See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/261099939

IT Services Management and ISO 20000: A Case Study in an IT Remote Support

Company

Article  in  Management · February 2014

DOI: 10.5923/j.mm.20140402.02

CITATIONS READS

3 10,086

4 authors, including:

José Gabriel Peixoto Rodrigues Henrique Rego Monteiro da Hora

CTIS Instituto Federal de Educação, Ciência e Tecnologia Fluminense (IFF)
2 PUBLICATIONS   5 CITATIONS    302 PUBLICATIONS   605 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Decision in a Learning Environment View project

Estudo exploratório da eficiência partidária na Câmara dos Deputados Federais usando Análise Envoltória de Dados View project

All content following this page was uploaded by Henrique Rego Monteiro da Hora on 27 March 2014.

The user has requested enhancement of the downloaded file.

Management 2014, 4(2): 38-49
DOI: 10.5923/j.mm.20140402.02

IT Services Management and ISO 20000: A Case Study in

an IT Remote Support Company
Charlene da Silva Leite, José Gabriel Peixoto Rodrigues, Tatiana da Silva Sousa,
Henrique Rego Monteiro da Hora*

Post graduation in Production and Systems, Fluminense Federal Institute (IFF), Campos dos Goytacazes, RJ, Brazil

Abstract There is an increasing demand for quality on the market, especially when the approach is related to IT which is
a dynamic area and more important to companies each day. This paper was elaborated with the objective to describe relevant
information to the NBR ISO/IEC 20000-1 certification process based on the experience of the company CJHT in the area of
Remote Support to the user. The methodology used is classified as qualitative in which, through a documental research,
criticisms were made regarding the implementation process. At the end of the article, there is an analysis of the benefits
versus the employed effort coming to the conclusion that there are benefits for the organization and its collaborators.
Moreover, the main difficulties found in the certification process were reported.
Keywords Certification, IT services management, ISO 20000, ITIL

The Project was circulated in National Consultation

1. Introduction following edictal 12, dated Nov. 21, 2007, under Project
number 21:007.25-001/1. Adoption identical to ISO/IEC
The NBR ISO/IEC 20000 series distinguishes the best 20000-1:2005 regarding technical content, structure and
processes practices, which do not depend on the composing, elaborated by the Technical Committee of
organizational format, size, organization names or its Information Technology (ISO/IEC JTC 1).
structure. It is applicable to both the large or small-sized Information Technology companies are increasingly more
services supplier, besides the requirements of best practices interested in implementing the NBR ISO 20000 standard,
of services processes do not change according to the especially those which focus on providing IT services. Such
organization format [1]. providers seek flexibility so they are able to rapidly respond
The coordinated implementation and integration of the to the changes in both the competition and the market. The
service management processes provide continuous control, ISO/IEC 20000 emerges in this context as a differentiation
greater efficiency and opportunities of continuous alternative in the IT Services Management market (ITSM).
improvement. Perform activities and processes require that
people be well organized and coordinated. Appropriate tools
are also necessary to ensure effective and efficient, according
to the ISO - International Organization for Standardization
[1].
The Brazilian Association of Technical Standards (ABNT)
is the National Standardization Venue. The Brazilian
Standards are elaborated by Study Commissions (CE)
composed by representatives from the involved sectors,
namely: producers, consumers and neutrals (university,
laboratory and others).
According to ABNT [2] the NBR ISO/IEC 20000-1 was
elaborated in the Brazilian Committee of Computers and Figure 1. Relation among ISO 9001, ISO 20000 and ISO 27001 [4]
Data Processing (ABNT/CB-21), by the Commission of
According to Santos and Campos [3], this standard has
Information Technology Operation Study (CE-21:007.25).
aspects related to the NBR ISO 9001, which can be worked
in an efficient way by the companies aiming at reducing time
* Corresponding author:
henrique.dahora@iff.edu.br (Henrique Rego Monteiro da Hora) and cost while increasing quality in its achievement and
Published online at http://journal.sapub.org/mm maintenance. Figure 1 shows the relation among standards,
Copyright © 2014 Scientific & Academic Publishing. All Rights Reserved being ISO 9001 the implementation foundation for the other
 Management 2014, 4(2): 38-49 39

