p-ISSN: 2162-9374    e-ISSN: 2162-8416

2014;  4(2): 38-49


IT Services Management and ISO 20000: A Case Study in an IT Remote Support Company

Charlene da Silva Leite, José Gabriel Peixoto Rodrigues, Tatiana da Silva Sousa, Henrique Rego Monteiro da Hora

Post graduation in Production and Systems, Fluminense Federal Institute (IFF), Campos dos Goytacazes, RJ, Brazil

Correspondence to: Henrique Rego Monteiro da Hora, Post graduation in Production and Systems, Fluminense Federal Institute (IFF), Campos dos Goytacazes, RJ, Brazil.


Copyright © 2014 Scientific & Academic Publishing. All Rights Reserved.


There is an increasing demand for quality on the market, especially when the approach is related to IT which is a dynamic area and more important to companies each day. This paper was elaborated with the objective to describe relevant information to the NBR ISO/IEC 20000-1 certification process based on the experience of the company CJHT in the area of Remote Support to the user. The methodology used is classified as qualitative in which, through a documental research, criticisms were made regarding the implementation process. At the end of the article, there is an analysis of the benefits versus the employed effort coming to the conclusion that there are benefits for the organization and its collaborators. Moreover, the main difficulties found in the certification process were reported.

Keywords: Certification, IT services management, ISO 20000, ITIL

Cite this paper: Charlene da Silva Leite, José Gabriel Peixoto Rodrigues, Tatiana da Silva Sousa, Henrique Rego Monteiro da Hora, IT Services Management and ISO 20000: A Case Study in an IT Remote Support Company, Management, Vol. 4 No. 2, 2014, pp. 38-49. doi: 10.5923/

1. Introduction

The NBR ISO/IEC 20000 series distinguishes the best processes practices, which do not depend on the organizational format, size, organization names or its structure. It is applicable to both the large or small-sized services supplier, besides the requirements of best practices of services processes do not change according to the organization format [1].
The coordinated implementation and integration of the service management processes provide continuous control, greater efficiency and opportunities of continuous improvement. Perform activities and processes require that people be well organized and coordinated. Appropriate tools are also necessary to ensure effective and efficient, according to the ISO - International Organization for Standardization [1].
The Brazilian Association of Technical Standards (ABNT) is the National Standardization Venue. The Brazilian Standards are elaborated by Study Commissions (CE) composed by representatives from the involved sectors, namely: producers, consumers and neutrals (university, laboratory and others).
According to ABNT [2] the NBR ISO/IEC 20000-1 was elaborated in the Brazilian Committee of Computers and Data Processing (ABNT/CB-21), by the Commission of Information Technology Operation Study (CE-21:007.25). The Project was circulated in National Consultation following edictal 12, dated Nov. 21, 2007, under Project number 21:007.25-001/1. Adoption identical to ISO/IEC 20000-1:2005 regarding technical content, structure and composing, elaborated by the Technical Committee of Information Technology (ISO/IEC JTC 1).
Information Technology companies are increasingly more interested in implementing the NBR ISO 20000 standard, especially those which focus on providing IT services. Such providers seek flexibility so they are able to rapidly respond to the changes in both the competition and the market. The ISO/IEC 20000 emerges in this context as a differentiation alternative in the IT Services Management market (ITSM).
Figure 1. Relation among ISO 9001, ISO 20000 and ISO 27001 [4]
According to Santos and Campos [3], this standard has aspects related to the NBR ISO 9001, which can be worked in an efficient way by the companies aiming at reducing time and cost while increasing quality in its achievement and maintenance. Figure 1 shows the relation among standards, being ISO 9001 the implementation foundation for the other standards, because it defines requirements which assure the quality of the product/service focusing on customer’s satisfaction. ISO 27001 is the standard for information security which has requirements which assure reliability, availability and integrity of the client’s data. Neither is mandatory, however they do facilitate the implementation of the IT management in the organization, as described on item 3.5 of this article.
The justification of this research is based on the relevance of a case study of the implementation of one of the main international standard in information technology, namely ISO 20000. Due to the importance of the certification, numerous companies in the world have already achieved such seal of quality and other ones are in the implementation process. In 2008 there were 339 organizations with ISO 20000, led by Japan with 48 certified companies, followed by India with 40 and then China with 34. Since this is a recent subject, there is a lack of academic contributions in the area which can contribute to the view of such integration and the final results [3].
According to APM Group [5] few companies have the ISO/IEC 20000 certificate in Brazil, among which we may mention:
• Asyst Sudamerica – Data Processing Specialized Service S/C Ltd;
• T-Systems do Brasil Ltda;
• HP Service Brasil;
• CPM Braxis - Global Operating Center.
Still according to the APM Group [6], achieving ISO/IEC 20000 certification demonstrates to other organizations, suppliers, customers, staff, partners and industry bodies that the service provider company is a qualified, suitable supplier, once the company proofs they have shown they have practices, procedures and management system controls in place to ensure services are provided effectively with customer satisfaction at the core.
Sixty to ninety percent of a total cost in IT ownership comes from managing processes and developing disciplines for such [7], therefore it indicates its importance and the reason why researchers dedicate time and work investigating IT management.
The objective of this article is to describe the NBR ISO/IEC 20000-1 certification process in an information technology company, emphasizing the difficulties. The company name is omitted due to industrial secrecy, but there was entire collaboration to the research. The company is referred to by the pseudonym CJHT.

