ISO 20000 Gap Analysis


2011 version
SERVICE MANAGEMENT SYSTEM (SMS)
Yes / No
Can you provide evidence of top management's commitment to planning, establishing, implementing, operating, monitoring, reviewing, maintaining, and improving the SMS and the services?
Do you have an SMS in place?
Do you have an SMS policy in place?
Have you implemented documented procedures for communication?
Does your top management appoint a member of the service provider's management who has the overall responsibility for the SMS?
Do you have a procedure for document and record control?
Do you have records of education, training, skills and experience of your human resources needed to establish, implement and maintain the SMS and the services?
Do you have a defined scope of the SMS?
Do you have an SMS plan in place?
Do you have methods for monitoring and measuring the SMS and the services?
Is management review performed at planned intervals?
Is there a policy on continual improvement of the SMS and the services?
Is there a documented procedure including the authorities and responsibilities for identifying, documenting, evaluating, approving, prioritizing, managing, measuring and reporting of improvements?
Are opportunities for improvement, including corrective and preventive actions, documented?
INCIDENT AND SERVICE REQUEST MANAGEMENT
Yes / No
Is the Incident and Service Request Management process set, so that process steps, interfaces to other processes, roles and responsibilities are defined?
Are measurement and reporting set and regularly carried out?
Does a documented procedure for managing incidents and service requests exist?
Can personnel involved in the incident and service request management process access all information resources that are required (Service request management procedures, Known errors, Problem resolutions, CMDB)?
Are customers informed of the progress of their reported incident or service request?
Does a documented and agreed definition of a major incident exist with every customer?
PROBLEM MANAGEMENT
Yes / No
Is the Problem Management process set, so that process steps, interfaces to other processes, roles and responsibilities are defined?
Are measurement and reporting set and regularly carried out?
Does a documented procedure for managing problems exist?
Are data and trends on incidents and problems analyzed to identify known errors, root causes and their potential preventive actions?
Are problems requiring changes to a CI resolved by raising a request for change?
CONFIGURATION MANAGEMENT
Yes / No
Is the Configuration Management process set, so that process steps, interfaces to other processes and functions inside the organization, roles and responsibilities are defined?
Are measurement and reporting set and regularly carried out?
Are Configuration Items (CIs) defined and is a Configuration Management Database (CMDB) in place?
Is a configuration baseline of the affected CIs taken before deployment of a release into the live environment?
Are master copies of CIs recorded in the CMDB stored in secure physical or electronic libraries referenced by the configuration records (this includes at least documentation, license information, software and, where available, images of the hardware configuration)?
CHANGE MANAGEMENT
Yes / No
Is the Change Management process set, so that process steps, interfaces to other processes and functions inside the organization, roles and responsibilities are defined?
Are measurement and reporting set and regularly carried out?
Is the Change Management policy in place?
Does a definition of change to a service with the potential to have a major impact exist?
Is there a documented procedure for requests for change?
Is a definition of an emergency change documented and agreed with the customer(s)?
Is a request for change in place?
Are approved changes developed and tested?
Does a schedule of change exist?
Do you review changes for effectiveness and take actions if needed?
RELEASE AND DEPLOYMENT MANAGEMENT
Yes / No
Is the Release and Deployment Management process set, so that process steps, interfaces to other processes and functions inside the organization, roles and responsibilities are defined?
Are measurement and reporting set and regularly carried out?
Is a release policy established and agreed with customers?
Is deployment of new or changed services and service components into the live environment planned with the customer and interested parties?
Does a definition of an emergency release exist and is it documented and agreed with the customer?
Are emergency releases managed according to a documented procedure that interfaces to the emergency change procedure?
Are releases built and tested prior to deployment?
Are activities required to reverse or remedy an unsuccessful deployment of a release planned and (where possible) tested?
Are unsuccessful releases investigated and agreed actions taken?
DESIGN AND TRANSITION OF NEW OR CHANGED SERVICES
Yes / No
Is the Design and Transition of New or Changed Services process set, so that process steps, interfaces to other processes and functions inside the organization, roles and responsibilities are defined?
Are measurement and reporting set and regularly carried out?
Do all new services and changes to services with the potential to have a major impact on services or the customer use this process?
Does the Change Management process control assessment, approval, scheduling and reviewing of new or changed services in the scope of Design and Transition of New or Changed Services process?
Is planning for the new or changed services agreed with the customer and interested parties?
Is the plan for the removal of the service(s) made (valid for services that are to be removed)?
Are new or changed services designed and documented?
Are new or changed services tested to verify that they fulfill the service requirements and documented design?
Are new or changed services verified against service acceptance criteria agreed in advance by the service provider and interested parties?
Is the release and deployment management process used to deploy approved new or changed services into the live environment?
SERVICE LEVEL MANAGEMENT
Yes / No
Is the Service Level Management process set, so that process steps, interfaces to other processes and functions inside the organization, roles and responsibilities are defined?
