other way round."
What, in practice, does managing IT services with a customer orientation look like? Well, for example, calls to the help desk would be logged, fixed and then reviewed together - not just fixed in isolation and filed away individually. By taking this overview approach, the IT department can look for patterns and proactively fix an underlying problem, more effectively underpinning the functions of the business.
Conversely, if ITSM isn't used, in the worst case scenario an outsourced IT service provider may have a commercial incentive not to find an underlying problem, as it would reduce the number of help desk calls. Good business for the IT provider, but of no value whatsoever to its customer.
ITSM as a discipline has been with us since about the mid-1990s. It was then that the UK government began to outsource IT services to private sector providers, and became concerned about comparing what different IT providers could offer on a level playing field.
This gave rise to a series of publications, produced by the then Central Computer and Telecommunications Agency (CCTA). These publications set out a practical, no-nonsense framework for identifying, planning, delivering and supporting IT services to a business and became collectively known as the IT Infrastructure Library (ITIL).
Today, ITIL is the most widely adopted approach to ITSM in the world - a recent estimate says there are around 150,000 users of ITIL worldwide. That's not to say it's the only methodology, but without question it reigns as the most influential and best known.
What's important is that ITIL advocates that IT services must be aligned to the needs of the business and underpin the core business processes. IT should be seen as a strategic asset that works for and with the business to create value. Alongside the publications, a variety of training courses and certifications have been developed to certify individuals and help organizations with effective implementation.
A standard is born
Arguably, the existence of ITIL negated the need for a standard. However, the IT Service Management Forum (itSMF) felt otherwise, and this led to the development of a British Standard, BS 15000, that was subsequently adopted as international standard ISO/IEC 20000 for IT Service Management in 2005.
What does the standard do that ITIL alone doesn't? ISO/IEC 20000 is based on ITIL - ITIL best practices form the foundation of the standard - but, whereas ISO/IEC 20000 stipulates requirements, ITIL provides guidance.
It follows that ITIL has no mechanism for third-party assessment of organizations. This cuts two ways: organizations that scrupulously apply ITIL have no way to demonstrate their achievement compellingly to the market; meanwhile organizations not applying ITIL comprehensively can still make claims based on their ITIL-certified staff. The lack of third-party verification weakens ITIL somewhat.
In addition, the regular third-party reviews that happen within certification to ISO/IEC 20000 mean that the quality of the implementation is regularly audited and benchmarked: this drives the momentum of improvement. Moreover, continuing certification to the standard requires evidence of that continual improvement. The standard means that the implementation of ITSM is more rigorous and continuous improvement more embedded. And, as an international standard, the ISO provides a truly international platform for a common understanding of ITSM worldwide.
Ultimately, the greater credibility of ISO/IEC 20000 certification has meant that procurers of IT services, especially in the public sector, now increasingly look for the certification more than they look for ITIL alone.
As long ago as 2003, the UK's National Programme for IT built a requirement for BS 15000 certification into contracts with its suppliers for the National Care Records Service. And as recently as September 2010, the US Airforce started requiring ISO/IEC 20000 certification from sourcing providers to its Enterprise Integration and Services Management (EISM) system. This is only the first of several US federal agencies set to require certification to the standard from their IT service providers.
Putting it into practice
ISO/IEC 20000 can bring important benefits. Brazilian firm Prodesp believes passionately that understanding the information and communication needs of its clients enables it to supply innovative solutions that contribute to the efficiency and quality of public sector services.
Prodesp provides information and communication technology solutions and principally data centre services to the government of São Paulo, the biggest state of Brazil. Besides its headquarters in Taboão da Serra, in the metropolitan region of São Paulo, the company has underlined its customer focus by decentralizing. Many of its 1,800 employees now work in units that operate in the offices of customers, providing closer and more effective alignment to deliver what its customers want.
Prodesp has also worked with BSI to achieve certification to ISO/IEC 20000 as well as to ISO 9001 and ISO/IEC 27001. "Using these standards maximizes our results and minimizes the risks to our business and to that of our customers," says Douglas Viudez, Director of Production and Services at Prodesp. "In addition, in a market where competition is growing and customers are increasingly demanding, the certifications are a point of differentiation. They demonstrate that we make a strategic investment in developing our products and services, and customers value this."
Moreover, Viudez notes that customers are always looking to add value to their products and services, and indeed they will do so if they work with suppliers who use best practice and seek continuous customer-oriented improvement. Consequently, "We know that what Prodesp does contributes to the success of our customers' products and services," he says. "The certifications ensure the value we can give customers is always maximized."
The certifications, including to ISO/IEC 20000 IT Service Management, play a key role in delivering what the customer needs, rather than in delivering technology alone.
Business Standards © 2010. Editorial produced by Caspian Publishing in association with The British Standards Institution. Editorial opinions expressed on are not necessarily those of BSI Group or Caspian Publishing. Neither Caspian Publishing nor BSI Group accept responsibility for advertising or editorial content, nor for that appearing on linked third-party websites. Reproduction in whole or in part is forbidden without written permission from BSI Group or Caspian Publishing.
While there was a time when companies would never consider working alongside the competition, today's marketplace demands a more flexible approach. Collaboration is fast becoming par for the course. For example, large government contracts often require expertise that goes far beyond any one company's capacity to deliver. Forming a consortium brings together the right experience in the right place, and it can mean the difference between winning or losing a tender.
Gerda, a leading developer and manufacturer of products for the security industry, has become the first company to be awarded the Kitemark for thief-resistant lock assemblies, in line with BS 10621:2007 Thief resistant dual-mode lock assembly.
Sapphire earns a standards hat-trick
Sapphire Energy Recovery, the waste processing and resource recovery business owned by Lafarge Cement, has achieved certification to three management systems standards (ISO 9001 Quality management, ISO 14001 Environmental management and BS OHSAS 18001 Health and safety management) from BSI. Sapphire is the UK's leading processor of used tyres, and sources and manages the logistics of a range of waste-derived fuels and raw materials for the cement industry.
Airbus in the UK has achieved certification to BS 25999, the Business Continuity Management (BCM) standard, following an audit from BSI. The certification covers Airbus? wing manufacturing site in Broughton, North Wales and becomes the first aerospace manufacturing company to receive certification to this standard by BSI.
Monarch Airlines chooses BSI for its European Union Emission Trading System (EU ETS) verification
Monarch Airlines has selected BSI as its provider of verification services against the requirements of the EU ETS directive. This comes in response to the industry's requirement to monitor its CO2 emissions and demonstrate compliance with the directive by submitting a verified annual emissions report by 31 March every year from 2011 onwards.
Question: This year marks the 25th anniversary of data protection regulation in the UK. Does the fact that such legislation exists mean that standards do not have a big role to play in the data protection puzzle?
First of all, the fact that there is legislation in place does not mean standards do not have a role to play. Quite the contrary: in many cases, standards offer a framework for businesses to better prepare and comply with legislation.
Have a standards-related question for BSI or a comment on the website? We'll find the right person to answer.
