PIM Delegate Manual Iss 1rev 0 - 20 Feb 20

The document discusses privacy information management requirements and guidelines. It includes an agenda for a training plan on ISO 20000 service management concepts. The training plan covers topics such as service management system concepts and vocabulary, organizational context and leadership, risk assessment, and continual improvement. It lists training objectives like understanding ISO 20000 requirements and how they are applied within an organization's service management system. It also discusses competencies like understanding the organization's approach to achieving SMS outcomes and the relationship between SMS processes and delivering managed services.
Uploaded by rengarajan82


Exemplar Global – PIM 2020

Privacy Information Management

PRIVACY INFORMATION
MANAGEMENT –
REQUIREMENTS AND GUIDELINE

ISO/IEC 27701:2019

Exemplar Global – PIM

ISC (Global) – Exemplar Global – PIM 2019 - Delegate Manual Issue 4 Rev 0 Feb 2020 1 of 87

Service Management System (SMS)


TRAINING PLAN
(Exemplar Global-IT-2018)

TIME              MINUTES  ACTIVITY

08.45 - 09.00am   15       Opening (Introduction)
09.00 - 09.30am   30       Section 1: 20000-10:2018 Service Management Concepts and Vocabulary
09.30 - 10.00am   30       Section 2: Clause 4: Context of the organisation
10.00 - 10.30am   30       Section 3: Clause 5: Leadership

10.30 - 10.45     15       Morning Tea

10.45 - 11.15am   30       Section 4: Risk assessment, Service Management Objectives and Service Management Plans
11.15 - 11.45am   30       Section 5: Support - Resources, Competence, Awareness, Communication, Documented information and Knowledge Management
11.45 - 12.15pm   30       Section 6: Service Catalogue, Asset, Configuration, Business Relationship, Service Level and Supplier Management
12.15 - 12.45pm   30       Section 7: Budgeting, Demand and Capacity Management

12.45 - 1.30pm    45       Lunch

01.30 - 2.00pm    30       Section 8: Change, Transition, Release and Deployment Management
02.00 - 2.30pm    30       Section 9: Incident, Service Request and Problem Management
02.30 - 03.00pm   30       Section 10: Availability, Continuity and Security Management
03.00 - 03.15pm   15       Section 11: Performance Evaluation and Continual Improvement

03.15 - 3.30pm    15       Afternoon Tea

03.30 - 5.00pm    90       Assessment

Please note that times may vary due to delegate numbers, time taken on individual days, etc.


TRAINING OBJECTIVES

At the end of the workshop the delegates will be able to demonstrate knowledge competence to:

a. Understand changes in the 2018 version and get an overview of the standards.

b. Understand Terms and Definitions of Service Management System.

c. Understand the application of the requirements of ISO 20000 within an organization's service management system.

d. Understand the organization and its context, and its approach to achieving the intended outcomes of the SMS.

e. Understand the relationship of the SMS, including delivering managed services, to the service management processes.

f. Identify situations within their own organizations that are compliant or non-compliant with the Service Management standard; and

g. Identify processes within their own organisations that must be controlled or improved.

Source: Exemplar Head Office; Document Ref: TCF 102 Edition 5 of 01/Nov/2018.

Competency # 1: Understand the application of the requirements of ISO 20000 within an organization's service management system.
Performance Criteria
1.1 Understand the intent and requirement of each clause of ISO 20000 within the context of the organization.
1.2 Evaluate the documented information required by ISO 20000 and the interrelationships between the SMS processes - planning, policy and objectives.
1.3 Understand the evidence needed to demonstrate conformity to the requirements of ISO 20000.
1.4 Assess that SMS terminology and sector-specific terminology is correctly used.
1.5 Analyze the effectiveness of the entire service management system, including the process approach used to establish, implement, maintain and improve the effectiveness of the management system.
1.6 Understand the relationship between legal compliance and ISO 20000 conformity and determine that it is demonstrated in the context of an audit in the given business/industry sector.
1.7 Determine relevant external and internal issues that relate to the purpose of the organization and affect its ability to achieve intended outcomes.
1.8 Understand how top management demonstrates leadership and commitment to the SMS.
1.9 Determine that responsibilities and authorities for relevant roles are assigned and communicated.
1.10 Understand how competence is determined, achieved and assessed as effective, with evidence of competence maintained.
1.11 Understand how awareness for those working under the organization's control takes place.
1.12 Understand how internal and external communication is determined, including what, when, with whom, and how communication occurs.
1.13 Determine that the service management system includes the required and necessary documented information to support its effectiveness, and that such documented information is adequately controlled and protected.
1.14 Determine that the organization has maintained the knowledge necessary to support the operation of the SMS and services.

Competency # 2: Understand the organization and its context, and its approach to achieving the intended outcomes of the SMS.
Performance Criteria
2.1 Understand how SMS risks and opportunities are determined in relation to legal and other requirements, existing controls and the context of the organization.
2.2 Understand how the organization plans the service management system in relation to the service management policy, objectives, risks, opportunities and service requirements.
2.3 Understand the scope of the SMS and its applicability based on the organizational context.
2.4 Determine the objectives of the service management system and the plans to achieve them.

Competency # 3: Understand the relationship of the SMS, including delivering managed services, to the service management processes.
Performance Criteria
3.1 Determine the service portfolio of an SMS in terms of service delivery, planning the services, control of parties in the service lifecycle, service catalog management, asset management and configuration management.
3.2 Understand how business relationship, supplier and service level management are performed.
3.3 Evaluate the capability of budgeting and accounting, demand management and capacity management to meet the requirements of the SMS.
3.4 Evaluate the capability of change management, planning new or changed services, design and release/deployment management to ensure the integrity of the SMS and its services.
3.5 Understand how incident, problem and service request management are performed.
3.6 Understand how service assurance is performed, including service availability, service continuity and SMS.
3.7 Determine that the processes needed for the monitoring, measurement, analysis and evaluation of the SMS and its services are in place.
3.8 Determine that the organization has processes in place to react to nonconformities and that continual improvement is realized.


What is Service Management?


We are familiar with the difference between manufacturing and servicing. There are organisations that are
pure manufacturers, pure service providers or a combination of the two. For example, if you sell a software
application with provision for post-sales service, you may need to troubleshoot the application when the
customer calls you. This standard applies not to the software development activity but to the services part of
your activities.

[Figure: SUPPLIER -> ORGANIZATION -> CUSTOMER (the supply chain the standard addresses)]

NOTE 1: Suppliers include designated lead suppliers but not their sub-contracted suppliers.
NOTE 2: In the 2018 version, the term 'service provider' has been replaced by the word 'organization'.

What is an SMS (Service Management System)?


(Ref: ISO/IEC 20000-1:2018 Service Management – Concepts and Vocabulary Clause 5.2)

An SMS directs and controls the service management activities of the organization. It includes policies,
objectives, plans, processes, documented information and resources to achieve the service
management objectives of the organization and to fulfil the service requirements. An SMS should
direct and control the service management activities of the organization to design, transition, deliver,
manage and improve services.
An SMS can provide increased control, greater effectiveness and a means to identify and address
opportunities for improvement within the organization. An SMS can directly contribute to the efficient and
effective management of services and service components, providing value and reducing the potential risk of
failure by the organization.
The effectiveness of an SMS relies on:
a) a focus on agreed service requirements;
b) strong leadership supporting the SMS and communicating its importance to interested parties;
c) end to end management of services involving:
1) the organization;
2) internal or external customers;
3) internal and external suppliers;
4) other interested parties;
d) an integrated process approach;
e) commitment to continual improvement.

The design and establishment of an SMS can be influenced by the service requirements, the type of
services and service management objectives, among others, which may be revised over time as the
organization evolves.
ISO/IEC 20000-1 is generic and intended to be applicable to all organizations, regardless of the
organization's type or size, or the nature of the services delivered. Typically, ISO/IEC 20000-1 is used across
various business sectors and services such as telecommunications, finance, transportation, cloud, facilities
management, business process outsourcing, information technology and many other services. The
requirements for an SMS specified by ISO/IEC 20000-1 can be readily adopted for each organization to fit
the sector, size and type of services. An organization can only claim conformity if all requirements in
ISO/IEC 20000-1 have been met.


Why Have a Service Management System (SMS)?


(Ref: ISO/IEC 20000-10:2018 Service Management – Concepts and Vocabulary Clause 5.5)
1 General benefits of an SMS
When organizations implement an SMS, the ability to apply consistent and well understood management
principles can be demonstrated to customers and other interested parties.

Benefits realised from the adoption of an SMS can include but are not limited to:
a) improving service performance and the value provided by the organization to the business and
customers through the implementation and continual improvement of the SMS and services;
b) reducing cost, effort and disruption to services;
c) ensuring the SMS components are aligned with business objectives and that they provide value to the
business;
d) ensuring the service management activities meet the business needs and fulfil service requirements in
the scope of the SMS;
e) facilitating confidence of the business and customers with services delivered using an SMS based on
ISO/IEC 20000-1;
f) reducing risks through the use of an agreed risk management approach;
g) enabling improved coordination between an organization, internal suppliers, external suppliers and other
parties;
h) supporting the Requirement, implementation, operation and maintenance of a comprehensive set of
integrated service management processes;
i) enabling an improved recognition of roles, responsibilities and relationships to support the SMS and the
services;
j) providing a common language for service management;
k) ensuring that personnel understand what is expected of them, are supported to develop required
competencies and are recognised for their contribution.

An SMS based on ISO/IEC 20000-1 can enable the business by ensuring that the services support the
business and do not distract the business staff from performing their true roles. A poor service can lead to
business staff spending time trying to fix the service or to get around the issues instead of doing their own
job.

2 Benefits from independent assessment of an SMS against ISO/IEC 20000-1


An organization can choose to be independently assessed against the requirements specified in ISO/IEC
20000-1. This can have many benefits including external recognition of their ability to continually improve
and to deliver services by fulfilling service requirements and the achievement of customer satisfaction. In an
environment where services are sourced from a number of different suppliers, this assurance is increasingly
important.
Independent assessment can facilitate process compliance so that all the benefits of best practice service
management can be gained. Instead of staff operating processes in an inconsistent way, they will have clear
processes within the context of a management system conformant to ISO/IEC 20000-1, which will be
assessed regularly.
An SMS can be integrated with other management systems such as a quality management system (QMS)
(ISO 9001) and an information security management system (ISMS) (ISO/IEC 27001). The integrated
management system can facilitate efficiencies of management practice and cost savings for auditing. Other
management systems such as an IT asset management system (ITAM) (ISO/IEC 19770-1) can also be
integrated.

3 Benefits related to different service management scenarios
Service management can be implemented in many different ways leading to a variety of benefits. Table 1
gives examples of different service management implementation scenarios and the potential benefits which
can be realised. Each successive scenario includes the benefits from the previous scenario. The scenarios
shown in the Table below are not all examples of fully implementing an SMS. Only scenarios 4 and 5
completely fulfil the requirements specified in ISO/IEC 20000-1. (This sentence is highlighted for
training purposes. The standard does not highlight this sentence).

Table 1 (columns: Number; Implementation scenario; Example; Potential outcomes and benefits)

Scenario 1
Implementation scenario: SMS not fully implemented. Some service management processes implemented.
Example: Just two processes implemented, such as incident and change management.
Potential outcomes and benefits:
— Specific functional benefits of each process within the limits of implemented areas

Scenario 2
Implementation scenario: SMS not fully implemented. All service management processes implemented separately with no process integration.
Example: All processes in ISO/IEC 20000-1, Clause 8.
Potential outcomes and benefits:
— Increased availability
— Control provided by each process
— Improved management of services

Scenario 3
Implementation scenario: SMS not fully implemented. All service management processes integrated.
Example: Change management can now operate fully with configuration management and release & deployment management.
Potential outcomes and benefits:
— Increased effectiveness with full benefits of each process
— Consistency
— Traceability
— Control provided across processes
— Ability to restore service according to an IT service continuity plan
— Ability to manage SMS requirements for service delivery
— SLAs related to the service requirements are agreed with the customer and managed
— Business relationship improved
— Suppliers managed in a consistent and controlled way

Scenario 4
Implementation scenario: SMS fully implemented with all service management processes integrated. No independent assessment against ISO/IEC 20000-1.
Example: SMS policies, objectives, plans, documentation, resources, top management commitment, defined scope.
Potential outcomes and benefits:
— Continual improvement of service performance and value provided to the business and customers
— Service focused on policies and objectives related to the services and business strategy/objectives
— Increased service & business productivity
— Continual improvement of service quality including reliability
— Better co-ordination of all parties from users/customers to external suppliers, internal suppliers and other interested parties
— Increased control of SMS and services, measurements and reporting
— Top management commitment demonstrated
— Staff responsibilities are clear, improved staff morale
— Implemented improvement cycle
— Agreed service requirements and documented SMS
— Improved control of external suppliers and other parties in the supply chain
— Optimised and controlled costs
— Reduced risks, regular risk assessment
— Documented process for future reference and standardization

Scenario 5
Implementation scenario: SMS fully implemented with all service management processes integrated. Independent assessment against ISO/IEC 20000-1.
Example: Full assessment every 3 years, surveillance assessment every year.
Potential outcomes and benefits:
— SMS is operated and maintained
— Continual improvement assured
— Independent proof of good practice and commitment to service management and service excellence
— Internationally recognised
— Competitive advantage
— Increased business and customer confidence
— Improved reputation

ISO/IEC 20000 Family of Standards


(Ref: ISO/IEC 20000-10:2018 Service Management – Concepts and Vocabulary Clause 6.1)

ISO/IEC 20000 consists of several interrelated parts, which are all aligned with ISO/IEC 20000-1. The
parts are either International Standards or Technical Reports.
ISO/IEC 20000 (all parts) is designed for use by organizations providing services to either internal or
external customers. A key focus of an SMS is to enable an organization to deliver services that fulfil the
business needs and service requirements agreed between the organization and its customers.
ISO/IEC 20000 (all parts) can enable organizations to understand what needs to be in place to
enhance the quality of services delivered to their customers, both internal and external.
All parts of ISO/IEC 20000 will be updated to maintain alignment with ISO/IEC 20000-1:2018, with
the exception of ISO/IEC 20000-6, which is compatible with both the previous edition and the 2018
edition of ISO/IEC 20000-1.
ISO/IEC 20000-7 is currently under development. There is no ISO/IEC 20000-8 standard in the
ISO/IEC 20000 series.
ISO/IEC TR 20000-4:2010, Process reference model, is being withdrawn because it is out of date.
ISO/IEC TS 15504-8, An exemplar process assessment model for IT service management, the related
process assessment model, is also out of date. They will be replaced with documents in a different
series: ISO/IEC 33054 and ISO/IEC 33074.
ISO/IEC TR 20000-9:2015, Guidance on the application of ISO/IEC 20000-1 to cloud services, is being
withdrawn because it applies to an earlier edition of ISO/IEC 20000-1, not the 2018 edition.
ISO/IEC 20000-10 provides information on all of the parts of the ISO/IEC 20000 series, benefits,
misperceptions and other related standards. ISO/IEC 20000-10 lists the terms and definitions
included in this document in addition to terms not used in this document but used in other parts of the
ISO/IEC 20000 series.
The parts of ISO/IEC 20000 and the relationships between them are illustrated in Figure 1.
Note: TR - Technical Report (not approved as an International Standard; it provides information rather than requirements)
Exemplar - One that is worthy of imitation; a model.
[Figure 1: the parts of ISO/IEC 20000 and the relationships between them (image not reproduced in this extraction)]


Plain English Explanation


Among the ISO 20000 family of standards, ISO/IEC 20000-1:2018 is the only standard that can be used for
third party certification. The rest may be used as additional guidelines.


Contents of ISO/IEC 27701:2019 (Privacy Information Management System requirements and guidelines)


Contents
Introduction
1 Scope
2 Normative references
3 Terms, definitions and abbreviations
4 General
4.1 Structure of this document
4.2 Application of ISO/IEC 27001:2013 requirements
4.3 Application of ISO/IEC 27002:2013 guidelines
4.4 Customer
5 PIMS-specific requirements related to ISO/IEC 27001
5.1 General
5.2 Context of the organization
5.2.1 Understanding the organization and its context
5.2.2 Understanding the needs and expectations of interested parties
5.2.3 Determining the scope of the information security management system
5.2.4 Information security management system
5.3 Leadership
5.3.1 Leadership and commitment
5.3.2 Policy
5.3.3 Organizational roles, responsibilities and authorities
5.4 Planning
5.4.1 Actions to address risks and opportunities
5.4.2 Information security objectives and planning to achieve them
5.5 Support
5.5.1 Resources
5.5.2 Competence
5.5.3 Awareness
5.5.4 Communication
5.5.5 Documented information
5.6 Operation
5.6.1 Operational planning and control
5.6.2 Information security risk assessment
5.6.3 Information security risk treatment
5.7 Performance evaluation
5.7.1 Monitoring, measurement, analysis and evaluation
5.7.2 Internal audit
5.7.3 Management review
5.8 Improvement
5.8.1 Nonconformity and corrective action
5.8.2 Continual improvement
6 PIMS-specific guidance related to ISO/IEC 27002
6.1 General
6.2 Information security policies
6.2.1 Management direction for information security
6.3 Organization of information security
6.3.1 Internal organization
6.3.2 Mobile devices and teleworking
6.4 Human resource security
6.4.1 Prior to employment

6.4.2 During employment
6.4.3 Termination and change of employment
6.5 Asset management
6.5.1 Responsibility for assets
6.5.2 Information classification
6.5.3 Media handling
6.6 Access control
6.6.1 Business requirements of access control
6.6.2 User access management
6.6.3 User responsibilities
6.6.4 System and application access control
6.7 Cryptography
6.7.1 Cryptographic controls
6.8 Physical and environmental security
6.8.1 Secure areas
6.8.2 Equipment
6.9 Operations security
6.9.1 Operational procedures and responsibilities
6.9.2 Protection from malware
6.9.3 Backup
6.9.4 Logging and monitoring
6.9.5 Control of operational software
6.9.6 Technical vulnerability management
6.9.7 Information systems audit considerations
6.10 Communications security
6.10.1 Network security management
6.10.2 Information transfer
6.11 Systems acquisition, development and maintenance
6.11.1 Security requirements of information systems
6.11.2 Security in development and support processes
6.11.3 Test data
6.12 Supplier relationships
6.12.1 Information security in supplier relationships
6.12.2 Supplier service delivery management
6.13 Information security incident management
6.13.1 Management of information security incidents and improvements
6.14 Information security aspects of business continuity management
6.14.1 Information security continuity
6.14.2 Redundancies
6.15 Compliance
6.15.1 Compliance with legal and contractual requirements
6.15.2 Information security reviews
7 Additional ISO/IEC 27002 guidance for PII controllers
7.1 General
7.2 Conditions for collection and processing
7.2.1 Identify and document purpose
7.2.2 Identify lawful basis


7.2.3 Determine when and how consent is to be obtained
7.2.4 Obtain and record consent
7.2.5 Privacy impact assessment
7.2.6 Contracts with PII processors
7.2.7 Joint PII controller
7.2.8 Records related to processing PII
7.3 Obligations to PII principals
7.3.1 Determining and fulfilling obligations to PII principals
7.3.2 Determining information for PII principals
7.3.3 Providing information to PII principals
7.3.4 Providing mechanism to modify or withdraw consent
7.3.5 Providing mechanism to object to PII processing
7.3.6 Access, correction and/or erasure
7.3.7 PII controllers' obligations to inform third parties
7.3.8 Providing copy of PII processed
7.3.9 Handling requests
7.3.10 Automated decision making
7.4 Privacy by design and privacy by default
7.4.1 Limit collection
7.4.2 Limit processing
7.4.3 Accuracy and quality
7.4.4 PII minimization objectives
7.4.5 PII de-identification and deletion at the end of processing
7.4.6 Temporary files
7.4.7 Retention
7.4.8 Disposal
7.4.9 PII transmission controls
7.5 PII sharing, transfer, and disclosure
7.5.1 Identify basis for PII transfer between jurisdictions
7.5.2 Countries and international organizations to which PII can be transferred
7.5.3 Records of transfer of PII
7.5.4 Records of PII disclosure to third parties
8 Additional ISO/IEC 27002 guidance for PII processors
8.1 General
8.2 Conditions for collection and processing
8.2.1 Customer agreement
8.2.2 Organization’s purposes
8.2.3 Marketing and advertising use
8.2.4 Infringing instruction
8.2.5 Customer obligations
8.2.6 Records related to processing PII
8.3 Obligations to PII principals
8.3.1 Obligations to PII principals
8.4 Privacy by design and privacy by default
8.4.1 Temporary files
8.4.2 Return, transfer or disposal of PII
8.4.3 PII transmission controls
8.5 PII sharing, transfer, and disclosure
8.5.1 Basis for PII transfer between jurisdictions
8.5.2 Countries and international organizations to which PII can be transferred
8.5.3 Records of PII disclosure to third parties
8.5.4 Notification of PII disclosure requests


8.5.5 Legally binding PII disclosures
8.5.6 Disclosure of subcontractors used to process PII
8.5.7 Engagement of a subcontractor to process PII
8.5.8 Change of subcontractor to process PII
Annex A PIMS-specific reference control objectives and controls (PII Controllers)
Annex B PIMS-specific reference control objectives and controls (PII Processors)
Annex C Mapping to ISO/IEC 29100
Annex D Mapping to the General Data Protection Regulation
Annex E Mapping to ISO/IEC 27018 and ISO/IEC 29151
Annex F How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002
F.1 How to apply this document
F.2 Example of refinement of security standards


Note:
1. Text in 'italics' in a grey box is a requirement stated in ISO/IEC 20000-1:2018. Only these are to be used
in audits.
2. PLAIN ENGLISH EXPLANATION is our way of explaining the requirements. It cannot be used for
audits.
3. The 'audit tools' are samples only. Please prepare your own checklists based on your experience. This
manual will give a 'starting point' only. Only clauses 4 to 10 are auditable. Clauses 1, 2 and 3 are for
information only. For example, the auditee organization may not use a specific term given in clause 3;
that is not a nonconformity.

ISO/IEC 20000-1:2018
Introduction
0.1 General
Almost every organization processes Personally Identifiable Information (PII). Further, the quantity and types
of PII processed is increasing, as is the number of situations where an organization needs to cooperate with
other organizations regarding the processing of PII. Protection of privacy in the context of the processing of PII
is a societal need, as well as the topic of dedicated legislation and/or regulation all over the world.
The Information Security Management System (ISMS) defined in ISO/IEC 27001 is designed to permit the
addition of sector specific requirements, without the need to develop a new Management System. ISO
Management System standards, including the sector specific ones, are designed to be able to be implemented
either separately or as a combined Management System.
Requirements and guidance for PII protection vary depending on the context of the organization, in particular
where national legislation and/or regulation exist. ISO/IEC 27001 requires that this context be understood and
taken into account. This document includes mapping to:
— the privacy framework and principles defined in ISO/IEC 29100;
— ISO/IEC 27018;
— ISO/IEC 29151; and
— the EU General Data Protection Regulation.
However, these may need to be interpreted to take into account local legislation and/or regulation.
This document can be used by PII controllers (including those that are joint PII controllers) and PII processors
(including those using subcontracted PII processors and those processing PII as subcontractors to PII
processors).
An organization complying with the requirements in this document will generate documentary evidence of how it
handles the processing of PII. Such evidence can be used to facilitate agreements with business partners where
the processing of PII is mutually relevant. This can also assist in relationships with other stakeholders. The use
of this document in conjunction with ISO/IEC 27001 can, if desired, provide independent verification of this
evidence.
This document was initially developed as ISO/IEC 27552.
This document applies the framework developed by ISO to improve alignment among its Management System
Standards.

0.2 Compatibility with other management system standards

This document enables an organization to align or integrate its PIMS with the requirements of other
Management System standards.


Plain English Explanation


Annex SL was simply the next available annex letter when ISO first published it in October 2012.
The ISO/IEC Directives, Part 1, Consolidated ISO Supplement is the rulebook for all national standards bodies. It
has many annexes: A, B, C, D, ... AA, AB, ... SA, SB, ... SK, SL, SM, ... TA, TB, ... The generic framework
(a common high level structure, identical core text and common terms) for all Management System Standards (MSS)
was originally drafted as ISO Guide 83. In 2012 it was incorporated into the ISO/IEC Directives, Part 1 as one of
those annexes. It is useful for organizations that follow more than one MSS, because the common requirements are
now identical across standards, which makes an Integrated Management System far easier to build. The letters 'SL'
have no meaning or expansion; they were the 'next available' reference in 2012. (In the 2019 edition of the
Consolidated ISO Supplement the same annex was renumbered as Annex L.)

Among the ISO 20000 family of standards, ISO/IEC 20000-1:2018 is the one based on Annex SL and the only one that
can be used for third-party certification. The rest may be used as additional guidance.

There is no need to document a Service Management Manual. In practice we see that a number of
organizations have documented a Manual that aligns with each clause of the standard. That is not
required. For example, only three policies are required: Service Management Policy, Information
Security Policy and Change Management Policy. Other important documents are, for example, Scope
of SMS, Service Management Objectives, Service Management Plan and Service Catalogue.

In a Quality Management System (QMS), an organization that does not design a product or a service can determine
clause 8.3 of ISO 9001:2015 as not applicable (commonly called an exclusion). In a Service Management System
(SMS), it is not possible to exclude the requirements of any clause.

ISO/IEC 20000-1:2018
1.2 Application
All requirements specified in this document are generic and are intended to be applicable to all
organizations, regardless of the organization’s type or size, or the nature of the services delivered.
Exclusion of any of the requirements in Clauses 4 to 10 is not acceptable when the organization claims
conformity to this document, irrespective of the nature of the organization.
Conformity to the requirements specified in this document can be demonstrated by the organization
itself showing evidence of meeting those requirements.
The organization itself demonstrates conformity to Clauses 4 and 5. However, the organization can be
supported by other parties. For example, another party can conduct internal audits on behalf of the
organization or support the preparation of the SMS.

Alternatively, the organization can show evidence of retaining accountability for the requirements
specified in this document and demonstrating control when other parties are involved in meeting the


requirements in Clauses 6 to 10 (see 8.2.3). For example, the organization can demonstrate evidence of
controls for another party who is providing infrastructure service components or operating the service
desk including the incident management process.
The organization cannot demonstrate conformity to the requirements specified in this document if other
parties are used to provide or operate all services, service components or processes within the scope of
the SMS.
The scope of this document excludes the requirement for products or tools. However, this document can be
used to help the development or acquisition of products or tools that support the operation of an SMS.
Plain English Explanation
This means Clauses 4 and 5 must be demonstrated by the organisation itself. Clauses 6 to 10 may be supported by
other parties (for example, an outsourced service desk), except for 9.3 Management review, which is carried out by
top management; in every case the organisation retains accountability and must show evidence that it controls those
parties. Management review covers internal processes and also outsourced processes.

 ISO 9001:2015 allows requirements to be determined as not applicable (an 'exclusion'), limited to Clause 8.

 ISO/IEC 27001:2013 has the Statement of Applicability to justify the exclusion of Annex A controls.
 Neither type of exclusion is permitted in ISO/IEC 20000-1:2018: no requirement in Clauses 4 to 10 can be excluded.

ISO/IEC 20000-1:2018
2 Normative reference
There are no normative references in this document.

Plain English Explanation

Informative reference: a document cited for information only; conforming to it is not required.


Normative reference: a document cited in such a way that conforming to it (or to the part of it that is cited) is
necessary in order to conform to this standard. Because ISO/IEC 20000-1:2018 has no normative references, every
standard it mentions (for example ISO/IEC 20000-3 on scope definition) is informative.


3 Terms and Definitions

3.1 Terms specific to management system standards


This contains 21 definitions that are common to all management system standards (the Annex SL common terms), for
example top management, nonconformity, interested party and audit. Equivalent vocabulary is in ISO 9000:2015.

3.2 Terms specific to service management


3.2.1
asset
item, thing or entity that has potential or actual value to an organization (3.1.14)
Note 1 to entry: Value can be tangible or intangible, financial or non-financial, and includes consideration of risks
(3.1.20) and liabilities. It can be positive or negative at different stages of the asset life.

Note 2 to entry: Physical assets usually refer to equipment, inventory and properties owned by the organization.
Physical assets are the opposite of intangible assets, which are non-physical assets such as leases, brands, digital
assets, use rights, licences, intellectual property rights, reputation or agreements.

Note 3 to entry: A grouping of assets referred to as an asset system could also be considered as an asset.

Note 4 to entry: An asset can also be a configuration item (3.2.2). Some configuration items are not assets.

[SOURCE: ISO/IEC 19770-5:2015, 3.2, modified — Note 4 to entry contains new content.]
3.2.2
configuration item
CI
element that needs to be controlled in order to deliver a service (3.2.15) or services
3.2.3
customer
organization (3.1.14) or part of an organization that receives a service (3.2.15) or services
EXAMPLE Consumer, client, beneficiary, sponsor, purchaser.

Note 1 to entry: A customer can be internal or external to the organization delivering the service or services.

Note 2 to entry: A customer can also be a user (3.2.28). A customer can also act as a supplier.

3.2.4
external supplier
another party that is external to the organization that enters into a contract to contribute to the
planning, design, transition (3.2.27), delivery or improvement of a service (3.2.15), service component
(3.2.18) or process (3.1.18)
Note 1 to entry: External suppliers include designated lead suppliers but not their sub-contracted suppliers.

Note 2 to entry: If the organization in the scope of the SMS is part of a larger organization, the other party is external to
the larger organization.


3.2.5
incident
unplanned interruption to a service (3.2.15), a reduction in the quality of a service or an event that has
not yet impacted the service to the customer (3.2.3) or user (3.2.28)
3.2.6
information security
preservation of confidentiality, integrity and availability of information
Note 1 to entry: In addition, other properties such as authenticity, accountability, non-repudiation and reliability
can also be involved.

[SOURCE: ISO/IEC 27000:2018, 3.28]


3.2.7
information security incident
single or a series of unwanted or unexpected information security (3.2.6) events that have a significant
probability of compromising business operations and threatening information security
[SOURCE: ISO/IEC 27000:2018, 3.31]
3.2.8
internal supplier
part of a larger organization (3.1.14) that is outside the scope of the SMS (3.2.23) that enters into a
documented agreement to contribute to the planning, design, transition (3.2.27), delivery or
improvement of a service (3.2.15), service component (3.2.18) or process (3.1.18)
EXAMPLE Procurement, infrastructure, finance, human resources, facilities.

Note 1 to entry: The internal supplier and the organization in the scope of the SMS are both part of the same
larger organization.

3.2.9
known error
problem (3.2.10) that has an identified root cause or a method of reducing or eliminating its impact on
a service (3.2.15)
3.2.10
problem
cause of one or more actual or potential incidents (3.2.5)
3.2.11
procedure
specified way to carry out an activity or a process (3.1.18)
Note 1 to entry: Procedures can be documented or not.

[SOURCE: ISO 9000:2015, 3.4.5]


3.2.12
record, noun
document stating results achieved or providing evidence of activities performed
EXAMPLE Audit (3.1.1) reports, incident (3.2.5) details, list of training delegates, minutes of meetings.

Note 1 to entry: Records can be used, for example, to formalize traceability and to provide evidence of
verification, preventive action and corrective action (3.1.5).

Note 2 to entry: Generally, records need not be under revision control.

[SOURCE: ISO 9000:2015, 3.8.10, modified — EXAMPLE has been added.]

3.2.13
release, noun
collection of one or more new or changed services (3.2.15) or service components (3.2.18) deployed
into the live environment as a result of one or more changes
3.2.14
request for change
proposal for a change to be made to a service (3.2.15), service component (3.2.18) or the SMS (3.2.23)
Note 1 to entry: A change to a service includes the provision of a new service, transfer of a service or the removal
of a service that is no longer required.

3.2.15
service
means of delivering value for the customer (3.2.3) by facilitating outcomes the customer wants to
achieve
Note 1 to entry: Service is generally intangible.

Note 2 to entry: The term service as used in this document means the service or services in the scope of the SMS
(3.2.23). Any use of the term service with a different intent is distinguished clearly.

3.2.16
service availability
ability of a service (3.2.15) or service component (3.2.18) to perform its required function at an agreed
time or over an agreed period of time
Note 1 to entry: Service availability can be expressed as a ratio or percentage of the time that the service or
service component is actually available for use compared to the agreed time.
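Note 1 says availability is measured against the agreed time, not calendar time, and in practice that is where
availability reports go wrong: outages outside the agreed service hours get counted, or two overlapping incident
records count the same minutes twice. The Python below is an added example, not part of the standard or of this
manual, that computes availability from an agreed service window and a list of outage records; the week, the
08:00-18:00 weekday window and the four incident times are constructed for illustration only.

```python
from datetime import datetime, timedelta


def merge_intervals(intervals):
    """Merge overlapping (start, end) pairs so that overlapping outage records
    (e.g. a major incident and a child incident) are not counted twice."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def overlap_seconds(a, b):
    """Seconds during which interval a and interval b both apply (0 if disjoint)."""
    start = max(a[0], b[0])
    end = min(a[1], b[1])
    return max(0.0, (end - start).total_seconds())


def service_availability(agreed_windows, outages):
    """Availability as a fraction of the AGREED time (3.2.16, Note 1).

    Outage time outside the agreed windows is ignored, and outage time that
    spills past the end of a window is clipped to the window."""
    agreed = sum((end - start).total_seconds() for start, end in agreed_windows)
    if agreed == 0:
        raise ValueError("no agreed service time in the reporting period")
    lost = sum(overlap_seconds(window, outage)
               for window in agreed_windows
               for outage in merge_intervals(outages))
    return (agreed - lost) / agreed


def weekday_windows(first_day, days, start_hour, end_hour):
    """Agreed service hours, e.g. 08:00-18:00 on each weekday from first_day."""
    windows = []
    for i in range(days):
        day = first_day + timedelta(days=i)
        if day.weekday() < 5:  # Monday..Friday
            windows.append((day.replace(hour=start_hour), day.replace(hour=end_hour)))
    return windows


# Constructed sample data (not from the standard): one week starting Monday 15 Oct 2018.
AGREED = weekday_windows(datetime(2018, 10, 15), 7, 8, 18)        # 5 x 10 h = 50 h agreed
OUTAGES = [
    (datetime(2018, 10, 15, 17, 30), datetime(2018, 10, 15, 19, 0)),   # only 30 min falls in the window
    (datetime(2018, 10, 17, 2, 0),   datetime(2018, 10, 17, 4, 0)),    # outside agreed hours: not counted
    (datetime(2018, 10, 18, 10, 0),  datetime(2018, 10, 18, 11, 0)),   # 60 min lost
    (datetime(2018, 10, 18, 10, 30), datetime(2018, 10, 18, 10, 45)),  # child record of the above: merged
]

if __name__ == "__main__":
    print(f"availability: {service_availability(AGREED, OUTAGES):.2%}")
```

With the constructed data 1.5 h of the 50 agreed hours is lost, giving 97.00 %; measured against the calendar
week instead, the same incidents would have looked like 3.75 h lost out of 168, a figure that neither the customer
nor the SLA asked for. Whether planned maintenance inside the window counts as lost time is a matter for the SLA,
and should be settled there before the calculation is automated.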

3.2.17
service catalogue
documented information about services that an organization provides to its customers
3.2.18
service component
part of a service (3.2.15) that when combined with other elements will deliver a complete service
EXAMPLE Infrastructure, applications, documentation, licences, information, resources, supporting services.

Note 1 to entry: A service component can include configuration items (3.2.2), assets (3.2.1) or other elements.

3.2.19
service continuity
capability to deliver a service (3.2.15) without interruption, or with consistent availability as agreed
Note 1 to entry: Service continuity management can be a subset of business continuity management. ISO 22301
is a management system standard for business continuity management.

3.2.20
service level agreement
SLA

documented agreement between the organization (3.1.14) and the customer (3.2.3) that identifies
services (3.2.15) and their agreed performance
Note 1 to entry: A service level agreement can also be established between the organization and an external
supplier (3.2.4), an internal supplier (3.2.8) or a customer acting as a supplier.

Note 2 to entry: A service level agreement can be included in a contract or another type of documented
agreement.

3.2.21
service level target
specific measurable characteristic of a service (3.2.15) that an organization (3.1.14) commits to.

3.2.22
service management
set of capabilities and processes (3.1.18) to direct and control the organization’s (3.1.14) activities and
resources for the planning, design, transition (3.2.27), delivery and improvement of services (3.2.15) to
deliver value (3.2.29)
Note 1 to entry: This document provides a set of requirements that are split into clauses and sub-clauses. Each
organization can choose how to combine the requirements into processes. The sub-clauses can be used to define
the processes of the organization’s SMS.

3.2.23
service management system
SMS
management system (3.1.9) to direct and control the service management (3.2.22) activities of the
organization (3.1.14)
Note 1 to entry: An SMS includes service management policies (3.1.17), objectives (3.1.13), plans, processes
(3.1.18), documented information and resources required for the planning, design, transition (3.2.27), delivery
and improvement of services to meet the requirements (3.1.19) specified in this document.

3.2.24
service provider
organization (3.1.14) that manages and delivers a service (3.2.15) or services to customers (3.2.3)
3.2.25
service request
request for information, advice, access to a service (3.2.15) or a pre-approved change
3.2.26
service requirement
needs of customers (3.2.3), users (3.2.28) and the organization (3.1.14) related to the services (3.2.15)
and the SMS (3.2.23) that are stated or obligatory
Note 1 to entry: In the context of an SMS (3.2.23), service requirements are documented and agreed rather than
generally implied. There can also be other requirements such as legal and regulatory requirements.

3.2.27
transition
activities involved in moving a new or changed service (3.2.15) to or from the live environment
3.2.28
user
individual or group that interacts with or benefits from a service (3.2.15) or services

Note 1 to entry: Examples of users include a person or community of people. A customer (3.2.3) can also be a
user.

3.2.29
value
importance, benefit or usefulness
EXAMPLE Monetary value, achieving service outcomes, achieving service management (3.2.22) objectives
(3.1.13), customer retention, removal of constraints.

Note 1 to entry: The creation of value from services (3.2.15) includes realizing benefits at an optimal resource level
while managing risk (3.1.20). An asset (3.2.1) and a service (3.2.15) are examples that can be assigned a value.


Service Management System Requirement ISO/IEC 20000-1: 2018

4. Context of the organisation


ISO/IEC 20000-1:2018- 4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect
its ability to achieve the intended outcome(s) of its SMS.

NOTE The word “issue” in this context can be factors which have a positive or negative impact. These are
important factors for the organization in the context of its ability to deliver services of an agreed quality to its
customers.

Plain English Explanation.


Clause 4.1: The organization has to evaluate the relevant issues, both internal and external, that may have an
impact on meeting its objectives. By identifying the issues relevant to its purpose, the organisation can set the
direction for establishing its framework, and the internal and external issues that might affect its ability to
meet the intended outcomes are understood.

This sets the stage as follows:


- Understanding the external context
- Understanding the internal context
- Understanding the purpose and intended outcome of the SMS
- Analysing the factors to be considered to meet those objectives.

ISO 31000:2018 (Risk management – Guidelines) is the reference standard for risk management.

Audit tool
Whom to meet: Top Management

Which documented information to review:


Organisation Chart, Organisation objective, Broad overview of processes, applicable legal requirements,
Contracts, SLAs

Audit Questions:
1. Who are the customers?
2. Who are the suppliers?
3. Who are regulators?


ISO/IEC 20000-1:2018- 4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
a) the interested parties that are relevant to the SMS and the services;
b) the relevant requirements of these interested parties.

NOTE The requirements of interested parties can include service, performance, legal and regulatory
requirements and contractual obligations that relate to the SMS and the services.

Plain English Explanation.


Who are the “interested parties”?
In ISO terminology the term “interested parties” is the same as “stakeholder”.

interested party (preferred term) and stakeholder (admitted term):


person or organization that can affect, be affected by, or perceive itself to be affected by a decision or
activity. An indicative list is given below:
External
- Legal authorities
- Clients / customers
- Contractors / suppliers
- Public
Internal
- Internal organisational units
- Executive management
- Board of directors
- Employees

Regulations: At least one member in the audit team must have knowledge of local applicable
legislation.

In order to design and build a management system, it is necessary to determine the relevant interested parties,
both internal and external, and to consider their service level requirements. At this stage a clearer
understanding is established of which interested parties are relevant to the SMS. Once the interested parties are
identified, their requirements are drawn out. The service requirements and the legal, regulatory, contractual and
financial obligations recorded for the SMS are usually derived from this understanding, and the same understanding
is the input to the risk assessment (6.1).

Audit tool
Whom to meet: Top Management

Which documented information to review:


Organisation Chart, Organisation objective, Broad overview of processes, applicable legal requirements,
Contracts, SLAs

Audit Questions:
1. What are the SMS requirements in the contracts?
2. What are the SMS requirements in SLA?
3. What are the legal requirements related to SMS?
Example: Australian Privacy Principles (Australia), NESA information assurance standards (UAE), Data Protection Act
2018 (UK), General Data Protection Regulation (EU).


ISO/IEC 20000-1:2018- 4.3 Determining the scope of the SMS


The organization shall determine the boundaries and applicability of the SMS to establish its scope.

When determining this scope, the organization shall consider:


a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2; and
c) the services delivered by the organization.

The definition of the scope of the SMS shall include the services in scope and the name of the organization
managing and delivering the services.

The scope of the SMS shall be available and be maintained as documented information.

NOTE 1 ISO/IEC 20000-3 provides guidance on scope definition.

NOTE 2 The SMS scope definition states the services which are in scope. This can be all or some of the services
delivered by the organization.

Plain English Explanation.


The organisation has to define the scope and boundaries of the SMS to meet internal and external requirements.
The scope and boundaries determine the applicability of the SMS in terms of:
- region,
- location, i.e. physical address,
- department / function,
- technology,
- resources,
- contractors, etc.

Traditionally the scope of an SMS focuses on the IT department. But an SMS applies to whichever services are in
scope and to every department involved in delivering them, not only to IT. Some sample scope statements are given
below. Referencing the Service Catalogue with its version number, and referencing the ISO/IEC 20000-1:2018
standard, will add clarity to the scope statement.

Sample scope statements:


Sample 1
Management of SMS in providing application support, software development IT infrastructure management,
data-centre management and helpdesk services to internal users. This is in accordance with the Service
Catalogue version 1.1 of 15th October, 2018.

Sample 2
Management of SMS in providing internet banking to customers for its head office and branch locations. This
is in accordance with the Service Catalogue version 1.3 of 10th October, 2018.

Sample 3
Management of SMS in hosting servers on behalf of customers using cloud computing technology. This is
in accordance with the Service Catalogue version 2.0 of 15 th November, 2018.


Audit tool
Whom to meet: Service Manager / Management Representative
Which documented information to review:
 Scope diagram, Scope document, MOUs/SLAs/OLAs related to SMS
 Type of assets at each location, Business areas excluded from Scope of SMS and justification for their
exclusion.

Audit Questions:
1. How do you make sure the scope covers internal and external requirements?
2. What are the location addresses and the number of persons at each location within the scope?
Auditors need to confirm the following:
1. Does the scope cover only the management of IT infrastructure, or the business service?
2. If the latter, which business processes are covered?

Note: Management of an IT Data Centre or specific part of IT infrastructure can be the Scope of SMS but
not just the IT infrastructure.

A report template used in Certification Audit – Stage 1 is given below:

Audited clause: 4.3 Scope of SMS
Document name: .......... Version number: .......... Date: ..........

Scope is clear in terms of:
- Characteristics of business areas (example): ..........
- Organisation (for example, the legal entity): ..........
- Location (for example): ..........
- External SMS requirements: ..........
- Internal SMS requirements: ..........
- Exclusions from the scope of the SMS: ..........

Scope of SMS is clear and justification for exclusion is acceptable: Yes ☐ No ☐

Findings / Observations / Opportunities for Improvement:


ISO/IEC 20000-1:2018- 4.4 Service management system


The organization shall establish, implement, maintain and continually improve an SMS, including the
processes needed and their interactions, in accordance with the requirements of this document.

Plain English Explanation


There is no emphasis on the Plan-Do-Check-Act cycle in the standard. Therefore the organisation can adopt any of
the process improvement models mentioned earlier.

The management system is required to be established, implemented, maintained and continually improved. To achieve
this, the processes, policies and procedures, and the interactions between them, are developed.

Third-party certification Stage 1 can start only after the organization has completed one full cycle of
establishing, implementing, maintaining and improving the SMS, for example one PDCA cycle.

Audit tool
Whom to meet:
Management Representative

Which documented information to review:


SMS Project Plan

Audit Questions:
When did you start the SMS Project?
When did you issue the set of SMS policies?
Have you completed an internal SMS audit?
Have you completed a Management Review and discussed the internal SMS audit findings?

Stage 2 - Implementation Review:


If you meet a contracted employee, you can confirm that the contract includes the requirements for SMS
responsibilities. Also confirm that the contracted employees are aware of the SMS policy.


5. Leadership
ISO/IEC 20000-1:2018- 5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the SMS by:
a) ensuring the service management policy and the service management objectives are established and are
compatible with the strategic direction of the organization;
b) ensuring that the service management plan is created, implemented and maintained in order to support
the service management policy, and the achievement of the service management objectives and service
requirements;
c) ensuring that appropriate levels of authority are assigned for making decisions related to the SMS and the
services;
d) ensuring that what constitutes value for the organization and its customers is determined;
e) ensuring there is control of other parties involved in the service lifecycle;
f) ensuring the integration of the SMS requirements into the organization’s business processes;
g) ensuring that the resources needed for the SMS and the services are available;
h) communicating the importance of effective service management, achieving the service management
objectives, delivering value and conforming to the SMS requirements;
i) ensuring that the SMS achieves its intended outcome(s);
j) directing and supporting persons to contribute to the effectiveness of the SMS and the services;
k) promoting continual improvement of the SMS and the services;
l) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of
responsibility.

NOTE Reference to “business” in this document can be interpreted broadly to mean those activities that are core to the
purposes of the organization’s existence.

Plain English Explanation.


Although the Introduction states that the order of the clauses does not indicate their importance or the order of
implementation, leadership and commitment clearly play a significant role in implementation. That may be one of the
reasons this clause is placed before the actual implementation requirements are listed.

SMS audit starts here. Immediately after the opening meeting we have a brief meeting with the top
management to confirm their commitment and support to SMS.

Audit tool
Whom to meet: Top Management

Which documented information to review: The SMS Policy, SMS objectives for each department, email or
other communication for top management to employees about the importance of SMS.

Note: This audit is a difficult one for beginners. We suggest that beginners observe a few top management
interviews conducted by experienced auditors before doing such interviews independently. Always start the
conversation with generic topics related to the business, such as business trends and market share, then continue
with open-ended questions about the SMS. Avoid questions such as "When did you attend the last Management Review
Meeting?": top management attend many management meetings and may not remember the operational details. Write
your audit notes after the interview is finished, not during it.

Audit Questions:
There are two basic questions.
1. What have they given to the SMS in terms of resourcing, approval of policy, communication etc.?

2. What has the SMS given back to them i.e., are they getting feedback about what is going right and
what is going wrong in SMS?

Note: Verify that resources provided and their relevant management roles to improve the SMS are defined.


5.2 Policy

ISO/IEC 20000-1:2018- 5.2.1 Establishing the service management policy


Top management shall establish a service management policy that:
a) is appropriate to the purpose of the organization;
b) provides a framework for setting service management objectives;
c) includes a commitment to satisfy applicable requirements; and
d) includes a commitment to continual improvement of the SMS and the services.

5.2.2 Communicating the service management policy


The service management policy shall:
a) be available as documented information;
b) be communicated within the organization; and
c) be available to interested parties, as appropriate.

Plain English Explanation


This is normally a one-page statement. The policy should be appropriate to the purpose of the organisation and
not too generic, i.e. if it is a bank, it must suit a bank. It should support the development of the SMS with a
management framework, resourcing and a policy framework. It must include a commitment to satisfy applicable legal,
regulatory and contractual requirements related to the SMS, and a commitment to continual improvement of the SMS
and the services.

The SMS policy is documented information; it is communicated within the organisation and made available to
interested parties as appropriate.

A few organisations also have the practice of issuing an extract of the SMS policy and displaying it at
critical locations so that it is communicated to all employees and contractors.

Also cross-check the other policies the standard requires: the change management policy (8.5.1.1) and the
information security policy (8.7.1). If the SMS is integrated with an ISMS, the latter is the same policy that
ISO/IEC 27001:2013 Annex A control A.5.1.1 expects.

The requirements of clause 5.2 and of 8.5.1.1 and 8.7.1 may be met by a single approval covering the one-page
service management policy statement together with the supporting change and information security policies.

Audit tool
Whom to meet: Management Representative
Which documented information to review: SMS policy, The set of SMS policies. Communication mail to
all employees. Intranet access to relevant third party staff.

Audit Questions:
How do you align organisational objective with SMS objective?
1. What is the purpose of SMS? Is that relevant to the nature of business within the SMS scope?
2. Does the policy include a statement on continual improvement of the SMS?
3. To whom, when and how the policy has been communicated?
4. Can you define a brief statement on management intent and support to SMS?
5. Can you provide details of SMS awareness training to employees and contractors?
6. What are the legal, regulatory and contractual requirements?
7. Can you show me the references to risk assessment method and risk acceptance criteria?
8. How the references to other policies are related to SMS policy?

Note: If the organization is also audited by external auditors, they may insist on a 'statement of assertion',
for example that each employee has acknowledged that he/she has read and understood the contents of the SMS
policy. This relates to understanding and meeting the requirements of external parties.


5.3 Organization roles, responsibilities and authorities

ISO/IEC 20000-1:2018- 5.3 Organizational roles, responsibilities and authorities


Top management shall ensure that the responsibilities and authorities for roles relevant to SMS and
theservices are assigned and communicated within the organization.

Top management shall assign the responsibility and authority for:


a) ensuring that the SMS conforms to the requirements of this document;
b) reporting on the performance of the SMS and the services to top management.

Plain English Explanation


The term 'Management Representative' is not used in the standard. There can be more than one level of SMS
champion managing the SMS within the organization. Earlier versions of the standard required the Management
Representative to be a member of the organization, i.e. the role could not be outsourced; that requirement was
rigid. Another reason is that a single title such as 'Chief Service Management Officer' may not exist in every
organisation: the role may be held under another title, for example Chief Risk Officer, Manager – GRC, Program
Manager, Service Delivery Manager or, in an integrated ISMS/SMS, the CISO.

SMS Auditor should confirm the following requirements:


 Top management should assign the responsibilities to specific persons and communicate to the
appropriate person/s about the SMS responsibilities and authorities.
 Define the reporting relations, the contents, and the periodicity of the reports.
 Determine SMS resource requirements for each phase of SMS roll out.

Audit tool
Whom to meet: Management Representative

Which documented information to review?


Email from CXO nominating the Management Representative and other team members.

Audit Questions:
May I see the authorisation letter / email nominating the MR?
When was the approval given?


6. Planning
ISO/IEC 20000-1:2018 - 6.1 Actions to address risks and opportunities
6.1.1 General
When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the
requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) give assurance that the SMS can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects;
c) achieve continual improvement of the SMS and the services.

6.1.2 The organization shall determine and document:


a) risks related to:
1) the organization;
2) not meeting the service requirements;
3) the involvement of other parties in the service lifecycle;

b) the impact on customers of risks and opportunities for the SMS and the services;
c) risk acceptance criteria;
d) approach to be taken for the management of risks.

6.1.3 The organization shall plan:


a) actions to address these risks and opportunities and their priorities;
b) how to:
1) integrate and implement the actions into its SMS processes;
2) evaluate the effectiveness of these actions.
NOTE 1 Options to address risks and opportunities can include: avoiding the risk, taking or increasing the risk in
order to pursue an opportunity, removing the risk source, changing the likelihood or consequence of the risk,
mitigating the risk through agreed actions, sharing the risk with another party or accepting the risk by informed
decision.
NOTE 2 ISO 31000 provides principles and generic guidance on risk management.

Plain English Explanation


This clause addresses the planning requirement for risks and opportunities. It requires developing assurance
methods to prevent or reduce undesired effects. The clause emphasizes the proactive approach that is
required as a preventive measure. It is always preferred that correction and corrective action are
taken after the risk has been assessed.

The planning will focus on


- How does the organization plan to prevent, or reduce, undesired effects?
- How does the organization ensure that it can achieve its intended outcomes and continual improvement?
- What will be done to address this?
- Who will do it and when will it be done?

RISK ASSESSMENT
- Any Risk Assessment method can be used.


ISO/IEC 20000-1:2018 - 6.2 SMS objectives and planning to achieve them


6.2.1 Establish Objectives
The organization shall establish SMS objectives at relevant functions and levels.
The SMS objectives shall:
a) be consistent with the SMS policy;
b) be measurable;
c) take into account applicable requirements;
d) be monitored;
e) be communicated; and
f) be updated as appropriate.

The organization shall retain documented information on the SMS objectives.

6.2.2 Plan to achieve objectives


When planning how to achieve its SMS objectives, the organization shall determine:
a) what will be done;
b) what resources will be required;
c) who will be responsible;
d) when it will be completed; and
e) how the results will be evaluated.

Plain English Explanation


- The requirements for the planning objectives are narrated in greater detail. The planning objectives are
to be consistent with the SMS policy, measurable (if practicable), consider applicable requirements,
monitored, communicated, and updated as appropriate. They have to be established at relevant functions
and levels.

- Developing a measurement technique and constantly evaluating effectiveness can demonstrate that the
management system is continually improving.

- Other Management System Standards (MSS), for example, OHSAS 45001:2018, use the terms
‘objectives’ and ‘programmes’ to achieve those objectives. This is conceptually similar to ‘selection of
controls’ and a ‘risk treatment plan’ but at the higher level of MSS objectives. To achieve specific
objectives we need to have a ‘programme’, i.e., a series of projects to implement the overall MSS,
within which ‘selection of controls’ and ‘risk treatment’ will be specific projects. If we have an
overall SMS project plan based on specific goals for the SMS project, that would satisfy the
requirements of this clause.

Audit tool
Whom to meet: Top Management

Which documented information to review:


Risk Assessment Document, Risk treatment plan, Metrics document, Responsibility matrix, KPIs, KRAs

Audit Questions:
1. What are your measurement criteria for Incident response?
2. How are the resource requirements calculated to achieve the security objective?


ISO/IEC 20000-1:2018 - 6.3 Plan the service management system


The organization shall create, implement and maintain a service management plan. Planning shall take into
consideration the service management policy, service management objectives, risks and opportunities,
service requirements and requirements specified in this document.
The service management plan shall include or contain a reference to:
a) list of services;
b) known limitations that can impact the SMS and the services;
c) obligations such as relevant policies, standards, legal, regulatory and contractual requirements, and how
these obligations apply to the SMS and the services;
d) authorities and responsibilities for the SMS and the services;
e) human, technical, information and financial resources necessary to operate the SMS and the services;
f) approach to be taken for working with other parties involved in the service lifecycle;
g) technology used to support the SMS;
h) how the effectiveness of the SMS and the services will be measured, audited, reported and improved.

Other planning activities shall maintain alignment with the service management plan.

Plain English Explanation

Audit tool
Whom to meet: Top Management

Which documented information to review:


Service Management Plan, Risk Assessment Document, Risk treatment plan, Metrics document,
Responsibility matrix, KPIs, KRAs

Audit Questions:
1. What are your measurement criteria for Incident response?
2. How are the resource requirements calculated to achieve the security objective?


7. Support
7.1 Resources
ISO/IEC 20000-1:2018 - 7.1 Resources
The organization shall determine and provide the human, technical, information and financial resources
needed for the establishment, implementation, maintenance and continual improvement of the SMS and the
operation of the services to meet the service requirements and achieve the service management objectives.

Audit tool
Whom to meet: HR Manager, Facilities Manager, IT Manager, Purchase Manager

Which documented information to review:


Personnel records
Facilities maintenance records
IT procurement of IT Security hardware and software.

Audit Questions:
How many members are in the SMS project team?
How do you assess their competence to maintain IT security hardware and software?

ISO/IEC 20000-1:2018 - 7.2 Competence


The organization shall:
a) determine the necessary competence of persons doing work under its control that affects the performance
and effectiveness of the SMS and the services;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the
actions taken; and
d) retain appropriate documented information as evidence of competence.

NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the
reassignment of current employees; or the hiring or contracting of competent persons.

Plain English Explanation


Technical training for relevant areas is required for those managing security, i.e., SMS Project Team,
Incident Management Team, SMS Internal Audit Team, etc.
For example:
 Service Desk Tool administration
 On Boarding of staff
 Customizing service reports from the Service Desk tool
 Monitoring Data Centre environment
 Risk assessment
 Configuration and Change Management tool
Copies of professional certifications in service management should be maintained on the personnel files.

Audit tool
Whom to meet: Management Representative and Managers of Service Operations.

Which documented information to review:


Employee’s training certificate, previous employment references


Audit Questions:
Conduct interviews with all employees on a sample basis to confirm that they are aware of SMS Policy.
Conduct interviews with technical staff to confirm that they are aware of their role in SMS.

ISO/IEC 20000-1:2018 - 7.3 Awareness


Persons doing work under the organization’s control shall be aware of:
a) the service management policy;
b) the service management objectives;
c) the services relevant to their work;
d) their contribution to the effectiveness of the SMS, including the benefits of improved performance;
e) the implications of not conforming with the SMS requirements.

Plain English Explanation


Awareness training is required for all employees. If all the employees are aware of SMS, the level of
compliance will be much higher. If they understand why they have to follow the policies and how
they are to be followed, the security posture of organisation will certainly show an upward trend.

Audit tool
Whom to meet: Management Representative, HR / Training Manager.

Which documented information to review:


Training attendance sheets and training feedback form.

Audit Questions:
1. Can you show me the Training calendar?
2. Verify the training content.

ISO/IEC 20000-1:2018 - 7.4 Communication


The organization shall determine the need for internal and external communications relevant to the
Services including:
a) on what it will communicate;
b) when to communicate;
c) with whom to communicate;
d) how to communicate;
e) who will be responsible for the communication.

Plain English Explanation


Communication is an important element for any MSS. Other standards, for example, OHSAS 18001:2007,
have detailed requirements for communication. Now these are part of the requirements for all MSS.

Audit tool
Whom to meet: Management Representative.

Which documented information to review:


Communication chart – example:

What         When       To whom         Who will do           How to communicate
VPN usage    Monthly    Customer        IT Manager            Email
SMS Policy   Annually   All employees   HR-Training section   Class room
SLA terms    Quarterly  Suppliers       Purchase Manager      Face to face meeting


Audit Questions:

7.5 Documented information

ISO/IEC 20000-1:2018 - 7.5 Documented information


7.5.1 General
The organization’s SMS shall include:
a) documented information required by this document;
b) documented information determined by the organization as being necessary for the effectiveness of the
SMS.

NOTE The extent of documented information for an SMS can differ from one organization to another due to:
1) the size of organization and its type of activities, processes, products and services;
2) the complexity of processes and their interfaces;
3) the competence of persons.

7.5.2 Creating and updating


When creating and updating documented information, the organization shall ensure appropriate:
a) identification and description (e.g. a title, date, author, or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
c) review and approval for suitability and adequacy.

7.5.3 Control of documented information

7.5.3.1 Documented information required by the SMS and by this document shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed;
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

7.5.3.2 For the control of documented information, the organization shall address the following activities, as
applicable:
a) distribution, access, retrieval and use;
b) storage and preservation, including preservation of legibility;
c) control of changes (e.g. version control);
d) retention and disposition.

Documented information of external origin determined by the organization to be necessary for the planning
and operation of the SMS shall be identified as appropriate and controlled.

NOTE Access can imply a decision regarding the permission to view the documented information only, or the
permission and authority to view and change the documented information.

Plain English Explanation


So far all MSS had two terms, ‘documents’ and ‘records’. Now they are called ‘documented information’.
 Approve documents before you distribute them.

 Have a suitable naming convention. Specify the current revision status of your documents.

 Review and re-approve documents whenever you update them.

 Provide the correct/relevant version of documents at points of use.


 Monitor documents that come from external sources. Know how you will ensure you have the latest
issue.

 Prevent the accidental use of obsolete documents.

 Preserve the usability of your SMS documents.


 Clarify identification, storage, protection, retrieval, retention time and disposition.
 Ensure you do not throw your records away too early; they can be used to prove your organisation
was duly diligent in a court of law! Know what laws can be used in product litigation and the statute
of limitations pertinent to each law.
 Define the retention period, for example, 7 years for emails.
 Also, define on-line retention period and off-line retention period.

Audit tool
Whom to meet: All process owners and employees

Which documented information to review:


SMS Records in each process area.
Audit Questions:
1. What was the last update carried out?
2. How are the revised versions communicated to the employees?

ISO/IEC 20000-1:2018 - 7.5.4 Service management system documented information


The documented information for the SMS shall include:
a) scope of the SMS;
b) policy and objectives for service management;
c) service management plan;
d) change management policy, information security policy and service continuity plan(s);
e) processes of the organization’s SMS;
f) service requirements;
g) service catalogue(s);
h) service level agreement(s) (SLA);
i) contracts with external suppliers;
j) agreements with internal suppliers or customers acting as a supplier;
k) procedures that are required by this document;
l) records required to demonstrate evidence of conformity to the requirements of this document and the
organization’s SMS.

NOTE Clause 7.5.4 provides a list of the key documents for an SMS. There are other specified requirements in this
document for information to be held as documented information, to be documented or to be recorded. ISO/IEC
20000-2 provides additional guidance. However, the updated version has not yet been published.

Plain English Explanation


Compared with the 2011 version of the standard, this version gives a list of 12 key documents
required for an SMS. In addition, if you have access to a soft copy of the standard, you should search for the
strings ‘documented information’ or ‘record’ throughout the standard.


Here is a list of the clause references that we have compiled based on the string search in our soft copy:

Set # 1: ‘Documented Information’, OR Policy OR Service Management Objectives

If you go back to the Terms and Definitions, you will find the following definition:
---------------------------------------------------------------------------------------------------
3.1.6
documented information
information required to be controlled and maintained by an organization (3.1.14) and the medium on
which it is contained
EXAMPLE Policies (3.1.17), plans, process descriptions, procedures (3.2.11), service level agreements (3.2.20) or
contracts.
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to:
— the management system (3.1.9), including related processes (3.1.18);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records (3.2.12)).
Note 3 to entry: The original Annex SL definition has been modified by adding examples.
------------------------------------------------------------------------------------------------------------------------------
3.1.17
policy
intentions and direction of an organization (3.1.14) as formally expressed by its top management (3.1.21)
-------------------------------------------------------------------------------------------------------------------------------
5.1a Ensuring that the service management policy and service management objectives are established.
5.1b Ensuring that a Service Management Plan is established to support the service management
policy and the achievement of the service management objectives and service requirements;
5.2.1 Establishing the service management policy
5.2.2 Communicating the service management policy
6.2.1 Service Management Objectives
6.2.1a The service management objectives shall be consistent with the service management policy.
6.3 ….take into consideration policy, objectives …………
7.2 Competence
7.3a ….shall be aware of the service management policy
7.3b ….shall be aware of the service management objectives
7.5.1 Documented information determined by the organization (example SLA breach report)
7.5.2 Control over Creating and updating – this is applicable to all the documents and records.
7.5.3 Control over distribution - this is applicable to all the documents & records.
7.5.3.2 Documented information of external organization, for example ITIL 4 framework, ISO 20K.
7.5.4 the 12 items listed in the clause.
8.1c documented information to the extent necessary, for example, supplier re-evaluation records or
annual calendar of service availability and service continuity tests.
8.2.2 The organization shall propose changes where needed to align the services with the service
management policy, ………………. taking into consideration known limitations and risks.
8.5.1.1 change management policy
8.5.1.2a new services with the potential to have a major impact on customers or other services as
determined by the change management policy;
8.5.1.2b changes to services with the potential to have a major impact on customers or other services as
determined by the change management policy;
8.5.1.2c categories of change that are to be managed by service design and transition according to the
change management policy;
8.5.2.1 New or changed services and services that are to be transferred.
8.6.3 Records of problems shall be updated with actions taken. Changes needed for problem resolution
shall be managed according to the change management policy.

8.7.3.1 Information security policy


8.7.3.2 Information security risks to the SMS and the services shall be assessed
8.7.3.2 Information security controls shall be determined, implemented and operated to support the
information security policy.
9.1 Monitoring, measurement, analysis and evaluation
9.2e evidence of implementation of the audit programme
9.3 evidence of the results of management reviews (Note: email summary is acceptable).
9.3f adherence to and suitability of the service management policy and other policies required by this
document;
10.1.2 Evidence of the nature of nonconformities and any subsequent actions taken (note: nonconformities
may be found either by the process owner during monitoring or by an independent auditor).

Set # 2: Procedures
---------------------------------------------------------------------------------------------
3.2.11
procedure
specified way to carry out an activity or a process (3.1.18)
Note 1 to entry: Procedures can be documented or not. (highlighted for training purposes)

[SOURCE: ISO 9000:2015, 3.4.5]


---------------------------------------------------------------------------------------------

7.5.4 k Procedures that are required by this document.


8.5.2.2e Changes to the SMS including new or changed procedures. (Note: this is only a cross check and not
a new design procedure).
8.6.1 Major incidents shall be classified and managed according to a documented procedure.
8.7.2b procedures to be implemented in the event of a major loss of service;
8.7.2e procedures for returning to normal working conditions.

Set # 3: Record
---------------------------------------------------------------------------------------------
Terms and Definitions
3.2.12
record, noun
document stating results achieved or providing evidence of activities performed
EXAMPLE Audit (3.1.1) reports, incident (3.2.5) details, list of training delegates, minutes of meetings.

Note 1 to entry: Records can be used, for example, to formalize traceability and to provide evidence of
verification, preventive action and corrective action (3.1.5).

Note 2 to entry: Generally, records need not be under revision control.

[SOURCE: ISO 9000:2015, 3.8.10, modified — EXAMPLE has been added.]


---------------------------------------------------------------------------------------------
8.5.1.3 change records shall be analysed to detect trends.
8.6.1 records of incidents shall be updated with actions taken.
8.6.2 records of service requests shall be updated with actions taken.
8.6.3 records of problems shall be updated with actions taken.

Audit tool
Whom to meet: The Program Manager / Management Representative


Which documented information to review:


The set of 12 documents stated above in clause 7.5.4.
All records required by the standard.

Audit Questions:
1. What was the last update carried out?
2. How are the revised versions communicated to the employees?

ISO/IEC 20000-1:2018 - 7.6 Knowledge


The organization shall determine and maintain the knowledge necessary to support the operation of the SMS
and the services.
The knowledge shall be relevant, usable and available to appropriate persons.

NOTE Knowledge is specific to the organization, its SMS, services and interested parties. Knowledge is used and
shared to support the achievement of the intended outcome(s) and the operation of the SMS and the services.

Plain English Explanation

“Those who cannot remember the past are condemned to repeat it” – George Santayana

Knowledge management plays a key role in CSI. Within each service lifecycle stage, the knowledge portion
is captured as data points. It gives an understanding of the service process and enables wisdom. Usually this is
referred to as data to information to knowledge to wisdom. Each stage, such as data capture and meaningful
transformation into information, is important. Also, the knowledge obtained from information is used to bring
wisdom, which will be used in decision-making processes.

Audit tool
Whom to meet: The Knowledge Manager or equivalent position/ Management Representative

Which documented information to review:


Knowledge management database
All records required by the standard.

Audit Questions:
1. What is the process to identify data points for knowledge management?
2. Who is responsible for updating the knowledge management database?
3. For which decision-making processes is the knowledge management database used?
4. How do you convert data to wisdom?


Operation of the service management system


8.1 Operational planning and control
8.2 Service portfolio
8.2.1 Service delivery
8.2.2 Plan the services
8.2.3 Control of parties involved in the service lifecycle
8.2.4 Service catalogue management
8.2.5 Asset management
8.2.6 Configuration management
8.3 Relationship and agreement
8.3.1 General
8.3.2 Business relationship management
8.3.3 Service level management
8.3.4 Supplier management
8.4 Supply and demand
8.4.1 Budgeting and accounting for services
8.4.2 Demand management
8.4.3 Capacity management
8.5 Service design, build and transition
8.5.1 Change management
8.5.2 Service design and transition
8.5.3 Release and deployment management
8.6 Resolution and fulfilment
8.6.1 Incident management
8.6.2 Service request management
8.6.3 Problem management
8.7 Service assurance
8.7.1 Service availability management
8.7.2 Service continuity management
8.7.3 SMS management

ISO/IEC 20000-1:2018- 8.1 Operational planning and control


The organization shall plan, implement and control the processes needed to meet requirements and to
implement the actions determined in Clause 6 by:
a) establishing performance criteria for the processes based on requirements;
b) implementing control of the processes in accordance with the established performance criteria;
c) keeping documented information to the extent necessary to have confidence that the processes have been
carried out as planned.
The organization shall control planned changes to the SMS and review the consequences of unintended
changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1).
The organization shall ensure that outsourced processes are controlled (see 8.2.3).
Plain English Explanation

(As with the other ISO standards, clause 8 is unique to each subject. In the 2011 version, we had clause 5
for Service Design, clause 6 for Service Delivery processes, clause 7 for BRM and Supplier Management
and clauses 8 & 9 for Service Operations. In this version, all these clauses have been merged into clause
8.)

In clause 8.1 of this standard, the reference to clause 6 reiterates the need to do a service risk assessment and
then determine controls to reduce the risk to services.

Normally Key Performance Indicators (KPIs) are the performance criteria. In practice employees remember
their Key Result Areas (KRAs) better than the organization’s KPIs or the process KPIs. Therefore, when you
interview the auditee, it makes sense to get some information on both KPIs and KRAs. Then you should
ask for project plans and project tracking records. Performance reviews of employees will also indicate
compliance with this requirement of the standard.

‘documented information’ refers to ‘records’ or ‘artefacts’ or ‘logs’ or a similar evidence.


Clause 8.5.1 is about Change Management. In the 2011 version we had ‘change management’ in two
clauses: Service Design (cl 5) and Service Operations (cl 9). In this version it is a single clause. In this
version, all requirements are grouped under ‘Operation of the SMS’, which covers the ITIL books of Service
Design, Service Transition and Service Operations.

The last requirement refers to Cl 8.2.3 – Control of parties involved in the service life cycle. In common
terminology they are ‘suppliers’ or outsourced parties. You should also look at requirements of 8.3.4
Supplier Management.

Audit Tool
To Meet: The Program Manager (i.e., Management Representative)
Documents/Procedures: Risk Treatment Plan/Service Management Plan, KPIs , KRAs
Records: KPI review, SLA compliance/breach report, Internal audit reports

Sample Questions:
Who is responsible for controlling the planned changes to the SMS?
What action is taken to verify that the processes have been carried out as planned?
When were the performance criteria established?
Why has the review of the consequences of unintended changes not been carried out?
Show me: The changes made during the last month.

Add your sample questions:


ISO/IEC 20000-1:2018- 8.2 Service Portfolio


8.2.1 Service delivery
The organization shall operate the SMS ensuring co-ordination of the activities and the resources. The
organization shall perform the activities required to deliver services.

NOTE A service portfolio is used to manage the entire lifecycle of all services including proposed services,
those in development, live services defined in the service catalogue(s) and services that are to be removed.
The management of the service portfolio ensures that the service provider has the right mix of services.
Service portfolio activities in this document include planning the services, control of parties involved in the
service lifecycle, service catalogue management, asset management and configuration management.

Plain English Explanation


In ITIL v3 there are provisions for Service Portfolio Management and Service Catalogue Management. These
include retirement of services.
‘Service Portfolio’ is a common term used in the industry. In order to review compliance with this clause, it
is OK to ask: May I see your service portfolio? In common man’s terms, the Service Portfolio has three sub-
categories: Service Pipeline (planned for next quarter/next year, etc.), Service Catalogue (existing/running
services) and Retired Services.
All activities and resources shall be coordinated by the organisation to ensure the smooth performance of the
activities that shall deliver services.

Audit Tool
To Meet: Service delivery manager
Documents/Procedures: Service portfolio, service lifecycle,
Records: Service catalogue management, asset management and configuration records

Sample Questions:
Who is responsible for controlling the service catalogue?
What action is taken to verify that all the services are listed in the catalogue?
When was the catalogue compared with the service lifecycle? Why have the services that were removed not
been updated in the catalogue?
How: How do you ensure that the service portfolio contains active, retired and planned services?
Show me: The latest service catalogue

Add your sample questions:


ISO/IEC 20000-1:2018- 8.2 Service Portfolio


8.2.2 Plan the services
The service requirements for existing services, new services and changes to services shall be determined and
documented.
The organization shall determine the criticality of services based on the needs of the organization,
customers, users and other interested parties. The organization shall determine and manage dependencies
and duplication between services.
The organization shall propose changes where needed to align the services with the service management
policy, service management objectives and service requirements, taking into consideration known limitations
and risks.
The organization shall prioritize requests for change and proposals for new or changed services to align
with business needs and service management objectives, taking into consideration available resources.

Plain English Explanation


“See first that the design is wise and just: that ascertained, pursue it resolutely: do not for one repulse forgo
the purpose that you resolved to effect” William Shakespeare.
The requirements for existing, new and changed services shall be determined and documented. The
documentation may include cost, timing, resource requirements and the risks associated with the service design.
The criticality of each service shall be determined from the needs of the organisation, customers, users and
other interested parties, and dependencies and duplication between services shall be identified and managed.
Where services overlap, components should be shared and reused rather than duplicated.

Changes shall be proposed where needed to align services with the service management policy, objectives and
service requirements, taking known limitations and risks into account. New services should be maintainable and
cost-effective.

Requests for change and proposals for new or changed services shall be prioritised according to business needs,
service management objectives and the resources available. When a change is proposed, involving the affected
stakeholders and carrying out the change without unexpectedly affecting other services or stakeholders are among
the main considerations.

Audit Tool
To Meet: Service delivery manager
Documents/Procedures: Service portfolio, service plans
Records: Service catalogue management, asset management and service plans

Sample Questions:
Who is responsible for determining changes to the services?
What action is taken to verify that changes to services are documented?
When was the alignment of the services with the service management policy last checked?
Why have the critical services not been identified?
How: How do you determine resource availability for the planned services?

Show me: The changes made to the services during the last month.
Add your sample questions:

ISO/IEC 20000-1:2018- 8.2 Service Portfolio


8.2.3 Control of parties involved in the service lifecycle
8.2.3.1 The organization shall retain accountability for the requirements specified in this document and the
delivery of the services regardless of which party is involved in performing activities to support the service
lifecycle.
The organization shall determine and apply criteria for the evaluation and selection of other parties involved
in the service lifecycle. Other parties can be an external supplier, an internal supplier or a customer acting
as a supplier.
Other parties shall not provide or operate all services, service components or processes within the scope of
the SMS.

The organization shall determine and document:


a) services that are provided or operated by other parties;
b) service components that are provided or operated by other parties;
c) processes, or parts of processes, in the organization’s SMS that are operated by other parties.
The organization shall integrate services, service components and processes in the SMS that are provided or
operated by the organization or other parties to meet the service requirements. The organization shall
coordinate activities with other parties involved in the service lifecycle including the planning, design,
transition, delivery and improvement of services.

8.2.3.2 The organization shall define and apply relevant controls for other parties from the following:
a) measurement and evaluation of process performance;
b) measurement and evaluation of the effectiveness of services and service components in meeting the service
requirements.
NOTE ISO/IEC 20000-3 provides guidance on the control of other parties involved in the service lifecycle.

Plain English Explanation


The organisation retains accountability for the whole service lifecycle and for meeting the requirements of the
standard, regardless of which party performs the work.

The organisation shall determine and apply criteria for evaluating and selecting other parties, i.e. external
suppliers, internal suppliers or customers acting as suppliers. However, other parties shall not provide or
operate all of the services, service components or processes within the scope of the SMS: the organisation
must itself operate at least part of them.

The organisation shall document which services, which service components and which processes (or parts of
processes) in its SMS are provided or operated by other parties.

Services, components and processes delivered by other parties shall be integrated into the SMS alongside those
the organisation delivers itself, so that the service requirements are met. Activities shall be coordinated
with those parties across the service lifecycle: planning, design, transition, delivery and improvement.

The organisation shall define and apply controls over other parties, drawn from measurement and evaluation of
process performance and measurement and evaluation of how effectively the services and service components meet
the service requirements.

Audit Tool
To Meet: Service delivery manager
Documents/Procedures: Service processes, outsourced services
Records: monitoring records of outsourced processes, performance records

Sample Questions:
Who is responsible for controlling the outsourced services?
What services and service components are provided or operated by other parties?
When was the effectiveness of the services provided by other parties last measured and evaluated?
Where is the documentation of the service components provided by other parties kept?
Why have not all the services provided by other parties been identified?
How do you ensure that the services and processes operated by other parties are integrated into the SMS and
coordinated across the service lifecycle?
Show me: The criteria for the evaluation and selection of other parties.

Add your sample questions:

ISO/IEC 20000-1:2018- 8.2 Service Portfolio


8.2.4 Service catalogue management
The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall
include information for the organization, customers, users and other interested parties to describe the
services, their intended outcomes and dependencies between the services.
The organization shall provide access to appropriate parts of the service catalogue(s) to its customers,
users and other interested parties.

Plain English Explanation


The purpose of service catalogue management is to provide a single source of consistent information on all of
the agreed services, and to ensure that it is available to those who are approved to access it.

In everyday terms the service portfolio has three sub-categories: the Service Pipeline (services planned for the
next quarter, next year, etc.), the Service Catalogue (existing, running services) and Retired Services. The
requirement of 8.2.4, however, is limited to the ‘Service Catalogue’. The header 8.2 Service Portfolio also
covers ‘Asset Management’ and ‘Configuration Management’, and there is a Note on the service portfolio. We do
not audit against headers or NOTES; they are for information only.

Hint: When industry practice and the language of the standard disagree, we go by the language of the standard.
Our audit is against the requirements of the standard, not a benchmark assessment against industry practice.
The standard does not require the catalogue to be split into separate documents. It requires that appropriate
parts of the catalogue(s) be made accessible to each of three audiences, which in practice usually means a
view for each with its own access restrictions:
(1) Customers
(2) Users
(3) Other interested parties (e.g. suppliers, regulators)
Check that the access restrictions actually match the policy: a catalogue exported to a shared drive or a portal
without access control makes every part visible to everyone.

The service catalogue management process provides accurate information about the services and their interfaces
and dependencies. This supports defining the SLA framework, identifying the customers and business units that
service level management (SLM) needs to engage, and assisting SLM in communicating with customers about the
services provided.

Where services are provided to internal end-user departments, the customer and the users may be the same people.
Audit Tool
To Meet: Service Manager.
Documents/Procedures:
Service Catalogue
Policy /email on which part of service catalogue should be accessible to users/customers, suppliers.
Records:
Customer feedback (email) about service hours
Customer request for new services / enhancement of services
Service Catalogue Review Reports
Sample Questions:
Who is responsible for controlling the service catalogue?
What action is taken to verify that all services are listed in the catalogue?
When was the catalogue last compared with the service lifecycle?
Why have services that were retired not been removed from the catalogue? How do you ensure that the service
catalogue reflects the services currently offered?
Show me: The latest service catalogue and the access restrictions applied to each part of it.

Add your sample questions:

ISO/IEC 20000-1:2018- 8.2 Service Portfolio


8.2.5 Asset management
The organization shall ensure that assets used to deliver services are managed to meet the service
requirements and the obligations in 6.3 c).
NOTE 1 ISO 55001 and ISO/IEC 19770-1 specify requirements to support the implementation and operation
of asset and IT asset management.
NOTE 2 In addition, see configuration management when an asset is also a configuration item (CI).
Plain English Explanation
The assets used to deliver the services must be managed so that the service requirements, and the obligations
identified under clause 6.3 c), can be met.

ITIL defines an asset as any resource or capability; a customer asset as any resource or capability used by a
customer to achieve a business outcome; and a service asset as any resource or capability used by a service
provider to deliver services to a customer. It adds that the two types of asset used by both service provider
and customer are resources and capabilities. Organisations use them to create value in the form of goods and
services. Resources are direct inputs to production. Capabilities represent an organisation's ability to
coordinate, control and deploy resources to provide value; they are typically experience-driven,
knowledge-intensive, information-based and firmly embedded in the organisation's people, systems, processes
and technologies. It is relatively easy to acquire resources compared with capabilities.

Service providers need to develop distinctive capabilities to retain customers with unique value propositions.
However, capabilities by themselves cannot produce value without adequate and appropriate resources.

Audit Tool
To Meet: Service Manager.
Documents/Procedures: Asset management process
Records: Asset list

Sample Questions:
Who is responsible for managing the assets?
What action is taken to ensure that adequate assets are available to meet the service requirements?
When was the asset list last updated?
Where is the record showing that configuration item information was updated when changes occurred?
Why has the CMDB not been updated with the current configuration of the service assets?
How do you ensure that service assets are linked to configuration management?
Show me: The latest asset list.

Add your sample questions:

ISO/IEC 20000-1:2018- 8.2 Service Portfolio


8.2.6 Configuration management
The types of CI shall be defined. Services shall be classified as CIs.
Configuration information shall be recorded to a level of detail appropriate to the criticality and type of
services. Access to configuration information shall be controlled. The configuration information
recorded for each CI shall include:
a) unique identification;
b) type of CI;
c) description of CI;
d) relationship with other CIs;
e) status.
CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the
configuration information. The configuration information shall be updated following the deployment of
changes to CIs.
At planned intervals, the organization shall verify the accuracy of the configuration information. Where
deficiencies are found, the organization shall take necessary actions.
Configuration information shall be made available for other service management activities as appropriate.
Plain English Explanation

In this version the term CMDB is not used; the standard speaks only of ‘configuration information’.
Implementing configuration management software alone is not sufficient. Regular updating of CIs, linking
related CIs and periodic verification are among the tasks that must actually be carried out.

ITIL states that service asset and configuration management works with service catalogue management to ensure
that information in the configuration management system and information in the service catalogue are linked,
giving a consistent, accurate and comprehensive view of the interfaces and dependencies between services,
customers, business processes, service assets and CIs. ITIL v3 also defines the ‘standard change’, a
pre-authorised change that can be approved by the process owner; a few organisations have already implemented
this.

Review all linkages between the change management processes and the configuration management process. The
difference between a simple asset list and configuration information is that the latter maintains the
relationships between the assets needed to deliver the service, and ensures the affected CIs are updated when
a service is altered. Review the software tool, if any, and the linkage between the processes.

DML (Definitive Media Library) is the secure library in which the definitive, authorised versions of all media
CIs are stored and protected. It holds master copies of versions that have passed quality assurance checks.

DHS means Definitive Hardware Store. Review this facility (storage room), if there is one.

Instead of a CMDB audit, there is now a requirement to verify the accuracy of the configuration information at
planned intervals and to take the necessary actions where deficiencies are found.

Besides the planned intervals (or random checks), verification can be conducted shortly after changes to the
CMS, before and after changes to the IT services or infrastructure, before a release or installation to confirm
that the environment is as expected, following recovery from a disaster and after a return to normal
operation. Such verifications may be done by the process owner, a consultant or an independent party. Review
the verification reports prepared after a major change to the baseline.
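
Worked example (added here as an illustration; it is not code from this manual or from any configuration
management product): a minimal configuration register in Python that records the five attributes 8.2.6 a) to e)
requires for each CI, keeps an append-only change log in which every entry commits to the digest of the previous
one (so changes to CIs are traceable and auditable, and an entry edited after the fact is detectable), and runs
the planned-interval accuracy check against a discovery snapshot, listing the deficiencies to act on. The CI
identifiers, status vocabulary, change references and the snapshot are all constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed status vocabulary; the clause only requires that a status be recorded.
STATUSES = {"planned", "live", "retired"}

_plain = lambda v: sorted(v) if isinstance(v, set) else v  # sets -> sorted lists for JSON


@dataclass
class CI:
    """One configuration item with the five attributes 8.2.6 a) to e) requires."""
    ci_id: str                                        # a) unique identification
    ci_type: str                                      # b) type of CI (a service is itself a CI)
    description: str                                  # c) description of CI
    relations: Set[str] = field(default_factory=set)  # d) ids of related CIs
    status: str = "planned"                           # e) status


class CIRegister:
    """Configuration information plus an append-only, hash-chained change log."""

    def __init__(self) -> None:
        self.items: Dict[str, CI] = {}
        self.log: List[dict] = []

    def _record(self, action: str, ci_id: str, actor: str, change_ref: str, detail: dict) -> None:
        # Each entry commits to the previous digest, so an entry edited in place, or one
        # removed from the middle of the log, breaks the chain and is detected.
        prev = self.log[-1]["digest"] if self.log else "0" * 64
        entry = {"seq": len(self.log), "action": action, "ci": ci_id, "actor": actor,
                 "change_ref": change_ref, "detail": detail, "prev": prev}
        entry["digest"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.log.append(entry)

    def add(self, ci: CI, actor: str, change_ref: str) -> None:
        if ci.ci_id in self.items:
            raise ValueError(f"duplicate CI id {ci.ci_id}")
        if ci.status not in STATUSES:
            raise ValueError(f"unknown status {ci.status}")
        self.items[ci.ci_id] = ci
        self._record("add", ci.ci_id, actor, change_ref,
                     {k: _plain(v) for k, v in vars(ci).items() if k != "ci_id"})

    def update(self, ci_id: str, actor: str, change_ref: str, **fields) -> None:
        """Record the deployed change `change_ref` against an existing CI."""
        ci = self.items[ci_id]
        if "status" in fields and fields["status"] not in STATUSES:
            raise ValueError(f"unknown status {fields['status']}")
        before = {k: _plain(getattr(ci, k)) for k in fields}
        for k, v in fields.items():
            setattr(ci, k, v)
        self._record("update", ci_id, actor, change_ref,
                     {"before": before, "after": {k: _plain(v) for k, v in fields.items()}})

    def verify_log(self) -> bool:
        """Recompute the chain; False means the log was altered outside this class."""
        prev = "0" * 64
        for i, entry in enumerate(self.log):
            body = {k: v for k, v in entry.items() if k != "digest"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["seq"] != i or entry["prev"] != prev or digest != entry["digest"]:
                return False
            prev = entry["digest"]
        return True

    def verify_against(self, discovered: Dict[str, str]) -> List[str]:
        """Accuracy check: compare the register with a snapshot (ci_id -> observed status)."""
        findings = []
        for ci in self.items.values():
            for rel in sorted(ci.relations):
                if rel not in self.items:
                    findings.append(f"{ci.ci_id}: relationship to unknown CI {rel}")
            if ci.status == "retired":
                if ci.ci_id in discovered:
                    findings.append(f"{ci.ci_id}: retired in register but still discovered")
            elif ci.ci_id not in discovered:
                findings.append(f"{ci.ci_id}: in register but not discovered")
            elif discovered[ci.ci_id] != ci.status:
                findings.append(f"{ci.ci_id}: status {ci.status} in register, "
                                f"{discovered[ci.ci_id]} observed")
        findings += [f"{c}: discovered but not registered" for c in discovered if c not in self.items]
        return sorted(findings)


def demo() -> CIRegister:
    """Constructed sample register (not real data) for the checks above."""
    reg = CIRegister()
    reg.add(CI("SVC-EMAIL", "service", "Corporate e-mail service", {"SRV-MX01", "APP-MAIL"}, "live"),
            "cfg.manager", "CHG-1001")
    reg.add(CI("SRV-MX01", "server", "Mail relay host", set(), "live"), "cfg.manager", "CHG-1001")
    reg.add(CI("APP-MAIL", "software", "Mail server software", {"SRV-MX01"}, "live"),
            "cfg.manager", "CHG-1001")
    # A later change added a second relay; the relationship was recorded but the host never registered.
    reg.update("APP-MAIL", "cfg.manager", "CHG-1042", relations={"SRV-MX01", "SRV-MX02"})
    return reg


# Constructed discovery snapshot: what a scan of the estate observed.
DISCOVERED = {"SVC-EMAIL": "live", "SRV-MX01": "live", "APP-MAIL": "live", "SRV-MX02": "live"}
```

Calling `demo().verify_against(DISCOVERED)` reports two deficiencies: APP-MAIL refers to a CI (SRV-MX02) that
was never registered, and the scan found SRV-MX02 live in the estate. These are the findings on which the clause
expects the organisation to take and record action. Note what the hash chain does and does not give you: it
proves no entry was edited or dropped from inside the log, but an attacker who can rewrite the whole file can
rebuild the chain, so the log itself still needs restricted write access and an off-box copy.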

Audit Tool
To Meet: Configuration Manager.
Documents/Procedures: Configuration management process,
Records: CI database,

Sample Questions:
Who is responsible for classifying services as CIs?
What configuration information is recorded for each CI?
When was the configuration information last verified for accuracy?
Why are changes to CIs not traceable?
How do you ensure that the configuration information (CMDB) shows the current configuration items?
Show me: CI database

Add your sample questions:

ISO/IEC 20000-1:2018- 8.3 Relationship and agreement


8.3.1 General

The organization may use suppliers to:


a) provide or operate services;
b) provide or operate service components;
c) operate processes, or parts of processes, that are in the organization’s SMS.
Figure 2 illustrates the usage, agreements and relationships between business relationship management,
service level management and supplier management.
Figure 2 — Relationships and agreements between parties involved in the service lifecycle
NOTE 1 ISO/IEC 20000-3 includes examples of supply chain relationships with their potential applicability
and scope.
NOTE 2 Supplier management in this document excludes the procurement of suppliers.

Plain English Explanation


This clause lists the purposes for which suppliers may be used: providing or operating services, providing or
operating service components, or operating processes (or parts of processes) that belong to the organisation's
SMS. Supplier management in this standard excludes the procurement of suppliers.

ISO/IEC 20000-1:2018- 8.3 Relationship and agreement


8.3.2 Business relationship management
The customers, users and other interested parties of the services shall be identified and documented. The
organization shall have one or more designated individuals responsible for managing customer relationships
and maintaining customer satisfaction.
The organization shall establish arrangements for communicating with its customers and other interested
parties. The communication shall promote understanding of the evolving business environment in which the
services operate and shall enable the organization to respond to new or changed service requirements.

At planned intervals, the organization shall review the performance trends and the outcomes of the services.
At planned intervals, the organization shall measure satisfaction with the services based on a representative
sample of customers. The results shall be analysed, reviewed to identify opportunities for improvement and
reported.
Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not
resolved through the normal channels, a method of escalation shall be provided.

Plain English Explanation

The first duty is to identify all parties related to the service, such as customers, users and other interested
parties, and to assign one or more designated persons to manage those relationships and customer satisfaction.
This ensures that the service provider fully understands the needs and priorities of the business and that
customers are appropriately involved and represented in service level management.

Arrangements for communicating with customers and other interested parties are necessary. Communication should
promote understanding of the evolving business environment in which the services operate and enable the
organisation to respond to new or changed service requirements.

Regular review and documentation of performance trends and service outcomes, and the resulting reports, help
to improve the services. At planned intervals the organisation shall measure customer satisfaction using a
representative sample of customers; analysis of the results identifies opportunities for improvement, which
shall be reviewed and reported.

The organisation must keep a proper record of complaints and their closure. If a complaint is not resolved
through the normal channels, an escalation route shall be provided. A summary of service complaints needs to be
reported to the relevant managers.
In the previous version a ‘definition of a service complaint’ was required. There is no such requirement now.

Audit Tool
To Meet: Business Relationship Manager.
Documents/Procedures: Business relationship management process, service complaint procedure
Records: Performance trends, customer satisfaction survey, service complaint tickets

Sample Questions:
Who manages the service complaints?
What are the performance trends for the new services?
When was customer satisfaction with the services last measured?
Why have these service complaints not yet been closed?
Show me: The list of service complaints. The records of performance trends and outcomes of the services.
Show me a case where a service complaint was escalated, and explain how it was resolved.

Add your sample questions:

ISO/IEC 20000-1:2018- 8.3 Relationship and agreement


8.3.3 Service level management
The organization and the customer shall agree the services to be delivered.
For each service delivered, the organization shall establish one or more SLAs based on the documented
service requirements. The SLA(s) shall include service level targets, workload limits and exceptions.

At planned intervals, the organization shall monitor, review and report on:
a) performance against service level targets;
b) actual and periodic changes in workload compared to workload limits in the SLA(s).
Where service level targets are not met, the organization shall identify opportunities for improvement.
NOTE Agreement of the services to be delivered between the organization and its customers can take many
forms such as a documented agreement, minutes of verbal agreement in a meeting, agreement
indicated by email or agreement to terms of service.

Plain English Explanation


a) Requires an understanding of customer requirements and an agreement that the specified service levels
will be met / delivered
b) Service catalogue – includes name, targets, contact points, service hours and exceptions
c) Service level agreements – a formal document between service provider and customer (the NOTE allows less
formal forms, such as meeting minutes or an e-mail, provided they record the agreement)
d) Service level management process – needs to be flexible to accommodate major business changes

Service Level Agreements shall be:


a. A written agreement, formally authorised by senior customer and service provider representatives
b. Driven in content, structure and targets by the customer's business needs and budget
c. Measurable and reportable
d. Limited to an appropriate subset of targets, so that focus stays on the most important aspects of the
service

Contents (good practice from ISO/IEC 20000-2)


1. Service scope and description
2. Service hours
3. Measures of availability and reliability
4. Support details
5. Response and fix times
6. Deliverables and timescales
7. Change approval and implementation
8. Reference to the IT service continuity plan
9. Signatories
10. Responsibilities of both parties, e.g. security
11. Reporting
12. Review process
13. Glossary of terms
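
Worked example (added here; it is not code from this manual or from any service management tool): the monitoring
the clause requires in a) and b), implemented in Python over constructed incident records. It applies
per-priority resolution targets, suspends target measurement for incidents raised inside an agreed exception
window (a maintenance window in the example) while still counting them as workload, and compares each month's
workload with the SLA's workload limit. The SLA values, priority names, exception window and incident records
are all assumed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass
class Incident:
    ref: str
    priority: str
    opened: datetime
    resolved: datetime


# Assumed SLA content (illustrative values): resolution targets per priority, the attainment
# level agreed with the customer, a workload limit, and an agreed maintenance window during
# which target measurement is suspended (the "exceptions" the clause refers to).
SLA = {
    "resolution_hours": {"P1": 4, "P2": 8, "P3": 24},
    "attainment_pct": 95.0,
    "workload_limit_per_month": 5,
    "exceptions": [(datetime(2020, 2, 8, 22, 0), datetime(2020, 2, 9, 4, 0))],
}


def in_exception(inc: Incident, windows) -> bool:
    """True when the incident was raised inside an agreed exception window."""
    return any(start <= inc.opened < end for start, end in windows)


def sla_report(incidents: List[Incident], sla: dict) -> dict:
    """Report a) performance against targets and b) workload against the agreed limit."""
    measured: Dict[str, List[Incident]] = defaultdict(list)
    excluded: List[str] = []
    workload: Dict[str, int] = defaultdict(int)
    for inc in incidents:
        workload[inc.opened.strftime("%Y-%m")] += 1   # excepted incidents are still demand
        if in_exception(inc, sla["exceptions"]):
            excluded.append(inc.ref)
        else:
            measured[inc.priority].append(inc)

    performance = {}
    for prio, target_h in sla["resolution_hours"].items():
        incs = measured.get(prio, [])
        breaches = [i.ref for i in incs
                    if (i.resolved - i.opened).total_seconds() / 3600 > target_h]
        met = len(incs) - len(breaches)
        pct = round(100.0 * met / len(incs), 1) if incs else None
        performance[prio] = {"measured": len(incs), "met": met, "attainment_pct": pct,
                             "breaches": breaches,
                             "target_met": pct is None or pct >= sla["attainment_pct"]}
    limit = sla["workload_limit_per_month"]
    return {
        "performance": performance,
        "excluded": excluded,
        "workload": {m: {"incidents": n, "limit": limit, "exceeded": n > limit}
                     for m, n in sorted(workload.items())},
    }


# Constructed incident records (not real tickets).
INCIDENTS = [
    Incident("INC-1", "P1", datetime(2020, 2, 3, 9), datetime(2020, 2, 3, 12)),
    Incident("INC-2", "P1", datetime(2020, 2, 5, 14), datetime(2020, 2, 5, 20)),
    Incident("INC-3", "P2", datetime(2020, 2, 6, 8), datetime(2020, 2, 6, 15)),
    Incident("INC-4", "P3", datetime(2020, 2, 7, 10), datetime(2020, 2, 8, 9)),
    Incident("INC-5", "P1", datetime(2020, 2, 8, 23), datetime(2020, 2, 9, 6)),
    Incident("INC-6", "P2", datetime(2020, 2, 10, 9), datetime(2020, 2, 10, 18)),
]

if __name__ == "__main__":
    import json
    print(json.dumps(sla_report(INCIDENTS, SLA), indent=2))
```

For the constructed records, P1 and P2 each miss the 95% attainment level (one breach in two measured
incidents), P3 is met, INC-5 is excluded because it was raised during the maintenance window, and February's six
incidents exceed the limit of five. That last result is the point of clause b): when workload has exceeded the
agreed limit, the missed targets are a prompt to review the SLA and the resourcing, not only a performance
failure to log.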

Audit Tool
To Meet: Service Manager.
Documents/Procedures: Service catalogue, SLA, OLA process
Records: SLA, OLA, service catalogue, Service improvement process

Sample Questions:
Who manages the service level agreements?
What are the service level targets?
When was performance against the service level targets last reviewed?
Why has no SLA been agreed for these services?
How do you ensure that the right people are proactively notified of incidents that are in danger of missing a
service level target (i.e. an imminent breach of timescale) or that are proving extremely difficult to resolve?

Show me: SLAs, performance reviews, service level targets.

Add your sample questions:

ISO/IEC 20000-1:2018- 8.3 Relationship and agreement


8.3.4 Supplier management
8.3.4.1 Management of external suppliers
The organization shall have one or more designated individuals responsible for managing the relationship,
contracts and performance of external suppliers.
For each external supplier, the organization shall agree a documented contract. The contract shall include
or contain a reference to:
a) scope of the services, service components, processes or parts of processes to be provided or operated by
the external supplier;
b) requirements to be met by the external supplier;
c) service level targets or other contractual obligations;
d) authorities and responsibilities of the organization and the external supplier.

The organization shall assess the alignment of service level targets or other contractual obligations for the
external supplier against SLAs with customers, and manage identified risks.
The organization shall define and manage the interfaces with the external supplier.
At planned intervals, the organization shall monitor the performance of the external supplier. Where service
level targets or other contractual obligations are not met, the organization shall ensure that opportunities
for improvement are identified.
At planned intervals, the organization shall review the contract against current service requirements.
Changes identified for the contract shall be assessed for the impact of the change on the SMS and the
services before the change is approved.
Disputes between the organization and the external supplier shall be recorded and managed to closure.

Let us recall the definitions:


-------------------------------------------------------------------------------------------------------------------------------
3.2.8
internal supplier
part of a larger organization (3.1.14) that is outside the scope of the SMS (3.2.23) that enters into a
documented agreement to contribute to the planning, design, transition (3.2.27), delivery or
improvement of a service (3.2.15), service component (3.2.18) or process (3.1.18)
EXAMPLE Procurement, infrastructure, finance, human resources, facilities.

Note 1 to entry: The internal supplier and the organization in the scope of the SMS are both part of the same
larger organization.

3.2.4
external supplier
another party that is external to the organization that enters into a contract to contribute to the
planning, design, transition (3.2.27), delivery or improvement of a service (3.2.15), service component
(3.2.18) or process (3.1.18)
Note 1 to entry: External suppliers include designated lead suppliers but not their sub-contracted suppliers.

Note 2 to entry: If the organization in the scope of the SMS is part of a larger organization, the other party is external to
the larger organization.
-------------------------------------------------------------------------------------------------------------------------------

Plain English Explanation


One or more designated persons shall be responsible for the relationship, contracts and performance of external
suppliers. Each external supplier shall have a documented contract covering its obligations towards the
organisation, and the contract shall include, or refer to, the items a) to d) listed in the clause.

This process works with SLM to define, negotiate, document and agree terms of service with suppliers that
support the commitments the service provider has made in its SLAs. Supplier management also manages the
performance of suppliers and contracts against those terms, to ensure the related SLA targets are met.

The service level targets and other contractual obligations of an external supplier shall be assessed for
alignment with the SLAs agreed with customers, and the risks identified (for example a supplier resolution
time longer than the one promised to the customer) shall be managed. Supplier performance shall be monitored at
planned intervals, and where targets or obligations are not met, opportunities for improvement shall be
identified.

The contract must also be reviewed regularly against the current service requirements. Where it needs to change,
the impact of the change on the SMS and the services shall be assessed before the change is approved. All
disputes with external suppliers shall be recorded and managed to closure, with the resolution documented.

Audit Tool
To Meet: Relationship Manager.
Documents/Procedures: Relationship process, Contract management,
Records: Contracts, Service level targets, SLAs

Sample Questions:
Who manages the relationships, contracts and performance of external suppliers?
What is the scope of the services, service components and processes provided or operated by the external
supplier?
When was the contract last reviewed against the current service requirements?
Where are the contracts stored?
Why has the alignment of the external supplier's service level targets with customer SLAs not been assessed?
How do you arrive at the criteria used to decide whether a particular requirement will be delivered by an
external supplier or by internal staff?
Show me: The documented contracts with external suppliers and the documented agreements with internal suppliers
(8.3.4.2).

Add your sample questions:

ISO/IEC 20000-1:2018- 8.3 Relationship and agreement


8.3.4 Supplier management
8.3.4.2 Management of internal suppliers and customers acting as a supplier
For each internal supplier or customer acting as a supplier, the organization shall develop, agree and
maintain a documented agreement to define the service level targets, other commitments, activities and
interfaces between the parties.
At planned intervals, the organization shall monitor the performance of the internal supplier or the customer
acting as a supplier. Where service level targets or other agreed commitments are not met, the organization
shall ensure that opportunities for improvement are identified.

Plain English Explanation


The supplier management process ensures that suppliers and the services they provide are managed to support
the IT service targets and the organisation's expectations. Its purpose is to obtain value for money from
suppliers and to ensure that suppliers perform to the targets contained in their contracts. Suppliers, and the
services they provide, are an integral part of any end-to-end solution, and the management of suppliers and
partners is essential to the provision of quality IT services.

For an internal supplier or a customer acting as a supplier, the organisation must develop, agree and maintain
a documented agreement (not necessarily a contract) that defines the service level targets, other commitments,
activities and interfaces agreed between the parties.

The performance of internal suppliers and customers acting as suppliers shall be monitored at planned intervals,
and where targets or commitments are not met, opportunities for improvement shall be identified.

Audit Tool
To Meet: Relationship Manager.
Documents/Procedures: Relationship process, Contract management,
Records: Contracts, Service level targets, SLAs

Sample Questions:
How is customer satisfaction with the service to be improved?
How do you ensure that supplier management processes and planning are involved throughout the service
lifecycle?
When did you last update the supplier policy and the Supplier and Contract Database (SCD)?
Why should the supplier agreement be assessed against the SLAs?
What areas must the organisation assess in relation to the suppliers' obligations?
Who are the internal suppliers?

Show me: The latest performance review of an internal supplier and the improvement opportunities identified
from it.


Add your sample questions:

ISO/IEC 20000-1:2018- 8.4 Supply and demand


8.4.1 Budgeting and accounting for services
The organization shall budget and account for services or groups of services in accordance with its financial
management policies and processes.
Costs shall be budgeted to enable effective financial control and decision-making for services.
At planned intervals, the organization shall monitor and report on actual costs against the budget, review
the financial forecasts and manage costs.
NOTE Many, but not all, organizations charge for their services. Budgeting and accounting for services in
this document excludes charging, to ensure applicability to all organizations.

Plain English Explanation

This edition no longer prescribes specific cost types or costing methods. Costing is to be done in accordance with
the organisation's own financial management policies and processes.

Services can be managed effectively only when the resources available are planned, through budgeting and through
the implementation of financial management policies and processes. Budgeting enables effective control of the
expenditure incurred in delivering services and the processes that support them, and it gives decision-makers the
cost information they need when making decisions about services, not merely a total for the services themselves.

This process works with service level management to validate the predicted cost of delivering the service levels
required by the customer, so that the customer's decisions are informed by cost, and to ensure that actual costs are
compared with predicted costs as part of managing the overall cost-effectiveness of the service.

At planned intervals the organisation shall monitor and report actual costs against the budget. The resulting
reports feed the review of financial forecasts and the ongoing management of costs.

Audit Tool
To Meet: Finance Manager.
Documents/Procedures: Budgeting process, accounting process, pricing or charging methods (where charging applies).
Records: Budget, IT accounts, cost model, billing records (where charging applies).
Sample Questions:

How is the budget for IT services estimated?
When are actual costs monitored and reported against the budget?
Why has this cost not been budgeted?
What measures are taken to control the finances for the services effectively?
Who approves the budgets?
Show me: the budget, the costs considered in the budget, and the financial tracking against it.

Add your sample questions:


ISO/IEC 20000-1:2018- 8.4 Supply and demand


8.4.2 Demand management
At planned intervals, the organization shall:
a) determine current demand and forecast future demand for services;
b) monitor and report on demand and consumption of services.

NOTE Demand management is responsible for understanding current and future customer demand for
services. Capacity management works with demand management to plan and provide sufficient capacity to
meet the demand.
Plain English Explanation
The organisation must determine the current demand for its services and forecast the future demand. It must
monitor the demand for, and consumption of, the services it provides and report on them.

Demand management is responsible for understanding the current and future demands of customers and the market,
and for coordinating with capacity management so that sufficient capacity is provided to meet them. Poorly managed
demand is a source of risk for a service provider, because uncertainty in demand translates directly into
uncertainty about the capacity, and therefore the cost, required.

Demand management understands and responds strategically to business demand for services by analysing patterns
of business activity and user profiles, and by provisioning capacity in line with strategic objectives.

Unlike goods, services cannot be manufactured in advance and stocked in anticipation of demand. The available
capacity of resources is utilised on the basis of demand forecasts and patterns. Some types of capacity can be
increased quickly when required and released quickly when no longer in use.

Patterns of business activity shape the demand pattern: seasonal peaks, festival periods, a changing trend in the
use of a service, or the introduction of a new service or product are all points the service provider must watch.

Analysing and tracking the activity patterns of a business process makes it possible to predict the demand for the
services in the catalogue that support that process. Unplanned demand can also cost the organisation business
opportunities, or lead to poor service, because an unexpected surge in demand cannot be handled properly.

Audit Tool
To Meet: Demand Manager and Capacity Manager.
Documents/Procedures: Demand estimation procedure.
Records: Availability projections.
Sample Questions:
How do you control excess capacity when demand falls?
When were the SLAs, forecasting and planning last aligned with demand management?
Why has the impact on quality of service of insufficient capacity not been assessed?
What steps are taken to increase capacity on the basis of the forecast?
Who is responsible for reviewing demand management?

Show me: the demand forecast.

Add your sample questions:


ISO/IEC 20000-1:2018- 8.4 Supply and demand


8.4.3 Capacity management
The capacity requirements for human, technical, information and financial resources shall be determined,
documented and maintained taking into consideration the service and performance requirements.
The organization shall plan capacity to include:
a) current and forecast capacity based on demand for services;
b) expected impact on capacity of agreed service level targets, requirements for service availability and
service continuity;
c) timescales and thresholds for changes to service capacity.
The organization shall provide sufficient capacity to meet agreed capacity and performance requirements.
The organization shall monitor capacity usage, analyse capacity and performance data and identify
opportunities to improve performance.
Plain English Explanation
This edition has removed the requirement for a 'capacity plan' as a named document; the planning itself is still
required. ITIL defines capacity management as providing appropriate capacity to support resilience and overall
service availability. The process uses information from demand management about patterns of business activity and
user profiles to understand business demand for IT services, and provides this information to availability
management for business-aligned availability planning.

Capacity management understands the service delivery requirements, the organisation's operation and the IT
infrastructure needed to support service delivery. It ensures that the current and future capacity and performance
aspects of the business requirements are provided cost-effectively.

The following activities can be carried out as part of capacity management:

• Review the annual and quarterly capital expenditure processes already in place to assess the future capacity
requirement.
• Have the capacity requirement reviewed by the purchasing or finance department as well.
• Review the reports from network and system monitoring tools to assess where capacity needs enhancement.
• Review the linkage between business predictions, workload estimates and the capacity planning process.

Capacity management has three sub-processes: business capacity management, which ensures that future business
requirements for IT services are considered and planned for; service capacity management, which focuses on the
performance of the live operational IT services; and component capacity management, which addresses the
individual components of the IT infrastructure.
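Item c) of the clause, the 'timescales and thresholds for changes to service capacity', can be made concrete by trending the monitored usage, forecasting when a threshold will be crossed, and comparing that date with the lead time needed to add capacity. The following Python is an added example written for this manual, not text from ISO/IEC 20000-1 or from ITIL. The weekly utilisation samples are constructed, and the 80% threshold and the 30-day procurement lead time are assumed values that each organisation would set in its own capacity requirements.

```python
from statistics import mean

# Constructed sample: (day, % utilisation of a storage pool), observed weekly.
USAGE_SAMPLES = [(0, 50.0), (7, 54.0), (14, 58.0), (21, 62.0), (28, 66.0)]

# Assumed values; ISO/IEC 20000-1 requires thresholds and timescales to exist
# but does not prescribe them.
THRESHOLD_PCT = 80.0    # extra capacity must be live before usage reaches this
LEAD_TIME_DAYS = 30     # time to procure and commission extra capacity


def linear_trend(samples):
    """Ordinary least-squares fit of utilisation against time; returns (slope, intercept)."""
    xs = [x for x, _ in samples]
    ys = [y for _, y in samples]
    x_bar, y_bar = mean(xs), mean(ys)
    ss_xx = sum((x - x_bar) ** 2 for x in xs)
    if ss_xx == 0:                      # a single observation has no trend
        return 0.0, y_bar
    ss_xy = sum((x - x_bar) * (y - y_bar) for x, y in samples)
    slope = ss_xy / ss_xx
    return slope, y_bar - slope * x_bar


def days_until_threshold(samples, threshold):
    """Days from the last observation until the fitted trend reaches the threshold.

    Returns 0.0 when the threshold is already exceeded and None when usage is
    flat or falling, i.e. no breach is forecast.
    """
    slope, intercept = linear_trend(samples)
    last_day, last_value = samples[-1]
    if last_value >= threshold:
        return 0.0
    if slope <= 0:
        return None
    breach_day = (threshold - intercept) / slope
    return max(0.0, breach_day - last_day)


def capacity_action(samples, threshold=THRESHOLD_PCT, lead_time=LEAD_TIME_DAYS):
    """Decide whether a change to service capacity must be raised now.

    The change is raised when the forecast breach falls inside the lead time
    needed to deliver the extra capacity; waiting longer puts the targets at risk.
    """
    remaining = days_until_threshold(samples, threshold)
    if remaining is None:
        return {"raise_change": False, "days_to_breach": None, "reason": "no upward trend"}
    if remaining <= lead_time:
        reason = f"threshold reached in {remaining:.1f} days, lead time is {lead_time} days"
        return {"raise_change": True, "days_to_breach": remaining, "reason": reason}
    return {"raise_change": False, "days_to_breach": remaining, "reason": "outside lead time"}


if __name__ == "__main__":
    print(capacity_action(USAGE_SAMPLES))
```

With the constructed samples the fitted line rises 4 percentage points a week from 50%, so the 80% threshold is reached about 24.5 days after the last observation, inside the 30-day lead time, and a change to service capacity is due now. The same record (forecast, threshold, lead time, decision) is what an auditor would expect to see under 'Show me: Monitoring report of capacity usage'.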

Audit Tool
To Meet: Capacity Manager.
Documents/Procedures: Trend analysis procedure, CAPEX process.
Records: Current and forecast capacity, capacity monitoring reports.

Sample Questions:
How are costs managed effectively when capacity is increased?
When was capacity last severely affected, and what was done about it?
Why are demand management and capacity management not coordinated?
What problems are encountered in estimating capacity?
Who are the parties to be monitored for effective capacity management?
Show me: Monitoring report of capacity usage
Add your sample questions:


ISO/IEC 20000-1:2018- 8.5 Service design, build and transition


8.5.1 Change management
8.5.1.1 Change management policy
A change management policy shall be established and documented to define:
a) service components and other items that are under the control of change management;
b) categories of change, including emergency change, and how they are to be managed;
c) criteria to determine changes with the potential to have a major impact on customers or services.
Plain English Explanation

The purpose of the change management process is to control the lifecycle of all changes, enabling beneficial
changes to be made with minimum disruption to IT services. Its objectives are to respond to changing business and
IT requirements, to record every change, and to optimise the overall business risk arising from changes.

In that context a change management policy is mandatory, and clause 8.5.1.1 lists what it must contain. The policy
shall be documented and shall define the service components and other items that fall under the control of change
management. It shall set out the categories of change, including what constitutes an emergency change, and how
each category is to be managed. It shall also define the criteria used to determine which changes have the
potential to have a major impact on customers or services; those criteria decide which changes are routed through
service design and transition (8.5.2).

8.5.1.2 Change management initiation


Requests for change, including proposals to add, remove or transfer services, shall be recorded and
classified.
The organization shall use service design and transition in 8.5.2 for:
a) new services with the potential to have a major impact on customers or other services as determined by
the change management policy;
b) changes to services with the potential to have a major impact on customers or other services as
determined by the change management policy;
c) categories of change that are to be managed by service design and transition according to the change
management policy;
d) removal of a service;
e) transfer of an existing service from the organization to a customer or other party;
f) transfer of an existing service from a customer or other party to the organization.
Assessing, approving, scheduling and reviewing of new or changed services in the scope of 8.5.2 shall be
managed through the change management activities in 8.5.1.3.
Requests for change not being managed through 8.5.2 shall be managed through the change management
activities in 8.5.1.3.
Plain English Explanation
This clause covers the initiation of changes. Every request for change, including a proposal to add, remove or
transfer a service, must be recorded and classified.

It then determines which route a request follows. The following are managed through service design and transition
(8.5.2): new services and changes to services that, according to the criteria in the change management policy, have
the potential to have a major impact on customers or other services; any categories of change the policy assigns to
service design and transition; the removal of a service; and the transfer of a service, either from the organisation
to a customer or other party or from a customer or other party to the organisation.

Even for changes in the scope of 8.5.2, the assessing, approving, scheduling and reviewing of the new or changed
service are carried out through the change management activities of 8.5.1.3. Requests for change that do not fall
within 8.5.2 are managed entirely through 8.5.1.3.


8.5.1.3 Change management activities


The organization and interested parties shall make decisions on the approval and priority of requests for
change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial
impact. Decision making shall also consider potential impacts of the change on:
a) existing services;
b) customers, users and other interested parties;
c) policies and plans required by this document;
d) capacity, service availability, service continuity and SMS;
e) other requests for change, releases and plans for deployment.
Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and
other deployment details for approved changes shall be communicated to interested parties.
The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested.
Unsuccessful changes shall be investigated and agreed actions taken.
The organization shall review changes for effectiveness and take actions agreed with interested parties.
At planned intervals, request for change records shall be analysed to detect trends. The results and
conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for
improvement.
Plain English Explanation
The previous clause covered how requests for change are recorded and routed. This clause sets out the
decision-making process and the activities involved in handling a request for change.

The organisation and interested parties must decide on the approval and priority of each request, taking into
consideration the risks, business benefits, feasibility and financial impact, and the potential impact of the change
on existing services; on customers, users and other interested parties; on the policies and plans the standard
requires; on capacity, service availability, service continuity and the SMS itself; and on other requests for
change, releases and deployment plans. Approved changes must be prepared, verified and, where possible, tested
before deployment. The proposed deployment dates and other deployment details shall be communicated to the
interested parties affected by the change.

The activities needed to reverse or remedy an unsuccessful change (the back-out or remediation plan) shall be
planned and, where possible, tested before the change is deployed. Unsuccessful changes shall be investigated and
the agreed actions taken, and all changes shall be reviewed for effectiveness. At planned intervals the
request-for-change records shall be analysed to detect trends; recording and reviewing the results of that analysis
provides opportunities for improvement.

Audit Tool
To Meet: The Change Manager
Documents/Procedures: Change management process,
Records: Change management records, CAB approval, Emergency change record

Sample Questions:
How do you determine the factors to be considered when a change is initiated?
When was service design and transition (8.5.2) last used for a change?
Why have the requests for change not been analysed for trends at planned intervals?
What are the emergency changes defined in the change management policy, and how are they managed?
Who are the interested parties to be communicated with regarding a change?

Show me: the categories of change and the criteria considered when approving a request for change.

Add your sample questions:


ISO/IEC 20000-1:2018- 8.5 Service design, build and transition


8.5.2 Service design and transition
8.5.2.1 Plan new or changed services
Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall
include or contain a reference to:
a) authorities and responsibilities for design, build and transition activities;
b) activities to be performed by the organization or other parties with their timescales;
c) human, technical, information and financial resources;
d) dependencies on other services;
e) testing needed for the new or changed services;
f) service acceptance criteria;
g) intended outcomes from delivering the new or changed services, expressed in measurable terms;
h) impact on the SMS, other services, planned changes, customers, users and other interested parties.
For services that are to be removed, the planning shall additionally include the date(s) for the removal of the
services and the activities for archiving, disposal or transfer of data, documented information and service
components.
For services that are to be transferred, the planning shall additionally include the date(s) for the transfer of
the services and the activities for the transfer of data, documented information, knowledge and service
components.
The CIs affected by new or changed services shall be managed through configuration management.
Plain English Explanation
Service design aims to develop services and processes, under proper control, that meet the business requirements
and the customer needs. A design that matches its anticipated environment is far more effective and efficient; in
the absence of service design, services are often unreasonably expensive to run, prone to failure and wasteful of
resources, and may not meet stakeholder expectations.

A well designed service provides a sound estimate of project cost, time and resource requirements, enables
successful change management, gives the organisation simpler methods to follow and shared service assets, reduces
the time spent redesigning services, and increases confidence that the new or changed service can be delivered to
specification without unexpectedly affecting other services or stakeholders.

On this premise, the clause lists what the planning of a new or changed service must consider and include. The
plan must cover the authorities and responsibilities for design, build and transition, the activities to be
performed and their timescales, and the human, technical, information and financial resources required.
Dependencies on other services are identified so that the disruption caused by introducing the new service is
minimal, the testing required is specified, and the service acceptance criteria and measurable intended outcomes
are defined so that the service demonstrably meets stakeholder expectations. Plans for services being removed or
transferred must additionally state the dates and the activities for archiving, disposing of or transferring data,
documented information, knowledge and service components, and any CIs affected are managed through configuration
management.

8.5.2.2 Design
The new or changed services shall be designed and documented to meet the service requirements
determined in 8.2.2. The design shall include relevant items from the following:
a) authorities and responsibilities of the parties involved in the delivery of the new or changed services;
b) requirements for changes to human, technical, information and financial resources;
c) requirements for appropriate education, training and experience;
d) new or changed SLAs, contracts and other documented agreements that support the services;
e) changes to the SMS including new or changed policies, plans, processes, procedures, measures and
knowledge;
f) impact on other services;
g) updates to the service catalogue(s).

Plain English Explanation



The important aspects of service design, as defined by ITIL, are:

• service solutions for new or changed services;
• management information systems and tools;
• technology architecture and management architecture;
• the processes required;
• measurement methods and metrics.

It is important that a holistic, results-driven approach to all aspects of design is adopted and that, when any
individual element of the design is changed, all other aspects are considered.

The new or changed services must be designed to meet the service requirements determined in clause 8.2.2, and the
design must be documented. The design shall identify the authorities and responsibilities of the parties involved
in delivering the service; the requirements for changes to human, technical, information and financial resources;
the education, training and experience needed; any new or changed SLAs, contracts and other documented agreements
that support the service; changes to the SMS, including new or changed policies, plans, processes, procedures,
measures and knowledge; the impact on other services; and updates to the service catalogue(s).

This process is responsible for ensuring that the overall service design activities are completed successfully.

8.5.2.3 Build and transition


The new or changed services shall be built and tested to verify that they meet the service requirements,
conform to the documented design and meet the agreed service acceptance criteria. If the service acceptance
criteria are not met, the organization and interested parties shall make a decision on necessary actions and
deployment.
Release and deployment management shall be used to deploy approved new or changed services into the live
environment.
Following the completion of the transition activities, the organization shall report to interested parties on
the achievements against the intended outcomes.
Plain English Explanation

The organisation shall build the new or changed service and test it to verify that it meets the service
requirements, conforms to the documented design and meets the agreed service acceptance criteria. Where the
acceptance criteria are not met, the organisation and the interested parties shall decide on the necessary actions
and whether to proceed with deployment.
Deployment into the live environment is carried out through release and deployment management (8.5.3). Once the
transition activities are complete, the organisation shall report to interested parties on what was achieved
against the intended outcomes set during planning.

Audit Tool
To Meet: The Program Manager
Documents/Procedures: Service design and transition process.
Records: Service requirements, Design document, Transition document.
Sample Questions:
How do you estimate the interruption to service when new or changed services are implemented?
When do you communicate the service design and transition to external stakeholders?
Why was no plan produced for this new or changed service?
What criteria does the design plan have to meet?
Who is responsible for the transition?
Show me: the changed SLAs and the transition records.
Add your sample questions:


ISO/IEC 20000-1:2018- 8.5 Service design, build and transition


8.5.3 Release and deployment management
The organization shall define the types of release, including emergency release, their frequency and how
they are to be managed.
The organization shall plan the deployment of new or changed services and service components into the live
environment. Planning shall be co-ordinated with change management and include references to the related
requests for change, known errors or problems which are being closed through the release. Planning shall
include the dates for deployment of each release, deliverables and methods of deployment.
The release shall be verified against documented acceptance criteria and approved before deployment. If the
acceptance criteria are not met, the organization and interested parties shall make a decision on necessary
actions and deployment.
Before deployment of a release into the live environment, a baseline of the affected CIs shall be taken.
The release shall be deployed into the live environment so that the integrity of the services and service
components is maintained.
The success or failure of releases shall be monitored and analysed. Measurements shall include incidents
related to a release in the period following deployment of a release. The results and conclusions drawn from
the analysis shall be recorded and reviewed to identify opportunities for improvement.
Information about the success or failure of releases and future release dates shall be made available for
other service management activities as appropriate.
Plain English Explanation
ITIL defines the purpose of this process as planning, scheduling and controlling the build, test and deployment of
releases, delivering the new functionality the business requires while protecting the integrity of existing
services.
This clause sets out the procedure for the release and deployment of new or changed services, and requires the
organisation to define the types of release, including emergency release, their frequency and how each is to be
managed. First, the organisation must plan the deployment of new or changed services and service components.
Planning must be coordinated with change management and must reference the related requests for change and the
known errors or problems being closed through the release. The plan must include the deployment dates for each
release, the deliverables and the methods of deployment.
Second, before deployment into the live environment, the release is verified against documented acceptance
criteria and approved; if the criteria are not met, the organisation and interested parties decide on the
necessary actions. A baseline of the affected CIs is taken before deployment, so that the state of the live
environment before the release is known and the release can be backed out or its effects traced. The release
shall be deployed so that the integrity of existing services and service components is maintained.
Maintaining records of each release makes it possible to analyse its success or failure. Incidents related to a
release in the period following its deployment shall be measured and recorded, and the results and conclusions of
the analysis reviewed and recorded to identify opportunities for improvement. Information about the success or
failure of releases and about future release dates shall be made available to other service management activities
as appropriate.
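Taking a baseline of the affected CIs before deployment, and checking the live environment against it afterwards, is what lets an organisation show that 'the integrity of the services and service components is maintained'. The following Python is an added example written for this manual, not code from the standard or from any release tool: it records a SHA-256 baseline of file-based CIs, repeats it after a simulated deployment, and reports any CI that changed outside the approved release scope. The file names, file contents and release scope are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root):
    """Record the state of every file-based CI under `root` as {relative path: hash}."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baselines(before, after):
    """Classify every CI as added, removed or changed between two baselines."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def verify_release(diff, release_scope):
    """Check the post-deployment diff against the CIs the release was approved to touch.

    'unexpected' CIs changed without being part of the release, so the integrity
    of the live environment is in doubt; 'not_delivered' CIs were in scope but
    were never changed, so the release is incomplete.
    """
    touched = set(diff["added"]) | set(diff["removed"]) | set(diff["changed"])
    scope = set(release_scope)
    return {"unexpected": sorted(touched - scope), "not_delivered": sorted(scope - touched)}


def demo():
    """Constructed scenario: three CIs, a release that changes two and adds one,
    plus one out-of-scope edit that the comparison must surface."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "app"
        app.mkdir()
        (app / "service.cfg").write_text("version=1.0\n")
        (app / "auth.so").write_bytes(b"\x7fELF-build-100")
        (app / "cron.sh").write_text("echo nightly job\n")
        before = take_baseline(tmp)            # baseline taken before deployment

        # Simulated deployment of release 1.1 (approved scope: cfg, auth.so, notes).
        (app / "service.cfg").write_text("version=1.1\n")
        (app / "auth.so").write_bytes(b"\x7fELF-build-101")
        (app / "release_notes.txt").write_text("release 1.1\n")
        # Constructed drift: a hand edit outside the approved release scope.
        (app / "cron.sh").write_text("echo nightly job\n/opt/tools/debug.sh\n")

        after = take_baseline(tmp)
        diff = compare_baselines(before, after)
        scope = ["app/service.cfg", "app/auth.so", "app/release_notes.txt"]
        return diff, verify_release(diff, scope)


if __name__ == "__main__":
    print(demo())
```

The pre-deployment baseline is the record the auditor will ask for; the post-deployment comparison is how the organisation demonstrates that only the approved CIs changed. In the constructed scenario the edit to cron.sh is reported as unexpected, which is exactly the kind of finding that feeds the incident and problem records for the period after the release.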

Audit Tool
To Meet: The Release and deployment Manager
Documents/Procedures: Release management process
Records: Release plans, CI baselines, emergency releases, success and failure records of releases.
Sample Questions:
How: How do you estimate the resources needed to deploy a release?
When: When do you update the configuration information affected by a release?
Why: Why were the related requests for change and known errors not referenced in the release plan?
What: What tests or assessments must be conducted before deployment?
Who: Who are the relevant parties to make the decision on deployment?
Show me: the record of incidents relating to the deployment of a release, and the CI baseline taken before it.
Add your sample questions:


ISO/IEC 20000-1:2018- 8.6 Resolution and Fulfilment


8.6.1 Incident management
Incidents shall be:
a) recorded and classified;
b) prioritized taking into consideration impact and urgency;
c) escalated if needed;
d) resolved;
e) closed.
Records of incidents shall be updated with actions taken.
The organization shall determine criteria to identify a major incident. Major incidents shall be classified
and managed according to a documented procedure. Top management shall be kept informed of major
incidents. The organization shall assign responsibility for managing each major incident. After the
incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for
improvement.
Plain English Explanation
An incident is defined as an unplanned interruption to an IT service, a reduction in the quality of an IT service,
or a failure of a CI that has not yet impacted an IT service.

The purpose of incident management is to restore normal service operation as quickly as possible and to minimise
the adverse impact on business operations, thus ensuring that agreed levels of service quality are maintained.

The clause sets out clearly and concisely what the organisation must do to deal with an incident efficiently:
record and classify it, prioritise it by impact and urgency, escalate it if needed, resolve it and close it, updating
the record with the actions taken at each step. Recording every incident is vital: incident records provide the
data that service level management needs to demonstrate performance against many SLA targets, and meeting those
targets is a critical success factor for the process.

Major incidents are treated separately. The organisation must determine the criteria that identify a major
incident, and must classify and manage major incidents according to a documented procedure. Top management must
be kept informed of major incidents (not of every incident), and responsibility for managing each major incident
must be assigned to a named person. After the incident has been resolved, the major incident must be reported and
reviewed to identify opportunities for improvement.

Audit Tool
To Meet: The Incident Manager
Documents/Procedures: Incident management process
Records: Incident records.
Sample Questions:
How: How are incidents classified and prioritised?
When: When are the records of incidents updated?
Why: Why are the incidents that require a change not submitted to the CAB?
What: What are the criteria to identify a major incident?
Who: Who is responsible for recording incidents?
Show me: the major incident records and their post-incident reviews.
Add your sample questions:


ISO/IEC 20000-1:2018- 8.6 Resolution and Fulfilment


8.6.2 Service request management
Service requests shall be:
a) recorded and classified;
b) prioritized;
c) fulfilled;
d) closed.
Records of service requests shall be updated with actions taken.
Instructions for the fulfillment of service requests shall be made available to persons involved in service
request fulfillment.
Plain English Explanation
Service requests are typically requests for small changes that are low risk, low cost and frequently performed.
They are transactional and associated with the standard services that a provider is delivering. For example,
service requests for desktop support include installing, moving, upgrading, removing or replacing a desktop; for
email support they include adding or deleting a user, resetting a password or increasing a mailbox size.

For each request a record shall be maintained containing the details of the request and the actions taken, and
the instructions for fulfilling each type of request shall be made available to the persons involved in fulfilment.

A service request is associated with a request model that defines the prerequisites, the authorisation needed and
the standard work steps and activities to fulfil it.

Audit Tool
To Meet: The Incident and Service Request Manager
Documents/Procedures: Service request management process
Records: Service request records
Sample Questions:
How: How are service requests classified and prioritised?
When: When are the records of service requests updated?
Why: Why are service requests not submitted to the CAB?
What: What are the criteria for identifying a delay in fulfilling a service request?
Who: Who is responsible for recording service requests?
Show me: the service requests for the month of …….
Add your sample questions:


ISO/IEC 20000-1:2018- 8.6 Resolution and Fulfilment


8.6.3 Problem management
The organization shall analyse data and trends on incidents to identify problems. The organization shall
undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of
incidents.
Problems shall be:
a) recorded and classified;
b) prioritized;
c) escalated if needed;
d) resolved if possible;
e) closed.
Records of problems shall be updated with actions taken. Changes needed for problem resolution shall be
managed according to the change management policy.
Where the root cause has been identified, but the problem has not been permanently resolved, the
organization shall determine actions to reduce or eliminate the impact of the problem on the services.

Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be
made available for other service management activities as appropriate.
At planned intervals, the effectiveness of problem resolution shall be monitored, reviewed and reported.
Plain English Explanation
This process is responsible for managing the lifecycle of all problems. ITIL defines a problem as the underlying
cause of one or more incidents.

The purpose of problem management is to manage the lifecycle of all problems from first identification through
further investigation and documentation to eventual removal. Problem management seeks to minimise the adverse
impact on the business of incidents and problems caused by underlying errors within the IT infrastructure, and to
prevent proactively the recurrence of incidents related to those errors.

The organisation is expected to analyse incident data and trends in order to identify problems, that is, the
underlying causes behind repeated or related incidents. Root cause analysis is undertaken to identify actions that
can prevent the occurrence or recurrence of incidents. Root causes, known errors and problem resolutions are
recorded as part of effective problem management, and where a root cause is known but the problem cannot yet be
permanently resolved, actions to reduce or eliminate its impact on services (a workaround) must be determined.

The standard requires problems to be recorded, classified, prioritised, escalated where needed, resolved where
possible and closed in a systematic manner. Changes needed for problem resolution are made through change
management, and the lessons learned and the solutions are recorded in the known error database so that other
service management activities can use them. At planned intervals the effectiveness of problem resolution is
monitored, reviewed and reported.

Audit Tool
To Meet: The problem manager
Documents/Procedures: Problem management process
Records: Root cause analysis, problem records
Sample Questions:
How do you analyse the data and trends on incidents?
When did you update the lessons learned in the knowledge base?
Why does the incident documentation not indicate the priority?
What are the external factors causing the problems?
Which external parties need to be made aware of the SMS policy?
Show me: Problem records, changes needed for problem resolution.
Add your sample questions:


ISO/IEC 20000-1:2018- 8.7 Service Assurance


8.7.1 Service availability management
At planned intervals, the risks to service availability shall be assessed and documented. The organization
shall determine the service availability requirements and targets. The agreed requirements shall take into
consideration relevant business requirements, service requirements, SLAs and risks.
Service availability requirements and targets shall be documented and maintained.
Service availability shall be monitored, the results recorded and compared with the targets. Unplanned
non-availability shall be investigated and necessary actions taken.
NOTE Risks identified in 6.1 can provide input to the risks for service availability, service continuity and
SMS.
Plain English Explanation
The purpose of this process is to ensure that the level of availability delivered in all IT services meets the
agreed availability needs and/or service level targets in a cost-effective and timely manner. Availability
management is concerned with meeting both the current and future availability needs of the business.

In clause 8.7.1, managing the availability of services starts with assessing and documenting the risks to
service availability at planned intervals. The organisation has to make sure that the technical components and
the procedures the services depend on, and the risks to them, are regularly assessed and documented; the
risks identified under 6.1 are a natural input.

The organisation must then determine the service availability requirements and targets. The agreed
requirements must take into consideration the relevant business requirements, service requirements, SLAs and
the identified risks, and the requirements and targets must be documented and maintained.

Service availability must be monitored, the results recorded and compared with the targets, so that a shortfall
against a target is visible from the organisation's own records rather than discovered by customers.

Any unplanned non-availability must be investigated and the necessary actions taken. The risks assessed
previously help in deciding which actions will maintain the agreed levels of availability.

Audit Tool
To Meet: Availability Manager
Documents/Procedures: Availability process
Records: Service level targets, Availability report

Sample Questions:
How is service availability assessed?
When is the record of service availability reviewed?
Why are records of service availability not maintained?
What are the requirements for determining service availability targets?
Who determines the service availability requirements and targets?
Show me how the risks assessed in 6.1 are relevant to service availability.

Add your sample questions:


ISO/IEC 20000-1:2018- 8.7 Service Assurance


8.7.2 Service continuity management
At planned intervals, the risks to service continuity shall be assessed and documented. The organization
shall determine the service continuity requirements. The agreed requirements shall take into
consideration relevant business requirements, service requirements, SLAs and risks.
The organization shall create, implement and maintain one or more service continuity plans. The service
continuity plan(s) shall include or contain a reference to:
a) criteria and responsibilities for invoking service continuity;
b) procedures to be implemented in the event of a major loss of service;
c) targets for service availability when the service continuity plan is invoked;
d) service recovery requirements;
e) procedures for returning to normal working conditions.
The service continuity plan(s) and list of contacts shall be accessible when access to the normal service
location is prevented.
At planned intervals, the service continuity plan(s) shall be tested against the service continuity
requirements. The service continuity plan(s) shall be re-tested after major changes to the service
environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and
after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall
take necessary actions.
The organization shall report on the cause, impact and recovery when the service continuity plan(s) has
been invoked.

Plain English Explanation


The purpose of this management process is to support the overall business continuity management (BCM)
process by ensuring that, by managing the risks that could seriously affect IT services, the IT service
provider can always provide minimum agreed business continuity related service levels.

Clause 8.7.2 covers the management of service continuity, specifically the planning needed to restore and
maintain service when a major loss of service occurs. This requires the assessment and documentation of the
risks to service continuity at planned intervals. The organisation has to make sure that the technical
components and procedures the services depend on, and the risks to them, are regularly assessed and
documented. The agreed service continuity requirements must take into consideration business requirements,
service requirements, service level agreements (SLAs) and the identified risks.

The organisation must create, implement and maintain one or more service continuity plans. These plans
must include, or refer to:
a) The criteria and responsibilities for invoking service continuity, i.e. who decides, and on what basis, that
the plan is invoked.
b) The procedures to be implemented in the event of a major loss of service.
c) The targets for service availability that apply while the plan is invoked; these are normally lower than the
normal SLA targets and must be agreed, not assumed.
d) The service recovery requirements.
e) The procedures for returning to normal working conditions.

The service continuity plan(s) and the list of contacts must be accessible when access to the normal service
location is prevented; a plan stored only on the systems or premises it is meant to protect does not meet this
requirement. The plan must be tested at planned intervals against the service continuity requirements. After
any major change to the service environment, the plan must be re-tested to check that it is still effective.
The results of these tests must be recorded. A review must follow each test and each time the plan has been
put into effect. This helps in identifying the areas that require improvement, rectifying errors and recognising
deficiencies or missing measures. The organisation must address these deficiencies and adjust the plan
accordingly.

A report must be produced whenever the service continuity plan is invoked for real. The report must cover
what caused the situation, how it impacted the service and how the service was recovered with the help of
the plan. The report helps in understanding how well the plan works in a real scenario as opposed to a test,
and in adjusting the plan for future requirements.

Audit Tool
To Meet: Service continuity manager
Documents/Procedures: Service continuity procedure
Records: Service continuity plan, essential services list, continuity test records

Sample Questions:
How is the service continuity plan evaluated to ensure that all essential services are covered?
When was the service continuity plan last tested?
Why does the service continuity plan not consider dependent services?
Which services are covered by the continuity plan?
Show me the reports produced after tests or invocations of the service continuity plan, and how they were used.

Add your sample questions:


ISO/IEC 20000-1:2018- 8.7 Service Assurance


8.7.3 Information Security management
8.7.3.1 Information Security policy
Management with appropriate authority shall approve an Information Security policy relevant to the
organization. The Information Security policy shall be documented and take into consideration the service
requirements and the obligations in 6.3 c).
The Information Security policy shall be made available as appropriate. The organization shall
communicate the importance of conforming to the Information Security policy and its applicability to the
SMS and the services to appropriate persons within:
a) the organization;
b) customers and users;
c) external suppliers, internal suppliers and other interested parties.
Plain English Explanation
The Information Security policy must be approved by management with appropriate authority, and it must be
relevant to the organisation. The documented policy must take into consideration the service requirements
and the obligations referenced from the service management plan in 6.3 c), which include statutory,
regulatory and contractual requirements. The policy must therefore be consistent with the service
management plan rather than written in isolation from it.

The policy must be made available as appropriate. This is to ensure that the policy is effectively followed by
all parties involved. Conformity to the policy can only be expected if the organisation communicates its
importance, and its applicability to the SMS and the services, to the appropriate persons within the
organisation, to customers and users, and to external suppliers, internal suppliers and other interested parties.

ISO/IEC 20000-1:2018- 8.7 Service Assurance


8.7.3 Information Security management
8.7.3.2 Information Security controls
At planned intervals, the information security risks to the SMS and the services shall be assessed and
documented. Information security controls shall be determined, implemented and operated to support the
information security policy and address identified Information security risks. Decisions about information
security controls shall be documented.
The organization shall agree and implement information security controls to address information security
risks related to external organizations.
The organization shall monitor and review the effectiveness of Information Security controls and take
necessary actions.
Plain English Explanation
ISO/IEC 20000-1 itself specifies very few information security controls. What it requires is essentially:
1. an Information Security policy (8.7.3.1);
2. information security risk assessment at planned intervals, and controls determined, implemented and
operated to support the policy and treat the identified risks, including risks related to external organizations;
3. documented decisions about which controls are applied, and monitoring and review of their effectiveness.
The standard does not prescribe a control catalogue; most organisations draw the detailed controls from
ISO/IEC 27001 and ISO/IEC 27002, and ISO/IEC 27013 describes how to integrate ISO/IEC 27001 with
ISO/IEC 20000-1. The organisation must keep records of the risk assessments, the control decisions and the
effectiveness reviews to show that the Information Security policy is implemented effectively. This is what
protects the confidentiality, integrity and availability of the information assets the services depend on.


ISO/IEC 20000-1:2018- 8.7 Service Assurance


8.7.3 Information Security management
8.7.3.3 Information Security incidents
Information Security incidents shall be:
a) recorded and classified;
b) prioritized taking into consideration the Information Security risk;
c) escalated if needed;
d) resolved;
e) closed.
The organization shall analyse the Information Security incidents by type, volume and impact on the SMS,
services and interested parties. Information Security incidents shall be reported and reviewed to identify
opportunities for improvement.
NOTE The ISO/IEC 27000 series specifies requirements and provides guidance to support the
implementation and operation of an Information Security management system. ISO/IEC 27013 provides
guidance on the integration of ISO/IEC 27001 and ISO/IEC 20000-1 (this document).
Plain English Explanation
In IT service management, incidents and problems are handled separately. Incident management aims to
restore the service as quickly as possible, usually through a workaround or a known-error fix, and does not
normally perform root cause analysis; that is the job of problem management. Information Security incidents
are different: every security incident must be investigated and its root cause established, because an incident
whose cause is not understood leaves the exposure in place. In that sense a security incident is usually treated
as a problem from the outset, or linked to a problem record, in addition to being prioritised according to the
information security risk rather than only by the number of users affected.
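The following Python script is an added illustration of the analysis asked for in 8.6.3 (analysing incident data and trends to identify problems) and in 8.7.3.3 (prioritising security incidents according to the information security risk, and analysing them by type, volume and impact). It is not from the manual and does not represent any particular service desk tool. The incident records, the priority thresholds, the 30-day window and the threshold of three incidents are assumptions made for the example; an organisation would set its own.

```python
"""Incident trend analysis and security incident summary (added example).

The records, thresholds and window below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Incident:
    ident: str
    opened: datetime
    category: str          # e.g. "network", "security/phishing"
    ci: str                # configuration item affected
    impact: int            # 1 (low) .. 3 (high): effect on services and interested parties
    urgency: int = 1       # 1 (low) .. 3 (high): how quickly it must be resolved
    security: bool = False
    risk_level: int = 1    # information security risk rating, 1..3 (security incidents only)


def priority(inc: Incident) -> str:
    """Impact x urgency matrix; for security incidents the information security
    risk level can raise the priority (8.7.3.3 b)). P1 is the most urgent."""
    score = inc.impact * inc.urgency
    if inc.security:
        score = max(score, inc.impact * inc.risk_level)
    if score >= 6:
        return "P1"
    if score >= 3:
        return "P2"
    return "P3"


def problem_candidates(incidents, window_days=30, threshold=3):
    """Group incidents by (category, CI). Any group with `threshold` or more
    incidents opened within a sliding window of `window_days` is reported as a
    problem candidate for root cause analysis (8.6.3)."""
    window = timedelta(days=window_days)
    groups = defaultdict(list)
    for inc in incidents:
        groups[(inc.category, inc.ci)].append(inc)
    candidates = []
    for (category, ci), items in groups.items():
        items.sort(key=lambda i: i.opened)
        start = 0
        for end in range(len(items)):
            # shrink the window from the left until it spans at most `window`
            while items[end].opened - items[start].opened > window:
                start += 1
            if end - start + 1 >= threshold:
                candidates.append({
                    "category": category,
                    "ci": ci,
                    "count": end - start + 1,
                    "first": items[start].opened,
                    "last": items[end].opened,
                    "incidents": [i.ident for i in items[start:end + 1]],
                })
                break  # one candidate per group is enough to open a problem record
    return candidates


def security_summary(incidents):
    """Analyse security incidents by type (category), volume and impact (8.7.3.3)."""
    summary = defaultdict(lambda: {"volume": 0, "total_impact": 0, "p1": 0})
    for inc in incidents:
        if not inc.security:
            continue
        row = summary[inc.category]
        row["volume"] += 1
        row["total_impact"] += inc.impact
        if priority(inc) == "P1":
            row["p1"] += 1
    return dict(summary)


# Constructed sample: repeated network incidents on one switch, plus a few
# security incidents reported through the same service desk.
_T0 = datetime(2020, 1, 6, 9, 0)
SAMPLE_INCIDENTS = [
    Incident("INC-001", _T0, "network", "core-switch-1", impact=2, urgency=2),
    Incident("INC-002", _T0 + timedelta(days=3), "network", "core-switch-1", impact=2, urgency=2),
    Incident("INC-003", _T0 + timedelta(days=10), "network", "core-switch-1", impact=3, urgency=2),
    Incident("INC-004", _T0 + timedelta(days=60), "network", "core-switch-1", impact=1, urgency=1),
    Incident("INC-005", _T0 + timedelta(days=2), "email", "mail-gw", impact=1, urgency=1),
    Incident("INC-006", _T0 + timedelta(days=5), "security/phishing", "mail-gw", impact=2,
             urgency=1, security=True, risk_level=3),
    Incident("INC-007", _T0 + timedelta(days=6), "security/phishing", "mail-gw", impact=1,
             urgency=1, security=True, risk_level=3),
    Incident("INC-008", _T0 + timedelta(days=7), "security/malware", "wks-042", impact=3,
             urgency=2, security=True, risk_level=2),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.ident, priority(inc))
    for c in problem_candidates(SAMPLE_INCIDENTS):
        print("problem candidate:", c["category"], c["ci"], c["incidents"])
    for category, row in security_summary(SAMPLE_INCIDENTS).items():
        print(category, row)
```

On the constructed data, the three incidents on core-switch-1 within ten days become a problem candidate, the fourth one two months later does not, and the phishing incident with a low user impact still lands at P1 because of its risk rating; that last point is what 8.7.3.3 b) adds over an ordinary impact and urgency matrix.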

Audit Tool
To Meet: Information Security Manager
Documents/Procedures: Information Security Incident Management.
Records: Security Incident management records

Sample Questions:
How are Information Security incidents handled?
When did you last review the Information Security policy?
Why does the Information Security policy not address lessons learned from incidents?
What steps are taken to implement the risk treatment plan effectively?
Who is responsible for reviewing the Information Security policy?
Show me: Information Security policy, Incident report, Risk treatment plan

Add your sample questions:


9. Performance evaluation

ISO/IEC 20000-1:2018 - 9.1 Monitoring, measurement, analysis and evaluation


The organization shall determine:
- what needs to be monitored and measured for the SMS and the services;
- the methods for monitoring, measurement, analysis & evaluation, as applicable, to ensure valid results;
- when the monitoring and measuring shall be performed;
- when the results from monitoring and measurement shall be analysed and evaluated;

The organization shall retain appropriate documented information as evidence of the results.

The organization shall evaluate the SMS performance against the service management objectives and
evaluate the effectiveness of the SMS. The organization shall evaluate the effectiveness of the services
against the service requirements.

Plain English Explanation

If we go back to the definitions of monitoring and measurement, monitoring relates to determining the status
of a system, a process (3.1.18) or an activity, whereas measurement is a process to determine a value. A
network monitoring tool tells us whether connectivity is up or down in a specific part of the network; the
daily summary report gives us a value, for example how many minutes of downtime there were.

Service Desk operation includes monitoring and measuring of service levels. If it is automated, there will be
a facility to generate ad hoc reports and analyse the trends in maintaining agreed service levels. Such a tool
can be configured to send alerts and emails when there is a breach of SLA terms. To sum up, the
measurement process adds value to the monitoring process by being specific about where improvement is
needed.
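The following Python script, added here as an illustration and not taken from the manual or from any particular monitoring product, shows the step from monitoring to measurement described above and the comparison with targets that 8.7.1 requires. It reads a constructed probe log of UP/DOWN samples taken every five minutes, collapses consecutive DOWN samples into outages, classes an outage as planned when it falls entirely inside an agreed maintenance window, and reports the day's availability against a target. The log format, the five-minute interval and the maintenance window are assumptions made for the example.

```python
"""From monitoring to measurement: availability against target (added example).

The probe log format, the 5-minute interval and the maintenance window are
assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

SAMPLE_INTERVAL = timedelta(minutes=5)

# Agreed maintenance window for the sample day (constructed): 02:00-03:00.
MAINTENANCE_WINDOWS = [(datetime(2020, 2, 20, 2, 0), datetime(2020, 2, 20, 3, 0))]


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime      # time of the first UP sample after the outage
    planned: bool

    @property
    def minutes(self) -> float:
        return (self.end - self.start).total_seconds() / 60


def parse_probe_log(text: str):
    """Parse lines of '<ISO timestamp> UP|DOWN' (monitoring: status only)."""
    samples = []
    for line in text.strip().splitlines():
        ts, state = line.split()
        samples.append((datetime.fromisoformat(ts), state.upper() == "UP"))
    samples.sort()
    return samples


def outages(samples, maintenance_windows, interval=SAMPLE_INTERVAL):
    """Collapse runs of DOWN samples into outages. An outage is planned only
    if it lies entirely inside an agreed maintenance window."""
    result, start, last = [], None, None
    for ts, up in samples + [(None, True)]:   # sentinel closes a trailing outage
        if not up and start is None:
            start = ts
        elif up and start is not None:
            end = ts if ts is not None else last + interval
            planned = any(ws <= start and end <= we for ws, we in maintenance_windows)
            result.append(Outage(start, end, planned))
            start = None
        if ts is not None:
            last = ts
    return result


def availability_report(samples, maintenance_windows, target_pct, interval=SAMPLE_INTERVAL):
    """Measurement: turn the samples into values and compare with the target.
    Planned maintenance is excluded from the agreed service time; only
    unplanned non-availability counts against the target (8.7.1)."""
    period = len(samples) * interval.total_seconds() / 60
    outs = outages(samples, maintenance_windows, interval)
    planned = sum(o.minutes for o in outs if o.planned)
    unplanned = sum(o.minutes for o in outs if not o.planned)
    agreed = period - planned
    availability = 100.0 * (agreed - unplanned) / agreed if agreed else 100.0
    return {
        "period_minutes": period,
        "planned_downtime": planned,
        "unplanned_downtime": unplanned,
        "availability_pct": round(availability, 3),
        "target_pct": target_pct,
        "target_met": availability >= target_pct,
        # each unplanned outage is an item for investigation (8.7.1)
        "to_investigate": [o for o in outs if not o.planned],
    }


def constructed_probe_log(day=datetime(2020, 2, 20)) -> str:
    """Constructed sample: one day of 5-minute probes, DOWN during the
    maintenance window 02:00-02:30 and again, unplanned, 14:05-14:20."""
    lines, t = [], day
    while t < day + timedelta(days=1):
        down = (day.replace(hour=2) <= t < day.replace(hour=2, minute=30)
                or day.replace(hour=14, minute=5) <= t < day.replace(hour=14, minute=20))
        lines.append(f"{t.isoformat()} {'DOWN' if down else 'UP'}")
        t += SAMPLE_INTERVAL
    return "\n".join(lines)


if __name__ == "__main__":
    report = availability_report(parse_probe_log(constructed_probe_log()),
                                 MAINTENANCE_WINDOWS, target_pct=99.5)
    for key, value in report.items():
        print(f"{key}: {value}")
```

For the constructed day the monitoring alone says "down twice"; the measurement says 30 minutes planned, 15 minutes unplanned, 98.936 % availability against a 99.5 % target, and one outage to investigate. Whether planned maintenance is excluded from the agreed service time is itself something the SLA must state; the script assumes it is, and an auditor should ask to see that agreement rather than accept the figure.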

The frequency of such monitoring and measuring is up to the organization and also depends on the scope of
the SMS. Some organizations define KPIs for each process and track them. This is in particular true when
several processes are outsourced and payment has to be made, or a contract renewed, based on performance.
As an auditor you may not find a single person or process responsible for this clause. You have to understand
the organization and then select specific areas and persons to audit.


Audit tool
Whom to meet:
Network team, application development team, backup team, IT infra team
Process Owners
- Monitor SMS metrics
Other Managers:
- Conduct internal SMS audits
Senior Management:
- Conduct management reviews
- Review risk assessments at least once a year or when there is major change
Which documented information to review:
SOPs, IT policies, network policies, log management policy

Audit Questions:
1. What parameters are monitored?
2. Can you show me the location where the logs are stored for the last six months?
3. What are the KPIs set?
4. How are the KPIs evaluated to ensure that they are meeting the objectives?

Add your sample questions:


ISO/IEC 20000-1:2018 - 9.2 Internal audit


9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether
the SMS:
a) conforms to
1) the organization’s own requirements for its SMS;
2) the requirements of this document;

b) is effectively implemented and maintained.

9.2.2 The organization shall:


a) plan, establish, implement and maintain an audit programme(s), including the frequency, methods,
responsibilities, planning requirements and reporting which shall take into consideration:
1) the importance of the processes concerned;
2) changes affecting the organization;
3) the results of previous audits;
b) define the audit criteria and scope for each audit;
c) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
d) ensure that the results of the audits are reported to relevant management;
e) retain documented information as evidence of the implementation of the audit programme(s) and the
audit results.

NOTE ISO 19011 provides guidelines on auditing management systems.

Plain English Explanation


- Develop an internal audit procedure.
- Set up an internal audit programme and train the internal auditors.
(Note: A security calendar may include the internal audit programme, external audit programme, security
monitoring programme, etc.)
- Ensure that audits are conducted by persons independent of the area being audited.
- Perform regular internal audits.
- Report problems discovered during audits to the relevant management.
- Follow up each audit to verify that the implemented solutions have solved the problems.
- Retain records of the audits and their results as documented information (see 9.2.2 e) and 7.5).
- The management responsible for the area being audited must ensure that any necessary corrections
and corrective actions are taken without undue delay.

Remember: it is the auditees' (process owners') responsibility to develop a solution, not the auditor's. Be
helpful and contribute to the problem solving if asked; an auditor with a helpful attitude will be asked to help
solve the problems found.


Audit tool
Whom to meet: Management Representative, SMS Implementation team

Which documented information to review:


Internal audit plan, procedure, policy, CAPA policy

Audit Questions:
1. When was the last internal audit conducted?
2. What were the findings of internal audit?
3. How do you evaluate the competence of the internal audit team?

Add your sample questions:


ISO/IEC 20000-1:2018 - 9.3 Management review


Top management shall review the organization’s SMS, at planned intervals, to ensure its continuing
suitability, adequacy and effectiveness.
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the SMS;
c) information on the performance and effectiveness of the SMS, including trends in:
- nonconformities and corrective actions;
- monitoring and measurement results;
- audit results;
d) opportunities for continual improvement;
e) feedback from customers and other interested parties;
f) adherence to and suitability of the service management policy and other policies required by this
document;
g) achievement of service management objectives;
h) performance of the services;
i) performance of other parties involved in the delivery of the services;
j) current and forecast human, technical, information and financial resource levels and human & technical
resource capabilities;
k) results of risk assessment and the effectiveness of actions taken to address risks and opportunities;
l) changes that can affect the SMS and the services.

The outputs of the management review shall include decisions related to continual improvement
opportunities and any need for changes to the SMS and the services.

The organization shall retain documented information as evidence of the results of management reviews.

Plain English Explanation


- Examine the status of actions from previous management reviews.
- Evaluate the performance of your SMS against the service management objectives.
- Evaluate whether your SMS should be improved.
- Examine service incident data and other monitoring and measurement results.
- Examine opportunities to improve.
- Examine feedback from customers and other interested parties.
- Examine SMS effectiveness information, including audit results.
- Examine nonconformities and corrective actions.
- Examine changes that might affect your SMS and services.
- Generate actions to improve your SMS.
- Generate actions to address resource needs.

Audit tool
Whom to meet: Management Representative
Which documented information to review:
MRM minutes, action plan to solve issues raised in MRM
Audit Questions:
- Which reports are discussed during the MRM (management review meeting)?
Add your sample questions:


ISO/IEC 20000-1:2018 - 9.4 Service reporting


The organization shall determine reporting requirements and their purpose.

Reports on the performance and effectiveness of the SMS and the services shall be produced using
information from the SMS activities and delivery of the services. Service reporting shall include trends.

The organization shall make decisions and take actions based on the findings in service reports. The agreed
actions shall be communicated to interested parties.

NOTE The reports that are required are specified in the relevant clauses of this document. Additional reports can also
be produced.

Plain English Explanation


In the 2011 version, service reporting was a separate clause (6.2) within the service delivery processes, next to
service level management, and listed six types of service report. The 2018 version refers to reports on all
SMS processes and services.

Ideally there should be service reports on each service in the service catalogue and on the status of, and
changes to, each SMS process. In practice, the auditor will usually find SLA compliance reports, actual
utilisation figures and SLA breach reports; treat these as a starting point. A report on the status of
achievement of all service management objectives is a comprehensive report covering all services and
processes. During each surveillance audit, the audit team should review and document how many new reports
have been added in that year. The organisation may select any one or all of the following service reports:

1) Context Analysis and understanding the needs and expectations of interested parties
2) Leadership and Commitment
3) Changes to Policy, if any and report on communication of the service management policy
4) Organisational roles, responsibilities and authorities
5) Service Management risks and opportunities
6) Service Management Objectives
7) Resources - Human, technical, information and financial
8) Awareness, competence and knowledge management
9) Communication
10) Changes to documented information
11) Service catalogue
12) External and internal suppliers
13) Asset management
14) Configuration management
15) Business relationship management
16) Service level management
17) Supplier management
18) Budgeting and accounting for services
19) Demand management
20) Capacity management
21) Change management
22) Service design and transition
23) Release and deployment management
24) Incident management
25) Service request management
26) Problem management
27) Service availability management
28) Service continuity management
29) Information security management


30) Monitoring, measurement, analysis and evaluation
31) Summary of internal audit report and trends
32) Summary of management review actions initiated
33) Nonconformities and corrective action
34) Continual improvement

In small organizations, the audit team may find only a few of these reports. The audit team should confirm
that management have defined which reports will be issued, at what frequency and by whom.

Can the auditor raise a nonconformity report if the number of reports is less than the 34 listed above?
NO.

The requirement is clear: the organization shall determine reporting requirements and their purpose. The list
above is a menu, not a checklist. The one caveat is in the NOTE to 9.4: where a specific clause requires a
report, its absence is a nonconformity against that clause, for example the report on cause, impact and
recovery after the service continuity plan has been invoked (8.7.2), or the reporting of the effectiveness of
problem resolution at planned intervals (8.6.3).

Audit tool
Whom to meet: various managers, in particular the Help Desk Manager, Service Continuity Manager, Manager
for Capacity Planning and Demand Management, Manager for Budgeting and Accounting, Change Manager,
Release and Deployment Manager, Service Availability Manager, Business Relationship Manager, Service
Level Manager, etc.

Which documented information to review:


On-demand reports generated from various software applications.
Spreadsheet reports.
Operational dashboards.
Presentations prepared for the management review.

Audit Questions:
- Which reports are discussed during the MRM, and which of them show trends?

Add your sample questions:


10. Improvement
ISO/IEC 20000-1:2018 - 10.1 Nonconformity and corrective action
10.1.1 When a nonconformity occurs, the organization shall:
a) react to the nonconformity, and as applicable:
- take action to control and correct it; and
- deal with the consequences;
b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or
occur elsewhere, by:
- reviewing the nonconformity;
- determining the causes of the nonconformity; and
- determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken; and
e) make changes to the SMS, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered.

10.1.2 The organization shall retain documented information as evidence of:


a) the nature of the nonconformities and any subsequent actions taken, and
b) the results of any corrective action.

Plain English Explanation


The term preventive action has been removed from this clause, and corrective action is given more
prominence. The emphasis is that the action taken must eliminate the cause of the nonconformity, so that it
does not recur, or occur elsewhere.

- Review your nonconformities.
- Follow up on closure of nonconformities.
- Inform interested parties about the continual improvement of the SMS.
- Determine what causes your nonconformities.
- Evaluate whether you need to take corrective action.
- Develop corrective actions to prevent recurrence.
- Take corrective actions when they are necessary.
- Record the results that your corrective actions achieve.
- Review the effectiveness of your corrective actions.

Audit tool
Whom to meet: Management Representative

Which documented information to review:


SMS policy, Internal audit reports, corrective actions

Audit Questions:
1. How do you ensure that the audit findings are not repeated in the future audits?
2. Is any MRM action item pending?

Add your sample questions:


ISO/IEC 20000-1:2018 - 10.2 Continual improvement


The organization shall continually improve the suitability, adequacy and effectiveness of the SMS and the
services.

The organization shall determine evaluation criteria to be applied to the opportunities for improvement
when making decisions on their approval. Evaluation criteria shall include alignment of the improvement
with service management objectives.

Opportunities for improvement shall be documented. The organization shall manage approved improvement
activities that include:
a) setting one or more targets for improvement in areas such as quality, value, capability, cost, productivity,
resource utilization and risk reduction;
b) ensuring that improvements are prioritized, planned and implemented;
c) making changes to the SMS, if necessary;
d) measuring implemented improvements against the target(s) set and where target(s) are not achieved,
taking necessary actions;
e) reporting on implemented improvements.

NOTE Improvements can include reactive and pro-active actions such as correction, corrective action, preventive
action, enhancements, innovation and re-organization.

Plain English Explanation


Suitability
- Changing the SMS policy according to developing needs
- Reviewing and modifying the SMS objectives
Effectiveness
- Taking action on audit results
- Analysing monitored events
- Ensuring corrective actions are taken effectively and on time
Adequacy
- Management review
- Detecting potential nonconformities
- Reviewing the effectiveness of corrective actions

Audit tool
Whom to meet: Management Representative

Which documented information to review:


SMS policy, Internal audit reports, corrective actions, Metrics, MRM reports, various monitoring reports.

Audit Questions:
1. What metrics are established and what are the results?
2. What changes to the business have occurred, and how have these been addressed in the scope, policy and
objectives?
3. What is the trend of security incidents?
4. How do you record the learning from security incidents?

Add your sample questions:


HOW IS AN ITSMS CERTIFICATION AUDIT CARRIED OUT?

An ITSMS certification audit may be conducted in one stage combining the document review and the
implementation review.

We audit to:
- Confirm that the ITSMS arrangements comply with organizational requirements, both internal and external
(intent)
- Assess that the stated requirements and controls are being used (implementation)
- Evaluate that the processes and controls effectively manage IT service management (effectiveness).

Audit Criteria:
1. Legal and regulatory requirements for IT service management (normally with reference to software
licensing)
2. Customer and contractual requirements for IT service management.
3. Requirements of ISO/IEC 20000-1:2018
4. Senior management's stated intentions that go beyond the minimum requirements.

Sources of information - before the audit


1. Company information brochure
2. Web site if it is updated with details of IT Service Management services
3. ITSMS Scope document

Sources of information - during the audit (these would not normally be available to a third-party
certification body auditor before the audit).
1. IT Service Management Manual
2. Records of service incidents, the CMDB (configuration management database), the KEDB (known error
database), etc.
3. Information gathered during interviews and observation of service management practices.
4. Internal IT service management audit reports, SLA review reports, service reports, etc.

Audit Meetings
There are four types of meetings that a Lead Auditor has to conduct:
1. Opening meeting
2. Daily Review meeting
3. Auditor’s meeting (normally just before the closing meeting)
4. Closing meeting.


Update on APMG scheme

Ref: RCB Terms & Conditions, January 2019 (https://apmg-international.com/product/iso-iec-20000).
Contact: servicedesk@apmgroup.co.uk or by phone to +44 (0) 1494 452 450.

6.3 Auditor Training and Competence Requirements
Before an RCB application can be approved, applicants are required to demonstrate that they have
at least two auditors who have attended an APMG-accredited ISO/IEC 20000 auditor training
course or equivalent and who have passed the associated examinations or have completed and
passed the APMG conversion assessment through attending an alternative accredited (e.g. IRCA
and PECB) ISO/IEC 20000 Auditor training course, holding a valid certificate plus the completion
of an APMG ISO/IEC 20000 Auditor interview.

It should be noted that no recognition shall be given for any training certificate that does not relate
to an ISO/IEC 20000 Auditor qualification (such as ITIL, ISO/IEC 27001 etc) or for any ISO/IEC
20000 Auditor training certificate issued through internal training within the RCB unless it is
recognised by an external accreditation body, such as IRCA and PECB.

RCBs are expected to retain a minimum of two ISO/IEC 20000 Auditors that meet the above
criteria under their control to ensure that all audits carried out in accordance with the APMG
Scheme are conducted by an APMG approved ISO/IEC 20000 Auditor.

6.4 The Register of RCBs
APMG maintains a Register of RCBs. This will be published at https://apmg-
international.com/product/iso-iec-20000 and will provide an optional facility for links to RCB’s
web sites.

6.5 Register of Certificates Issued
APMG will maintain a register of all certificates issued by RCBs. This will be published at
https://apmg-international.com/product/iso-iec-20000 and will specify the name and location/s of
the certified organisation, effective dates, and scope.

Certificated organisations have the right to withhold their information from public display within
the register. If they wish to do this then they must request this via their RCB who should then advise
APMG.


Annex 2: APMG/ISO 20000 Auditor Competency Requirements

No recognition should be given for any training certificate that does not relate to an ISO/IEC 20000
Auditor qualification (e.g. ITIL, ISO/IEC 27001, etc.)

No recognition should be given to an ISO/IEC 20000 Auditor training certificate issued through
internal training within the RCB unless it is recognized by an external accreditation body, such as
IRCA and PECB.

APMG RCBs shall ensure through their initial application review processes that the ISO/IEC 20000
Auditors assigned to audits under the APMG Scheme have been qualified through either:

- A direct route of completing an APMG ISO/IEC 20000 Auditor training course and holding a valid
certificate, or
- An indirect route of an alternative accredited (e.g. IRCA and PECB) ISO/IEC 20000 Auditor
training course and valid certificate plus the completion of an APMG ISO/IEC 20000 Auditor
examination and award of a valid certificate, or a conference call interview with a competence
evaluation.

APMG 7.2.4: All technical experts used on audits must have successfully completed the three-day
APMG accredited ISO/IEC 20000 Consultant training course or the APMG Auditor equivalent,
hold the associated certificate and have two years relevant IT service management experience, or
have completed and passed the APMG conversion assessment.

APMG 7.2.5: The following criteria shall be applied for each auditor in the ITSMS audit team. The
auditor shall have:
a) at least four years full time practical workplace experience in information technology, of which
at least two years in a role or function relating to IT Service Management;
b) successfully completed a minimum of a five day training programme on the subject of auditing
and audit management, two days of which shall have been an itSMF accredited ISO/IEC 20000
Auditor training course or the APMG equivalent, and hold the associated certificate;
c) prior to assuming responsibility for performing as an auditor, gained experience in the entire
process of assessing an ITSMS. This experience should have been gained by participation in a
minimum of two ITSMS assessments, including review of documentation and improvement
programmes, implementation assessment and audit reporting;
d) maintained their own knowledge and skill in auditing ITSMS.

Auditors performing as lead auditor shall additionally fulfil the following requirements:
1. have acted in the role of audit team leader in at least three ITSMS audits, under the direction
and guidance of an auditor competent as an audit team leader;
2. have demonstrated they possess adequate knowledge and attributes to manage the assessment
process.

Any variations to these pre-requisite levels shall be documented by the certification body e.g. for
personnel already qualified as auditors in a related discipline.


APMG 7.2.10: Auditors shall be able to demonstrate their knowledge and experience, as outlined
above, for example through:
a) recognized ITSMS-specific qualifications;
b) registration as an auditor;
c) approved ITSMS training courses;
d) up to date continual professional development records;
e) practical demonstration through witnessing auditors going through the ITSMS audit process on
real client systems;
f) at least annually recorded personal reviews and fee.

Annex 4: Criteria for Approving APMG ISO/IEC 20000 Lead Auditors and Auditors
ISO/IEC 20000-6:2017 Clause 7.2.1 (SM7.2.1, Competence of personnel involved in certification
activities) shall apply.

The following referenced documents are indispensable for the application of this section:
ISO/IEC 20000-1:2018
ISO/IEC 20000-2:2012
ISO/IEC 20000-3:2012
ISO/IEC 20000-10:2018

No recognition should be given for any training certificate that does not relate to an ISO/IEC 20000
Auditor qualification (e.g. ITIL, ISO/IEC 27001, etc.)

No recognition should be given to an ISO/IEC 20000 Auditor training certificate issued through
internal training within the RCB unless it is recognized by an external accreditation body, such as
IRCA and PECB.

APMG RCBs shall ensure through their initial application review processes that the ISO/IEC 20000
Auditors assigned to audits under the APMG Scheme have been qualified through either:

- A direct route of completing an APMG ISO/IEC 20000 Auditor training course and holding a valid
certificate, or

- An indirect route of an alternative accredited (e.g. IRCA and PECB) ISO/IEC 20000 Auditor
training course and valid certificate plus the completion of an APMG / ISO 20000 Auditor
examination and award of a valid certificate, or a conference call interview with a competence
evaluation.