standards, because it defines requirements which assure the application to specific problems [8].
quality of the product/service focusing on customer’s The approach is classified as qualitative in the data
satisfaction. ISO 27001 is the standard for information collection, analysis and implementation, for being
security which has requirements which assure reliability, descriptive and both the process and its significance are the
availability and integrity of the client’s data. Neither is main focus of the approach [8].
mandatory, however they do facilitate the implementation of In relation to the procedure methods, this research uses
the IT management in the organization, as described on item action-research when conceived and performed in close
3.5 of this article. association with an action or with the solution of a collective
The justification of this research is based on the relevance problem. The researchers and participants that are
of a case study of the implementation of one of the main representative to the situation or the problem are involved in
international standard in information technology, namely a cooperative or participative way [8]. The documental
ISO 20000. Due to the importance of the certification, research is also used in the files of the object of study and the
numerous companies in the world have already achieved single case study [9].
such seal of quality and other ones are in the implementation
process. In 2008 there were 339 organizations with ISO 2.2. Methodological Research
20000, led by Japan with 48 certified companies, followed The researches with descriptions of the implementation of
by India with 40 and then China with 34. Since this is a the NBR ISO/IEC 20000 standard are scarce especially
recent subject, there is a lack of academic contributions in because there are few companies dedicated to such
the area which can contribute to the view of such integration certification. However, it is possible to verify descriptions
and the final results [3]. about the implementation of other standards, such as the
According to APM Group [5] few companies have the NBR ISO 9001.
ISO/IEC 20000 certificate in Brazil, among which we may Paes, Hora and Valdiviezo [10] reported the certification
mention: process of a basic sanitation company, comparing quantity of
• Asyst Sudamerica – Data Processing Specialized Work Instructions and managerial information systems used.
Service S/C Ltd; Walter [11] discusses the certification process of the same
• T-Systems do Brasil Ltda; standard, but unlike the above mentioned authors, he does
• HP Service Brasil; not directly report the benefits, but the process itself,
• CPM Braxis - Global Operating Center. indicating the paths taken, documents created and necessary
Still according to the APM Group [6], achieving ISO/IEC trainings.
20000 certification demonstrates to other organizations,
2.3. Technical Procedures
suppliers, customers, staff, partners and industry bodies that
the service provider company is a qualified, suitable supplier, In order to reach the research objective, a documental
once the company proofs they have shown they have research is performed in the company, seeking the
practices, procedures and management system controls in descriptions of the implementation. The use of
place to ensure services are provided effectively with action-research, where the researcher is part of the object of
customer satisfaction at the core. study, allows the authors to report their perceptions
Sixty to ninety percent of a total cost in IT ownership regarding the implementation process, because they played
comes from managing processes and developing disciplines an active role during the research.
for such [7], therefore it indicates its importance and the The results are analyzed both critically and qualitatively,
reason why researchers dedicate time and work investigating indicating the critical points of the process so to support
IT management. future implementations.
The objective of this article is to describe the NBR
ISO/IEC 20000-1 certification process in an information 2.4. Results Analysis
technology company, emphasizing the difficulties. The The reports obtained though action-research are critically
company name is omitted due to industrial secrecy, but there analyzed in order to evidence the imperfections in the
was entire collaboration to the research. The company is implementation and elaborate a directing text with the most
referred to by the pseudonym CJHT. critical points of the implementation process.

2. Research Methodology and Strategy 3. IT Services Management

2.1. Research Classification The implementation of IT services management, NBR
The adopted strategy to reach the proposed objective is the ISO/IEC 20000-1, requires knowledge in both data
single case analysis, classified as applied research regarding processing and management. For that, the best IT
its nature, because it generates knowledge from the practical Governances practices are used, such as ITIL and COBIT.
40 Charlene da Silva Leite et al.: IT Services Management and ISO 20000:
A Case Study in an IT Remote Support Company

Incidents Management, Problems Management,

3.1. IT Governance Practices
Configurations Management, Change Management and
According to ISACA [12], the IT Governance is a Release Management;
structure of relationships and process to direct and control • Service Provision (Service Management) – Covers
the company in order to reach its objectives by value addition the service the business demands the supplier to provide
at the same time as it balances risks and incomes regarding adequate support to the corporate users. Comprehends
IT and its processes. Capacity Management, Financial Management for IT
There are many models or patterns which contribute to the Services, Availability Management, Service Level
IT Governance available in the market to support the Management and Continuity Management;
companies in the implementation process, among which • Applications Management – Comprehends the life
there are COBIT (Control Objectives for Information and cycle of the software development, expending the
Related Technology) and ITIL (Information Technology superficially treated questions in support to the software
Infrastructure Library) [13], [14]. life cycle and IT Services tests. Applications Management
Figure 2 shows how COBIT and ITIL are divided in order also gives details about changes in the business,
to cover the whole IT Governance, being the former in the emphasizing clear definitions of requirements and in the
strategic and tactic levels of the organization and the latter in implementations of solutions to satisfy the needs of the
the operational level. business user;
• IT Infrastructure and Telecommunications
Management – Covers all the aspects from identifying
the business requirements, through the proposal process,
up to the test, the installation implementation and the
continuous optimization of IT components and computers
networks infrastructure and IT services;
• Security Management – approaches Security from
the services supplier’s point of view. Identifies and
indicates the security level necessary to supply the
organization with total service;
• Planning to Implement the IT Services
Management – Explains the steps needed for an
organization to identify the benefits it can expect from
ITIL and how to start collecting such benefits. It aids the
organizations to identify their strong and weak points,
Figure 2. COBIT and TI division to cover the whole IT Governance thus reinforcing the former to overcome the latter;
• Business Perspective – Offers counseling and
3.2. ITIL Practices
orientation to help the Information Technology staff
ITIL was developed by CCTA (Central Computer and understand how they can contribute to the business
Telecommunication Agency), currently called OGC (Office objectives and how their functions and services can be
of Government Commerce), in the United Kingdom, in the better aligned and explored so to maximize this
late 19880’s, being documented in a group of books which contribution.
describe a reference model with the best practices for an One of the main factors for the ITIL increasing success is
effective IT Services Management. Even though it was its flexibility, because it should be implemented as part of a
originally conceived for the public sector in the United business methodology which involves the services
Kingdom, it rapidly expanded to the other organizations in management processes [19].
the public and private sectors, generating an industry
composed by trainings, certifications, consulting, software 3.3. CobIT Practices
tools and a specific Forum called itSMF [15], [16]. According to Lahti and Peterson [13], CobiT is a guide to
The ITIL seeks, in its methodology, the identification of IT management recommended by ISACF (Information
processes in the IT area and the alignment of its services to Systems Audit and Control Foundation, www.isaca.org). It
the organization needs, promoting a qualitative approach for includes resources such as executive summary, framework,
the economic, effective, effectual and efficient use of the IT objectives control, audit maps, group of implementation
infrastructure [14], [17]. tools and guide with management techniques. The CobiT
According to Shimada and Costa Jr. [18], the seven books management practices are recommended by the IT
which describe the library of best practices of ITIL are: management experts who help optimize the investments in
• Service Support (Service Management) – Assures IT and provide metrics to evaluate the results. CobiT does
the client has access to appropriate services to support not depend on IT platforms adopted by the companies.
business functions. It comprehends Service Desk, According to Neves [20] the orientation to the processes is
 Management 2014, 4(2): 38-49 41

