1、raising standards worldwide NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW BSI Standards Publication BS ISO/IEC 20000-3:2012 Information technology Service management Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1BS ISO/IEC 20000-3:2012 BRITISH STAN
2、DARD National foreword This British Standard is the UK implementation of ISO/IEC 20000-3:2012. It supersedes PD ISO/IEC TR 20000-3:2009, which is withdrawn. The UK participation in its preparation was entrusted to T e c h n i c a l C o m m i t t e e I S T / 1 5 , S o f t w a r e a n d s y s t e m s
3、e n g i n e e r i n g . A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 201
4、2. Published by BSI Standards Limited 2012. ISBN 978 0 580 77545 1 ICS 03.080.99; 35.020 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 November 2012. Amend
5、ments issued since publication Date T e x t a f f e c t e dBS ISO/IEC 20000-3:2012Reference number ISO/IEC 20000-3:2012(E) ISO/IEC 2012INTERNATIONAL STANDARD ISO/IEC 20000-3 First edition 2012-08-15Information technology Service management Part 3: Guidance on scope definition and applicability of IS
6、O/IEC 20000-1 Technologies de linformation Gestion des services Partie 3: Recommandations pour la dtermination du primetre et lapplicabilit de lISO/CEI 20000-1 BS ISO/IEC 20000-3:2012 ISO/IEC 20000-3:2012(E) COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2012 All rights reserved. Unless otherwise specified, n
7、o part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case post
8、ale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2012 All rights reservedBS ISO/IEC 20000-3:2012 ISO/IEC 20000-3:2012(E) ISO/IEC 2012 All rights reserved iiiContents Page Foreword iv Introduction . v 1 S
9、cope 1 2 Normative references 1 3 Terms and definitions . 1 4 Fulfilling the requirements specified in ISO/IEC 20000-1 2 5 Applicability of ISO/IEC 20000-1 2 5.1 Who can use ISO/IEC 20000-1? 2 5.2 Governance of processes operated by other parties 3 5.3 The extent of technology used to deliver servic
10、es 4 6 General principles for the scope of an SMS . 4 6.1 Introduction 4 6.2 The scope of the SMS . 5 6.3 Agreements between customers and the service provider 5 6.4 Scope definition parameters 6 6.5 Validity of scope definition . 6 6.6 Changing the scope 7 6.7 Supply chains and SMS scope 7 6.8 Inte
11、grating or aligning with other management systems . 8 Annex A (informative) Main points on scope of the SMS, applicability and conformity to ISO/IEC 20000-1 . 9 Annex B (informative) Scenario based scope definitions 11 Annex C (informative) Types of conformity assessments 25 Bibliography 26 Figures
12、Figure B.1 Scenarios 1 and 2: Relationship with suppliers 12 Figure B.2 Scenario 3: Relationship with lead suppliers and sub-contracted suppliers . 12 Figure B.3 Scenario 4: Scope definition 13 Figure B.4 Scenario 5: Scope definition 14 Figure B.5 Scenario 6: Scope definition 15 Figure B.6 Scenario
13、7: Scope definition 17 Figure B.7 Scenario 8: Scope definition 18 Figure B.8 Scenario 8: Redrawn to show Supplier 4, part of Organization V . 19 Figure B.9 Scenario 9: Scope definition 9 . 20 Figure B.10 Scenario 10: Scope definition 21 Figure B.11 Scenario 11: Scope definition 22 BS ISO/IEC 20000-3
14、:2012 ISO/IEC 20000-3:2012(E) iv ISO/IEC 2012 All rights reservedForeword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC partici
15、pate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental
16、and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. Th
