Quality Management or Service Management?
Dolf van der Haven
Governance, Risk and Compliance | Information Security, Service Management, Quality Management | Chicken farmer
With the increased application of ISO’s high-level structure (HLS, a.k.a. Annex L) text and definitions to the majority of the management system standards (MSS), there is an increase in overlapping requirements between various MSS. There are people who say, “I already have an ISO 9001:2015 [Quality Management] certification, do I really need an ISO/IEC 20000-1:2018 [Service Management] certification as well for my services?” Apart from all the considerations related to the context of the organization and the services provided, the distinction between ISO 9001 and ISO/IEC 20000-1 is still significant.
quality
degree to which a set of inherent characteristics of an object fulfils requirements
Source: ISO 9000:2015. An “object” is further defined as a product, service, process, system, etc. A “characteristic” can be any feature e.g. physical aspects or human behaviour.
service
output of an organization with at least one activity necessarily performed between the
organization and the customer
Source: ISO 9000:2015
service
means of delivering value for the customer by facilitating outcomes the customer wants to achieve
Source: ISO/IEC 20000-1:2018
The three definitions above show a difference in focus between quality management and service management: similar to products, ISO 9001 focuses on services as the output of an organization that need to conform to certain requirements. ISO 9001 has historically only focused on products and added services in it 2015 edition more or less as an afterthought. Meanwhile, ISO/IEC 20000-1 had been published in 2005 (and updated in 2011 and 2018) to focus on services alone. ISO/IEC 20000-1’s definition of a service has always had the focus on value creation, related to the results or outcomes the customer wants to achieve with the services.
Is this just a futile difference in wording or is there a real difference between how ISO 9001 and ISO/IEC 20000-1 think about services?
Service management has its historical roots in IT, where methodologies such as ITIL have focused on how to improve the delivery of IT services since the 1980s. However, this does not mean that ISO/IEC 20000-1 is an IT standard: from its earliest version, it has clearly stated it can be applied to services of any nature. In today’s world of digital transformation, this basically means that IT is simply a component of most services, but service management focuses on the complete organization delivering the services, not only an IT department.
ISO 9001 has its roots far more in the manufacturing industry, where quality management can be easily applied using methodologies such as Lean and Six Sigma. Lean is also great for services, but the statistical methodologies of Six Sigma are far more difficult to apply to services, which by definition have an intangible aspect to them. Adding services to the scope of a standard that was always focused on (tangible) products was therefore quite a leap into the unknown.
It is therefore unsurprising that a quality management approach to services has a more limited scope than a full service management approach. Paraphrasing ISO 9000’s definition of quality, it says that quality of a service is the degree to which a set of inherent characteristics of a service fulfils requirements. This sounds like an internal inspection of the characteristics of e.g. an online shop, compared to a checklist of what those characteristics are supposed to be. This still comes much closer to product features than actual service features. The focus on value creation and, up to a point, what the customer wants to achieve with the service, is lost here.
More importantly, ISO/IEC 20000-1 focuses on a complete service lifecycle from conception to operation and improvement, including a large number of processes (ITIL 4 would call them practices) supporting the services. Most of these processes (e.g. incident management, configuration management) are completely absent from the quality management approach in ISO 9001. This is a completely different perspective on what it means to provide a service that actually creates value for the customer: the processes in Clause 8 of ISO/IEC 20000-1 cover about 50% of the requirements and are all indispensable for the delivery of services (which is why you cannot make any exclusions in the requirements of ISO/IEC 20000-1). ISO 9001 misses most of these: it has a number of clauses about requirements gathering and delivery of products and services, but leaves much of this up to the imagination of the user of the standard. I have in fact implemented a quality management system in a services environment and am still struggling to interpret some of the ISO 9001 requirements for the type of services (network management) my organization provides.
