An Introduction to ISO/IEC 20000:2018


What is ISO/IEC 20000?

ISO/IEC 20000 is an international standard consisting of a number of requirements that an organisation can be formally audited against to show that it is proficiently operating its service delivery to a pre-determined ‘standard’. Its full title is ISO/IEC 20000 Information technology – Service management, sometimes shortened to ISO 20000 (or ISO20000).

Organisations that operate service management can be assessed against ITIL®, but ITIL is a best practice framework that allows an organisation to be selective about which elements it adopts: there is no minimum number of processes that must be performed, nor any stipulation of which parts of a process need to be performed. ISO/IEC 20000, by contrast, specifies a set of processes and an over-arching management framework (known as a service management system) that must be effectively performed and managed, with evidence shown of that.

There are a number of parts to ISO/IEC 20000, but it is Part 1 (Service management system requirements) that specifies the mandatory aspects that any organisation must perform (and show evidence of) in order to achieve certification. The other parts of ISO/IEC 20000 that currently exist (as at November 2018) are:

  • ISO/IEC 20000-2: 2012 – Guidance on the application of service management systems
    • Guidance and recommendations to support the implementation of Part 1
  • ISO/IEC 20000-3: 2012 – Guidance on scope definition and applicability of ISO/IEC 20000-1
    • Provides guidance on scope definition and applicability. It is used in certification schemes and at the early stages of planning the implementation of ISO/IEC 20000
  • ISO/IEC 20000-4: 2010 – Process reference model
    • Describes processes at an abstract level in terms of purpose and outcomes (Note: due to be withdrawn and included within the ISO 33000 series)
  • ISO/IEC 20000-5: 2013 – Exemplar implementation plan for ISO/IEC 20000-1
    • Example implementation guide; this is planned for a major revision as it is not current
  • ISO/IEC 20000-6: 2017 – Requirements for bodies providing audit and certification of service management systems
    • Published in 2017 and is applicable for both 2011 and 2018 editions
  • ISO/IEC 20000-7 – Guidance on the Integration and Correlation of ISO/IEC 20000-1:2018 to ISO 9001:2015 and ISO/IEC 27001:2013
    • A new standard currently under development
  • ISO/IEC 20000-9: 2015 – Guidance on the application of ISO/IEC 20000-1 to cloud services
    • Due to be withdrawn as the key elements from it are now included in Part 1
  • ISO/IEC 20000-10: 2018 – Concepts and vocabulary
    • Latest version published 18th September 2018 and is aligned with the new Part 1
  • ISO/IEC 20000-11: 2015 – Guidance on the relationship between ISO/IEC 20000-1:2011 and service management frameworks: ITIL®
    • Awaiting publication of ITIL4 in early 2019 before commencing work on updating the content
  • ISO/IEC 20000-12: 2016 – Guidance on the relationship between ISO/IEC 20000-1:2011 and service management frameworks: CMMI-SVC®
    • Update activities to align this with the 2018 edition of Part 1 have started, but publication not likely until 2020
  • ISO/IEC 20000-13 – Guidance on the relationship between ISO/IEC 20000-1:2011 and service management frameworks: COBIT
    • Development of this new standard has commenced, but is not due for publication until 2020

The Standard provides senior business and IT managers with a method of measuring the effectiveness and efficiency of the IT service operation, assuring compliance and governance. Part 1 contains the mandatory aspects that are required to be fulfilled if an organisation is to achieve the certification. An organisation will have to show evidence that not only are all of the processes and policies in place, but that the processes are being operated on a day-to-day, business-as-usual basis. Typically, organisations will have to show an auditor three months’ worth of evidence to support the operation of the processes.

ISO/IEC 20000-1:2018

Saturday 15th September 2018 saw the launch of the latest iteration of the international standard ISO/IEC 20000-1 Information technology – Service management, Part 1: Service management system requirements. Part 1 is supported by a number of other parts within the ISO/IEC 20000 series (as listed above), but it is this part that organisations are certified against. It features the set of mandatory requirements that an organisation must comply with if it is to be officially certified as being compliant with the Standard.