defined in 34 processes, divided in four domains, as According to ABNT [21], audits are used to determine in
described below [16]: which level the quality management system requirements are
• Plan and Organize (PO) – Approaches the strategies, met. The audit findings are used to evaluate the efficacy of
tactics and aspects for a better contribution of IT to reach the quality management system and to identify improvement
the business objectives; opportunities.
• Acquire and Implement (AI) – Approaches the IT First party audits are performed by the organization itself
strategies to identify solutions for IT, needs of or on its behalf, for internal purposes, and may compose the
development or technology acquisition, implementation basis for a self-declaration as for the conformity of the
and integration with the business processes; organization.
• Monitor and Evaluate (ME) – Approaches the Second party audits are performed by clients of the
performance management, internal controls monitoring organization, or by other people on behalf of the client.
and provides governance, aiming at evaluating the quality Third party audits are performed by independent external
of the processes and the compliance with the control organizations. Such organizations, usually accredited,
requirements. provide certifications or registration of compliance with
Acording to Lahti and Peterson [13], CobiT provides requirements such as those from ISO 9001 [22].
detailed information to manage processes based on business NBR ISO 19011 provides guidelines regarding audits.
objectives. CobiT is projected to aid three distinct audiences: Since the implementation of ISO 9001 in 2007 in the
• Managers who need the risk and control the company CJHT, there has been a team capacitated for
investments in IT in an organization; internal audits composed by representatives of the each area
• Users who need guaranties that the IT services which of the organization which executes this systematic every six
depend on their products and services to internal and months, alternating with the external audits. The Integrated
external clients are being managed; Management System (IMS) staff, in partnership with all the
• Auditors who can stand on the CobiT other areas, performs all the planning, execution control and
recommendations to evaluate the IT management level results treatment of the company standards.
and counsel the internal control of the organization.
3.5. ISO/IEC 20000
According to Neves [20], the business orientation tries to
unite the business objectives and the IT objectives, supplying According Polter, Verheijen and Selm [23], the ISO/IEC
metrics and maturity models to better the IT governance 20000 objective – inherited from BS 15000 – is to “provide a
evaluation, besides supporting the identification of common pattern of reference to any company which offer IT
responsibilities of the business and IT area. For that, it is services to internal or external clients”. Due to the
needed to manage and control the IT resources by means of importance of communication to the Services Management,
structured processes, such as audits, which enable delivering one of the most important objectives of the standard is to
the goods/services according to the planning. create a terminology common to services providers, their
suppliers and their clients. Figure 3 shows the coverage of
3.4. Management System Audits ISO/IEC 20000 certification and its structure.

