The 2nd edition of ISO/IEC 20000-1 was published in April 2011. Adopting the standard will produce improvements in service management and service delivery leading to business benefits for organizations.
When considering certification to ISO/IEC 20000, one of the first things to be done is to define the scope of the service management system (SMS). Are you going to include all of your services, some of your services, only IT or more than IT? ISO/IEC 20000-1 includes requirements for defining scope and ISO/IEC 20000-3 includes guidelines.
The requirements for defining scope
ISO/IEC 20000-1 Clause 4.5.1 states the requirements for defining the scope of the SMS. It requires the scope statement to be included in the service management plan which will set the context for the whole plan.
There are two items that must be included in the scope statement:
name of the service provider delivering the services
the service(s) to be provided.
The name of the service provider can be the whole organization or can refer to the specific service provider area within the organization. For example, it can be ‘Organization A’ or ‘the IT department of Organization A’.
The services to be provided can be generically described as ‘all IT services’ or more specifically described e.g. all desktop services, all services to customer B, SAP support services.
There are four items that must be considered when defining the scope. These items can optionally be included in the scope statement:
location(s) where the service provider delivers the services
Taking each of these in turn, location of the service provider could be a data centre, an office or various sites. There may be several sites included in the scope or just one. Auditors usually like to specify the sites that are included in the scope.
The customer can be defined if it helps to define the scope e.g. all internal users, the finance department, external customers.
The customer location can be defined if the service is limited to specific locations for the customer e.g. all internal users at the head office site, all external customers in the UK.
The technology can support the definition of the services e.g. desktop services, application support services, SAP support service, telecoms services.
IT or beyond?
ISO/IEC 20000-1 is largely used for IT services. The definition of IT in this case is taken from ISO/IEC 38500:2008:
information technology (IT)
resources required to acquire, process, store and disseminate information
NOTE Includes Communication Technology (CT) and the composite term Information and Communication Technology (ICT).
From this we can see that IT can include hardware infrastructure, software applications, telecoms, cloud computing, networks and much more.
ISO/IEC 20000-1 has the term Information Technology on the title page but not throughout the standard. It can be applied to any service as long as all of the requirements can be met. There has been a certificate awarded for business process outsourcing services in India.
Guidelines for defining scope
The scope statement should be easy to understand and unambiguous.
There is no need to include the names of other parties involved in the services e.g. suppliers, or the names of the processes – they are defined in ISO/IEC 20000-1.
A service catalogue can be referenced in the scope statement but it is not good practice as it is not clear what the scope is. If the service catalogue is included because it is too complex to specify the scope in other ways, do not include the version or date as this may change if the catalogue is updated. If the catalogue is in the scope statement, then it is essential that all services in the catalogue meet the requirements of ISO/IEC 20000-1.
Exclusions can be included in the scope statement to aid clarity although this is unusual.
The scope can only be for a single legal entity. If all of the requirements are satisfied by two companies working together, then this is not a valid scope.
The commercial status is irrelevant to the scope. For example, the infrastructure could be owned, leased or in the cloud. The service provider can be internal or external to the customer. The terms of a contract cannot be used to reduce the service provider’s obligations to fulfil all the requirements of ISO/IEC 20000-1.
If the scope changes to add or remove services/locations, then the scope statement may need to be updated and the auditor will have to check that all of the requirements of ISO/IEC 20000-1 are still being met for the revised scope.
Format of scope statement
It is important to remember that it is the scope of the SMS that is being defined and certified. The scope statement can therefore be:
The SMS of <service provider> that delivers <services>.
A more complex scope statement can look like
The SMS of <service provider> that delivers <technology> <services> from <service provider location> to <customer> at <customer location>.
ISO/IEC 20000-3 provides further guidance on the definition of scope in the form of scenarios.
Lynda Cooper, an independent consultant and trainer, is one of the first people in the world to hold the ITIL Master qualification. Lynda sits on the BSI committee for IT service management (ITSM) and is one of the authors of ISO/IEC 20000. Lynda sits on various ISO/IEC committees and is the project editor for ISO/IEC 20000-1 and ISO/IEC 90006.