Rationale
OV01.1 - Overview of ISO 20000, related best practices, standards and schemes
D
a)
Part 1 is a standard that specifies requirements; it does not provide guidance because
all requirements are mandatory. Part 5 provides guidance on how to implement an SMS.
Ref. PG 1.1 (or APMG 20k supp.2)
b)
ISO/IEC 20000 Part 2 describes the best practices for service management processes
within the scope of Part 1. Ref. 2PG 1.1 (or APMG 20k supp.2)
c)
Part 1 is a standard that specifies requirements; it does not provide guidance because
all requirements are mandatory. Ref. PG 1.1 (or APMG 20k supp.2)
d)
This is the description provided in the scope section of ISO/IEC 20000 Part 1. ISO/IEC
20000-1, 1.1 para 1
OV02.3 - Overview of ISO 20000, related best practices, standards and schemes
B
a)
ITIL was first published in the late 80s and as such pre-existed ISO/IEC 20000 (and BS
15000) by many years and so could not be based on ISO/IEC 20000. Although they
are related, neither ITIL nor ISO/IEC 20000 was based on the other. Ref. PG 3.5 para 2
(or APMG 20k supp 6.2 para 1)
b)
ITIL provides best practice advice for IT service management, whereas ISO/IEC 20000
specifies requirements for a service management system. Ref. PG 3.5 table row 1 (or
APMG 20k supp. 6.2)
c)
ITIL is independent of ISO/IEC 20000. Neither is contained in, or is a subset of, the
other. Ref. PG 3.5 para 2 (or APMG 20k supp 6.2 para 1)
d)
They are related; however, ITIL does not contain a service management system. Ref. PG
3.5 table row 7 (or APMG 20k supp. 6.2)
OV01.4 - Overview of ISO 20000, related best practices, standards and schemes
A
a)
The part 1 introduction explains how the use of PDCA and an integrated process
approach enables integrated management systems. ISO/IEC 20000-1, Introduction
b)
Although a service provider could be certified against all three, it is not necessary in
ensuring an effective IT service management system. The certification scheme does not
demand this. APMG 15/015
c)
ISO 9001 applies to quality management and ISO/IEC 27001 applies to information
security management. They could be used in some parts of an IT service provider
organization. There is nothing in the standard to tell us this is true. ISO/IEC 20000-1,
Introduction
d)
ISO 9001 is not mainly concerned with customer complaints, it is a general quality
management system standard. There is nothing in the standard to tell us this is true.
ISO/IEC 20000-1, Introduction
OV02.5 - Overview of ISO 20000, related best practices, standards and schemes
C
a)
RCBs must not give advice and guidance to a service provider as it would compromise
their independence during an audit. Ref. PG 2.3 (or APMG 20k supp. 4.2)
b)
Although the RCB would assess staff competence, it is not their main role, neither is it a
requirement for staff to be certified in ITIL. Ref. PG 2.3 (or APMG 20k supp. 4.2)
c)
RCBs assess the IT service provider against Part 1 of the standard to determine
conformance. Ref. PG 2.3 (or APMG 20k supp. 4.2)
d)
The administrator of the Certification Scheme does not engage RCBs and the RCB role
is to assess conformity. The administrator of the Certification Scheme is not told of any
non-conformities. Ref. PG 2.3 (or APMG 20k supp. 4.2)
OV02.4 - Overview of ISO 20000, related best practices, standards and schemes
D
a)
Information is held in the form of documents and records. Documents give evidence of
intentions, whereas records are evidence of activities. The service continuity plan is an
example of a document, not a record. ISO/IEC 20000-1, 3.8 and 3.22
b)
Information is held in the form of documents and records. Documents give evidence of
intentions, whereas records are evidence of activities. The capacity plan is an example
of a document, not a record. ISO/IEC 20000-1, 3.8 and 3.22
c)
Information is held in the form of documents and records. Documents give evidence of
intentions, whereas records are evidence of activities. A service level agreement is an
example of a document, not a record. ISO/IEC 20000-1, 3.8 and 3.22
d)
Information is held in the form of documents and records. Documents give evidence of
intentions, whereas records are evidence of activities. A service report is an example of
a record. ISO/IEC 20000-1, 3.8 and 3.22
OV01.5 - Overview of ISO 20000, related best practices, standards and schemes
D
a)
This defines an independent Registered Certification Body. Ref. PG 2.3 (or APMG 20k
supp. 4.2)
b)
c)
This refers to an external organization giving advice to a service provider. Ref. PG 2.3 (or
APMG 20k supp. 4.2)
d)
a)
The Deming Cycle is the common name for the Plan/Do/Check/Act methodology. Ref.
