• Skip to main content
  • Skip to primary sidebar

This view of service management...

On the origin and the descent of managing services. We put meat on the bones.

  • Kanban eLearning
  • Services
    • Kanban Software Solutions
    • Consulting & Coaching
    • Training and Seminars
  • Posts
  • Events
    • Events – Agenda View
    • Events – Calendar View
    • International Service Management Calendar
  • Publications
    • Our Publications
    • Notable Publications
    • Quotes
  • About us

Supplier Management according to ISO/IEC 20000

15 December 2012 by Robert Falkowitz 6 Comments

Increasing dependency on suppliers

As we depend increasingly on third parties to provide to our customers the services they expect, the capability of a service provider to manage those parties and govern the overall network of suppliers increases in importance proportionally. There has been a slow, but steady, adoption of practices as defined by ISO/IEC 20000 for managing suppliers. Unfortunately, that standard is not always well understood, especially in terms of the scope that it covers. Any organization concerned with compliance with this standard must maintain a clear understanding of what it requires.

ISO/IEC 20000 references

ISO/IEC 20000 provides requirements and advice for supplier management in several documents:

  • ISO/IEC 20000-1:2011, Service management system requirements
    – provides a definition for the term “supplier” (§3.35)
    – it positions supplier processes as subject to governance by the service provider (§4.2)
    – it names suppliers as the recipient of the information security policy (§6.6.1)
    – it defines a supplier management process, with various required practices (§7.2)
  • ISO/IEC TR 20000-3:2011, Guidance on scope definition and applicability of ISO/IEC 20000-1, provides extended guidance on supply chains and the scope of the service management system.

ISO/IEC 20000 does not concern all suppliers!

The casual reader of ISO/IEC 20000 may believe that this standard addresses the management and governance of all suppliers of a service provider. A more careful reading indicates, however, that the standard explicitly limits its requirements to those suppliers responsible for one or more service management processes or functions.

The first sentence of Part 1, §7.2, reads:

The service provider may use suppliers to implement and operate some parts of the service management processes.

Thus, the standard is concerned only with the suppliers of one or more service management processes. This is why the contract with the supplier “…shall contain or include reference to…b) dependencies between services, processes and the parties;…e) interfaces between service management processes operated by the supplier and other parties…”

Part 3 provides further information that eliminates any ambiguity. For example (§6.7.2):

The service provider is required to have governance of the processes operated by the “Direct supplier of services” if they wish to include the direct supplier’s processes in the scope statement.

When it discusses the role of a lead supplier in the supply chain, part 3

Finally, part 3 provides a set of scenarios to help define scope. Scenario 1 describes an internal service provider that has three external suppliers. However, these external suppliers “…do not supply services relevant to service management.” They are therefore put outside the scope of the SMS. Scenario 2 makes this point crystal clear. It envisions a case similar to scenario 1, with the addition of a supplier (Supplier 1) that provides the service desk function to the service provider. Therefore, continues the document, “if the internal service provider can demonstrate governance of the processes that span the boundary between the service provider and Supplier 1, e.g. those used for incident management” then the internal service provider may be able to demonstrate conformity to ISO/IEC 20000-1. In order to so, it must provide “evidence that the processes operated by the outsourced service desk function and the interfaces between processes are defined”. Scenario 3 only reconfirms the same point. It cites an example similar to Scenario 2 where the external supplier (Supplier 2) provides application management services as well as the service desk function.   However, “Application management services do not have to be included in the scope of service management to demonstrate conformity to ISO/IEC 20000-1.”

This concept of scoping may be astonishing for those who do not consider carefully the objective of ISO/IEC 20000. The standard has nothing to say about suppliers of IT services or goods, per se. For example, virtually every IT service provider organization depends on one or more suppliers for wide area networking and Internet connectivity. It is unlikely that any service provider builds its own hardware, depending again on a series of suppliers. While many service providers do develop certain applications in house, all of them also license applications from third parties, or use applications provided as a service. Indeed, we increasingly see the use of IaaS and PaaS, too. And yet, none of these suppliers are covered by the ISO/IEC standard for service management. The supplier management process that the service provider is required to have is not specifically intended to manage any of these third parties.

And yet, this is perfectly understandable. ISO/IEC 20000 is simply not concerned with the delivery of IT services. It is only concerned with the system used to manage those services. In other words, ISO/IEC 20000 says nothing whatsoever about how to transport data, how to send an email from place to place, how to create a balance sheet or a profit and loss statement using a computer—all of them good and noble IT services. It is only concerned with the service management processes.

