Leveraging ITAM and ITSM – ITAM as a Foundation for ISO/IEC 20000 IT Service Management

By Krzysztof Baczkiewicz, Eracent

The ISO/IEC 20000-1 IT Service Management System certification means that an IT service provided by an internal or external IT service provider has been verified as sufficient and acceptable. Not surprisingly, a well-planned ITAM program is a very good foundation for achieving this certification with minimal additional effort.

The Role of 20000

The ISO/IEC 20000 standard series is a classification tool for assessing the IT services an organization provides. It can be either an internal IT service or a service provided as a core business of an organization because it makes no difference to the standard. The IT Service is to be delivered the same way.

Unlike the ITIL model, the standard does not provide guidance on how to implement an IT service. ISO/IEC 20000-1 simply provides a definition of an IT service. The definition allows the clients of the IT service to know that the service is managed at least at a globally agreed minimum level. It also can be used by an IT service provider as a checklist to confirm if their service is considered a managed service or not. The document does not ensure that the IT service is perfect, just that it is at an acceptable level for clients.

Another value of the standard is that it has a certification. For commercial IT service providers, this certificate allows them to prove that what they sell is on a generally accepted level. In practice, it usually means that the level is high. This is something that can attract or retain clients, as they know that the product being offered has been checked by an independent auditor. Sometimes the certification is a contractual requirement or a condition in a tender. In some countries, conformance to the standard is even required by law for government contractors.

The certification may convince the organization to not outsource if the internal IT service providers are certified. If an internal IT department has the ISO/IEC certification, it may raise the prestige of the organization. This is particularly true in entities where the IT department’s work is critical for customers, like in banks.

What is the 20000 Standard?

The phrase “management system” in the name of the standard “IT Service Management System” is often treated as filler and is not considered to be important. In the ISO world, this phrase carries a significant burden. Management systems in the ISO standards have strict requirements, including being audited and written differently than other standards. Furthermore, there is a current initiative with the goal of unifying all the common parts of the ISO management systems. It will be regulated by a document called “Guide 83”.

Defining a management system results in a set of interrelated organizational elements, like processes, controls, roles and responsibilities, tools, etc., that work together to achieve the goals set for the management system. The common requirements for management systems include, but are not limited to:

  • PDCA cycle (Plan, Do, Check, Act)
  • Management support
  • Documented processes, activities and other information
  • Training and communication with the staff
  • Continual Improvement

It is important to remember that a management system is not about making things work; it is about managing things. Therefore, ISO management systems talk about a framework in which the actual work is done.

In addition to the core management system elements, the ISO/IEC 20000 defines the IT Service Management processes. These processes do not differ much from the processes outlined in other ITSM frameworks like ITIL, and the definitions include:

  • Delivery processes: These are the processes that enable the level of service required such as service level management, continuity, availability, capacity and financial management
  • Relationship processes: These processes deal with entities outside the service provider organization including the business (or clients) and suppliers
  • Resolution processes: These processes are used when something goes wrong, whether it is an incident or an underlying problem
  • Control processes: These processes help ensure that nothing is broken during the normal lifecycle of a service, typically during the configuration, change and release management processes

One of the most common and unfortunately most important misinterpretations of the ISO/IEC 20000 standard is the definition of scope. Usually, when a management system is implemented, it is a management system covering the whole organization, or at least an entire organizational or geographical location. In the case of ISO/IEC 20000, the organization in scope is the IT Service Provider only. If the IT Service is the core business of the organization, then the entire organization stays within the scope and this case is similar to other standards. When the IT Service Provider is an internal IT department, then only this department is within the scope, and the rest of the organization is considered to be the set of the IT service clients. This concept is often forgotten and causes misunderstandings.

IT Asset Management Supports ITSM

The mission for IT Asset Management (ITAM) and IT Service Management (ITSM) is to add value from IT to the user organization. The difference between them is based on where the value is rooted. In IT Asset Management, the value is derived from the possession and utilization of IT Assets. The more effectively they are used, the greater the value they provide. In IT Service Management, the value is seen in the service provided. In practice, both lead to the same results from their different perspectives.

Having said that, it is not difficult to imagine how the two disciplines view each other. ITAM sees ITSM as the way to make the best use of the assets. ITSM sees ITAM as an enabler that makes sure the required assets are available as well as the information about them. Depending on the organizational structure and culture, IT may focus on ITSM, ITAM or a different focus. Each might be a separate unit with a different focus that may compete or cooperate with the other. Regardless of the focus, IT Asset Management provides a good foundation for performing other IT activities with the special consideration of IT Service Management.

