We offer here a sample SLA that represents good service level management practice. It should be used as a guide rather than a template since each organisation is unique and, if used as a template, the sample may be either deficient or irrelevant in some areas.
SAMPLE SERVICE LEVEL AGREEMENT
| Effective date: |
| Document owner: |
Version
Approvals
Approver sign-off is to signify agreement or acceptance of the document. Reviewer sign-off is to signify that they have read the document. All other recipients need take no further action.
2. Service availability and service hours
2.1 Planned maintenance and service exceptions
3. Help and service support service levels
3.1 Help and support available if you have an issue with the service
3.2 Major incident management and disaster recovery invocation
3.3 IT services response and target fix times
4.1 Sites/business functions covered by this agreement
This is a service level agreement (SLA) between IT service delivery and the organisation (referred to here on in as the business) and is intended to provide a high-level overview of the service levels the business can expect from key IT services.
This SLA shall remain valid until revised or terminated and will document:
• the key IT services provided to the business;
• the general levels of response, availability and maintenance associated with these services;
• the responsibilities of IT service delivery and the business.
This SLA is underpinned by operating level agreements (OLAs) with internal support providers (e.g. internal IT support teams) and underpinning contracts (UCs) with external service providers.
The SLAs contained in this document will initially be monitored and adjusted quarterly. Any revisions to this document will be communicated to the review and sign-off personnel.
Thereafter, an annual review and sign-off of this document will take place to ensure the service levels are still relevant to meeting business requirements.
This SLA will cover the following business services:
Service 1
Service 2
Service 3
Service 4
Application 1
Application 2
Application 4
Application 5
Application 6
2. SERVICE AVAILABILITY AND SERVICE HOURS
Production gold and silver services will be available for use 24 hours a day, 7 days a week, excluding planned maintenance weekends, emergency maintenance or in the event of a major incident (i.e. an incident with either the highest priority or the highest impact). The service level standards are specific measurable characteristics of the service levels, such as availability, performance, resilience and response. Table 2.1 sets out the key characteristics of the three service level standards.
Table 2.1 Key characteristics of the service level standards
Note: N = point in time at which disaster recovery is invoked. This will be after the diagnosis of an incident has been completed and assessed as representing a major incident.
2.1 Planned maintenance and service exceptions
Once a month, there may be an outage of up to six hours to allow for essential planned maintenance to be carried out on one or more services (or service components). This will usually be scheduled for the second weekend in the month, commencing at 9pm on Friday.
Dates will be published three months in advance and maintained on the change management schedule. For an up-to-date change management and maintenance schedule, please refer to the corporate intranet.
Planned maintenance is work that is approved by the IT CAB, and therefore this time is excluded from the availability calculation.
To minimise business impact, IT service delivery will endeavour to complete emergency maintenance outside core service hours and provide as much notice as possible. However, if a situation is critical it may be necessary to interrupt availability of a service at short notice.
To minimise the risk to our production environment during peak business periods, changes requested through projects, requests or planned maintenance may not be permitted during the change freeze. Table 2.2 illustrates the peak business periods.
| Period | Business reason |
| November, December and January | Peak trading, particularly post-Christmas |
| March and April | Finance very busy before and after financial year end |
3. SERVICE LEVELS FOR HELP AND SUPPORT
3.1 Help and support available if you have an issue with the service
The IT service desk is the single point of contact for all IT-related incidents, and any IT-related incident that impacts a user’s ability to use IT services should be reported to the IT service desk. Unless otherwise stated, the IT service desk is available 24 hours a day, 7 days a week. Please note that the level of resource on the service desk flexes in line with the business day, that is, there is a higher level of resource covering the hours of 8am to 6pm (UK time) Monday to Friday – these are referred to as ‘core service hours’.
Contact details:
Phone: Internal: nnnn (DDI: nnnn nnn nnnn).
Email: [email protected] (for reporting of non-urgent incidents only)
3.2 Major incident management and invocation of the IT service continuity plan
In the event of an incident that causes significant business disruption, the major incident process is initiated. Communication to impacted users will be from the IT service desk, either by means of email or telephone, to key business users at all affected sites. Regular updates will be provided hourly or more frequently, depending on the nature and status of the incident.
All priority 1 incidents as agreed against the SLA will be managed by a dedicated incident manager throughout the life cycle of the incident. The incident manager will follow the major incident management process, ensuring that:
• swift communication and effective updates are supplied to the business;
• the incident is managed effectively;
• a timely resolution is found.