2. Research Methodology and Strategy

2.1. Research Classification

The adopted strategy to reach the proposed objective is the single case analysis, classified as applied research regarding its nature, because it generates knowledge from the practical application to specific problems [8].
The approach is classified as qualitative in the data collection, analysis and implementation, for being descriptive and both the process and its significance are the main focus of the approach [8].
In relation to the procedure methods, this research uses action-research when conceived and performed in close association with an action or with the solution of a collective problem. The researchers and participants that are representative to the situation or the problem are involved in a cooperative or participative way [8]. The documental research is also used in the files of the object of study and the single case study [9].

2.2. Methodological Research

The researches with descriptions of the implementation of the NBR ISO/IEC 20000 standard are scarce especially because there are few companies dedicated to such certification. However, it is possible to verify descriptions about the implementation of other standards, such as the NBR ISO 9001.
Paes, Hora and Valdiviezo [10] reported the certification process of a basic sanitation company, comparing quantity of Work Instructions and managerial information systems used.
Walter [11] discusses the certification process of the same standard, but unlike the above mentioned authors, he does not directly report the benefits, but the process itself, indicating the paths taken, documents created and necessary trainings.

2.3. Technical Procedures

In order to reach the research objective, a documental research is performed in the company, seeking the descriptions of the implementation. The use of action-research, where the researcher is part of the object of study, allows the authors to report their perceptions regarding the implementation process, because they played an active role during the research.
The results are analyzed both critically and qualitatively, indicating the critical points of the process so to support future implementations.

2.4. Results Analysis

The reports obtained though action-research are critically analyzed in order to evidence the imperfections in the implementation and elaborate a directing text with the most critical points of the implementation process.

3. IT Services Management

The implementation of IT services management, NBR ISO/IEC 20000-1, requires knowledge in both data processing and management. For that, the best IT Governances practices are used, such as ITIL and COBIT.

3.1. IT Governance Practices

According to ISACA [12], the IT Governance is a structure of relationships and process to direct and control the company in order to reach its objectives by value addition at the same time as it balances risks and incomes regarding IT and its processes.
There are many models or patterns which contribute to the IT Governance available in the market to support the companies in the implementation process, among which there are COBIT (Control Objectives for Information and Related Technology) and ITIL (Information Technology Infrastructure Library) [13], [14].
Figure 2 shows how COBIT and ITIL are divided in order to cover the whole IT Governance, being the former in the strategic and tactic levels of the organization and the latter in the operational level.
Figure 2. COBIT and TI division to cover the whole IT Governance