PG 3.2 (or APMG 20k supp. 3.2)
b)
The supply chain is the name for relationships between customers, the service provider
and suppliers. ISO/IEC 20000-1, figure 3
c)
The 4-step improvement methodology is a name which does not exist although the
PDCA cycle may be described in this way. Ref. PG 3.2 (or APMG 20k supp. 3.2)
d)
a)
There shall be a policy on continual improvement of both the SMS and services.
ISO/IEC 20000-1, 4.5.5.1
b)
There shall be a policy on continual improvement of both the SMS and services. ISO/IEC
20000-1, 4.5.5.1
c)
There shall be a policy on continual improvement of the SMS and services. ISO/IEC
20000-1, 4.5.5.1
d)
There are requirements that there shall be a policy on continual improvement of both the
SMS and services. ISO/IEC 20000-1, 4.5.5.1
OV02.2 - Overview of ISO 20000, related best practices, standards and schemes
B
a)
Incorrect because there are no guarantees stated within ISO/IEC 20000. ISO/IEC
20000-1, 1
b)
ISO/IEC 20000 Part 1 specifies the requirements for the service provider to plan,
establish, implement, operate, monitor, review, maintain and improve an SMS. ISO/IEC
20000-1, 1
c)
ISO/IEC 20000 specifies the WHAT, not the HOW. It does not refer to anything being
the best approach. ISO/IEC 20000-1, 1
d)
Part 1 specifies minimum requirements, not a level of quality to aspire to and does not
state that it is a quality benchmark. ISO/IEC 20000-1, 1
10
11
a)
The Registered Certification Body audits a service provider who wishes to be certified
under the APMG International ISO/IEC 20000 Certification Scheme. There is a specific
requirement for top management to conduct reviews. ISO/IEC 20000-1, 4.5.4.3
b)
There is a specific requirement for top management to conduct reviews. ISO/IEC 20000-1, 4.5.4.3
c)
The standard does not state that a consultancy organization shall review the service
management but is specific that top management shall conduct reviews. ISO/IEC
20000-1, 4.5.4.3
d)
Top management shall review the SMS and services at planned intervals. ISO/IEC
20000-1, 4.5.4.3
12
a)
This describes the objective of clause 5, design and transition of new or changed
services. Ref. PG 1.2 (or APMG 20k supp. 3.4)
b)
This only covers part of the overall process. It is performed as part of change
management. It is not the objective. Ref. PG 1.2 (or APMG 20k supp 3.4)
c)
This only covers part of the overall process. The costing is done as part of planning the
new or changed services. It is not the objective. Ref. PG 1.2 (or APMG 20k supp. 3.4)
d)
This only covers part of the overall process during transition. It is not the objective. Ref.
PG 1.2 (or APMG 20k supp 3.4)
SLAs shall include agreed service targets, workload characteristics and exceptions.
ISO/IEC 20000-1, 6.1
b)
SLAs shall include agreed service targets, workload characteristics and exceptions.
ISO/IEC 20000-1, 6.1
c)
SLAs shall include agreed service targets, workload characteristics and exceptions.
ISO/IEC 20000-1, 6.1
d)
SLAs shall include agreed service targets, workload characteristics and exceptions.