17、e main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies
18、casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 20000-3:2012 was prepared by Joint Technical Committee ISO/IEC JTC 1,
19、 Information technology, Subcommittee SC 7, Software and systems engineering. This first edition of ISO/IEC 20000-3 cancels and replaces the first edition of ISO/IEC TR 20000-3:2009, which has been technically revised to align with ISO/IEC 20000-1:2011. ISO/IEC 20000 consists of the following parts,
20、 under the general title Information technology Service management: Part 1: Service management system requirements Part 2: Guidance on the application of service management systems Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1 Part 4: Process reference model Technical Rep
21、ort Part 5: Exemplar implementation plan for ISO/IEC 20000-1 Technical Report 1 Part 7: Guidance on the application of ISO/IEC 20000-1 to the cloud 2 Part 10:Concepts and terminology Technical Report 2 Part 11: Guidance on the relationship between ISO/IEC 20000-1:2012 and related frameworks: ITIL 3T
22、echnical Report 21Under review as a second edition Technical Report. 2Under development. 3ITIL is a Registered Trade Mark of the Cabinet Office. BS ISO/IEC 20000-3:2012 ISO/IEC 20000-3:2012(E) ISO/IEC 2012 All rights reserved vIntroduction ISO/IEC 20000-1 specifies requirements for a service managem
23、ent system (SMS). Operating the processes in a particular system or service environment will result in specific skill, tool and information requirements, even though the process attributes are unchanged. There are no requirements in ISO/IEC 20000-1 that relate to organizational structure, size and t
24、ype of organization. The requirements in ISO/IEC 20000-1 do not change with organizational structure, technology or service. Service management processes can cross many organizational, legal and national boundaries as well as different time zones. Service providers can rely on a complex supply chain
25、 for the delivery of services. Service providers can also provide a range of services to several different types of customers, both internal and external. A complex supply chain can make the agreement and application of scope a complex stage in the service providers use of ISO/IEC 20000-1. This part
26、 of ISO/IEC 20000 takes the form of examples, guidance and recommendations. It should not be quoted as if it were a specification of requirements. Particular care should be taken to ensure that declarations of conformity are not misleading. BS ISO/IEC 20000-3:2012BS ISO/IEC 20000-3:2012 INTERNATIONA
27、L STANDARD ISO/IEC 20000-3:2012(E) ISO/IEC 2012 All rights reserved 1Information technology Service management Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1 1 Scope This part of ISO/IEC 20000 includes guidance on scope definition, applicability and demonstration of confor
28、mity to the requirements specified in ISO/IEC 20000-1. The guidance in this part of ISO/IEC 20000 will assist the service provider to plan service improvements and/or prepare for a conformity assessment against ISO/IEC 20000-1. This part of ISO/IEC 20000 will assist in establishing if ISO/IEC 20000-
29、1 is applicable to a service providers circumstances. It illustrates how the scope of an SMS can be defined, irrespective of whether the service provider has experience of defining the scope of other management systems. Guidance on types of conformity assessment and assessment standards is included.
