Introduction to ISO/IEC 20000-1
ISO/IEC 20000-1 is the international standard for a Service Management System (SMS). It specifies the requirements an organisation must satisfy to plan, establish, implement, operate, monitor, review, maintain and continually improve the management and delivery of services. Where ISO 9001 governs quality management generically, ISO/IEC 20000-1 focuses specifically on the disciplined management of services - most commonly IT services, but the standard is deliberately technology-neutral and applies equally to managed security services, cloud services, business-process outsourcing and any other service that is planned, delivered and improved. It is the only auditable, certifiable international standard dedicated to service management and is the formal specification against which an organisation's SMS is assessed by an accredited certification body.
The standard is closely aligned with the ITIL body of practice, but the two are distinct. ITIL is a non-certifiable framework of good practice and guidance; ISO/IEC 20000-1 is a certifiable, shall-based specification of requirements. An organisation may adopt ITIL practices, COBIT, VeriSM, DevOps or any other approach as the means of meeting the requirements, but certification is granted only against ISO/IEC 20000-1. The current edition, ISO/IEC 20000-1:2018, was restructured onto Annex SL - the common High-Level Structure shared with ISO 9001, ISO/IEC 27001, ISO 22301 and ISO 14001 - which makes integrated management systems substantially easier to build and audit.
This guide is written for service-management leaders, process owners, internal auditors and certification project managers who need an auditor-grade understanding of every clause and requirement. It walks through the full structure of the standard, provides a master assessment checklist covering every clause and service-management process, and sets out a phased implementation approach, a capability model, an audit methodology, an evidence request list, roles, KPIs and framework mappings. British and Indian English spelling is used throughout.
Copyright note
ISO/IEC 20000-1 is a copyrighted standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The official normative text must be purchased from ISO, IEC or an authorised national standards body (for example BIS in India, BSI in the UK). This guide is an original, plain-language interpretation written to aid understanding and readiness. It paraphrases requirements and does not reproduce the copyrighted clause text of the standard. Always refer to the licensed edition of ISO/IEC 20000-1:2018 for the authoritative wording used in certification.
What is ISO/IEC 20000-1
ISO/IEC 20000-1:2018 specifies requirements for an organisation to establish, implement, maintain and continually improve a Service Management System. The SMS is the coordinated set of policies, objectives, plans, processes, documented information and resources that an organisation uses to direct and control its service-management activities and to deliver value to customers and users. The standard adopts the Plan-Do-Check-Act (PDCA) cycle and a process-based, risk-driven approach in which the organisation defines the services in scope, agrees service requirements with customers, delivers against those requirements, measures performance, and continually improves.
The 2018 edition is organised under the Annex SL High-Level Structure, giving it clauses 1 to 10. Clauses 1 to 3 are scope, normative references and terms. Clauses 4 to 10 contain the auditable requirements: Context of the organisation (4), Leadership (5), Planning (6), Support of the service management system (7), Operation of the service management system (8), Performance evaluation (9) and Improvement (10). Clause 8 is by far the largest and contains the service-management processes historically associated with the standard - service level management, service continuity and availability management, capacity management, information security management, incident and service request management, problem management, change management, release and deployment management, asset and configuration management, budgeting and accounting for services, demand management, service catalogue management, the design and transition of new or changed services, and the control of suppliers and other parties involved in the service lifecycle. Service reporting, which sat among the processes in the 2011 edition, is now a sub-clause of Performance evaluation (9.4).
Key facts about the standard are summarised below.
| Attribute | Detail |
|---|---|
| Full name | ISO/IEC 20000-1:2018 - Information technology - Service management - Part 1: Service management system requirements |
| Short name | ISO 20000-1 |
| Issuer | ISO and IEC, developed by joint technical committee ISO/IEC JTC 1/SC 40 |
| Current edition | Third edition, published September 2018 (supersedes 2011 edition) |
| Structure | Annex SL High-Level Structure, clauses 1-10 |
| Certifiable | Yes - by accredited certification bodies; three-year certificate cycle with surveillance audits |
| Scope object | The Service Management System (SMS) and the services within its defined scope |
| Related parts | ISO/IEC 20000-2 (guidance on applying an SMS), 20000-3 (scoping and applicability), 20000-6 (requirements for certification bodies), 20000-10 (concepts and vocabulary) |
| Region | Global |
| Alignment | ITIL, COBIT, VeriSM; harmonised with ISO 9001, ISO/IEC 27001, ISO 22301 via Annex SL |
Who must comply with ISO/IEC 20000-1
ISO/IEC 20000-1 is voluntary in the sense that no law mandates it universally, but certification is frequently required contractually - in public-sector tenders, managed-services agreements and outsourcing contracts it is often a mandatory qualification. Any organisation that plans, delivers and improves services can implement the standard, whether the services are delivered internally, to external customers, or sourced from third parties. What the organisation must demonstrate is control of its own SMS, including governance of any process that another party operates on its behalf.