Figure 3. ISO/IEC 20000 in the service management landscape [6]

42 Charlene da Silva Leite et al.: IT Services Management and ISO 20000:
A Case Study in an IT Remote Support Company

The existence of Quality Management Systems ISO sure they are quick, easy, consistent and authorized. The
9001:2008 is a facilitator in the implementation of ISO/IEC objective of the Change Management is to successfully
20000-1 [6]. The activities of measurement and service complete all the adjustments and changes in the IT
management analysis include internal audits planned by the infrastructure in a systematic way. This way, the risks
Integrated Management System – IMS. Service associated to the service maintenance, and consequently
improvement actions are established based on analysis of their quality and impact, are maintained at the lowest
indicators, changes, quality and services levels which take possible levels;
place during the meetings for critical analysis and • Release Management: Manages the distributions
coordination [3]. and the release control of the software, hardware and
The NBR ISO/IEC 20000-1 has many aspects related to updates. The Release Management controls the all
the NBR ISO 9001, which can be worked on in an efficient softwares and hardwares existing in the IT infrastructure
way in order to reduce time and cost and increase quality in in production and it organizes the distribution in
its achievement and maintenance [3]. operational environments. Only softwares and hardwares
In order to implement the management of IT Services, which have been verified, tested and approved the Release
besides complying with the ISO 9001 (Quality Management Management are distributed, once assured that the original
System), it is also necessary to comply with the ISO 27002 versions can be resumed in case of flaws;
(Information Security). According to ISO/IEC [1], • Service Level Management (SLM): The objective
information security is the result of a system of policies and of the Service Level Management is to make the
procedures, elaborated to identify, control and protect agreements between the clients and the IT organization
information and any equipment used for its storage, clear concerning the type and quality of the services being
transmission and processing. The collaborators of the offered, taking the pertinent actions for its
services providers which are specialists in information implementations and seeking solutions which assure the
security should be familiarized with the NBR ISO/IEC compliance to the established levels;
27002 [14]. • Availability Management: Manages the present,
According MacFarlane and Rudd 2005 apud [24] For a optimizes the service supply chain and follow the business
company to implement the services management, it is up. The Availability Management identifies, defines and
important to establish the processes in accordance to the prepares the necessary measure to ensure the required
NBR ISO/IEC 20000-1 requirements: availability by the services, monitoring the reliability and
• Configuration Management: Manages, controls and availability in the failures and interruptions and
monitors the Configuration Items (CI) existing in the Data recommending changes so to prevent future losses in the
Base Configuration Management (DBCM). A CI is any services quality;
component or element existing in the infrastructure • Capacity Management: Manages the future,
necessary for a service supply;
monitoring and evaluating the services development, also
• Incident Management: Manages the deviations
planning new businesses. The Capacity Management
(incidents) in the infrastructure, seeking rapid
identifies and specifies the demand and the client’s needs,
reestablishment of the services. The Incidents
trying to translate them into constantly monitored
Management is devoted to resolving the incident and
resources;
reestablishing the service supply to the client as quickly as
• IT Service Continuity Management: Manages
possible, minimizing the impact of the incident on the
disaster, keeping plans for contingency and disasters
business. It should also assure that the service quality and
recovery, business survival, risks and vulnerabilities. The
availability both meet the ANS’s agreed upon. An
IT Service Continuity Management treats the unexpected
incident is classified as any event which is not part of the
interruptions in IT services, preparing and planning
standard functioning of a service and which causes, or
may cause, an interruption in the service or a reduction in recovery and restoration measures and of the IT services;
its quality, and which has a known solution (known error); • Financial Management: Manages the effective costs,
• Problem Management: Manages the problems, the financial resources allocation and the Return over
seeking to identify the root causes, proposing solutions to Investment – ROI. The Financial Management performs
the problems, eliminating repetitive problems, the correct budgetary provision of the IT services,
accelerating the solution time and generating a solutions considering involved costs and possible investments
bank. The objectives of the Problem Management include: benefits, especially in decision making regarding
increasing the IT infrastructure quality by investigating environment changes.
the causes of the incidents or potential incidents, removing The ABNT NBR ISO/IEC 20000-1 specifies a number of
them in a permanent way and proactively preventing new management processes of intimately connected services, as
incidents. Once the cause of the problem (a infrastructure shown by Figure 1.
flaw) is identified and a solution is established, a problem The authors of this article participated in the elaboration of
becomes known as a known error; internal documents (Appendix) according to the services
• Change Management: Manages changes, making management processes described above.
 Management 2014, 4(2): 38-49 43