There is not, to my knowledge, any ISO standard specific to the management of all suppliers. To find a standard applicable to them all, one would have to look at generic quality systems, such as described in the ISO 9000 family of standards.

Simplified scope means simplified compliance

In conclusion, a clear understanding of the scope of supplier management in ISO/IEC 20000 may have a significant impact on the work involved in achieving conformity to its requirements. A typical IT service provider organization has a very large number of suppliers, in the hundreds if not the thousands. However, the number of suppliers executing one or more service management processes for the account of the service provider will probably be very small. For each of those suppliers, the service provider is required to have a contract containing many required details, a designated supplier manager and activities to manage the performance of the supplier.

Summary
Article Name
Supplier Management according to ISO/IEC 20000
Description
The scope of supplier management according to ISO/IEC 20000 is largely misunderstood. However, that standard should probably change how it understands that scope.
Author
Robert S. Falkowitz
Publisher Name
Concentric Circle Consulting
Publisher Logo
Concentric Circle Consulting

Filed Under: Supplier management Tagged With: ISO/IEC 20000, scope, supplier management

Subscribe to our mailing list

Click here to be the first to learn of our events and publications
  • Email
  • Facebook
  • LinkedIn
  • Phone
  • Twitter
  • xing
  • YouTube

Reader Interactions

Comments

  1. ISO/IEC 20000 Documents ProceduresISO/IEC 20000 Documents Procedures says

    19 May 2014 at 13:54

    Very good post, I was really searching for this topic, as I wanted this topic to understand completely and it is also very rare in internet, that is why it was very difficult to understand.

    Reply
    • Robert FalkowitzRobert Falkowitz says

      19 May 2014 at 14:42

      I think the difficulty comes from the fact that although the various parts of ISO 20000 are very explicit, it is hard for many to believe that what is said there is what is really needed.

      Reply
  2. ISO 20000 ConsultantISO 20000 Consultant says

    21 May 2014 at 14:02

    Hi there! great post. Thanks for sharing some very interesting and informative content it is a big help to me as well, keep it up!!!

    Reply
  3. ISO 20000 Consultant in HKISO 20000 Consultant in HK says

    23 February 2016 at 05:30

    Hello Robert, thx for the post! I am the process owner of Supplier Management in my organisation. As no supplier is here for executing one of the service management processes (all of them are only hardware / software vendors), so isn’t it true that we actually don’t require a supplier management process but still can make my service management system conform to the ISO 20000 standard?

    Reply
    • Robert FalkowitzRobert Falkowitz says

      23 February 2016 at 12:04

      That’s a very interesting question. If your objective is conformity, without a formal compliance audit, then I would say, “sure, no problem.” But if you need to be certified as compliant with ISO20000, then it might be very difficult to convince the auditor that you do not need such a process. There are two reasons for this. First, that fact that you might not have outsourced any service management activities today does not mean that you will not do so tomorrow. Second, I suspect that the many, many people misunderstand the scope of application of supplier management according to ISO20000. They probably think it covers all suppliers to the IT service provider, which is certainly not what it says in the standard or in the complimentary explanations.

      Whether or not ISO20000 should include all IT suppliers within its scope is a different issue. I rather think that it would be very useful to do so and I have received a concurring opinion from one of the original authors of the standard. But we should base our understanding, not on what we think the standard ought to have said, but on what it really does say.

      Reply
      • RichardRichard says

        9 January 2019 at 21:30

        It seems the best approach is to implement Supplier Mgmt for all suppliers, but include in the scope of your ISO20000 program only “those suppliers responsible for one or more service management processes or functions.” An unnecessary increase in scope = increased risk of a non-conformity.

        Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Primary Sidebar

Kanban eLearning

Kanban training online

Recent Posts

  • The role of the problem manager
  • The Three Indicators
  • Visualization of Configurations

Tag Cloud

process change control adaptive case management service request value ITSM Incident Management knowledge work priority impact value stream process definition lean kanban board lead time cause flow flow efficiency Cost of Delay automation incident service manager problem knowledge management risk manifesto for software development leadership tools ITIL bias rigidity agile resource liquidity lean management change management kanban waste urgency manifesto incident management tools
  • Kanban eLearning
  • Services
  • Posts
  • Events
  • Publications
  • Subscribe
  • Rights & Duties
  • Personal Data

© 2014–2022 Concentric Circle Consulting · All Rights Reserved.
Concentric Circle Consulting Address
Log in

This site uses cookies . You accept those cookies when you continue to use this site. Cookie policyAllow cookiesNo 3rd party non-functional cookiesCookie policy
You can revoke your consent any time using the Revoke consent button.Change cookie settings