3.2. ITIL Practices

ITIL was developed by CCTA (Central Computer and Telecommunication Agency), currently called OGC (Office of Government Commerce), in the United Kingdom, in the late 19880’s, being documented in a group of books which describe a reference model with the best practices for an effective IT Services Management. Even though it was originally conceived for the public sector in the United Kingdom, it rapidly expanded to the other organizations in the public and private sectors, generating an industry composed by trainings, certifications, consulting, software tools and a specific Forum called itSMF [15], [16].
The ITIL seeks, in its methodology, the identification of processes in the IT area and the alignment of its services to the organization needs, promoting a qualitative approach for the economic, effective, effectual and efficient use of the IT infrastructure [14], [17].
According to Shimada and Costa Jr. [18], the seven books which describe the library of best practices of ITIL are:
Service Support (Service Management) – Assures the client has access to appropriate services to support business functions. It comprehends Service Desk, Incidents Management, Problems Management, Configurations Management, Change Management and Release Management;
Service Provision (Service Management) – Covers the service the business demands the supplier to provide adequate support to the corporate users. Comprehends Capacity Management, Financial Management for IT Services, Availability Management, Service Level Management and Continuity Management;
Applications Management – Comprehends the life cycle of the software development, expending the superficially treated questions in support to the software life cycle and IT Services tests. Applications Management also gives details about changes in the business, emphasizing clear definitions of requirements and in the implementations of solutions to satisfy the needs of the business user;
IT Infrastructure and Telecommunications Management – Covers all the aspects from identifying the business requirements, through the proposal process, up to the test, the installation implementation and the continuous optimization of IT components and computers networks infrastructure and IT services;
Security Management – approaches Security from the services supplier’s point of view. Identifies and indicates the security level necessary to supply the organization with total service;
Planning to Implement the IT Services Management – Explains the steps needed for an organization to identify the benefits it can expect from ITIL and how to start collecting such benefits. It aids the organizations to identify their strong and weak points, thus reinforcing the former to overcome the latter;
Business Perspective – Offers counseling and orientation to help the Information Technology staff understand how they can contribute to the business objectives and how their functions and services can be better aligned and explored so to maximize this contribution.
One of the main factors for the ITIL increasing success is its flexibility, because it should be implemented as part of a business methodology which involves the services management processes [19].

3.3. CobIT Practices

According to Lahti and Peterson [13], CobiT is a guide to IT management recommended by ISACF (Information Systems Audit and Control Foundation, It includes resources such as executive summary, framework, objectives control, audit maps, group of implementation tools and guide with management techniques. The CobiT management practices are recommended by the IT management experts who help optimize the investments in IT and provide metrics to evaluate the results. CobiT does not depend on IT platforms adopted by the companies.
According to Neves [20] the orientation to the processes is defined in 34 processes, divided in four domains, as described below [16]:
Plan and Organize (PO) – Approaches the strategies, tactics and aspects for a better contribution of IT to reach the business objectives;
Acquire and Implement (AI) – Approaches the IT strategies to identify solutions for IT, needs of development or technology acquisition, implementation and integration with the business processes;
Monitor and Evaluate (ME) – Approaches the performance management, internal controls monitoring and provides governance, aiming at evaluating the quality of the processes and the compliance with the control requirements.
Acording to Lahti and Peterson [13], CobiT provides detailed information to manage processes based on business objectives. CobiT is projected to aid three distinct audiences:
Managers who need the risk and control the investments in IT in an organization;
Users who need guaranties that the IT services which depend on their products and services to internal and external clients are being managed;
Auditors who can stand on the CobiT recommendations to evaluate the IT management level and counsel the internal control of the organization.
According to Neves [20], the business orientation tries to unite the business objectives and the IT objectives, supplying metrics and maturity models to better the IT governance evaluation, besides supporting the identification of responsibilities of the business and IT area. For that, it is needed to manage and control the IT resources by means of structured processes, such as audits, which enable delivering the goods/services according to the planning.

3.4. Management System Audits

According to ABNT [21], audits are used to determine in which level the quality management system requirements are met. The audit findings are used to evaluate the efficacy of the quality management system and to identify improvement opportunities.
First party audits are performed by the organization itself or on its behalf, for internal purposes, and may compose the basis for a self-declaration as for the conformity of the organization.
Second party audits are performed by clients of the organization, or by other people on behalf of the client.
Third party audits are performed by independent external organizations. Such organizations, usually accredited, provide certifications or registration of compliance with requirements such as those from ISO 9001 [22].
NBR ISO 19011 provides guidelines regarding audits. Since the implementation of ISO 9001 in 2007 in the company CJHT, there has been a team capacitated for internal audits composed by representatives of the each area of the organization which executes this systematic every six months, alternating with the external audits. The Integrated Management System (IMS) staff, in partnership with all the other areas, performs all the planning, execution control and results treatment of the company standards.

