Are you seeking to gain certification for your organization for two or more of these standards at some stage over the next few years?

  • ISO 20000 (IT service management)
  • ISO 27001 (information security)
  • ISO 9001 (quality)
  • ISO 14001(environmental management)
  • ISO 22000 (food safety)
  • OHSAS 18001 (occupational health and safety)

Were you aware that each of these certifications requires a management system to be in place?

If you create one common management system that satisfies the management system requirements of every certification you are seeking, you will save time, effort and cost, and improve efficiency as well.

The Publicly Available Specification PAS 99, published in 2006 by the British Standards Institution (BSI), tells you how to set about creating such a common management system. This column looks at PAS 99 and shows you how to use it, with the aid of an example.

Background

Back in 2001, ISO produced a guide on management system standards, justifying why they were needed and indicating what they should contain: ISO Guide 72:2001. It was used as the basis for management system standards written subsequently.

It indicated that a management system standard needed to cover the following categories:

  1. policy
  2. planning
  3. implementation and operation
  4. performance assessment
  5. improvement
  6. management review

Each of the standards, such as ISO 20000 and ISO 27001, has its own specific requirements. However, every one of them needs each of these six categories to be covered.

All we need to do is analyse each standard under these six categories and spot the commonality and the differences; then we can write a common management system that covers all of the standards for which we wish to gain certification for our organization. Easy! That is what PAS 99 shows us how to do, in detail.

PAS 99: Specification of Common Management System Requirements

PAS 99 (using ISO Guide 72 as its basis) shows how each of these six content categories can be built into one common management system that can be used for each standard.

Essentially, PAS 99 provides a detailed generic set of requirements for a management system standard (covering just over three pages) and then shows which clauses in each standard are relevant to each requirement.

A two-page table in PAS 99 shows the comparable clause numbers for PAS 99 and for each of the six international standards covered by PAS 99. Once you know what is common and what is different you can ensure your management system complies. A simple idea that is relatively straightforward to implement.

Example for ISO 20000 and ISO 27001

Here is an example (in the style of the PAS 99 document) showing how two of the content categories, policy and management review, line up between PAS 99, ISO 20000 and ISO 27001, the two standards most relevant to ITSM.

content category    common management system   PAS 99 description                   ISO 20000        ISO 27001
                    requirement                                                     clause numbers   clause numbers
------------------  -------------------------  -----------------------------------  ---------------  ---------------
policy              general requirements       3 clauses                            3                4.1, 4.2
policy              management system policy   1 clause (covers 5 policies)         3.1, 4.4.1       5.1
management review   general                    3 clauses                            3.1(g)           7.1
management review   input                      1 clause (covers 8 sources of        absent           7.2
                                               input)
management review   output                     1 clause (covers decisions and       absent           7.3
                                               actions on improvement)

Now let's take a detailed look at one row of the table: management review: general.

PAS 99 (paraphrased) says:

  1. top management reviews the management system at planned intervals for suitability, adequacy and effectiveness;
  2. the review assesses improvement possibilities, including changes to the management system itself;
  3. records are kept that the reviews took place.

ISO 20000 clause 3.1(g) says:

“Conduct reviews of service management at planned intervals to ensure suitability adequacy and effectiveness.”

ISO 27001 clause 7.1 says:

“Management shall review the organization’s ISMS at planned intervals (at least once a year) to ensure its continuing suitability, adequacy and effectiveness.

This review shall include assessing opportunities for improvement and the need for changes to the information security management system (ISMS), including the information security policy and information security objectives.

The results of the reviews shall be clearly documented and records shall be maintained”.

I think you can readily see that in this case the requirements are almost completely the same. Hence, a common management system section for management review: general might be written as follows:

Management review: general

“Management reviews of (service management system / ISMS) shall be conducted at planned intervals (at least annually) to ensure continuing suitability, adequacy and effectiveness.

 Reviews shall include assessment of improvement opportunities including the need for changes to the (service management system / ISMS) including policy and objectives.

The results of the reviews shall be clearly documented and records shall be maintained.”

Requirements that are not common need to be addressed explicitly.

Here, I have spotted two differences: only ISO 27001 (the ISMS) requires the management reviews to be conducted at least annually, and only ISO 27001 requires policy and objectives to be included in the assessment of improvement opportunities. I have concluded that adopting both of these for the service management system (ISO 20000) as well is appropriate and likely to be beneficial, so both ISO 20000 and ISO 27001 end up with the same management system text for management review: general. The common text therefore has to satisfy the stricter of the two standards wherever they differ; adopting the weaker requirement would leave the ISO 27001 audit with a gap.

