
This view of service management...

On the origin and the descent of managing services. We put meat on the bones.


Supplier Management according to ISO/IEC 20000

15 December 2012 by Robert Falkowitz

Increasing dependency on suppliers

As we depend increasingly on third parties to provide to our customers the services they expect, the capability of a service provider to manage those parties and govern the overall network of suppliers increases in importance proportionally. There has been a slow, but steady, adoption of practices as defined by ISO/IEC 20000 for managing suppliers. Unfortunately, that standard is not always well understood, especially in terms of the scope that it covers. Any organization concerned with compliance with this standard must maintain a clear understanding of what it requires.

ISO/IEC 20000 references

ISO/IEC 20000 provides requirements and advice for supplier management in several documents:

  • ISO/IEC 20000-1:2011, Service management system requirements
    – provides a definition for the term “supplier” (§3.35)
    – positions supplier processes as subject to governance by the service provider (§4.2)
    – names suppliers as recipients of the information security policy (§6.6.1)
    – defines a supplier management process, with various required practices (§7.2)
  • ISO/IEC TR 20000-3:2011, Guidance on scope definition and applicability of ISO/IEC 20000-1, provides extended guidance on supply chains and the scope of the service management system.

ISO/IEC 20000 does not concern all suppliers!

The casual reader of ISO/IEC 20000 may believe that this standard addresses the management and governance of all suppliers of a service provider. A more careful reading indicates, however, that the standard explicitly limits its requirements to those suppliers responsible for one or more service management processes or functions.

The first sentence of Part 1, §7.2, reads:

The service provider may use suppliers to implement and operate some parts of the service management processes.

Thus, the standard is concerned only with the suppliers of one or more service management processes. This is why the contract with the supplier “…shall contain or include reference to…b) dependencies between services, processes and the parties;…e) interfaces between service management processes operated by the supplier and other parties…”

Part 3 provides further information that eliminates any ambiguity. For example (§6.7.2):

The service provider is required to have governance of the processes operated by the “Direct supplier of services” if they wish to include the direct supplier’s processes in the scope statement.

When it discusses the role of a lead supplier in the supply chain, part 3

Finally, part 3 provides a set of scenarios to help define scope. Scenario 1 describes an internal service provider that has three external suppliers. However, these external suppliers “…do not supply services relevant to service management.” They are therefore put outside the scope of the SMS. Scenario 2 makes this point crystal clear. It envisions a case similar to scenario 1, with the addition of a supplier (Supplier 1) that provides the service desk function to the service provider. Therefore, continues the document, “if the internal service provider can demonstrate governance of the processes that span the boundary between the service provider and Supplier 1, e.g. those used for incident management” then the internal service provider may be able to demonstrate conformity to ISO/IEC 20000-1. In order to do so, it must provide “evidence that the processes operated by the outsourced service desk function and the interfaces between processes are defined”. Scenario 3 only reconfirms the same point. It cites an example similar to Scenario 2 where the external supplier (Supplier 2) provides application management services as well as the service desk function. However, “Application management services do not have to be included in the scope of service management to demonstrate conformity to ISO/IEC 20000-1.”

This concept of scoping may be astonishing for those who do not consider carefully the objective of ISO/IEC 20000. The standard has nothing to say about suppliers of IT services or goods, per se. For example, virtually every IT service provider organization depends on one or more suppliers for wide area networking and Internet connectivity. It is unlikely that any service provider builds its own hardware, depending again on a series of suppliers. While many service providers do develop certain applications in house, all of them also license applications from third parties, or use applications provided as a service. Indeed, we increasingly see the use of IaaS and PaaS, too. And yet, none of these suppliers are covered by the ISO/IEC standard for service management. The supplier management process that the service provider is required to have is not specifically intended to manage any of these third parties.

And yet, this is perfectly understandable. ISO/IEC 20000 is simply not concerned with the delivery of IT services. It is only concerned with the system used to manage those services. In other words, ISO/IEC 20000 says nothing whatsoever about how to transport data, how to send an email from place to place, how to create a balance sheet or a profit and loss statement using a computer—all of them good and noble IT services. It is only concerned with the service management processes.

There is not, to my knowledge, any ISO standard specific to the management of all suppliers. To find a standard applicable to them all, one would have to look at generic quality systems, such as described in the ISO 9000 family of standards.

Simplified scope means simplified compliance

In conclusion, a clear understanding of the scope of supplier management in ISO/IEC 20000 may have a significant impact on the work involved in achieving conformity to its requirements. A typical IT service provider organization has a very large number of suppliers, in the hundreds if not the thousands. However, the number of suppliers executing one or more service management processes for the account of the service provider will probably be very small. For each of those suppliers, the service provider is required to have a contract containing many required details, a designated supplier manager and activities to manage the performance of the supplier.

Summary
Article Name
Supplier Management according to ISO/IEC 20000
Description
The scope of supplier management according to ISO/IEC 20000 is largely misunderstood. However, that standard should probably change how it understands that scope.
Author
Robert S. Falkowitz
Publisher Name
Concentric Circle Consulting

Filed Under: Supplier management Tagged With: ISO/IEC 20000, scope, supplier management


Comments

  1. ISO/IEC 20000 Documents Procedures says

    19 May 2014 at 13:54

    Very good post, I was really searching for this topic, as I wanted this topic to understand completely and it is also very rare in internet, that is why it was very difficult to understand.

    • Robert Falkowitz says

      19 May 2014 at 14:42

      I think the difficulty comes from the fact that although the various parts of ISO 20000 are very explicit, it is hard for many to believe that what is said there is what is really needed.

  2. ISO 20000 Consultant says

    21 May 2014 at 14:02

    Hi there! great post. Thanks for sharing some very interesting and informative content it is a big help to me as well, keep it up!!!

  3. ISO 20000 Consultant in HK says

    23 February 2016 at 05:30

    Hello Robert, thx for the post! I am the process owner of Supplier Management in my organisation. As no supplier is here for executing one of the service management processes (all of them are only hardware / software vendors), so isn’t it true that we actually don’t require a supplier management process but still can make my service management system conform to the ISO 20000 standard?

    • Robert Falkowitz says

      23 February 2016 at 12:04

      That’s a very interesting question. If your objective is conformity, without a formal compliance audit, then I would say, “sure, no problem.” But if you need to be certified as compliant with ISO20000, then it might be very difficult to convince the auditor that you do not need such a process. There are two reasons for this. First, the fact that you might not have outsourced any service management activities today does not mean that you will not do so tomorrow. Second, I suspect that many, many people misunderstand the scope of application of supplier management according to ISO20000. They probably think it covers all suppliers to the IT service provider, which is certainly not what it says in the standard or in the complementary explanations.

      Whether or not ISO20000 should include all IT suppliers within its scope is a different issue. I rather think that it would be very useful to do so and I have received a concurring opinion from one of the original authors of the standard. But we should base our understanding, not on what we think the standard ought to have said, but on what it really does say.

      • Richard says

        9 January 2019 at 21:30

        It seems the best approach is to implement Supplier Mgmt for all suppliers, but include in the scope of your ISO20000 program only “those suppliers responsible for one or more service management processes or functions.” An unnecessary increase in scope = increased risk of a non-conformity.