3.5. ISO/IEC 20000

According Polter, Verheijen and Selm [23], the ISO/IEC 20000 objective – inherited from BS 15000 – is to “provide a common pattern of reference to any company which offer IT services to internal or external clients”. Due to the importance of communication to the Services Management, one of the most important objectives of the standard is to create a terminology common to services providers, their suppliers and their clients. Figure 3 shows the coverage of ISO/IEC 20000 certification and its structure.
Figure 3. ISO/IEC 20000 in the service management landscape [6]
The existence of Quality Management Systems ISO 9001:2008 is a facilitator in the implementation of ISO/IEC 20000-1 [6]. The activities of measurement and service management analysis include internal audits planned by the Integrated Management System – IMS. Service improvement actions are established based on analysis of indicators, changes, quality and services levels which take place during the meetings for critical analysis and coordination [3].
The NBR ISO/IEC 20000-1 has many aspects related to the NBR ISO 9001, which can be worked on in an efficient way in order to reduce time and cost and increase quality in its achievement and maintenance [3].
In order to implement the management of IT Services, besides complying with the ISO 9001 (Quality Management System), it is also necessary to comply with the ISO 27002 (Information Security). According to ISO/IEC [1], information security is the result of a system of policies and procedures, elaborated to identify, control and protect information and any equipment used for its storage, transmission and processing. The collaborators of the services providers which are specialists in information security should be familiarized with the NBR ISO/IEC 27002 [14].
According MacFarlane and Rudd 2005 apud [24] For a company to implement the services management, it is important to establish the processes in accordance to the NBR ISO/IEC 20000-1 requirements:
Configuration Management: Manages, controls and monitors the Configuration Items (CI) existing in the Data Base Configuration Management (DBCM). A CI is any component or element existing in the infrastructure necessary for a service supply;
Incident Management: Manages the deviations (incidents) in the infrastructure, seeking rapid reestablishment of the services. The Incidents Management is devoted to resolving the incident and reestablishing the service supply to the client as quickly as possible, minimizing the impact of the incident on the business. It should also assure that the service quality and availability both meet the ANS’s agreed upon. An incident is classified as any event which is not part of the standard functioning of a service and which causes, or may cause, an interruption in the service or a reduction in its quality, and which has a known solution (known error);
Problem Management: Manages the problems, seeking to identify the root causes, proposing solutions to the problems, eliminating repetitive problems, accelerating the solution time and generating a solutions bank. The objectives of the Problem Management include: increasing the IT infrastructure quality by investigating the causes of the incidents or potential incidents, removing them in a permanent way and proactively preventing new incidents. Once the cause of the problem (a infrastructure flaw) is identified and a solution is established, a problem becomes known as a known error;
Change Management: Manages changes, making sure they are quick, easy, consistent and authorized. The objective of the Change Management is to successfully complete all the adjustments and changes in the IT infrastructure in a systematic way. This way, the risks associated to the service maintenance, and consequently their quality and impact, are maintained at the lowest possible levels;
Release Management: Manages the distributions and the release control of the software, hardware and updates. The Release Management controls the all softwares and hardwares existing in the IT infrastructure in production and it organizes the distribution in operational environments. Only softwares and hardwares which have been verified, tested and approved the Release Management are distributed, once assured that the original versions can be resumed in case of flaws;
Service Level Management (SLM): The objective of the Service Level Management is to make the agreements between the clients and the IT organization clear concerning the type and quality of the services being offered, taking the pertinent actions for its implementations and seeking solutions which assure the compliance to the established levels;
Availability Management: Manages the present, optimizes the service supply chain and follow the business up. The Availability Management identifies, defines and prepares the necessary measure to ensure the required availability by the services, monitoring the reliability and availability in the failures and interruptions and recommending changes so to prevent future losses in the services quality;
Capacity Management: Manages the future, monitoring and evaluating the services development, also planning new businesses. The Capacity Management identifies and specifies the demand and the client’s needs, trying to translate them into constantly monitored resources;
IT Service Continuity Management: Manages disaster, keeping plans for contingency and disasters recovery, business survival, risks and vulnerabilities. The IT Service Continuity Management treats the unexpected interruptions in IT services, preparing and planning recovery and restoration measures and of the IT services;
Financial Management: Manages the effective costs, the financial resources allocation and the Return over Investment – ROI. The Financial Management performs the correct budgetary provision of the IT services, considering involved costs and possible investments benefits, especially in decision making regarding environment changes.
The ABNT NBR ISO/IEC 20000-1 specifies a number of management processes of intimately connected services, as shown by Figure 1.
The authors of this article participated in the elaboration of internal documents (Appendix) according to the services management processes described above.