30、 The scenarios and examples given use a series of commonly found and practical service provider circumstances. This part of ISO/IEC 20000 will be useful for consultants and assessors. It supplements the guidance on the application of ISO/IEC 20000-1 given in ISO/IEC 20000-2. 2 Normative references T
31、he following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC
32、20000-1:2011, Information technology Service management Part 1: Service management system requirements 3 Terms and definitions For the purposes of this document, the terms and definitions given in ISO/IEC 20000-1 apply. BS ISO/IEC 20000-3:2012 ISO/IEC 20000-3:2012(E) 2 ISO/IEC 2012 All rights reserv
33、ed4 Fulfilling the requirements specified in ISO/IEC 20000-1 The service provider should take into account that demonstrating conformity is only possible by fulfilling all requirements in ISO/IEC 20000-1. To do this the service provider should demonstrate that: a) all processes in ISO/IEC 20000-1 ar
34、e documented; b) all processes produce the desired outcomes; c) the outcomes of service management are appropriate to support business needs and customer requirements; d) the SMS is managed to fulfil service requirements; e) the “Plan-Do-Check-Act“ (PDCA) methodology is used for the continual improv
35、ement of the SMS and services; f) the service provider has governance of processes operated by other parties. 5 Applicability of ISO/IEC 20000-1 5.1 Who can use ISO/IEC 20000-1? ISO/IEC 20000-1:2011, Clause 1.2 describes the application of the standard. A broad range of service providers can use an
36、SMS based on ISO/IEC 20000-1. ISO/IEC 20000-1 can apply to internal and external, large and small, commercial and non-commercial service providers. The applicability of ISO/IEC 20000-1 is independent of how the service is funded. None of the requirements in ISO/IEC 20000-1:2011, Clauses 4 to 9 can b
37、e excluded from an assessment when a service provider claims conformity to ISO/IEC 20000-1:2011. The service provider should have overall control of the SMS by fulfilling all the requirements of ISO/IEC 20000-1, Clause 4. The service provider can use other parties to support part of its fulfilment o
38、f Clause 4 requirements. For example, using a consultancy organization to support the development of the service management plan or to conduct internal audits. The service provider can fulfil all requirements in ISO/IEC 20000-1:2011, Clauses 5 to 9 directly or by involving other parties. Other parti
39、es can be: a) suppliers; b) internal groups; c) customers (when acting as suppliers). In ISO/IEC 20000-1:2011, Definition 3.35, a supplier is an organization or part of an organization that is external to the service providers organization. A supplier can enter into a contract with the service provi
40、der to contribute to the design, transition, implementation, delivery, maintenance, improvement and management of services or processes. In ISO/IEC 20000, suppliers include lead suppliers but not sub-contracted suppliers. Lead suppliers should manage sub-contracted suppliers on behalf of the service
41、 provider, under a formal arrangement. An internal group is part of the same organization as the service provider, but not under the direct control of the service provider. An internal group should have a documented agreement with the service provider, specifying the internal groups contribution to
42、the services delivered by the service provider. A customer, when acting as a supplier, is part of an organization that receives a service but also contributes to the operation of the service providers SMS. For example, a customer can manage a service desk and BS ISO/IEC 20000-3:2012 ISO/IEC 20000-3:
43、2012(E) ISO/IEC 2012 All rights reserved 3operate part of the incident and service request management process. The contribution made by the customer should be under the terms of a documented agreement between the service provider and customer (when acting as a supplier). Whenever other parties are i
44、nvolved, the service provider should have governance of all processes within the scope of the SMS. This is described in Clause 5.2 of this part of ISO/IEC 20000, for processes operated by other parties. If other parties operate only a minority of the processes, the service provider can normally fulf
45、il the requirements in ISO/IEC 20000-1. If the service provider relies on other parties for operation of the majority of the processes, the service provider can have difficulty in fulfilling all the requirements in ISO/IEC 20000-1. A service provider that does not fulfil all requirements of ISO/IEC
46、20000-1:2011, based on service delivery to external customers, can aim to fulfil those requirements based on service delivery to its own organization. It can be that ISO/IEC 20000-1 is not appropriate for a service provider and that another standard is more suitable. For example, ISO 9001, or a stan
47、dard covering only some aspects of service management. 5.2 Governance of processes operated by other parties 5.2.1 Processes operated by other parties The service provider should identify processes or parts of processes operated by other parties. The service provider should then ensure that contract
48、s or documented agreements include its governance of the processes in the scope of the SMS that are operated by other parties. For example, the service provider is able to verify that the other party is adhering to agreed processes. 5.2.2 Accountability and adherence The service provider should demo
49、nstrate that it is both accountable and responsible for fulfilling the requirements of ISO/IEC 20000-1:2011, Clause 4.2, for all processes. This should include the processes operated by other parties. The service provider should have the authority to enforce adherence to the agreed processes operated by other parties. The service provider should also be able to demonstrate that top management are committed to the SMS. EXAMPLE 1 If another party is responsible for resolution of an