4. Object of Study Characterization 5.1. Environment

The company CJHT of remote support in IT, located in The main motivation for the implementation and
Campos dos Goytacazes, in Rio de Janeiro state, is one of the consequent certification in the IT Services Management is
largest Information Technology companies in Brazil, having given by the demand on the contract renewal with the unique
differentials in the IT products and services provided to large client in the segment of the company CJHT.
corporations, as well as in the commercialization of The other motivations are:
equipment, softwares, supplies and accessories as a retailer • Search for better practices in the market;
to all customer audiences. This multiplicity of operations • Greater participation in restrict market niche;
makes the IT remote support company known in the market • Increase the quality and the reliability in services
as complete. provision;
The IT remote support company is 100% Brazilian, • Improve the management of contracts with suppliers
majorly acting in states of São Paulo, Rio de Janeiro and the and partners.
Federal District in the IT Services areas, subdivided into:
Infrastructure Management; Printing and Digital Content 5.2. Preparation
Solutions; Data Processing Point Outsourcing; WebCom; Once the certification is decided for, the managerial group
Systems Development and Maintenance; Projects Office carries out a meeting to define the implementation strategy
(PMO); Partner Solutions; User Support and Customer of the due standard, as described by Figure 4.
Service; Printing Center divided into Offset, Laser, Finishing,
Digital Color, among other products and services, besides The ISO/IEC 20000 implementation process was performed
the CJHT Digital. in fourteen months, with high investment, and consisted of:
The Integrated Management System policy statement is • Define and approve the scope: a standard and
made by the company president and it states that CJHT is a certification scope of work is initially defined and
company which supplies the market with products, services submitted for prior approval by the certifying organization;
and IT solutions, focusing on quality-directed client services. the hiring of a external consulting with experience in
The IMS policy is also extended to the IT Services implementation of standards is needed, as well as
Management, focusing on information security and organizing a project coordination committee, composed
environment responsibility, taking into consideration the by one member from each area (Operations, Quality, IT
existing legislation and other environmental and continuous Solutions, Integrated Management System,
improvement aspects. Administrative / Procurement and Human Resources).
The following objectives are extracted from the IMS Policy: The team is defined by the managerial body according to
the profile of each member. There is a periodic
• Increase the Company profitability;
videoconference between the consultant and the project
• Increase customers’ satisfaction – IT Services;
coordination committee (locally and at the CJHT
• Implement the Integrated Management System in the
headquarters in Brasília) for the implementation of the
whole Company;
next steps of the process.
• Rationalize the use of natural resources by the
• Elaborate and approve project plan: a plan is
Company;
create by the committee aided by the hired consulting and
• Assure the recycling of residues generated by the
approved by the areas managers of CJHT;
processes covered by the environmental scope;
• Promote the collaborators development;
• Increase the Company collaborators’ satisfaction;
• Keep the availability of a technological environment
for the Company;
• Assure the compliance of the levels of services hired
and/or agreed upon;
• Assure the non-occurrence of information security
incidents.
The measurement of the objectives listed above is
performed through performance indicators and followed-up
on a periodic basis.

5. Implementation Process Figure 4. Services Management Process [1]

44 Charlene da Silva Leite et al.: IT Services Management and ISO 20000:
A Case Study in an IT Remote Support Company

Figure 5. ISO/IEC 20000 implementation process

• Evaluate the current practices: comparison with tool for internal registration Qualitor Web was purchased.
the quality management system (ISO 9001) implemented The choice for such tool was due to the fact that it works
and consistent in the company since 2007; with the ITIL Service Management standard and it allows
• Compare practices with ISO 20000: a comparison changes according to client’s requirement;
between the requirements of ISO 20000 and ISO 9001 is • Implement ISO 20000 processes: Initiate the
performed; Elaboration of Service Level Agreement with application of the documents and adjust; formation of a
the client; External Support Agreement with suppliers and change committee, composed by the Senior Executive, the
Operational Level Agreement among internal areas. Thus Change Manager and the representatives from the units;
integrating a partnership in the implementation of a better • Train in management system processes: Carry out
provision of remote support services; awareness event for the whole organization in the
• Document and evaluate the differences (gap revised/new documents made available in the documents
analysis): an electronic spreadsheet with the analysis of management tool DocNix;
what the company which is already certified in the NBR • Perform Internal Audit: Between August 3rd and 5th,
ISO 9001 needs to achieve the NBR ISO/IEC 20000. The 2009, to check the implementation of the requirements of
requirements are found in the referred standards. the due standard. Such activity lasted 3 days and resulted
• Elaborate Action Plan: An action plan is elaborated in 32 non-conformities and 16 improvement opportunities,
for the carrying out of the committee; which were treated by the respective areas with the aid of
• Train teams in ITIL, ISO 9001 and 20000: the 20000 committee;
Training and certification in ITIL V.2 (2007) for the • Perform External Pre-Audit: Between September
managerial body, standard implementation committee and 26th and 27th, 2009, by the Certification organization. Such
the operational body of the organization; Training on activity lasted 2 days, and 17 nonconformities were
interpretation of the standards NBR ISO/IEC 20000 and generated, which were treated by the respective areas with
NBR ISO/27002 for the committee and the managerial the aid of the 20000 committee;
body; Recycling training on ISO 9001:2008; • Perform External Final Audit: Between October
• Define and implement the management system: 21st and 22nd, 2009, by the Certification organization.
Review the NBR ISO 9001 documents with the inclusion Such activity lasted 2 days and no nonconformities or
of IT Management and elaboration of new ones, taking observations were registered;
into account the structure of the internal processes of • Get a recommendation: The certifying organization
CJHT (Figure 5). The list of the current documents can be delivered the indication letter, once the certification could
consulted in Attachment I of this research; only be delivered within a one month. This way, there was
• In order to manage the incidents and problems, the aid no need for a follow-up audit, which consists of a
 Management 2014, 4(2): 38-49 45