4. Object of Study Characterization

The company CJHT of remote support in IT, located in Campos dos Goytacazes, in Rio de Janeiro state, is one of the largest Information Technology companies in Brazil, having differentials in the IT products and services provided to large corporations, as well as in the commercialization of equipment, softwares, supplies and accessories as a retailer to all customer audiences. This multiplicity of operations makes the IT remote support company known in the market as complete.
The IT remote support company is 100% Brazilian, majorly acting in states of São Paulo, Rio de Janeiro and the Federal District in the IT Services areas, subdivided into: Infrastructure Management; Printing and Digital Content Solutions; Data Processing Point Outsourcing; WebCom; Systems Development and Maintenance; Projects Office (PMO); Partner Solutions; User Support and Customer Service; Printing Center divided into Offset, Laser, Finishing, Digital Color, among other products and services, besides the CJHT Digital.
The Integrated Management System policy statement is made by the company president and it states that CJHT is a company which supplies the market with products, services and IT solutions, focusing on quality-directed client services. The IMS policy is also extended to the IT Services Management, focusing on information security and environment responsibility, taking into consideration the existing legislation and other environmental and continuous improvement aspects.
The following objectives are extracted from the IMS Policy:
Increase the Company profitability;
Increase customers’ satisfaction – IT Services;
Implement the Integrated Management System in the whole Company;
Rationalize the use of natural resources by the Company;
Assure the recycling of residues generated by the processes covered by the environmental scope;
Promote the collaborators development;
Increase the Company collaborators’ satisfaction;
Keep the availability of a technological environment for the Company;
Assure the compliance of the levels of services hired and/or agreed upon;
Assure the non-occurrence of information security incidents.
The measurement of the objectives listed above is performed through performance indicators and followed-up on a periodic basis.

5. Implementation Process

5.1. Environment

The main motivation for the implementation and consequent certification in the IT Services Management is given by the demand on the contract renewal with the unique client in the segment of the company CJHT.
The other motivations are:
Search for better practices in the market;
Greater participation in restrict market niche;
Increase the quality and the reliability in services provision;
Improve the management of contracts with suppliers and partners.

