BSI Standards Publication

PD ISO/IEC TR 20000-9:2015

Information technology - Service management - Part 9: Guidance on the application of ISO/IEC 20000-1 to cloud services

National foreword

This Published Document is the UK implementation of ISO/IEC TR 20000-9:2015.

The UK participation in its preparation was entrusted by Technical Committee IST/60, IT Service Management and IT Governance, to Subcommittee IST/60/2, IT Service Management. A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2015. Published by BSI Standards Limited 2015

ISBN 978 0 580 86132 1
ICS 03.080.99; 35.020

Compliance with a British Standard cannot confer immunity from legal obligations.

This Published Document was published under the authority of the Standards Policy and Strategy Committee on 31 March 2015.

Amendments/corrigenda issued since publication
Date    Text affected

TECHNICAL REPORT ISO/IEC TR 20000-9
First edition 2015-02-15
Reference number ISO/IEC TR 20000-9:2015(E)

Technologies de l'information - Gestion des services - Partie 9: Application de l'ISO/IEC 20000-1 au services de cloud

COPYRIGHT PROTECTED DOCUMENT

© ISO/IEC 2015

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Applying ISO/IEC 20000-1 to cloud services
4.1 Delivering and managing cloud services
4.2 Scenarios
5 Scenarios
5.1 Identify the context for service management of cloud services
5.2 Establish strategy and plan for management of cloud services
5.3 Provide a catalogue of cloud services
5.4 Identify and manage service requirements for cloud services
5.5 Design and develop a new cloud service
5.6 Establish a service relationship with the cloud customer
5.7 Establish a cloud service agreement
5.8 Onboarding the customer
5.9 Deliver and operate the cloud services
5.10 Monitor and report cloud services
5.11 Manage resources for cloud services
5.12 Check and improve the SMS and cloud services
5.13 Terminate a cloud service contract
5.14 Transfer a cloud service
5.15 Remove a cloud service
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the
respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade
(TBT) see the following URL: Foreword - Supplementary information

The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 40, IT Service Management and IT Governance.

ISO/IEC 20000 consists of the following parts, under the general title Information technology - Service management:

Part 1: Service management system requirements
Part 2: Guidance on the application of service management systems
Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1
Part 4: Process reference model [Technical Report]
Part 5: Exemplar implementation plan for ISO/IEC 20000-1 [Technical Report]
Part 9: Guidance on the application of ISO/IEC 20000-1 to cloud services [Technical Report]
Part 10: Concepts and terminology [Technical Report]

The following parts are under preparation:

Part 6: Requirements for bodies providing audit and certification of service management systems
Part 11: Guidance on the relationship between ISO/IEC 20000-1:2011 and related service management frameworks [Technical Report]

Introduction

ISO/IEC 20000 is the International Standard for service management. It is based on practical industry experience and includes information to support identifying, planning, designing, changing, deploying, operating, supporting, and improving services for the business and customers. ISO/IEC 20000-1 specifies a service management system (SMS) as the means to achieve
the integrated management of the service management policies, objectives, plans, processes, process interfaces, documentation, and resources. A key focus of the SMS is to fulfil the service requirements and to deliver value. The implementation and coordinated integration of an SMS provides ongoing control, greater effectiveness, efficiency and opportunities for continual improvement. It enables an organization to work effectively with a shared vision.

The guidance in this part of ISO/IEC 20000 can be used by organizations that are involved in the provision or management of services that include cloud services. It can also be of interest to organizations that are faced with changes to their existing services and support arrangements as part of a move to cloud computing.

ISO/IEC 20000 can be used by service providers that offer dedicated or shared services to internal and external customers. Key benefits of adopting ISO/IEC 20000 for service providers that offer cloud services can include:

a) greater credibility with internal or external customers of the organization, through delivery of reliable and cost effective services;
b) the opportunity to build a service management system that is based on a tried and proven best practice approach;
c) ongoing control, greater effectiveness and efficiency as well as prioritized continual improvement of services and processes;
d) improved communication within the cloud service provider organization, including a greater understanding by service management and specialist technical personnel of each other's viewpoints;
e) improved communication between the cloud service provider organization and cloud customers and users;

Cloud services primarily focus on enabling access to shared resources, physical or virtual, that are scalable with on-demand self-service provisioning and administration. The cloud services can be used without the cloud customer having any knowledge of the location and other details of the infrastructure supporting those services. These services and resources can include networks, servers and storage systems and applications that can be rapidly provisioned and released with minimal management effort or service provider interaction. Typical attributes of cloud environments include the ability to support dynamic establishment and modification of services and capabilities in a multi-provider environment and a focus on automation to reduce manual intervention.