Last published in 2011, the 2018 version sees numerous changes: in some cases previous content has been expanded, some other requirements have been simplified (with certain elements moved to Part 2 as guidance), and new requirements have been added. For those familiar with the previous edition, some of the key changes are as follows:

  • The supporting management framework for the service management system (SMS) has been restructured and expanded, and now has the following key elements:
    • Context of the organisation
    • Leadership
    • Planning
    • Support of the SMS
  • All processes are now under a heading of Operation of the SMS
  • The 2011 process of Service continuity and availability management has been split into Service availability management and Service continuity management
  • The 2011 process of Incident and service request management has been split into Incident management and Service request management
  • New requirements have been added that focus on areas such as Service catalogue management and Asset management
  • Design and transition of new or changed services is no longer titled as such, with certain elements moved elsewhere within the Operation of the SMS structure so that it better aligns to the lifecycle of a service

It should be noted that much of the content remains the same, or with minor revisions. Many of the 2011 processes, whilst they remain, have been simplified in respect of the mandatory requirements that an organisation needs to show evidence of. A good example of this is Capacity management, where previously a capacity plan needed to be maintained and a specific list of contents for this plan was also defined. The 2018 revision now states that the organisation needs to plan capacity. This change in emphasis is important as it is less prescriptive and gives an organisation more freedom in how they go about demonstrating to an auditor their capacity planning activities.

Non-IT organisations should also be aware that whilst this Standard has ‘information technology’ in the title, it can be applied to any organisation that delivers services, IT or otherwise.

The Service Management System

The service management system and its clauses sit above the processes to provide a controlled management environment. The framework is constructed in a way that there is alignment with the management systems of ISO 9001 (QMS – quality management system) and ISO/IEC 27001 (ISMS – information security management system). This enables relevant policies, processes, procedures, etc. to be utilised across all of these management systems, or at least used as the basis for creating new ones. Organisations seeking certification of (for example) ISO/IEC 20000 can therefore benefit if they are already certified against ISO 9001 and/or ISO/IEC 27001.

This diagram represents the service management system for ISO/IEC 20000-1:2018:
[Figure: ISO 20000 SMS]

What are the Benefits of ISO/IEC 20000?

Developing an ISO/IEC 20000 compliant IT service organisation will take time and will often lead to some organisational change; however, some of the benefits of having a proven, conformant best practice IT service provision are:

  • A more competitive business.
  • IS/IT strategy aligned with the overall business strategy.
  • More effective risk management and a reduction in risk.
  • More effective cost management and a potential reduction in costs.
  • Faster time to implement change.
  • Improved reliability and availability of services, leading to improved customer satisfaction.
  • Suppliers and partners will become more integrated and service focused.
  • Possibility of benchmarking with other organisations.

The Certification Process

Once an organisation has decided that they wish to attain the ISO/IEC 20000 certificate, they should engage with a Registered Certification Body (RCB). The RCB will be able to work with the organisation in defining what the scope of the certificate will be; this is an important stage as it may be that the organisation is not suitable or eligible for the certificate. The scope will also help dictate the work that will need to take place prior to the RCB attending to perform a formal audit.

Audits are normally split into two separate stages: Stage 1 is a review of supporting documentation and other evidentiary artefacts of the SMS to validate that they conform to the relevant requirements; Stage 2 then occurs (subject to passing the initial stage), where the operation of the SMS is reviewed. The typical timeframe for completing these activities ranges from 5 to 15 days, but could be more for extremely large organisations.

If the RCB finds that not all requirements of the Standard have been achieved, deficient areas will be highlighted and the organisation will be given a period of time to implement the appropriate improvements before the auditors return to review the improvements that have been made. A certificate, once granted, is valid for a period of three years. The RCB will perform interim audits on an annual basis, but will then perform a full audit at the end of three years.

Where can I find out more?

  • Copies of the standard, and the supporting material, can be purchased via the BSI Group web-site.
  • The itSMF UK website.
  • APMG International’s ISO/IEC 20000 website, which provides more information on ISO/IEC 20000 certification and qualifications.