Get 4 FREE months of Conformio to implement ISO 27001

12 steps for ISO 20000 implementation

If you dig into the content of ISO 20000-1 (requirements for the Service Management System, i.e., SMS), questions will start to pop up. And, maybe one of the most interesting ones is certainly “How to implement all this?” Well, although it sounds complex, if you approach your implementation systematically, it shouldn’t be too complex.

In this article, I’ll explain the workflow of the ISO 20000 implementation. By making the decision to implement the standard’s requirements, you already took the first significant steps. If you would like to learn more about the main reasons why companies don’t implement ISO 20000, read the article What are the most common ISO 20000 implementation myths?


The implementation steps

What I‘d suggest for you to do is – be systematic. This means that you should avoid ad-hoc solutions, i.e., decisions. If you change implementation direction too often, that will create chaos. Here are 12 implementation steps set in logical order:

  1. Obtain management support – That’s your first battle, to convince your management to support the implementation. Why? They need to allow funds and, besides money, you need a strong sponsor. That should be your management.
  2. Establish the project – That’s not a mandatory step, but it will significantly increase the efficiency of the implementation. That’s because you have a clear goal, people (and other resources), a time plan, inputs, outputs … etc. Project Management is your tool (being responsible for the implementation) to keep things under control and achieve the desired results (implementation of the SMS and certification against ISO 20000-1).
  3. Perform assessment and gap analysis – This is one more step that is not mandatory. But, it’s highly advisable to perform a gap analysis and check your existing management system against ISO 20000 requirements. I’m pretty sure you are managing incidents or changes even without ISO 20000 in place. So, check what’s missing to comply with the standard and you will not have to do those things once again (and, not to forget – you will shorten implementation time and save resources – monetary as well as non-monetary ones).
  4. Define scope, management intention, responsibilities – This is the phase when you need to set the foundations of your SMS and define the direction of all further activities. So, in this step you will define the scope and policy of the SMS. Read the article How to define the scope of the SMS in ISO 20000 to learn more about the scope of the SMS.
  5. Implement support procedures – These are “non-productive” procedures, i.e., the ones that are not involved in daily operations of your SMS, but they have an indirect effect on them. These are, e.g., Procedure for document and record control, Internal audit procedure and checklist, Communication procedure … etc.
  6. Generate process / function documentation – Now, the “party” starts. The previous steps were used to set up the management system. Now, you have to add all the processes required by the standard. You will use previous experience, i.e., knowledge you have, external help, tools, etc. for the implementation. If you decided to use the project approach, this is where it will be most beneficial.
  7. Implement processes and/or functions – This is the same as with the previous bullets. This is the time when theory goes into practice. Additionally to (hopefully) well-prepared process documentation, your managerial skills will come to the surface.
  8. Perform training and awareness programs – It’s important that all people involved in the SMS are aware of their tasks, and that they have the same understanding (about the purpose, i.e., goals and processes) of the SMS and “speak the same language” (e.g., when a user reports malfunctioning in some of the services – it’s an incident).
  9. Operate the SMS – As I already mentioned, your (or the person who is the SMS manager) managerial skills are important not only during the implementation, but also afterwards. Remember, once you implement the SMS, it will support IT services used by your customers. And that can be tricky. So, you have to be good at managing those services, i.e., running the SMS.
  10. Create the Continual Service Improvement concept – Besides the fact that it’s one of the requirements, it’s also one of the facts in everyone’s’ (including the SMS) life – changes are continual. And, that’s a good thing. It will improve the performance of the SMS and make customers happy.
    Implement the Continual Service Improvement concept – Once you define your continual service improvement concept – implement it. And, keep it running even if you have to improve it (from time to time).
  11. Conduct the internal audit – This step will tell you how well you have done so far. Find someone objective (who was not part of the implementation) to perform the audit.
  12. Management review – this is one of the mandatory steps and your conclusion of the implementation project. And, as much as I experienced, your management would like to know what’s going on. Make good preparation (you have many requirements in the standard, and that will help you successfully prepare for the meeting).

And, that’s it. You are done. What is left are audits:

Stage 1 certification audit (Documentation review) – Before the certification audit, your certification body will visit you and check the SMS. This is your chance for an open talk where you can only gain. They will tell you what they think about your work, i.e., what you need to improve.

Stage 2 certification audit (Main audit) – This is your “big moment.” Auditor(s) will visit you and tell you that everything is perfect, isn’t it? I hope so. Anyway, this step is your final step and I hope it will verify your successfully implemented SMS.

Is that all?

More or less – yes. There could be some smaller deviations, but in essence, the above-mentioned steps will bring you to finish the implementation. You may have noticed that the first set of steps were SMS set-up related. Then came processes and functions definition and implementation. Although management confirms the desired results, continual improvement is your “destiny.” It never stops, on the contrary – it should ensure you are getting better day by day.

Use this free  Diagram of ISO 20000-1:2011 implementation process to manage your ISO 20000 implementation.

Advisera Branimir Valentic
Author
Branimir Valentic
Branimir is an expert in IT service management (consultancy, training and tools), IT governance (training and consulting), project management and consultancy in IT and telecommunication. He holds the following certificates: ITIL Expert, ISO 20000, ISMS Lead Auditor and PRINCE2.