5.2. Preparation

Once the certification is decided for, the managerial group carries out a meeting to define the implementation strategy of the due standard, as described by Figure 4.
The ISO/IEC 20000 implementation process was performed in fourteen months, with high investment, and consisted of:
Define and approve the scope: a standard and certification scope of work is initially defined and submitted for prior approval by the certifying organization; the hiring of a external consulting with experience in implementation of standards is needed, as well as organizing a project coordination committee, composed by one member from each area (Operations, Quality, IT Solutions, Integrated Management System, Administrative / Procurement and Human Resources). The team is defined by the managerial body according to the profile of each member. There is a periodic videoconference between the consultant and the project coordination committee (locally and at the CJHT headquarters in Brasília) for the implementation of the next steps of the process.
Elaborate and approve project plan: a plan is create by the committee aided by the hired consulting and approved by the areas managers of CJHT;
Figure 4. Services Management Process [1]
Figure 5. ISO/IEC 20000 implementation process
Evaluate the current practices: comparison with the quality management system (ISO 9001) implemented and consistent in the company since 2007;
Compare practices with ISO 20000: a comparison between the requirements of ISO 20000 and ISO 9001 is performed; Elaboration of Service Level Agreement with the client; External Support Agreement with suppliers and Operational Level Agreement among internal areas. Thus integrating a partnership in the implementation of a better provision of remote support services;
Document and evaluate the differences (gap analysis): an electronic spreadsheet with the analysis of what the company which is already certified in the NBR ISO 9001 needs to achieve the NBR ISO/IEC 20000. The requirements are found in the referred standards.
Elaborate Action Plan: An action plan is elaborated for the carrying out of the committee;
Train teams in ITIL, ISO 9001 and 20000: Training and certification in ITIL V.2 (2007) for the managerial body, standard implementation committee and the operational body of the organization; Training on interpretation of the standards NBR ISO/IEC 20000 and NBR ISO/27002 for the committee and the managerial body; Recycling training on ISO 9001:2008;
Define and implement the management system: Review the NBR ISO 9001 documents with the inclusion of IT Management and elaboration of new ones, taking into account the structure of the internal processes of CJHT (Figure 5). The list of the current documents can be consulted in Attachment I of this research;
In order to manage the incidents and problems, the aid tool for internal registration Qualitor Web was purchased. The choice for such tool was due to the fact that it works with the ITIL Service Management standard and it allows changes according to client’s requirement;
Implement ISO 20000 processes: Initiate the application of the documents and adjust; formation of a change committee, composed by the Senior Executive, the Change Manager and the representatives from the units;
Train in management system processes: Carry out awareness event for the whole organization in the revised/new documents made available in the documents management tool DocNix;
Perform Internal Audit: Between August 3rd and 5th, 2009, to check the implementation of the requirements of the due standard. Such activity lasted 3 days and resulted in 32 non-conformities and 16 improvement opportunities, which were treated by the respective areas with the aid of the 20000 committee;
Perform External Pre-Audit: Between September 26th and 27th, 2009, by the Certification organization. Such activity lasted 2 days, and 17 nonconformities were generated, which were treated by the respective areas with the aid of the 20000 committee;
Perform External Final Audit: Between October 21st and 22nd, 2009, by the Certification organization. Such activity lasted 2 days and no nonconformities or observations were registered;
Get a recommendation: The certifying organization delivered the indication letter, once the certification could only be delivered within a one month. This way, there was no need for a follow-up audit, which consists of a verification of the treatment of the inconsistencies found in the certification audit and its closure;
Get the ISO 20000 certification: The certificate was delivered to the company thirty days after the recommendation, when the company was formally declared certified on ISO/IEC 20000. From that moment on, the news was made public to the press, clients and suppliers, and so were the benefits resulting from such achievement.
Figure 5 shows the internal processes structure of the company CJHT, which consists of the relation between the corporate and commercial processes, integrated management, integration aid which support the whole organization and the specific Contact Center (IT Remote Support) process of the Campos dos Goytacazes unit so the Operation area may perform the users’ support service and comply/surpass the client’s satisfaction level.
Continuous improvement process: the company CJHT kept its 20000 committee reducing only its meetings periodicity from weekly to twice a month. This way maintaining the management system of the IT services implemented and searching for the continuous improvement of its result to the client’s view.
Figure 6 presents the implementation timetable of the ISO/IEC 20000 in the company CJHT, composed by task, who is in charge, start date and end date.
Figure 6. Internal processes structure
Figure 7. Implementation Timetable. Source: Internal Documentation from company
The preparation for a certification is a moment that requires extra efforts from the organization members, for it is a period of time of continuous learning on the internal processes. Especially about the commitment of the managerial body so the improvement suggestions may be executed in time.

5.3. Processes

Work focused on processes is constituted by the four premises below:
Planning: Study the contract with the client and elaborate the Services Management Plan – SMP – including the implementation of the service management; issuance of service management processes; processes changes and new services.
The collaborators which perform activities in service management are capacitated based on education, training, skills and experience;
Implementation: Follows what is defined in the SMP regarding incidents and problems management; changes and release management; management of availability, capacity, continuity and configuration and continuous quality;
Service Provision: This process regards the definition, the agreements, the records and the services levels management;
Measurement and Monitoring: The performance compared to defined goals for service, client’s satisfaction, resources capacity use, tendencies and greater nonconformities are all monitored, measured and critically analyzed.
The focus on the processes was used when implementing the NBR ISO/IEC 20000, so it is believed the IT services management was performed in a thorough way.

6. Conclusions

6.1. Concerning the Objectives

The general objective of the research is reached through the elaboration of a detailed certification process, with all the implementation items detailed and accomplished.
The specific objectives are met the following way:
Definition of research methodology and strategy, classifying it as action-research;
Description of IT Management Services and its integration with the IT Governance, COBIT and ITIL, besides the NBR ISO 9001 and 27002 standards;
Mentioning the systematic of integrated management system audits;
Description of the object of case study;
Mentioning the implementation process of the NBR ISO 9001:2008;
Performing the critical analysis of the listed bibliographic references.
This way, it is possible to conclude that all the objectives were reached with the execution of this present research.