The Asset Management program is powerful because the program places controls over the most important elements of IT and provide the information about those elements. Information includes quantities, attributes, locations and statuses of many types of IT assets. Then IT Asset Management program tracks assets throughout the lifecycle, providing information about what and where they are as well as the related information like users, the organizations that own them, associated costs, and how they are used. Furthermore, it makes sure that all relevant legal and contractual requirements around hardware and software usage are met. It also provides a means of controlling relationships with suppliers and many, if not all, aspects of financial management. Finally, ITAM has its own management system providing advantages like communication, documentation and management structure.

The general requirements for the management system in the ISO/IEC 20000-1 are described in section four of the standard and are not hard to find. Many of these requirements are covered by the general management activities performed while managing IT assets. For example, these activities and artifacts include:

  • Management review
  • Internal audit
  • Organization scheme and other documentation
  • Documentation management
  • Definition and analysis of client requirements and demands
  • Process and project management
  • Process documentation practice
  • Improvement plan

A good IT Asset Management program has them all, so it is just a matter of some tuning, like adding some points to the management review agendas to meet the requirements of the international ITSM standard.

There are, however, some points in the standard that are explicitly fulfilled when ITAM is in place. The first is 4.1.4 d which explicitly requires a management representative to ensure that the assets are managed. Also, the 4.4 section describes resource management that is based on asset management. Next is the Deming cycle or PDCA. Planning (point 4.5.2) is the core practice of ITAM. Creating a service catalogue requires using the ITAM plans extensively. Implementation (point 4.5.3) requires management of resource allocation. The management system revision process (point 4.5.4) requires setting and collecting Key Process Indicators (KPIs) and other metrics. Finally, the improvement plan (point 4.5.5) may be common for all IT management initiatives.

ITAM Supports Transition and Service Changes

The transition and change of a service processes are a natural choice to be supported by an ITAM program. Metrics about current and potential capacity come directly from the information tracked about assets. What’s more, an IT Asset Management program can provide a reliable snapshot of the level of infrastructure readiness for the new or changed service. Planning the new or changed service also requires some of ITAM’s knowledge about the organization’s IT asset acquisition processes.

When the change is finally performed, it is a common practice for ITAM to track and control the progress and results of a change. This process perfectly aligns with the requirements of the ITSM standard. However, it is important to remember that the CMDB, which is required by the ITSM standard, is not an asset registry as the CMDB contains additionally relationships between assets.

ITAM and Delivering a Service

Making sure that the service is delivered to the client requires knowing if the service actually works. Who knows that better than the operational asset tracking staff? Disaster recovery planning is also often part of their job. The ITSM standard requires budgeting in the same point, where it tracks the costs related to assets. Finally, the standard mentions capacity control, which is obviously part of the operational ITAM practice.

ITAM and Relationship Processes

Going through IAITAM’s IBPL, vendor management is one of the core areas of ITAM. This is one of the most natural parts of managing the asset base. However, meeting the requirements of the ISO/IEC 20000 standard may require a little mindset switch. The same switch may be required when managing the way the IT interacts with the service clients, including their own organization.

Other 20000 Processes Requirements

The areas that require the most work when developing the ISO/IEC 20000 management system based on an ITAM program are the processes traditionally seen as the core IT Service Management processes. The incident and problem management disciplines exist in many ITAM programs, but have a different focus and practices. In the ITSM standard, incident and problems must be aligned to the service levels, a separate process described in the document. Even though the ITAM program does not contain the incident and problem management processes, it definitely supports the processes by providing the most valuable information to the service desk team – the information about what is broken.

What More is Required for 20000?

As outlined in this article, having a good ITAM program in place is a solid base for building an ISO/IEC 20000 IT Service Management System. However, compliance to the standard requires some additions. The first thing is to add some service focus. In IT Service Management, a different product is being provided or sold and different values are measured. The standard requires a service management focus and it must be added to meet the requirements.

Also, the path to certification requires some more effort that is purely related to the ISO management systems. First, the standard text has to be known by both the managers and the staff. It is needed as a checklist to make sure the requirements are constantly met. Then, it is good to have someone on board who understands how the auditors perform their work. Knowing something is different from passing an exam. It is also good idea to have a third party conduct an assessment prior to submitting for the final certification. Finally, choose a good certification body that has an accreditation. The value of the certification exists only if it can be confirmed by a truly independent party.

A new version of the ISO/IEC 20000-1 standard was released in the spring of 2011 and is known officially as ISO/IEC 20000-1:2011. The update does not change the content significantly, so if someone uses this document for guidance, the prior (ISO/IEC 20000-1:2005) version is still valid.