ISO 20000-1: An Introduction

Ever seen one of those cheesy romcoms where the protagonist realizes the right person for them has been in front of their eyes the whole time? Maybe they were just friends before, maybe they ran in different circles, or maybe they were distracted by other people. But then circumstances align, and what previously wasn’t even a possibility, they realize, is precisely the right path.

At Schellman, we’re less matchmakers than providers of cybersecurity assessments, but consider this: according to a recent ISO survey, ISO/IEC 20000-1:2018 (ISO 20000-1) saw a 50% increase in worldwide certificates from 2020 to 2021.

When you think about ISO, you likely think of the incredibly popular ISO 27001 standard—not ISO 20000-1. But why has the latter seemingly, suddenly shot to more prominence?

Maybe your organization and ISO/IEC 20000-1 are right for one another, or maybe you’re not, but in this article, we’re going to help you understand one way or the other. We’ll delve into what ISO 20000-1 is and its requirements before we lay out exactly how it can help you.

Don’t miss out on what might be a perfect match for your organization—read on to find out if ISO 20000-1 is it.

What is ISO 20000-1?

As just one of the many standards of ISO, ISO 20000-1 is an international standard that defines the requirements for the development, implementation, monitoring, maintenance, and continuous improvement of an IT service management system (SMS).

Adopting an SMS means making a strategic decision that’s influenced by your objectives, the governing body, other parties involved in the service lifecycle, and the need for effective and resilient services. Once implemented, operating an SMS will provide ongoing visibility, better and centralized control of services, and continual improvement, leading to greater effectiveness and efficiency.

Though the ISO 20000-1 standard was originally published in 2005, the updates made in 2018 aligned the clause structure with the common high-level structure (HLS) for management system standards—a move that has made it easier for you to align or integrate multiple management system standards. For example, an SMS can be integrated with:

  • An information security management system (ISMS) based on ISO/IEC 27001:2022 (ISO 27001);
  • A quality management system (QMS) based on ISO 9001:2015 (ISO 9001); or
  • A business continuity management system based on ISO 22301:2019 (ISO 22301).

(If you’re at all familiar with ISO 9001 and the QMS, you might be wondering if ISO 20000-1 and the SMS are actually all that different, but yes, they are—ISO 20000-1 and the SMS include additional requirements that are specifically related to your actual service.)

Based on the IT Infrastructure Library (ITIL)—a best practice framework—this standard isn’t just applicable or helpful for IT infrastructure. The ISO 20000-1 requirements are generic and can be appropriate for organizations of all sizes and industries, as well as for other kinds of services, including cloud services and business process outsourcing.

The figure below shows how ISO 20000-1 relates to the ITIL and Control Objectives for Information and Related Technologies (COBIT) frameworks:

(Figure: ISO 20000-1 and COBIT and ITIL)

What Are the ISO 20000-1 Requirements?

When it comes to actually implementing an SMS, the clauses within the ISO 20000-1 standard are structured so that you can choose how to combine the requirements into your processes, which provides a bit of flexibility for each organization regarding its customers, users, and other interested parties.

Let’s examine clauses 4 through 10, which lay out the requirements, including the specific operational ones found in clause 8:

Service Management System (SMS)

Context of the Organization (Clause 4)

  • Organization and its Context
  • Interested Parties
  • Scope of the SMS
  • Establish the SMS

Leadership (Clause 5)

  • Leadership and Commitment
  • Policy
  • Roles, Responsibilities, and Authorities

Planning (Clause 6)

  • Risks and Opportunities
  • Objectives
  • Plan the SMS

Support of the SMS (Clause 7)

  • Resources
  • Competence
  • Awareness
  • Communication
  • Documented Information
  • Knowledge

Operation of the SMS (Clause 8)

Operational Planning & Control

Relationship and Agreement

  • Business Relationship Management
  • Service Level Management
  • Supplier Management

Service Design, Build, & Transition

  • Change Management
  • Service Design and Transition
  • Release and Deployment Management

Service Portfolio

  • Service Delivery
  • Plan the Service
  • Control the Parties Involved in the Service Lifecycle
  • Service Catalog Management
  • Asset Management
  • Configuration Management

Supply & Demand

  • Budgeting & Accounting for Services
  • Demand Management
  • Capacity Management

Service Assurance

  • Service Availability Management
  • Service Continuity Management
  • Information Security Management

Performance Evaluation (Clause 9)

  • Monitoring, Measurement, Analysis, & Evaluation
  • Internal Audit
  • Service Reporting
  • Management Review

Improvement (Clause 10)

  • Nonconformity and Corrective Action
  • Continual Improvement

You’ll note that these do not represent a structural hierarchy, sequence, or different authority levels. There is no requirement for how you should apply these to your SMS, nor is there a requirement for your terms to be replaced by the standard’s specified terms—this is all up to you, to choose what suits your operations.