ISO/IEC 20000-1, 6.1
13
14
a)
The Standard states that business plans, SLAs and risks shall be taken into
consideration. This option can be ruled out because incident trend analysis can't be
used to determine requirements. Ref ISO/IEC 20000-1, 6.3.1
b)
The Standard states that business plans, SLAs and risks shall be taken into
consideration. This option is a list of possible constraints that may affect availability or
continuity but they won't help determine requirements. Ref ISO/IEC 20000-1, 6.3.1
c)
The Standard states that business plans, SLAs and risks shall be taken into
consideration. Ref ISO/IEC 20000-1, 6.3.1
d)
The Standard states that business plans, SLAs and risks shall be taken into
consideration. This option can be ruled out because supplier contracts are irrelevant. Ref
ISO/IEC 20000-1, 6.3.1
15
a)
Identity shall be included in the description of each service report documented and
agreed by the service provider and interested parties. Author may be useful but it is not
a requirement. ISO/IEC 20000-1, 6.2
b)
Identity shall be included in the description of each service report documented and
agreed by the service provider and interested parties. ISO/IEC 20000-1, 6.2
c)
Identity shall be included in the description of each service report documented and
agreed by the service provider and interested parties. Size of report may be useful but it
is not a requirement. ISO/IEC 20000-1, 6.2
d)
Identity shall be included in the description of each service report documented and
agreed by the service provider and interested parties. Format may be useful but it is not
a requirement. ISO/IEC 20000-1, 6.2
Testing of the service continuity and availability plans is part of the process
requirements, but not the overall objective. PG 1.2 (or APMG 20k supp. 3.3)
b)
This is an activity often associated with the process, but not the overall objective. PG
1.2 (or APMG 20k supp. 3.3)
c)
This is the objective described. The others may be part of the process requirements or
activities but not the overall objective. PG 1.2 (or APMG 20k supp. 3.3)
d)
This is part of the process requirements, but not the overall objective. The agreed
requirements for service continuity and availability shall take into consideration service
level agreements. PG 1.2 (or APMG 20k supp. 3.3)
16
17
a)
The service provider shall document, agree and implement information security controls
with these external organizations. Ref ISO/IEC 20000-1, 6.6.2
b)
The service provider shall document, agree and implement information security controls
with these external organizations. Ref ISO/IEC 20000-1, 6.6.2
c)
The service provider, not the lead supplier, shall document, agree and implement
information security controls with these external organizations. Ref ISO/IEC 20000,
6.6.2
d)
The service provider, not the business relationship manager, shall document, agree and
implement information security controls with these external organizations. Ref ISO/IEC
20000-1, 6.6.2
18
a)
Personnel performing the work shall be competent on the basis of appropriate education,
training, skill and experience. There is no mandatory requirement for all staff to have
formal training and qualifications. ISO/IEC 20000-1, 4.4.2
b)
Personnel performing the work shall be competent on the basis of appropriate education,
training, skill and experience. There is no mandatory requirement for senior staff to have
formal training and qualifications. ISO/IEC 20000-1, 4.4.2
c)
Personnel performing the work shall be competent on the basis of appropriate education,
training, skill and experience. ISO/IEC 20000-1, 4.4.2
d)
There is a specific requirement that personnel performing the work shall be competent
on the basis of appropriate education, training, skill and experience. ISO/IEC 20000-1,
4.4.2
Forecasts for future demand for services shall be included in a capacity plan. Ref
ISO/IEC 20000-1, 6.5
b)
Costs of service capacity upgrades shall be included in a capacity plan. Ref ISO/IEC
20000-1, 6.5
c)
Current demand for services shall be included in a capacity plan. Ref ISO/IEC 20000-1,
6.5
d)
Service level agreements are a specific type of document, and would not be included in
a capacity plan. (There may be some mention of service level targets and achievements
in a capacity plan, but these are not the same thing as a service level agreement). Ref
ISO/IEC 20000-1, 6.5
19
20
a)
The service requirements shall be included in the service management plans. Ref
ISO/IEC 20000-1, 4.5.2
b)
c)
The resource required for service management shall be included in the service
management plans. Ref ISO/IEC 20000-1, 4.5.2
d)
The technology used to support the SMS shall be included in the service management
plans. Ref ISO/IEC 20000-1, 4.5.2
21
a)
Frequency and type of releases is the only requirement for the release policy. ISO/IEC
20000-1, 9.3
b)
A release policy does not include service level targets. These are contained in SLAs,
not policies. ISO/IEC 20000-1, 9.3 and 6.1
c)
A release policy does not include the specific changes to be included in a release;
these are included in the release plan. ISO/IEC 20000-1, 9.3
d)
A release policy does not include specific back-out actions for a release; these are
included in the release plan. ISO/IEC 20000-1, 9.3
The service provider shall review the performance of services at planned intervals. There
is no requirement for monthly reviews. ISO/IEC 20000-1, 7.1
b)
The service provider shall review the performance of services at planned intervals. There
is no requirement for annual reviews. ISO/IEC 20000-1, 7.1
c)
The service provider shall review the performance of services at planned intervals.