6.2. Concerning the Research

Managing the IT services became a critical task and a challenge for managers, once it is responsible for 60% to 90% of the total costs of its ownership [7]. This research presented an entire documented certification process in the ISO 20000, and contributed to the scientific communication being an important reference for future similar processes for comparisons.
According to Heldman [25], the lessons learned are the information collected and documented during the project which may be used for the benefit of the current project, future projects or any projects which may be under execution by the organization. Such lessons may be either positive or negative. During a project, knowledge should be transferred, integrated, created and explored in order to create new organizational value. This way, to obtain a ISO/IEC 20000 certification, collect information and meetings of the lessons learned were performed during all the project phases. The main results obtained after the implementation of the IT services management in the company CJHT were:
Benefits for the organization:
− Provide managed services to satisfy the business and the client, at a reasonable cost;
− Solve problems of continuity, availability, capacity of services supplied;
− Provide tools to comply with the level of hired services;
− Keep the Company competitive edge in the market;
− Keep current and future contracts with the client.
Benefits for the collaborators
− Work in a company which performs activities based on orientations and standards for services provision accepted worldwide;
− Acquire professional growth practices in the Company.
Difficulties encountered
− Interpretation of the NBR ISO 9001:2008 to implement the requirements, even after the training given on such standard;
− Physical distance of the consultant, being him in Brasília, causing the meetings to be help through video-conference;
− Conciliation of the ordinary activities and the activities of standard implementation, by the 20000 committee;
− Need of customization of the bought tool, Qualitor Web, to adequate it to the company business;
− Focus on the infrastructure area, causing considerable changes in the work routine and thus resistance.
Thusly, the organization understands that the IT services management must be used to assure the service provision in the best possible way.
The costs from the implementation of such standard and its consequent certification are high in comparison to the obtained results, because the client did not consider it as a requirement, but as a bonus, in his next order, once the other competitors had not implemented such standard in the organizations.
In the case of the company being studies, the use of action-research was attempted due to the direct participation of the authors in the project and academic studies. The objective of the action-research was to solve a problem and contribute to the academic area with the research. The main relevance of this research was to establish a reference model for the ISO/IEC 20000 implementation and certification. The reference presented here has a prescriptive characteristic, being available to be used by any provider which wishes to initiate a project of this caliber. It was also attempted to present the results and lessons learned in a clear way, serving as base for future studies about the subject.

6.3. Concerning Future Researches

This present research allows new analysis in various aspects to be implemented, such as:
Analyze qualitative and quantitative benefits in a mid to long term from the implementation of the standard;
Elaborate a market study evidencing the effect of the certification on the companies which got certified;
Elaborate a management model to aid the certification maintenance;
Analyze the requirements for implementing the ISO 9001, 20000 and 27002, evidencing the common grounds and how to simplify the parallel maintenance of such certifications, complying with all of their requirements.
In general, it is suggested that the subject be researched upon after implementation so to open a quite vast range of possibilities which shall serve as initial idea to numerous further researches.


The authors are grateful to the Fluminense Federal Institute, for supporting the research, and to the Company, for allowing the employees sharing its cultural knowledgement to the science progress.


Internal documents of company CJHT:


