Get 4 FREE months of Conformio to implement ISO 27001

What are the content and purpose of the ISO 20000 SMS Plan?

Most probably, you have heard the saying that every journey begins with one first step. If you are implementing an ISO 20000-based Service Management System (SMS), the first step (or, certainly, one of the first) would be to make a plan for the SMS.

Here I don’t mean a Project Plan to keep your SMS implementation under control, but a document that will explain how the Service Management System will be set. The SMS Plan, as a document, is not only a logical step in the SMS implementation, but also a requirement of the ISO 20000 standard. Let’s see more details about the plan.

SMS Plan – What is it, and what’s its purpose?

The SMS Plan is a document that reflects the company’s approach to IT Service Management (ITSM). The aim of such a plan is to define the scope, requirements, responsibilities, and resources needed to run the services. Or, we can say that the SMS Plan is the ID card of the SMS.

If you check the requirements of the standard, you’ll notice that there are some other plans that are mandatory while building and running the SMS. These are the plans specific for certain processes, like the Capacity Plan, Availability Plan, Service Continuity Plan, etc. Compared to these other plans, the SMS Plan is a high-level document to which all other plans need to be aligned. For example, in the SMS Plan it should be described how the company defines the responsibilities in the scope of the processes included in the SMS, or how to approach risk management, etc. Further details are then defined in the scope of each particular process.


The content of the SMS Plan

ISO 20000-1 (SMS requirements) is quite extensive in defining requirements for the SMS Plan. These requirements can be grouped as follows:

  • All aspects of the service – considering technology used to support the SMS, the scope of the SMS and limitations that can impact the SMS, and related policies, standards, and frameworks in place.
  • Service requirements – the SMS Plan, including related policies, should be lined up with the service requirements (i.e., customer/business requirements in the background).
  • Human side – roles, responsibilities, and authorities should be defined, as well as relationships with other (third) parties.
  • Processes and their interfaces – defined processes need to have clear responsibilities and authorities, as well as defined interfaces with other processes in the scope of the SMS (e.g., what information, how often, and how it will be passed from one process to another).

There is one element of the SMS that I’d like to mention separately – the scope. Defining the scope of the SMS is mandatory according to the standard (see the article How to define the scope of the SMS in ISO 20000 to learn more about the scope). According to the standard’s requirements (clause 4.5.1), the scope should be included in the SMS Plan. Because the SMS Plan provides a 360-degree view of your IT Service Management, including the definition of the scope (e.g., at the beginning of the SMS Plan document) is also a good idea.

Who do you need?

First of all, let’s see – who is responsible for the SMS Plan? The standard assigns top management to be responsible for the SMS Plan. But, let’s think about this. Top management has overall responsibility for the SMS, and they will not have enough time to deal with “details” such as the SMS Plan. Process managers have responsibility for various processes (and associated plans) in the scope of the SMS, so a management representative (or, sometimes called “SMS manager”) is the logical choice to be responsible for the SMS Plan.

What would this person’s responsibilities include? Let’s start from the beginning – creating the plan. There are many inputs needed to create the plan, so the management representative will need to communicate with process owners, line management (in IT), other functions inside IT and the company (e.g., finances/controlling), etc. Once created, the plan needs be (regularly) reviewed and updated (if needed). Because the SMS Plan is one of the main elements of the SMS, it’s good practice to review and authorize changes to it during the management review meeting, particularly if you scope is changing (as mentioned earlier – the scope is part of the SMS Plan).

Besides the person responsible for the SMS Plan, in order to keep the SMS running as planned in the SMS Plan, process managers for all required processes will be needed. Because there are many processes you need to implement, particular care should be taken while assigning responsibilities for multiple processes to one person. This article (although written for ITIL, it’s very useful for ISO 20000 as well): What ITIL roles can be combined in one person? can help you make these decisions.

Keep everything synchronized

So, because the SMS Plan covers all parts of the SMS, it provides an excellent opportunity to set clear rules and guidelines for your SMS. Namely, a clear, concise, and understandable SMS Plan will eliminate ambiguity and prevent a situation in which each process owner defines their own risk approach, authority model, role description, etc.

And, the result – a managed SMS – will certainly be appreciated by your customers. But, they aren’t the only ones. Your own people will work in a controlled and well-led environment. From my experience, most employees like that. Additionally, a managed SMS provides an excellent foundation for new services and customers. I’m sure you don’t need to ask your management whether or not they like that.

Use this free Project plan for ISO 20000 implementation to set your Service Management System in place.

Advisera Branimir Valentic
Author
Branimir Valentic
Branimir is an expert in IT service management (consultancy, training and tools), IT governance (training and consulting), project management and consultancy in IT and telecommunication. He holds the following certificates: ITIL Expert, ISO 20000, ISMS Lead Auditor and PRINCE2.