ISO/IEC 20000-1, 7.1
d)
The service provider shall review the performance of services at planned intervals. There
is no requirement for reviews to be dependent on customer satisfaction results. ISO/IEC
20000-1, 7.1
22
23
a)
The lead supplier is responsible for managing its subcontracted suppliers. ISO/IEC
20000-1, 7.2
b)
The lead supplier is responsible for managing its subcontracted suppliers. The service
provider does not have a direct relationship with the sub-contractor. ISO/IEC 20000-1,
7.2
c)
The lead supplier is responsible for managing its subcontracted suppliers. The service
provider does not have a direct relationship with the sub-contractor. ISO/IEC 20000-1,
7.2
d)
The lead supplier is responsible for managing its subcontracted suppliers. The service
provider does not have a direct relationship with the sub-contractor. ISO/IEC 20000-1,
7.2
24
a)
b)
c)
d)
Top management shall ensure that a designated individual responsible for managing the
major incident is appointed. ISO/IEC 20000-1, 8.1
b)
The requirement within incident and service request management is that after the
agreed service has been restored, major incidents shall be reviewed to identify
opportunities for improvement. ISO/IEC 20000-1, 8.1
c)
The service provider shall document and agree with the customer the definition of a
major incident. ISO/IEC 20000-1, 8.1
d)
It is not a requirement to record the root cause when the incident is created. ISO/IEC
20000-1, 8.1
25
OV01.3 - Overview of ISO 20000, related best practices, standards and schemes
B
26
a)
There is no requirement for a service provider to use ITIL. ISO/IEC 20000 is intentionally
independent of specific guidance. ISO/IEC 20000-1, introduction
b)
c)
There is no requirement for the service provider to use best practice, or to be certified for
it. ISO/IEC 20000 is intentionally independent of specific guidance. ISO/IEC 20000-1,
introduction
d)
27
a)
b)
c)
d)
Problem management would identify the actions but change management would
process them. ISO/IEC 20000-1, 9.2
b)
c)
Service continuity and availability management will investigate any unplanned non-availability the error may cause but it will be change management that will correct the
error. ISO/IEC 20000-1, 9.2
d)
28
29
a)
Supplier management is not contained within the SMS general requirements. ISO/IEC
20000-1, 4
b)
Information security management is not contained within the SMS general requirements.
ISO/IEC 20000-1, 4
c)
Design and transition of new or changed services is not within the SMS general
requirements. ISO/IEC 20000-1, 4
d)
30
a)
b)
c)
d)
This is not a restriction imposed by ISO/IEC 20000. The requirement is that there shall
be a documented procedure to manage emergency changes. ISO/IEC 20000-1, 9.2
b)
This is not a requirement of ISO/IEC 20000. The requirement is that there shall be a
documented procedure to manage emergency changes. ISO/IEC 20000-1, 9.2
c)
This is not a requirement of ISO/IEC 20000. The requirement is that there shall be a
documented procedure to manage emergency changes. ISO/IEC 20000-1, 9.2
d)
31
32
a)
All processes and requirements must be met. There can be no exclusions. ISO/IEC
20000-1, 1.2
b)
All processes and requirements must be met. There can be no exclusions. ISO/IEC
20000-1, 1.2
c)
All processes and requirements must be met. There can be no exclusions. ISO/IEC
20000-1, 1.2
d)
All processes and requirements must be met. There can be no exclusions. ISO/IEC
20000-1, 1.2
33
a)
Supplier management is used when suppliers operate some parts of the service
management processes. An internal group is not a supplier; suppliers are external to
the organization. ISO/IEC 20000-1 7.2, 3.14, 3.35
b)
The service provider shall manage internal groups who are operating parts of the
processes through the service level management process. ISO/IEC 20000-1, 4.2.
c)
d)
Processes are evidence of intention but not a definition of the type of documents to be
produced at an audit. Documents that describe intent are required to be shown at an
audit. Process descriptions will be one such document. ISO/IEC 20000-1, 3.8 and 3.22,
PG 2.5, section on evidence (or APMG 20k supp. 7.3)
b)
Plans are evidence of intention but not a definition of the type of documents to be
produced at an audit. Documents that describe intent are required to be shown at an
audit. Plans will be one such document. ISO/IEC 20000-1, 3.8 and 3.22, PG 2.5,
section on evidence (or APMG 20k supp. 7.3)
c)
The two types of documentation required to be produced at an audit are those showing
evidence of intention and those that are records of achievement or activities performed.
