Increasing dependency on suppliers
As service providers depend increasingly on third parties to deliver the services their customers expect, the capability to manage those parties and to govern the overall network of suppliers grows correspondingly in importance. There has been a slow but steady adoption of the supplier management practices defined by ISO/IEC 20000. Unfortunately, that standard is not always well understood, especially in terms of the scope it covers. Any organization concerned with compliance with this standard must maintain a clear understanding of what it actually requires.
ISO/IEC 20000 references
ISO/IEC 20000 provides requirements and advice for supplier management in several documents:
- ISO/IEC 20000-1:2011, Service management system requirements
  – provides a definition of the term “supplier” (§3.35)
  – positions supplier processes as subject to governance by the service provider (§4.2)
  – names suppliers as recipients of the information security policy (§6.6.1)
  – defines a supplier management process, with various required practices (§7.2)
- ISO/IEC TR 20000-3:2011, Guidance on scope definition and applicability of ISO/IEC 20000-1
  – provides extended guidance on supply chains and on the scope of the service management system (SMS)
ISO/IEC 20000 does not concern all suppliers!
The casual reader of ISO/IEC 20000 may believe that this standard addresses the management and governance of all suppliers of a service provider. A more careful reading indicates, however, that the standard explicitly limits its requirements to those suppliers responsible for one or more service management processes or functions.
The first sentence of Part 1, §7.2, reads:
The service provider may use suppliers to implement and operate some parts of the service management processes.
Thus, the standard is concerned only with the suppliers of one or more service management processes. This is why the contract with the supplier “…shall contain or include reference to…b) dependencies between services, processes and the parties;…e) interfaces between service management processes operated by the supplier and other parties…”
Part 3 provides further information that eliminates any ambiguity. For example (§6.7.2):
The service provider is required to have governance of the processes operated by the “Direct supplier of services” if they wish to include the direct supplier’s processes in the scope statement.
When it discusses the role of a lead supplier in the supply chain, part 3
Finally, part 3 provides a set of scenarios to help define scope. Scenario 1 describes an internal service provider that has three external suppliers. However, these external suppliers “…do not supply services relevant to service management.” They are therefore placed outside the scope of the SMS. Scenario 2 makes this point crystal clear. It envisions a case similar to scenario 1, with the addition of a supplier (Supplier 1) that provides the service desk function to the service provider. Therefore, continues the document, “if the internal service provider can demonstrate governance of the processes that span the boundary between the service provider and Supplier 1, e.g. those used for incident management” then the internal service provider may be able to demonstrate conformity to ISO/IEC 20000-1. In order to do so, it must provide “evidence that the processes operated by the outsourced service desk function and the interfaces between processes are defined”. Scenario 3 only reconfirms the same point. It cites an example similar to Scenario 2 in which the external supplier (Supplier 2) provides application management services as well as the service desk function. However, “Application management services do not have to be included in the scope of service management to demonstrate conformity to ISO/IEC 20000-1.”
This concept of scoping may be astonishing to those who do not consider carefully the objective of ISO/IEC 20000. The standard has nothing to say about suppliers of IT services or goods per se. For example, virtually every IT service provider organization depends on one or more suppliers for wide area networking and Internet connectivity. It is unlikely that any service provider builds its own hardware, depending again on a series of suppliers. While many service providers do develop certain applications in house, all of them also license applications from third parties or use applications provided as a service. Indeed, we increasingly see the use of IaaS and PaaS, too. And yet none of these suppliers are covered by the ISO/IEC standard for service management. The supplier management process that the service provider is required to have is not specifically intended to manage any of these third parties.
And yet, this is perfectly understandable. ISO/IEC 20000 is simply not concerned with the delivery of IT services. It is only concerned with the system used to manage those services. In other words, ISO/IEC 20000 says nothing whatsoever about how to transport data, how to send an email from place to place, how to create a balance sheet or a profit and loss statement using a computer—all of them good and noble IT services. It is only concerned with the service management processes.
There is not, to my knowledge, any ISO standard specific to the management of all suppliers. To find a standard applicable to them all, one would have to look at generic quality systems, such as described in the ISO 9000 family of standards.
Simplified scope means simplified compliance
In conclusion, a clear understanding of the scope of supplier management in ISO/IEC 20000 may have a significant impact on the work involved in achieving conformity to its requirements. A typical IT service provider organization has a very large number of suppliers, in the hundreds if not the thousands. However, the number of suppliers executing one or more service management processes on behalf of the service provider will probably be very small. For each of those suppliers, the service provider is required to have a contract containing many required details, a designated supplier manager, and activities to manage the performance of the supplier.