Take the ISO 27001 course exam and get the EU GDPR course exam for free
LIMITED-TIME OFFER – VALID UNTIL SEPTEMBER 30, 2021
ISO-20000-ITIL-blog

ISO 20000 & ITIL® Blog

How to perform ISO 20000 training and awareness

Although training belongs among the logical activities in every contemporary organization, ISO standards don’t leave that topic to the organization’s (free) judgement. ISO 20000 is not an exception – there is a direct requirement related to personnel (involved in the SMS – Service Management System) competence. Further on, skilled personnel is not the only requirement. Awareness (of how they contribute to the achievement of service management objectives, as well as fulfillment of service requirements) is something that the standard strongly requires, so let’s see how to approach training and awareness inside the organization.

The standard’s requirements

Basically, when thinking about training and awareness for your SMS – there is no need to start from scratch. Namely, ISO 20000 sets pretty clear requirements. So, in section 4.4.2 of the standard, there are requirements to:

  • determine the necessary competence for personnel – there are various processes in the scope of the SMS, which significantly differ one from another. Therefore, it’s necessary to define competences (i.e., subject matter knowledge, expertise, skills, experience…) required for a particular role (e.g., the Service Level Manager needs certain skills in order to fulfill his tasks efficiently).
  • ensure that necessary competence is achieved – this is a direct requirement to provide training, or some other methodology, in order to achieve the necessary competence.
  • evaluate – so, you defined what is required (which competences are needed and what you need to do to achieve them), you did all that was necessary to achieve the required competences, and now you need to evaluate whether all this achieved the required results (and what to do if not).
  • raise awareness – in addition to being aware of their obligation, the personnel also need to know how they contribute to the service outcomes.
  • document – to prove what you did, records on education, training, achieved skills, and people’s experience must be kept.


How to perform trainings

As you can see, gaining the required knowledge is crucial for the successful operation of the SMS. Fortunately, these days there are a lot of opportunities to gain the necessary knowledge:

  • Courses – there are a variety of course providers offering trainings on different levels (e.g., foundation, internal auditor, lead auditor, etc.). Adapt the trainings that are offered to your requirements in such a way that you will send different people to different levels of the trainings. Training can be in-house (delivered on your premises, by your own experts or by external trainers/consultants) or public (offered by a training institution on their premises).
  • E-learning – the popularity of web-based trainings is increasing. It could be difficult to discipline training attendees to sit in the office and participate in the training, but it certainly offers the convenience of gaining the necessary knowledge without leaving the office.
  • Literature – there are many books written on the topic of ISO 20000 implementation. This gives you an opportunity to make the best choice according to your needs. Additionally, ITIL, as an IT Service Management (ITSM) best practice framework, offers excellent guidance for the implementation of most of the ISO 20000 requirements.
  • Expert groups – the Internet offers many places where experts share and exchange their opinions. These are usually discussion groups on certain forums. It is important not to be afraid to ask anything you need to resolve, as well as to participate and help others with your own expertise, knowledge, and experience. The advantage of such groups is that people who participate have practical experience, and the information you get is coming from real life.

How to raise awareness

Having competent people is usually not enough, when we talk about an SMS. This is true from the point of view of the standard, i.e., its requirements, as well as from a practical point of view. What you need is to raise awareness in the scope of your ITSM organization in order to ensure that all your employees (at least those important for the SMS) are engaged in the daily life of the SMS.

Here are a few examples of how to raise awareness:

  • Info sessions – gather all needed people and refresh some of the SMS-related topics. That doesn’t have to be the complete ISO 20000, but only part of it. In your next info session – some other part. I assume you get the point.
  • Newsletter – send a newsletter at regular intervals. The newsletter can be IT (in general) related, but it could also be SMS specific.
  • Intranet – that’s an excellent (and relatively cheap) solution to provide SMS-related content. You can put some reports (in order for your Intranet portal to be more lively), or customer feedback. In such a way, people will get feedback from the real world and raise awareness about the effects that your SMS produces.
  • E-mail – info e-mails are an easy and efficient way to convey messages. You can, for example, choose some important topic relevant for your SMS, or something that is repeatedly done wrong by many employees (e.g., avoiding a call to the Service Desk to open an incident), and communicate with all employees in your organization.
  • Best practice sessions – based on your organization’s own, and other organizations’ experience. Create white papers or info sessions where success stories will be presented. That could be your own stories or from other companies.
  • Integrate people in the SMS implementation – implementation of the SMS is your chance to engage people from the beginning. Give them tasks in documentation creation or process set-up. In such a way, they will feel like a part of things right from the beginning.

It’s hard to say which methodology is best. I would say – none, but rather a mixture of several of them. Which ones? Well, that depends on your organization, but particularly on your people.

How do you prove it works?

Records of education, training, skills, and experience are, according to ISO 20000, mandatory. But, that’s just the forms, the material for the auditor. The other question is – does the level of knowledge, as well as the awareness, satisfy the requirements that the SMS must fulfill? If you want to be clear about the answer – go inside the organization. Talk to the people, look at what they do and how they fulfill their jobs, talk to the users of the service … these are just examples of direct inputs of how the SMS works, having in mind that people are in the background of every task that is performed.

Having skilled personnel who are aware of their contribution to the SMS and how the SMS fulfills its requirements should not be just a formality. After all, customers are the ones who judge how skilled and dedicated your people are. It’s better that you think about that before negative feedback arrives.

To help you establish good security practices within your company, try these free 25 security awareness training videos.

Advisera Branimir Valentic
Author
Branimir Valentic
Branimir is an expert in IT service management (consultancy, training and tools), IT governance (training and consulting), project management and consultancy in IT and telecommunication. He holds the following certificates: ITIL Expert, ISO 20000, ISMS Lead Auditor and PRINCE2.