verification of the treatment of the inconsistencies found specific Contact Center (IT Remote Support) process of the
in the certification audit and its closure; Campos dos Goytacazes unit so the Operation area may
• Get the ISO 20000 certification: The certificate was perform the users’ support service and comply/surpass the
delivered to the company thirty days after the client’s satisfaction level.
recommendation, when the company was formally Continuous improvement process: the company CJHT
declared certified on ISO/IEC 20000. From that moment kept its 20000 committee reducing only its meetings
on, the news was made public to the press, clients and periodicity from weekly to twice a month. This way
suppliers, and so were the benefits resulting from such maintaining the management system of the IT services
achievement. implemented and searching for the continuous improvement
Figure 5 shows the internal processes structure of the of its result to the client’s view.
company CJHT, which consists of the relation between the Figure 6 presents the implementation timetable of the
corporate and commercial processes, integrated management, ISO/IEC 20000 in the company CJHT, composed by task,
integration aid which support the whole organization and the who is in charge, start date and end date.

Figure 6. Internal processes structure

46 Charlene da Silva Leite et al.: IT Services Management and ISO 20000:
A Case Study in an IT Remote Support Company

NBR ISO 20.000-1 Implementation Timetable

Start Date End Date
Task In charge
(mm/dd/yy) (mm/dd/yy)
Project Plan Elaboration IMS Team 08/11/08 08/17/08
GAP Analysis 20000 Committee 08/18/08 08/31/08
Definition of Service Management System 20000 Committee 09/01/08 10/30/08
Elaborate GAP Analysis Tasks 20000 Committee 09/01/08 07/30/09
Give Training on "ITIL v.2" – many classes IMS Team 8/11/2008 9/3/2009
Give Training on "NBR ISO 20000-1/2 Interpretation" IMS Team 09/04/08 09/05/08
Give training on "NBR ISSO 27002 Interpretation” IMS Team 11/03/08 11/07/08
Implementation of Service Management System 20000 Committee 11/01/08 07/30/09
Perform Quality Consulting IMS Team 08/11/08 11/30/09
Generate records which prove the execution of processes as defined by IMS 20000 Committee 07/01/09 08/25/09
Perform Awareness Campaign with Collaborators IMS Team 04/07/09 04/09/09
Perform Internal Audit IMS Team 08/03/09 08/05/09
Perform Critical Analysis Meeting with the IMS High Management IMS Team 08/11/09 08/11/09
Perform External Pre-Audit IMS Team 08/26/09 08/27/09
Perform Certification Audit IMS Team 10/20/09 10/21/09
Receive Certificate issued by Accredited Organization IMS Team 11/21/09 12/31/09

Figure 7. Implementation Timetable. Source: Internal Documentation from company

The preparation for a certification is a moment that 6. Conclusions

requires extra efforts from the organization members, for it is
6.1. Concerning the Objectives
a period of time of continuous learning on the internal
processes. Especially about the commitment of the The general objective of the research is reached through
managerial body so the improvement suggestions may be the elaboration of a detailed certification process, with all the
executed in time. implementation items detailed and accomplished.
The specific objectives are met the following way:
5.3. Processes
• Definition of research methodology and strategy,
Work focused on processes is constituted by the four classifying it as action-research;
premises below: • Description of IT Management Services and its
• Planning: Study the contract with the client and integration with the IT Governance, COBIT and ITIL,
elaborate the Services Management Plan – SMP – besides the NBR ISO 9001 and 27002 standards;
including the implementation of the service management; • Mentioning the systematic of integrated management
issuance of service management processes; processes system audits;
changes and new services. • Description of the object of case study;
• The collaborators which perform activities in service • Mentioning the implementation process of the NBR
management are capacitated based on education, training, ISO 9001:2008;
skills and experience; • Performing the critical analysis of the listed
• Implementation: Follows what is defined in the bibliographic references.
SMP regarding incidents and problems management; This way, it is possible to conclude that all the objectives
changes and release management; management of were reached with the execution of this present research.
availability, capacity, continuity and configuration and
continuous quality; 6.2. Concerning the Research
• Service Provision: This process regards the Managing the IT services became a critical task and a
definition, the agreements, the records and the services challenge for managers, once it is responsible for 60% to
levels management; 90% of the total costs of its ownership [7]. This research
• Measurement and Monitoring: The performance presented an entire documented certification process in the
compared to defined goals for service, client’s satisfaction, ISO 20000, and contributed to the scientific communication
resources capacity use, tendencies and greater being an important reference for future similar processes for
nonconformities are all monitored, measured and comparisons.
critically analyzed. According to Heldman [25], the lessons learned are the
The focus on the processes was used when implementing information collected and documented during the project
the NBR ISO/IEC 20000, so it is believed the IT services which may be used for the benefit of the current project,
management was performed in a thorough way. future projects or any projects which may be under execution
 Management 2014, 4(2): 38-49 47