Are measurement and reporting set and regularly carried out?
Are services to be delivered agreed with the customer?
Is the catalog of services agreed with the customer?
Are one or more SLAs agreed with the customer for each service delivered?
Do SLAs include agreed service targets?
Do SLAs include workload characteristics?
Do SLAs include exceptions?
Are services and SLAs reviewed with the customer at planned intervals?
Do you monitor trends against service targets at planned intervals?
Do you monitor performance against service targets at planned intervals?
Do you have a documented agreement to define the activities and interfaces between the two parties for service components provided by an internal group or the customer, which is developed, agreed, reviewed and maintained?
Is performance of the internal group or the customer against agreed service targets and other agreed commitments monitored, at planned intervals?
SERVICE REPORTING
Yes / No
Is a description of each service report documented and agreed with interested parties?
Yes / No
Performance against service targets
Relevant information about significant events, including at least major incidents, deployment of new or changed services and the service continuity plan being invoked
workload characteristics including volumes and periodic changes in workload
trend information
customer satisfaction measurements
service complaints?
SERVICE CONTINUITY AND AVAILABILITY MANAGEMENT
Yes / No
Is the Service Continuity and Availability Management process set, so that process steps, interfaces to other processes and functions inside the organization, roles and responsibilities are defined?
Are risks to service continuity and availability assessed and documented?
Are service continuity and availability requirements identified and agreed with the customer and interested parties?
Are service continuity and availability plan(s) created, implemented and maintained?
Is availability of services monitored, are the results recorded and compared with agreed targets?
Are service continuity and availability plans tested against the service continuity requirements and are appropriate actions taken?
Are service continuity and availability plans re-tested after major changes to the service environment in which the service provider operates?
BUDGETING AND ACCOUNTING FOR SERVICES
Yes / No
Is the Budgeting and Accounting for Services process set, so that process steps, interfaces to other processes and functions inside the organization, roles and responsibilities are defined?
Is there a policy and documented procedure for Budgeting and Accounting for Services components?
Is there effective financial control and approval in place?
Is there monitoring and reporting of costs against the budget?
Is there review of the financial forecasts?
Is there cost management?
CAPACITY MANAGEMENT
Yes / No
Is the Capacity Management process set, so that process steps, interfaces to other processes and functions inside the organization, roles and responsibilities are defined?
Are measurement and reporting set and regularly carried out?
Are capacity and performance requirements identified and agreed with the customer and interested parties?
Is the capacity plan created, implemented and maintained?
Is monitoring of capacity usage, analysis of capacity data and tuning of performance in place?
Is there sufficient capacity to fulfil agreed capacity and performance requirements?
INFORMATION SECURITY MANAGEMENT
Yes / No
Is the Information Security Management process set, so that process steps, interfaces to other processes and functions inside the organization, roles and responsibilities are defined?
Is there an information security policy in place?
Yes / No
The service requirements,
Statutory and regulatory requirements
And contractual obligations?
Yes / No
appropriate personnel within the service provider,
appropriate personnel within customers
appropriate personnel within suppliers?
Yes / No
Are information security controls implemented and operated on a physical, administrative and technical level?
Is the effectiveness of information security controls reviewed and are necessary actions and reports taken?
Are external organizations that have a need to access, use or manage the organization's information or services identified?
Are requests for change assessed to identify new or changed information security risks and potential impact on the existing information security policy and controls?
Are information security incidents managed using the incident management procedures, with a priority appropriate to the information security risks?
BUSINESS RELATIONSHIP MANAGEMENT
Yes / No
Is the Business Relationship Management process set, so that process steps, interfaces to other processes and functions inside the organization, roles and responsibilities are defined?
Are measurement and reporting set and regularly carried out?
Is there a designated individual who is responsible for managing the customer relationship and customer satisfaction for each customer?
Are communication mechanisms with the customer established?
Is performance of the services reviewed at planned intervals, with the customer?
Are changes to the documented service requirements controlled by the Change Management process?
Are changes to the SLAs coordinated with the Service Level Management process?
Is the definition of a service complaint agreed with the customer?
Do you measure customer satisfaction at planned intervals based on a representative sample of the customers and users of the services?
SUPPLIER MANAGEMENT
Yes / No
Is the Supplier Management process set, so that process steps, interfaces to other processes and functions inside the organization, roles and responsibilities are defined?
Are measurement and reporting set and regularly carried out?
Is there, for each supplier, a designated individual who is responsible for managing the relationship, the contract and performance of the supplier?
Do you agree on a documented contract with the supplier?
Do you agree service levels with the supplier to support and align with the SLAs between the service provider and the customer?
Do you verify that lead suppliers are managing their sub-contracted suppliers to fulfill contractual obligations?
Is performance of the supplier monitored at planned intervals?