However, an SMS cannot exclude any of the requirements specified in the ISO 20000-1 standard. That flexibility lies in your combination and coordination of the following as they relate to service management:

  • Objectives
  • Policies
  • Processes
  • Resources
  • Documentation

Implementing ISO 20000-1

As with all ISO management systems, ISO 20000-1 follows the Plan-Do-Check-Act (PDCA) methodology and structure for effective implementation. We can map the clauses to the PDCA cycle as follows:

(Figure: PDCA methodology & ISO 20000-1. Plan: clauses 4 through 7; Do: clause 8; Check: clause 9; Act: clause 10.)

PDCA should continue through the life of your SMS; once it’s designed, you can focus on the Do / Check / Act steps. However, when you introduce changes—things like scope expansions, changes in leadership or process, and changes in the risk landscape—you’d need to reassess and revise the Plan (clauses 4, 5, 6, and 7) and then follow Do / Check / Act on those changes.

For help with implementation, ISO/IEC 20000-2 provides guidance on the application of service management systems, including examples of how to meet the requirements specified in ISO 20000-1.

Benefits of ISO 20000-1

Once in place, an effective SMS should empower you to more easily direct and control the related activities, including the identification and mitigation of relevant risks, so that you can more clearly realize any opportunities to improve.

Here are some other advantages you can reap from being certified against ISO 20000-1:

  • Competitive Advantage: Implementing an SMS will help you provide more efficient and effective services—that reliability, including the independent certification confirming it, will give you a significant differentiator when compared to your competitors.
  • New Doors Opened: To do business with the American federal government, contractors must first get certified against ISO 20000 in order to compete.
  • Increased Internal Productivity and Control: Because you’ll have standardized everything—including creating documents for relevant policies and procedures—your personnel should experience less confusion and increased efficiency in their roles.
  • Potentially Reduced Compliance Costs: Implementation of this standard can reduce your costs of conformance with other regulations like Sarbanes-Oxley and PCI DSS—both of which would be easier and cheaper to meet with a certified SMS in place.
  • Culture of Improvement: Being ISO 20000-1 certified, you’ll be obligated to continuously take into account the concerns and needs of your customers and improve your processes accordingly. The deeper understanding of your service management that you’ll establish along the way will also allow you to find opportunities for improvement in other areas.
  • Increased Customer Confidence: And of course, the most important benefit of all—ISO 20000-1 and its focus on quality service will mean you score more points with your customer base.

Next Steps for ISO 20000-1 Certification

An SMS supports the lifecycle of your service, including the planning, design, transition, delivery, and improvement, as well as meeting the agreed requirements, while also delivering value for both you and users of the service.

In setting a high standard for your service management processes, an ISO 20000-1 certificate demonstrates that you’ve implemented the right management procedures to deliver efficient and reliable services. Not only that, but your customers will understand and appreciate that you’re committed to regularly monitoring, reviewing, and improving those services.

Now that we’ve shed light on this possible option, maybe you’ve realized that it’s actually perfect for your needs. Or maybe you want to continue researching other helpful ISO standards, in which case we’ve also got you covered—read our other content on the different certifications so that you can feel even more secure in your path forward.

About the Author

Daniel Valentin

Daniel Valentin is a Manager with Schellman based in Tampa, Florida. Prior to joining Schellman in 2014, Daniel worked as an Internal Auditor in the industry as part of a Risk Management department specializing in physical safety and security for over 150 locations in the U.S. and Puerto Rico. Before focusing his career on professional services, Daniel worked as a Corporate Internal Auditor specializing in audit and compliance which included Sarbanes-Oxley (SOX), Mergers and Acquisitions (M&A), and fraud investigations where he gained experience in IT system analysis and project management. Daniel is now focused primarily on ISO certifications for organizations across various industries.
