866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Introducing ISO 20000-1 Blog Feature
Daniel Valentin

By: Daniel Valentin

Print/Save as PDF

Introducing ISO 20000-1

ISO Certifications

Ever seen one of those cheesy romcoms where the protagonist realizes the right person for them has been in front of their eyes the whole time? Maybe they were just friends before, maybe they ran in different circles, or maybe they were distracted by other people. But then circumstances align and what previously wasn’t even a possibility they realize is precisely the right path.

At Schellman, we’re less matchmakers than providers of cybersecurity assessments, but consider this: according to a recent ISO survey, ISO/IEC 20000-1:2018 (ISO 20000-1) saw a 50% increase in worldwide certificates from 2020 to 2021.

When you think about ISO, you likely think of the incredibly popular ISO 27001 standard—not ISO 20000-1. But why has the latter seemingly, suddenly shot to more prominence?

Maybe your organization and ISO/IEC 20000-1 are right for one another, or maybe you’re not, but in this article, we’re going to help you understand one way or the other. We’ll delve into what ISO 20000-1 is and its requirements before we lay out exactly how it can help you.

Don’t miss out on what might be a perfect match for your organization—read on to find out if ISO 20000-1 is it.

What is ISO 20000-1?

As just one of the many standards of ISO, ISO 20000-1 is an international standard that defines the requirements for the development, implementation, monitoring, maintenance, and continuous improvement of an IT service management system (SMS).

Adopting an SMS means making a strategic decision that’s influenced by your objectives, the governing body, other parties involved in the service lifecycle, and the need for effective and resilient services. Once implemented, operating an SMS will provide ongoing visibility, better and centralized control of services, and continual improvement, leading to greater effectiveness and efficiency.

Though the ISO 20000-1 standard was originally published in 2005, the updates made in 2018 aligned the clause structure with the common high level structure (HLS) for management system standards—a move that has made it easier for you to align or integrate multiple management system standards. For example, an SMS can be integrated with:

  • An information security management system (ISMS) based on ISO/IEC 27001:2022 (ISO 27001);
  • A quality management system (QMS) based on ISO 9001:2015 (ISO 9001); or
  • A business continuity management system based on ISO 22301:2019 (ISO 22301).

(If you’re at all familiar with ISO 9001 and the QMS, you might be wondering if ISO 20000-1 and the SMS are actually all that different, but yes, they are—ISO 20000-1 and the SMS include additional requirements that are specifically related to your actual service.)

Based on the IT Infrastructure Library (ITIL)—a best practice framework—this standard isn’t just applicable or helpful for IT infrastructure. The ISO 20000-1 requirements are generic and can be appropriate for organizations of all sizes and industries, as well as for different other services, including cloud services and business process outsourcing.

Below represents how ISO 20000-1 relates to the ITIL and Control Objectives for Information and Related Technologies (COBIT) frameworks:

What is ISO 20000-1 Table

What Are the ISO 20000-1 Requirements?

When it comes to actually implementing an SMS, the clauses within the ISO 20000-1 standard are structured so that you can choose how to combine the requirements into your processes, which provides a bit of flexibility for each organization regarding its customers, users, and other interested parties.

Let’s examine these clauses 4-10 that lay out the requirements, including those specific operational ones found in clause 8:

Service Management System (SMS)

Context of the Organization (Clause 4)

Organization and its Context

Interested Parties

Scope of the SMS

Establish the SMS

Leadership (Clause 5)

Leadership and Commitment

Policy

Roles, Responsibilities, and Authorities

Planning (Clause 6)

Risks and Opportunities

Objectives

Plan the SMS

Support of the SMS (Clause 7)

Resources

Competence

Awareness

Communication

Documented Information

Knowledge

Operation of the SMS (Clause 8)

Operational Planning & Control

Relationship and Agreement

  • Business Relationship Management
  • Service Level Management
  • Supplier Management

Service Design, Build, & Transition

  • Change Management
  • Service Design and Transition
  • Release and Deployment Management

Service Portfolio

  • Service Delivery
  • Plan the Service
  • Control the Parties Involved in the Service Lifecycle
  • Service Catalog Management
  • Asset Management
  • Configuration Management

Supply & Demand

  • Budgeting & Accounting for Services
  • Demand Management
  • Capacity Management

Service Assurance

  • Service Availability Management
  • Service Continuity Management
  • Information Security Management

Performance Evaluation (Clause 9)

Improvement (Clause 10)
  • Monitoring, Measurement, Analysis, & Evaluation
  • Internal Audit
  • Service Reporting
  • Management Review

You’ll note that these do not represent a structural hierarchy, sequence, or different authority levels. There is no requirement for how you should apply these to your SMS, nor is there a requirement for your terms to be replaced by the standard’s specified terms—this is all up to you, to choose what suits your operations.