The delivery and management of cloud services can require coordinated integration to ensure visibility and control of all the elements that contribute to services, including technology, processes, people and partners, or suppliers. An SMS that conforms to the requirements specified in ISO/IEC 20000-1 can be a powerful tool for service providers delivering cloud services to achieve high service quality, delivery of value, increased agility, and reduced risk. An SMS can be integrated with an information security management system based on ISO/IEC
27001, which includes requirements for information security in more detail than those specified in ISO/IEC 20000-1.

1 Scope

This part of ISO/IEC 20000 provides guidance on the use of ISO/IEC 20000-1:2011 for service providers delivering cloud services. It is applicable to different categories of cloud service, such as those defined in ISO/IEC 17788/ITU-T Y.3500 and ISO/IEC 17789/ITU-T Y.3502, including, but not limited to, the following:

a) infrastructure as a service (IaaS);
b) platform as a service (PaaS);
c) software as a service (SaaS).

It is also applicable to public, private, community, and hybrid cloud deployment models.

The applicability of ISO/IEC 20000-1 is independent of the type of technology or service model used to deliver the services. All requirements in ISO/IEC 20000-1 can be applicable to cloud service providers.

The structure of this part of ISO/IEC 20000 does not follow the structure of ISO/IEC 20000-1. The guidance is presented as a set of scenarios that can address many of the typical
activities of a cloud service provider. The guidance in this part of ISO/IEC 20000 can also be useful for customers of cloud service providers.

This part of ISO/IEC 20000 can be used as guidance for a cloud service provider in designing, managing, or improving an SMS to support cloud services. This part of ISO/IEC 20000 does not add any requirements to those stated in ISO/IEC 20000-1 and does not state explicitly how evidence can be provided to an assessor or auditor. The scope of this part of ISO/IEC 20000 excludes any specifications for products or tools.

NOTE Additional guidance on the application of ISO/IEC 20000-1 can be found in ISO/IEC 20000-2:2012.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 20000-1:2011, Information technology - Service management - Part 1: Service management system requirements

ISO/IEC/TR 20000-10:2012, Information technology - Service management - Concepts and vocabulary

3 Terms and definitions

For the purposes of this document, the terms and definitions provided in ISO/IEC/TR 20000-10 apply.

4 Applying ISO/IEC 20000-1 to cloud services

4.1 Delivering and managing cloud services

A cloud service provider should define the services using terminology that customers and other interested parties, such as suppliers, can understand. For cloud services this should take into account that many cloud customers can have little knowledge or understanding
of technology. Defining different cloud services or providing a cloud service with several different options can help both service providers and customers make the best decision about which services are best aligned to their service requirements.

Alignment between services delivered, service requirements, contractual obligations, business needs and customer requirements can enable cloud service providers and their customers to establish and maintain a successful relationship. Cloud service providers and cloud customers can share responsibility for the relationship and each party should take the necessary actions to achieve the results desired by the customer.

Unambiguous service definitions can reduce discrepancies between customer expectations and service provider intention for the service. The service provider can find it easier to perform service management activities with the knowledge that the customer understands what is being delivered.

By fulfilling the requirements specified in ISO/IEC 20000-1, the cloud service provider should be able to deliver services in alignment with both service targets and customer expectations. The cloud service provider wishing to demonstrate conformity to ISO/IEC 20000-1 should review its applicability using the guidance provided in ISO/IEC 20000-3.

NOTE 1 Cloud service providers might find it helpful to refer to ISO/IEC 17788, which provides an overview of cloud computing along with a set of terms and definitions.

NOTE 2 Cloud service providers might find it helpful to refer to ISO/IEC 17789, which specifies the cloud computing reference architecture.

4.2 Scenarios

The scenarios in this part of ISO/IEC 20000 describe the service lifecycle utilizing terminology and examples familiar to cloud service providers. Each scenario includes
references to the most relevant requirements specified by ISO/IEC 20000-1. There can be additional considerations for each of the scenarios beyond those referenced. Each scenario includes recommendations and examples of how the referenced clauses in ISO/IEC 20000-1 can be applicable to cloud services. All processes specified in ISO/IEC 20000-1 have been included in one or more of the scenarios described in this part of ISO/IEC 20000.

5 Scenarios

5.1 Identify the context for service management of cloud se