by the organization. Such lessons may be either positive or obtained results, because the client did not consider it as a
negative. During a project, knowledge should be transferred, requirement, but as a bonus, in his next order, once the other
integrated, created and explored in order to create new competitors had not implemented such standard in the
organizational value. This way, to obtain a ISO/IEC 20000 organizations.
certification, collect information and meetings of the lessons In the case of the company being studies, the use of
learned were performed during all the project phases. The action-research was attempted due to the direct participation
main results obtained after the implementation of the IT of the authors in the project and academic studies. The
services management in the company CJHT were: objective of the action-research was to solve a problem and
• Benefits for the organization: contribute to the academic area with the research. The main
− Provide managed services to satisfy the business and relevance of this research was to establish a reference model
the client, at a reasonable cost; for the ISO/IEC 20000 implementation and certification. The
− Solve problems of continuity, availability, capacity of reference presented here has a prescriptive characteristic,
services supplied; being available to be used by any provider which wishes to
− Provide tools to comply with the level of hired initiate a project of this caliber. It was also attempted to
services; present the results and lessons learned in a clear way, serving
− Keep the Company competitive edge in the market; as base for future studies about the subject.
− Keep current and future contracts with the client.
• Benefits for the collaborators 6.3. Concerning Future Researches
− Work in a company which performs activities based This present research allows new analysis in various aspects
on orientations and standards for services provision to be implemented, such as:
accepted worldwide;
• Analyze qualitative and quantitative benefits in a mid
− Acquire professional growth practices in the
to long term from the implementation of the standard;
Company.
• Elaborate a market study evidencing the effect of the
• Difficulties encountered
certification on the companies which got certified;
− Interpretation of the NBR ISO 9001:2008 to
• Elaborate a management model to aid the certification
implement the requirements, even after the training given
maintenance;
on such standard;
• Analyze the requirements for implementing the ISO
− Physical distance of the consultant, being him in
9001, 20000 and 27002, evidencing the common grounds
Brasília, causing the meetings to be help through
and how to simplify the parallel maintenance of such
video-conference;
certifications, complying with all of their requirements.
− Conciliation of the ordinary activities and the
In general, it is suggested that the subject be researched
activities of standard implementation, by the 20000
upon after implementation so to open a quite vast range of
committee;
possibilities which shall serve as initial idea to numerous
− Need of customization of the bought tool, Qualitor
further researches.
Web, to adequate it to the company business;
− Focus on the infrastructure area, causing considerable
changes in the work routine and thus resistance. ACKNOWLEDGEMENTS
Thusly, the organization understands that the IT services
management must be used to assure the service provision in The authors are grateful to the Fluminense Federal
the best possible way. Institute, for supporting the research, and to the Company,
The costs from the implementation of such standard and for allowing the employees sharing its cultural
its consequent certification are high in comparison to the knowledgement to the science progress.
48 Charlene da Silva Leite et al.: IT Services Management and ISO 20000:
A Case Study in an IT Remote Support Company

Appendix
Internal documents of company CJHT:
Code Document Title
PR-0001 IT Services Management
PR-0002 Service Provision Management
PR-0003 Service Support Management
PR-0003 Management of Relationship with the Client
PR-0004 Management of Nonconforming Product
PR-0005 Information Security Management
PR-0006 Risk Management
PR-0007 Change and Release Management
PR-0008 Technological Infrastructure Management
PR-0009 Information Management
PR-0010 Action Management
PR-0011 IT Remote Support to Users Management
PR-0012 Corporate Systems Management
PR-0013 Acquisition Management
IS-0001 IT Remote Support Demobilization Control
IS-0002 IT Remote Support Implementation Control
IS-0003 Hiring and Recruiting Control
IS-0004 Execution of IT Remote Support Users’ Satisfaction and Manifestation Researches Treatment
IS-0005 Products and Services Acquisition Control
IS-0006 Managerial Report Elaboration Control
IS-0007 Budget Control
IS-0008 Records and Calls Quality Monitoration Control
IS-0009 Execution and Controlo f IT Remote Support Measurements
IS-0010 Calls Classification and Forwarding
IS-0011 Perform and Restore Backup
DF-0001 IT Strategy Definition
DF-0002 IT Glossary
NT-0001 IT Assets Use Policy
NT-0002 Security Policy
FR-0250 Changes and Release Management Plan
FR-0001 Availability, Capacity and Continuity Plan
FR-0002 Service Management Plan
FR-0003 External Support Agreement
FR-0004 Service Level Agreement
FR-0005 Operational Level Agreement
Legend:
PR- Procedure;
IS – Service Instruction;
DF – Definition Document;
NT – Technical Standard;
FR – Form.

Padrão 20000:1, 2008.