Once resolved, the major incident manager will also provide a reason-for-outage report to the business within five working days, summarising the incident and actions to be taken as preventative measures in the future.
In the event that a major incident to the service necessitates a level of recovery that requires utilising the continuity environment, IT management, in conjunction with the business continuity management team, will invoke the IT service continuity plan.
The plan provides a method for invoking a failover of the production environment to the continuity environment and a basis for running services in this environment, perhaps at a reduced service level for an agreed period of time.
3.3 IT services response and target fix times
Table 3.1 shows the response and target fix times for Gold, Silver and Bronze services by priority.
Table 3.1 Incident response and target fix times
Note: Response = IT resolver group (for example, server support team) response to an incident in the form of a communication to the end-user acknowledging the incident and information on what steps are to be taken to resolve the incident, if they are known at that time.
A priority value (1 to 4; see Table 3.2) is given to every incident to indicate its relative importance in terms of business impact and urgency, in order to ensure the appropriate allocation of resources and to determine the time frame within which action is required.
| Priority | Business impact |
| Critical (P1) | Critical visibility incident such as any of the following:
• nn users affected; • major impact on financial processes; • cost impact >£10,000; • services not available – no usable or productive workaround available. |
| High (P2) | Major visibility incident such as any of the following:
• 25 to 49 users affected; • degradation in system response times or loss of system functionality; • moderate impact on financial processes, cost impact £2,000–10,000; • services partially unavailable for short periods. |
| Medium (P3) | Minor visibility incident such as any of the following:
• 10 to 25 users; • minimum loss of system functionality; • minor impact on financial processes; • cost impact <£2,000. |
Limited or no visibility incident, where: • no direct impact on users or clients; • system resource low, but no impact yet; • reduced system capacity (e.g. emergency maintenance); • no impact on financial processes. |
|
Business responsibilities and/or requirements in support of this agreement include the following.
• To facilitate restoration of IT service with minimal business impact within agreed SLA and business priorities, IT incidents should only be reported to the IT service desk.
• Availability of business process owners when resolving a service-related incident or request.
• The business requirements for new and modified IT services are subject to acceptance by IT governance and business sponsors. SLAs will be discussed and agreed at the start of the project.
• Attendance at monthly IT reviews with the SLM. Core business attendees are required to attend or assign a delegate to attend in their absence.
• Any increases to the current business unit personnel headcount (see Section 4.1 below) of 5 per cent or more must be communicated to IT service delivery in advance so that the potential impact on the agreed service levels in this document can be assessed.
• Participating in business continuity tests, as follows.
▪ Availability of business process owners and/or service owners to participate in the tests.
▪ Coordinate the business resources.
▪ Execute the test as per the agreed test plan.
▪ Produce the business report for business continuity management.
▪ Planned test schedules will be agreed with the business one month in advance ensuring all third party obligations are incorporated and understood.
▪ Production service failover to disaster recovery will be tested twice yearly.
• Supporting the IT security policy, as follows.
▪ Interruptions to availability of a service due to non-compliance with the ‘IT Acceptable Use Policy’ are not covered by this agreement.
▪ Compliance with the corporate security policy. Please refer to the following documents that are available on the corporate intranet:
– IT Security Manual – all users
– IT Acceptable Use Policy
– IT Data Classification Policy
– Fraud Policy and procedures
• Standards and guidelines on data protection are available on the corporate intranet from time to time and all signatories must undertake to review these documents, in particular data security breach management.
4.1 Sites/business functions covered by this agreement
Table 4.1 lists the sites/offices covered by this agreement.
KBS 1
KBS 1 is the service that…
KBS 2
KBS 2 is the service that…
KBS 3
KBS 3 is the service that…
KBS 4
KBS 4 is the service that…
For further information, please refer to Table 2.1.
| Services | Service level standard |
| KBS 1 | Gold |
| KBS 2 | Gold |
| KBS 3 | Gold |
| KBS 4 | Silver |
Service reports will be made available on a monthly basis and will be issued prior to the monthly service review chaired by the SLM. The reports will detail performance against service levels in addition to key metrics, such as those contained in Table 5.2, that the business depends on to perform vital business functions.
| Business service | Key performance measures |
| KBS 1 | Measure 1 Measure 2 |
| KBS 2 | Measure 1 Measure 2 |
| KBS 3 | Measure 1 Measure 2 |
| KBS 4 | Measure 1 Measure 2 |
The adoption of new metrics will be based on criteria such as whether they are required by the business, whether they are measured each month and whether the necessary toolsets/skills are in place to capture such metrics.