This will not be the case for all PAS 99 clauses. Where the differences cannot sensibly be absorbed by adopting the stricter requirement for both standards, variations from the common management system will be necessary to accommodate them.

PAS 99 is a 15-page document and can be purchased online from the BSI Shop and other standards vendors. It is also available in Italian and Spanish translations.

 © 2010 Geoff Harmer

Anonymous (01/03/2010)

So, where does the IBM Tivoli Unified Process (ITUP) with PRM-IT fall within this logic?

Geoff Harmer (06/03/2010)

Thanks for your comment and the name of a tool and framework that is new to me. I have no experience of this tool other than recently downloading it to look at it.

Background
IBM's Tivoli Unified Process (ITUP) tool based on IBM's Process Reference Model for IT (PRM-IT) is a freely downloadable web-based tool.
( http://www-01.ibm.com/software/tivoli/governance/servicemanagement/itup/... )

It provides detailed documentation for PRM-IT processes that are based on (aligned with?) those used in ITIL V3 & V2, COBIT, CMMI and other well-known frameworks. Its database is read-only, so if you don't want to use the processes "as-is" but want to develop your own, then you need to buy IBM ITUP Composer.

Addressing your Question
I looked specifically at ISO 20000

The ITUP tool includes a mapping from ISO 20000 to PRM-IT processes that provides documentation for the processes used in ISO 20000 (which ISO 20000 groups under):
- Service Delivery Processes,
- Business Relationship Management
- Resolution Processes
- Control Processes
- Release Processes

Assuming these documented processes are compliant with ISO 20000 rather than solely ITIL, then ITUP looks a useful free tool, for sure. Even if the processes are not 100% compliant with ISO 20000, it will be a good basis.

However, those processes are NOT the service management system that is also required to meet ISO 20000 certification.
The service management system specifies:
- Management Responsibility
- Documentation Requirements
- Communication, Awareness and Training

The service management system is NOT a process.

( To see what is contained in ISO 20000, particularly the service management system, please see "ISO 20000 on a single page! free download at www.maatconsulting.com)

As far as I could tell, ITUP does not provide documentation for a service management system although many of the requirements could be met by putting in place some of the other PRM-IT processes.

PAS 99 helps you to "unify" a service management system across ISO 20000 and other standards e.g. ISO 27001 as listed in the original column.

I'd welcome confirmation or correction of my viewpoint from anyone at IBM, or elsewhere, who has used IBM Tivoli ITUP for ISO 20000 certification and can comment on its usability.

Geoff

Anonymous (14/04/2010)

Hi Geoff

An interesting article that appears, coincidentally, to be one in a small flurry across various networking outlets. Some of the other comments I have read mention PAS 99 but none has made the statement, which I wholeheartedly agree with, that requirements are not all "common". I also fully agree with the point about having a common approach reducing duplication etc etc.

After several years working the standards "matrix" - a significantly larger cross-reference one than you were able to include - I spent time developing software (called smart-ISO) that evidences that there is a better way. The outcome is that it is not unthinkable to have a Co-ordinated (Common) management system approach to at minimum 9k 14k 18k 22k and 27k. I'm also looking at adapting now towards 20k, 26k and 28k and see no real reason why not.

I have chosen to base my CMS approach on 9k format (not 99) as that now appears to be forming the most "common approach" and most companies start at 9k and work outwards. However, I also do so because I make maximum use of the process flow requirements of 9k (and others now) to cover ALL company processes. I then use that same structure to carry out risk assessments that require the identification of "hazards" that include Q and S and E and IS "issues" and then link Non-Conformance and Inspection back to the processes to create the continuous improvement system that will "continuously improve".

However, I'd like to expand or deepen the concept and suggest that if some work were done to PAS 99 to make it more "Co-ordinated (Common) then we could begin to approach a system where companies COULD be certified to A (singular) "Management" System with "addendum" certification stamps (on the same certificate) for Q and S and E and IS etc etc. I know this may revolutionize the whole MS and certification approach but I suggest that it would make it far more encouraging to smaller companies to consider (not being forced) to operate to and gain such MS accreditation???

Happy to converse some more if there is any synergy with where your thinking is going.