However, an SMS cannot exclude any of the requirements specified in the ISO 20000-1 standard. That flexibility lies in your combination and coordination of the following as they relate to service management:

  • Objectives
  • Policies
  • Processes
  • Resources
  • Documentation

Implementing ISO 20000-1

As with all ISO management systems, ISO 20000-1 follows the Plan Do Check Act (PDCA) Methodology and Structure for effective implementation. We can match these clauses to the PDCA cycle as such:

What is ISO 20000-1 Clauses

PDCA should continue through the life of your SMS, though it’s designed, you can focus on the Do / Check / Act steps. However, when you introduce changes—things like scope expansions, changes in leadership or process, and changes in the risk landscape—at that point, you’d need to reassess and revise the Plan (clauses 4, 5, 6, and 7) and then follow the Do / Check / Act on those changes.

For help with implementation, ISO/IEC 20000-2 provides guidance on the application of service management systems, including examples of how to meet the requirements specified in ISO 20000-1.

Benefits of ISO 20000-1

But once in place, if your SMS is effective, it should empower you to more easily direct and control the related activities, including the identification and mitigation of relevant risks so that you can more clearly realize any opportunities to improve.

Here are some other advantages you can reap from being certified against ISO 20000-1:

  • Competitive Advantage:Implementing an SMS will help you provide more efficient and effective services—that reliability, including the independent certification confirming such, will give you a significant differentiator when compared to your competitors.
  • New Doors Opened: To do business with the American federal government, contractors must first get certified against ISO 20000 in order to compete.
  • Increased Internal Productivity and Control:Because you’ll have standardized everything—including creating documents for relevant policies and procedures—your personnel should experience less confusion and increased efficiency in their roles.
  • Potentially Reduced Compliance Costs: Implementation of this standard can reduce your costs of conformance with other regulations like Sarbanes-Oxley and PCI DSS—both of which would be easier and cheaper to meet with a certified SMS in place.
  • Culture of Improvement: Being ISO 20000-1 certified, you’ll be obligated to continuously take into account the concerns and needs of your customers and improve your processes accordingly. But the established deeper understanding of your service management that you’ll have will also allow you to find opportunities for improvement in other areas as well.
  • Increased Customer Confidence: And of course, the most important benefit of all—ISO 20000-1 and its focus on quality service will mean you score more points with your customer base.

Next Steps for ISO 20000-1 Certification

An SMS supports the lifecycle of your service, including the planning, design, transition, delivery, and improvement, as well as meeting the agreed requirements, while also delivering value for both you and users of the service.

In setting a high standard for your service management processes, an ISO 20000-1 certificate demonstrates that you’ve implemented the right management procedures to deliver efficient and reliable services. Not only that but your customers will understand and appreciate that you’re committed to regularly monitoring, reviewing, and improving those services.

Now that we’ve shed light on this possible option, maybe you’re realized that it’s actually perfect for your needs. Or maybe you want to continue researching other helpful ISO standards, in which case we’ve also got you covered—read our other content on the different certifications so that you can feel even more secure in your path forward:

About Daniel Valentin

Daniel Valentin is a Manager with Schellman based in Tampa, Florida. Prior to joining Schellman in 2014, Daniel worked as an Internal Auditor in the industry as part of a Risk Management department specializing in physical safety and security for over 150 locations in the U.S. and Puerto Rico. Before focusing his career on professional services, Daniel worked as a Corporate Internal Auditor specializing in audit and compliance which included Sarbanes-Oxley (SOX), Mergers and Acquisitions (M&A), and fraud investigations where he gained experience in IT system analysis and project management. Daniel is now focused primarily on ISO certifications for organizations across various industries.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.