[3] G. S. Santos and F. C. de Campos, “Integração das Normas
ISO 20000 e ISO 9001 em Gestão de Serviços de TI
REFERENCES [Integration of ISO 20000 and ISO 9001 in IT Service
Management],” in XII Simpósio de Administração da
[1] ISO/IEC, “ISO/IEC 20000-1: Information technology - Produção, Logística e Operações Internacionais, São Paulo,
Service management - Part 1: Service management system 2009, p. 16.
requirements.” ISO - International Organization for
Standardization, 04-Dec-2011. [4] BSI, “Manual de Treinamento ISO 20000 Auditor [Training
Manual ISO 20000 for Auditor],” Bristish Standard Institute,
[2] ABNT, “NBR ISO 20000:1: Tecnologia da Informação – São Paulo, 2008.
Gerenciamento de Serviços. Parte 1, Especificação,”
Associação Brasileira de Normas Técnicas, Rio de Janeiro, [5] APM Group, “ISO/IEC 20000 Certified Organizations,”
 Management 2014, 4(2): 38-49 49

ISO/IEC 20000 Organizational Certification Scheme, 2009. . [16] ITGI, “Cobit Framework,” Steering Committee and IT
Governance Institute, Technical Report, 2007.
[6] APM Group, “ISO/IEC 20000 white paper,” The IT Service
Managment Forum, United Kingdon, 2012. [17] I. L. Magalhães and W . B. Pinheiro, Gerenciamento de
serviços de TI na prática: uma abordagem com base na ITIL.
[7] S. D. Galup, R. Dattero, J. J. Quan, and S. Conger, “An São Paulo, SP: Novatec, 2007.
overview of IT service management,” Communications of the
ACM, vol. 52, no. 5, p. 124, May 2009. [18] L. M. Shimada and M. V. C. Júnior, “Aplicação do ITIL e
ISO/IEC 20000 na Gestão de Serviços de Suporte em
[8] E. L. S. Silva and E. M. M. Menezes, Metodologia da Microinformática,” Revista da Pós-Graduação, vol. 1, no. 2,
Pesquisa e Elaboração de Dissertação, 4th ed. Florianópolis: Mar. 2008.
UFSC, 2005.
[19] S. M. de C. Lopes, V. G. André, and J. M. S. das Neves,
[9] R. K. Yin, Estudo de caso. Porto Alegre: Bookman, 2005. “Governança de TI - um estudo sobre ITIL e COBIT [IT
governance - a study on ITIL and COBIT],” presented at the
[10] V. L. Paes, H. R. M. da Hora, and L. E. V. Viera, “Utilização VII SEGeT – Simpósio de Excelência em Gestão e
dos princípios da qualidade na implantação de um sistema de Tecnologia, Resende, 2010.
gestão da qualidade (SGQ) em uma empresa de saneamento
básico,” in XV Simpósio de Engenharia de Produção, Bauru, [20] W. C. G. Neves, “Diretrizes para a Implantação da
2008, vol. 2, p. 12. Governança de Tecnologia da Informação com Base no Cobit,
a partir de ISO 9001: Aspectos de Gerenciamento de Projetos,”
[11] M. T. Walter, “The implementation of ISO 9001: 2000 Mestrado em Gestão do Conhecimento e Tecnologia da
standard on the Brazilian Supreme Court’s Library,” Ciência Informação, Universidade Católica de Brasília (UCB),
da Informação, vol. 34, no. 1, pp. 104–113, Jan. 2005. Brasília, 2007.
[12] ISACA, “COBIT 5 - A Business Framework for the [21] ABNT, “NBR ISO 9000:2005: Sistemas de gestão da
Governance and Management of Enterprise IT,” Information qualidade - Fundamentos e vocabulário,” Rio de Janeiro,
Systems Audit and Control Association, 2014. [Online]. 30-Dec-2005.
Available: http://www.isaca.org/COBIT/Pages/default.aspx.
[Accessed: 07-Feb-2014]. [22] ABNT, “NBR ISO 9001:2008 - Sistemas de gestão da
qualidade,” Rio de Janeiro, 28-Nov-2008.
[13] C. Lahti and R. Peterson, Sarbanes-Oxley: conformidade
usando COBIT e ferramentas open source. Rio de Janeiro: [23] S. Polter, T. Verheijen, and L. van Selm, ISO/IEC 20000: An
Alta Books, 2006. Introduction. Ireland: Van Haren Publishing, 2008.
[14] S. Sahibudin, M. Sharifi, and M. Ayat, “Combining ITIL, [24] C. Z. Calvi, “Gerenciamento de Serviços de TI e Modelagem
COBIT and ISO/IEC 27002 in Order to Design a do Processo de Configuração ITIL em uma plataforma de
Comprehensive IT Framework in Organizations,” in Second serviços sensíveis a contexto,” Master in Informatics,
Asia International Conference on Modeling Simulation, 2008. Universidade Federal do Espírito Santo (UFES), Vitória,
AICMS 08, 2008, pp. 749–753. 2007.
[15] E. A. P. Moraes and S. R. H. Mariano, “Uma Revisão dos [25] K. Heldman, Project management jumpstart. Hoboken, NJ:
Modelos de Gestão Em TI [A Management Models in IT Wiley, 2011.
Review],” presented at the IV Congresso Nacional de
Excelência em Gestão, Niterói, 2008.

View publication stats