That said, there is a certain amount of overlap between the two standards, apart from the HLS text: this has been documented in the ISO/IEC 20000-7 standard, which focuses on the correlation and joint implementation of ISO/IEC 20000-1, ISO 9001 and ISO/IEC 27001 (Information Security Management). In this standard, the similarities and differences in the requirements and definitions between these three standards are explained in full detail. It shows to wat extent requirements can be jointly followed and what the pitfalls are.
Dolf van der Haven is a member of the ISO/IEC JTC1 SC40 committee developing the ISO/IEC 20000 series of standards. He has published two books about the ISO/IEC 20000:2018 standard, as well as a full documentation toolkit, available on ITSM Shop.
VP, Risk and Sustainability at OneStream Software
5 年For me its not about comparing the standards or choosing between them; it;'s about building blocks. In my view 9001 is a fantastic standard to build a foundation upon, (as long as it is used as intended -as a business improvement tool as opposed to merely a box ticking exercise) - establish the framework, culture, ways of working, exceptions etc and then build on that, or update it if you like, as you bring on other standards or adopt their practices. ? For example, our Service Management approach is covered, for the most part, under our 9001 certification, however following a Gap Analysis I know what areas of 20000 that I need to focus on in order to provide best practice and become certified to 20000. The fundamentals of Context, Interested parties, Risk Management, Leadership, Training and Awareness, Audit, Management Review etc are all in place for 9001 and 27001 so just require a little review to ensure 20000 is covered.? Another example is Provider / Supplier Management; there is a requirement to address this in 9001, 27001, 20000 and so on. Having got 9001 and 27001 certification, there are very few (if any) changes that I will need to do in order to satisfy the 20000 requirements - the same goes for Change Management.
Quality Philosopher - Management Systems Specialist
5 年The article comparing ISO 9001 and ISO 20000-1 is interesting but starts with a flawed proposition. Quoting isolated definitions that have been generated within a technical committee to explain terms to users of the standard is pointless. To compare the two standards you have to understand the intended applications as well as all relevant definitions. ISO 9001 in its introduction has: ‘The potential benefits to an organization of implementing a quality management system based on this International Standard are: a) the ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements;’ and this confirms the standard is firmly aimed at providers of services. This isn’t a recent switch, in the introduction to the 1994 edition, (11 years before the first edition of ISO 20000-1) it talks of: ‘The design and implementation of a quality system will be influenced by the varying needs of an organization, its particular objectives, the products and services supplied, and the processes and specific practices employed.’ ISO 9001 has been around since 1987 and has been applied to service providers for most of that time, it is no ‘afterthought’. Service management does not owe its roots to IT. Providing services has been around since people have walked the earth. Users of ISO 9001 have long been applying ISO 9001 to services. Speaking from personal experience, I have been using 9001 in service applications since the early 1990s.? ISO/IEC 20000-1 was originally aimed at providers of IT services and should have retained this focus to stay within the remit of its technical committee, ISO/IEC JTC1: ‘Standardization in the field of information technology.’ If the JTC wants to produce standards for quality of service provision they should work with ISO TC 176 rather than offering competing standards that end up confusing users.
Great summary and comparison Dolf. Thanks for taking the time to write and share this.
Head of Product Strategy and Innovation @ emite | DCMM CoAuthor | CBRM | IT Quality Expert
5 年Great blog as always Dolf. But the ISO definition of quality is really poor and service management still uses this in its warranty and utility concept. Neither really do IT any real justice. How can doing what you are asked and it not being broken be a measure of quality? A minimum standard maybe.
Information Security and Quality Management
5 年An informative article Dolf van der Haven. I had always assumed that, because the title of all the standards in the 20000 series begin with "Information technology", that they are intended specifically for use in the area of ICT. However, reading through ISO/IEC 20000-10:2018 (which is available as a free download) confirms what you state in your article, namely that this is incorrect. Thank you for this valuable information. https://standards.iso.org/ittf/PubliclyAvailableStandards/c074316_ISO_IEC_20000-10_2018.zip