ISO/IEC 20000-1, 3.8 and 3.22, PG 2.5, section on evidence (or APMG 20k supp. 7.3)
d)
Controls are evidence of intention but not a definition of the type of documents to be
produced at an audit. Documents that describe intent are required to be shown at an
audit. Controls will be one such document. ISO/IEC 20000-1, 3.8 and 3.22, PG 2.5,
section on evidence (or APMG 20k supp. 7.3)
34
OV02.1 - Overview of ISO 20000, related best practices, standards and schemes
C
35
a)
Wrong way around, other parts provide supporting advice, Part 1 contains mandatory
requirements. PG 1.1 (or APMG 20k supp. 2)
b)
Both Parts 1 and 2 align with ITIL. PG 3.5 para 2 (or APMG 20k supp. 6.2)
c)
The other parts provide supporting advice for Part 1 which is the only Part to contain
mandatory requirements. PG 1.1 (or APMG 20k supp. 2)
d)
The other parts provide supporting advice for Part 1 which is the only Part to contain
mandatory requirements. PG 1.1 (or APMG 20k supp. 2)
36
a)
The names of suppliers are not one of the factors to be included or considered for the
scope statement. ISO/IEC 20000-1, 4.5.1
b)
The geographical location(s) from which the service provider delivers the service and the
customer locations shall be considered when defining the scope. ISO/IEC 20000-1,
4.5.1
c)
As all processes in ISO/IEC 20000-1 are required in the scope with no exclusions, there
is no need to specify which processes are in the scope. ISO/IEC 20000-1, 4.5.1 and
1.2
d)
b)
This will not make an organization ineligible for ISO/IEC 20000 certification provided the
service provider can demonstrate governance of processes operated by the data centre
provider. ISO/IEC 20000-1, 4.2, ISO/IEC 20000-3, 5.2 (or PG 2.4.2, paragraph on
Governance of processes)
c)
There is no reason why the service desk must remain in-house provided the service
provider can demonstrate governance of processes operated by the service desk
provider. ISO/IEC 20000-1, 4.2, ISO/IEC 20000-3, 5.2 (or PG 2.4.2, paragraph on
Governance of processes)
d)
This will not make an organization ineligible for ISO/IEC 20000 certification provided the
service provider can demonstrate governance of processes operated by the data centre
provider. ISO/IEC 20000-1, 4.2, ISO/IEC 20000-3, 5.2 (or PG 2.4.2, paragraph on
Governance of processes)
37
38
a)
Any auditor can identify observations and non-conformities. PG 2.7 (or APMG 20k
supp. 7.1)
b)
An observation is a recommendation for potential improvement and cannot lead to non-certification. They can be noted by internal or external auditors and are different from
non-conformities because they are not mandatory to be remedied. PG 2.7 (or APMG
20k supp. 7.1)
c)
d)
39
a)
Certificates are valid for three years. PG 2.5 (or APMG 20k supp. 7.2)
b)
Certificates are valid for three years. PG 2.5 (or APMG 20k supp. 7.2)
c)
Certificates are valid for three years. PG 2.5 (or APMG 20k supp. 7.2)
d)
Certificates are valid for three years. PG 2.5 (or APMG 20k supp 7.2)
Recertification audits are required to be carried out every three years. PG 2.5 (or APMG
20k supp. 7.2)
b)
There are no requirements concerning a gap analysis audit. PG 2.5 (or APMG 20k supp.
7.2)
c)
d)
An RCB could not carry out an internal audit. PG 2.5 (or APMG 20k supp. 7.2)
40
The service provider conducts the internal audit; the RCB conducts the surveillance and
re-certification audits. ISO/IEC 20000-1, 4.5.4.2, PG 2.5 (or APMG 20k supp. 7.2)
b)
The RCB conducts both the surveillance and re-certification audits. The service provider
conducts the internal audits. ISO/IEC 20000-1, 4.5.4.2, PG 2.5 (or APMG 20k supp.
7.2)
c)
The service provider conducts the internal audit, the RCB conducts the surveillance and
re-certification audits. ISO/IEC 20000-1, 4.5.4.2, PG 2.5 (or APMG 20k supp. 7.2)
d)
The service provider conducts the internal audit, not the customer. ISO/IEC 20000-1,
4.5.4.2, PG 2.5 (or APMG 20k supp. 7.2)