
Required ISO 20000 Documents

Document Type / Documentation / ISO 20000 Standard Clause
Required Policies
Service Management policy 3.1 a
Service Improvement policy 4.4.1
Budgeting & Accounting policies
- For all components 6.4 a
- Apportioning indirect costs 6.4 b
- Effective financial control 6.4 c
Information Security policy 6.6
Configuration item definition 9.1
Emergency Change Policy 9.2
Release policy 10.1

Required Plans
Service Management plans 4.1
Management Review plans 4.3
Audit Programme 4.3
Service Improvement 4.4.2
Planning for new and changed services 5
Business plan 6.3
Availability and Service Continuity plans 6.3
Capacity plan 6.5
Configuration Management 9.1
Release plan 10.1

Required Processes
Management of Improvement 4.4.2
Budgeting & Accounting
- For all components 6.4 a
- Apportioning indirect costs 6.4 b
- Effective financial control 6.4 c
Complaints process 7.2
Customer Feedback 7.2
Supplier Management 7.3
- Contract Review 7.3
- End of Service 7.3
- Contractual Dispute 7.3
Communication process 7.3
Major Incident Management 8.2
Change Management 9.2
Emergency Release 10.1

Required Procedures
Document Control 3.2
Audit Procedure 4.3
Service Capacity Monitoring & Performance 6.5
Security Incident Investigation 6.6
Incident Management 8.2
Problem Management 8.3
Configuration Control 9.1
Configuration Audit 9.1
Control of Emergency Changes 9.2
Release Management 10.1

Additional Core Processes
Service Level Management 6.1
Service Reporting 6.2
Service Continuity and Availability Management 6.2
Capacity Management 6.4
Information Security Management 6.5
Business Relationship Management 7.2
Incident Management 8.2
Problem Management 8.3
Configuration Management 9.1
Release Management 10.1

Additional System Elements
Scoping 1
Risk Management 3.1
Competence, Awareness, Training 3.3
Management System Integration N/A

Required Records*
Risk Management analysis 3.1
Corrective and Preventative Action Reports 4.4
Service Level Agreements 6.1
Service Reporting 6.2
Continuity / Availability Records 6.3
Budgeting and Accounting records 6.4
Capacity management records 6.5
Security Control records 6.6
Security Risk Assessment 6.6
Security Incident Reporting 6.6
Customer service review records 7.2
Supplier SLA's and service level target reviews 7.3
Incident Records 8.2
Problem records (known error database) 8.3
Configuration Management Database 9.1
Configuration Audit Results 9.1
Change Records 9.2
Release records 10.1
*only core system records

System Roles
Management Representative 3.1
Business relationship manager 7.2
Supplier contract manager 7.3
Senior responsible owner -2, 3.1
ISMR -2, 6.6.6.
*required

not at draft stage


approximately 50% (rough draft only)
60 - 80 % (developed draft, with limited records)
90 % + (limited revisions required)
Required ISO 20000 Documentation Summary

ISO System Mapping and Ownership

Probable Department Ownership
ISO 9001 or ISO 27001 clause

ISO 27001 4.2.1 Establish the ISMS; control A 5.1.1

ISO 9001 Management Review 9.6; ISO 27001 Review 7
ISO 9001 Audit Requirements 8.2.2; ISO 27001 Audit Controls control 15.3.1

ISO 27001 Business Continuity Planning controls 14.1.3, 14.1.4

ISO 9001 8.5.1 Continual Improvement; ISO 27001 (same) 8.1

ISO 9001 Customer Communication 7.2.3
ISO 9001 Customer Satisfaction 8.2.1
ISO 27001 Third party service review, control A 10.2.2

ISO 27001 Change Management control A 10.1.2; Change Control Procedure A 12.5.1

ISO 9001 Control of Documents and Records 4.2.2, 4.2.3; ISO 27001 4.3.2 and 4.3.3
ISO 9001 Internal Audit 8.2.2; ISO 27001 6

ISO 27001 Incident Responsibilities and Procedures control A 13.2.1

ISO 27001 Change Management control A 10.1.2; Change Control Procedure A 12.5.1
ISO 27001 System acceptance control A 10.3.2

ISO 27001 Business Continuity controls A 14.1.1 - 14.1.5
ISO 27001 Capacity Management control A 10.3.1

ISO 9001 Scope 1; ISO 27001 Scope 1
ISO 27001 Establish the ISMS 4.2.1
ISO 9001 (same) 6.2.2; ISO 27001 (same) 5.2.2
ISO 9001 Compatibility with other management systems 0.4; ISO 27001 (same) 0.3


Standard clause detail

Description in clause

Establish the service management policy, objectives and plans


General policy

Budgeting and accounting for all components including IT assets, shared resources, overheads, externally supplied service, people, insurance and licences
Apportioning indirect costs and allocating direct costs to services
Effective financial control and authorization

Information Security management

Configuration management
Change management, system should include standard, normal, and emergency changes
Release management process

Plan service management

Monitoring, measuring and reviewing

Monitoring, measuring and reviewing

Management of improvements

Planning and implementing new or changed services

Service continuity and availability management

Service continuity and availability management

Capacity management
Configuration management
Release management process

Management of improvements

Process requirements do not cover charging


For all components including IT assets, shared resources, overhead, externally supplied services, people, insurance, and licenses
Apportioning indirect costs and allocating direct costs to services
Effective financial control and authorization

Business relationship management


Business relationship management

Supplier management

Supplier management
Supplier management
Supplier management
Supplier management
Incident management

Change management, requires formal approval of normal changes and a forward schedule of changes

Release management process

Documentation requirements

Monitoring, measuring, and reviewing

Capacity management

Information security management

Incident management
Problem management
Configuration management
Configuration management

Change management

Release management process

Relates to Service Reporting and Business Relationship Management

Relates to Service Level Management and Business Relationship Management
Essentially Business Continuity Management with additional scope related to availability

ISO 27001 system should cover all requirements

Relates to Service Level Management and Service Reporting

Must provide input to Problem Management

Must interrelate with Incident, Change, Problem, and Release management processes

System can be limited in scope


Requirement to assess risks to service provision

Stated requirements are general

Guidance on integrating systems

Relates to risks to service management, form is not specified

Should integrate 9001 and 27001 procedures

Required for each service, targets are also required


Must relate to SLA targets

Contact list and BCM system test records

Charging not covered; monitoring and reporting costs against budgets is required; requires interface with change management
Need to "monitor service capacity, tune service performance, and provide adequate capacity"
Current Risk Treatment records are not complete
Should be updated at regular intervals
Security incident record keeping is not sufficient

Regular review meeting minutes would cover this requirement

Both regular review of the target performance and a general, annual review of each supplier is required
Major incidents must be managed separately

All staff involved with incident resolution must have access to these

Must interrelate with Incident, Change, Problem, and Release management processes
Recording deficiencies, corrective actions, and reporting is required
Requires classifications (ex: major, standard, routine, emergency)
Success and failure of releases must be assessed

Plans, policy and objectives

Maintain a good relationship between service provider and customer
Contract and evidence documents
Relation in ISO 9001 and ISO 27001
Information Security Management
Company Reference
Remarks
Document