[1]  ISO/IEC, “ISO/IEC 20000-1: Information technology - Service management - Part 1: Service management system requirements.” ISO - International Organization for Standardization, 04-Dec-2011.
[2]  ABNT, “NBR ISO 20000:1: Tecnologia da Informação – Gerenciamento de Serviços. Parte 1, Especificação,” Associação Brasileira de Normas Técnicas, Rio de Janeiro, Padrão 20000:1, 2008.
[3]  G. S. Santos and F. C. de Campos, “Integração das Normas ISO 20000 e ISO 9001 em Gestão de Serviços de TI [Integration of ISO 20000 and ISO 9001 in IT Service Management],” in XII Simpósio de Administração da Produção, Logística e Operações Internacionais, São Paulo, 2009, p. 16.
[4]  BSI, “Manual de Treinamento ISO 20000 Auditor [Training Manual ISO 20000 for Auditor],” Bristish Standard Institute, São Paulo, 2008.
[5]  APM Group, “ISO/IEC 20000 Certified Organizations,” ISO/IEC 20000 Organizational Certification Scheme, 2009. .
[6]  APM Group, “ISO/IEC 20000 white paper,” The IT Service Managment Forum, United Kingdon, 2012.
[7]  S. D. Galup, R. Dattero, J. J. Quan, and S. Conger, “An overview of IT service management,” Communications of the ACM, vol. 52, no. 5, p. 124, May 2009.
[8]  E. L. S. Silva and E. M. M. Menezes, Metodologia da Pesquisa e Elaboração de Dissertação, 4th ed. Florianópolis: UFSC, 2005.
[9]  R. K. Yin, Estudo de caso. Porto Alegre: Bookman, 2005.
[10]  V. L. Paes, H. R. M. da Hora, and L. E. V. Viera, “Utilização dos princípios da qualidade na implantação de um sistema de gestão da qualidade (SGQ) em uma empresa de saneamento básico,” in XV Simpósio de Engenharia de Produção, Bauru, 2008, vol. 2, p. 12.
[11]  M. T. Walter, “The implementation of ISO 9001: 2000 standard on the Brazilian Supreme Court’s Library,” Ciência da Informação, vol. 34, no. 1, pp. 104–113, Jan. 2005.
[12]  ISACA, “COBIT 5 - A Business Framework for the Governance and Management of Enterprise IT,” Information Systems Audit and Control Association, 2014. [Online]. Available: [Accessed: 07-Feb-2014].
[13]  C. Lahti and R. Peterson, Sarbanes-Oxley: conformidade usando COBIT e ferramentas open source. Rio de Janeiro: Alta Books, 2006.
[14]  S. Sahibudin, M. Sharifi, and M. Ayat, “Combining ITIL, COBIT and ISO/IEC 27002 in Order to Design a Comprehensive IT Framework in Organizations,” in Second Asia International Conference on Modeling Simulation, 2008. AICMS 08, 2008, pp. 749–753.
[15]  E. A. P. Moraes and S. R. H. Mariano, “Uma Revisão dos Modelos de Gestão Em TI [A Management Models in IT Review],” presented at the IV Congresso Nacional de Excelência em Gestão, Niterói, 2008.
[16]  ITGI, “Cobit Framework,” Steering Committee and IT Governance Institute, Technical Report, 2007.
[17]  I. L. Magalhães and W. B. Pinheiro, Gerenciamento de serviços de TI na prática: uma abordagem com base na ITIL. São Paulo, SP: Novatec, 2007.
[18]  L. M. Shimada and M. V. C. Júnior, “Aplicação do ITIL e ISO/IEC 20000 na Gestão de Serviços de Suporte em Microinformática,” Revista da Pós-Graduação, vol. 1, no. 2, Mar. 2008.
[19]  S. M. de C. Lopes, V. G. André, and J. M. S. das Neves, “Governança de TI - um estudo sobre ITIL e COBIT [IT governance - a study on ITIL and COBIT],” presented at the VII SEGeT – Simpósio de Excelência em Gestão e Tecnologia, Resende, 2010.
[20]  W. C. G. Neves, “Diretrizes para a Implantação da Governança de Tecnologia da Informação com Base no Cobit, a partir de ISO 9001: Aspectos de Gerenciamento de Projetos,” Mestrado em Gestão do Conhecimento e Tecnologia da Informação, Universidade Católica de Brasília (UCB), Brasília, 2007.
[21]  ABNT, “NBR ISO 9000:2005: Sistemas de gestão da qualidade - Fundamentos e vocabulário,” Rio de Janeiro, 30-Dec-2005.
[22]  ABNT, “NBR ISO 9001:2008 - Sistemas de gestão da qualidade,” Rio de Janeiro, 28-Nov-2008.
[23]  S. Polter, T. Verheijen, and L. van Selm, ISO/IEC 20000: An Introduction. Ireland: Van Haren Publishing, 2008.
[24]  C. Z. Calvi, “Gerenciamento de Serviços de TI e Modelagem do Processo de Configuração ITIL em uma plataforma de serviços sensíveis a contexto,” Master in Informatics, Universidade Federal do Espírito Santo (UFES), Vitória, 2007.
[25]  K. Heldman, Project management jumpstart. Hoboken, NJ: Wiley, 2011.