| Organisation type | Why ISO/IEC 20000-1 applies / benefits |
|---|---|
| IT managed service providers (MSPs) | Certification is a differentiator and is frequently mandated in RFPs; demonstrates repeatable, controlled delivery |
| Managed security service providers (MSSPs) | Assures customers of disciplined incident, change and continuity management around security services |
| Cloud and hosting providers | Evidences reliable capacity, availability, continuity and change management for hosted services |
| Internal IT / shared-services functions | Improves service quality to internal business units and provides an objective governance baseline |
| Business process outsourcing (BPO) providers | Applies to any service, not only IT; demonstrates end-to-end service governance |
| Government and public-sector IT departments | Often required by e-governance and public-procurement policies as a delivery-assurance baseline |
| Systems integrators and consultancies | Certification supports credibility when delivering or transitioning services for clients |
| Enterprises with mature ITSM | Formalises and independently validates existing ITIL-based operations |
- There is no minimum organisation size - small and large providers alike can certify, provided the SMS scope is meaningful and the organisation retains management control of the services.
- Certification is granted at the level of a defined scope (specific services, sites and delivery teams), not necessarily the whole organisation.
- Where services rely on suppliers or internal groups, the organisation seeking certification must demonstrate governance of those parties (Clause 8.2.3) rather than certify the third party itself.
- The standard is often adopted alongside ISO/IEC 27001 for security and ISO 22301 for continuity to present a single integrated management system.
Structure of ISO/IEC 20000-1
The 2018 edition follows the Annex SL structure. Clauses 4 to 10 carry the auditable requirements. Clause 8 (Operation of the service management system) is the largest and is subdivided into service-portfolio, relationship, supply, design/build/transition, resolution, and service-assurance groupings which contain the recognisable service-management processes. The table below sets out every clause and sub-clause group that an auditor will examine.
| Clause | Title | What it covers |
|---|---|---|
| 4 | Context of the organisation | Understanding the organisation and its context, needs of interested parties, determining the scope of the SMS, and establishing the SMS itself |
| 4.1 | Understanding the organisation and its context | Internal and external issues relevant to the purpose and outcomes of the SMS |
| 4.2 | Understanding the needs and expectations of interested parties | Identifying customers, users, suppliers and other stakeholders and their requirements |
| 4.3 | Determining the scope of the SMS | Boundaries and applicability, including services, parties and geographies in scope |
| 4.4 | Service management system | Establishing, implementing, maintaining and continually improving the SMS |
| 5 | Leadership | Top-management commitment, service management policy, and organisational roles, responsibilities and authorities |
| 5.1 | Leadership and commitment | Top-management accountability for the SMS and its effectiveness |
| 5.2 | Policy | Establishing and communicating a service management policy |
| 5.3 | Organisational roles, responsibilities and authorities | Assigning and communicating SMS roles |
| 6 | Planning | Actions to address risks and opportunities, service management objectives, and planning of the SMS and changes to it |
| 6.1 | Actions to address risks and opportunities | Risk-based thinking applied to the SMS |
| 6.2 | Service management objectives and planning to achieve them | Measurable objectives and plans |
| 6.3 | Plan the service management system | The overall service management plan |
| 7 | Support of the service management system | Resources, competence, awareness, communication, documented information and knowledge |
| 7.1-7.4 | Resources, competence, awareness, communication | Providing the resources the SMS needs and managing competence, awareness and internal/external communication |
| 7.5 | Documented information | Creation, update and control of the documented information required by the standard and by the organisation, including the service management plan |
| 7.6 | Knowledge | Determining and maintaining the knowledge needed to operate the SMS and deliver the services |
| 8 | Operation of the service management system | Operational planning and control plus all service-management processes |
| 8.1 | Operational planning and control | Planning, implementing and controlling operational processes |
| 8.2 | Service portfolio | Service delivery, planning the services, control of parties involved, service catalogue management, asset and configuration management |
| 8.3 | Relationship and agreement | Business relationship management, service level management, supplier management |
| 8.4 | Supply and demand | Budgeting and accounting for services, demand management, capacity management |
| 8.5 | Service design, build and transition | Change management, service design and transition, release and deployment management |
| 8.6 | Resolution and fulfilment | Incident management, service request management, problem management |
| 8.7 | Service assurance | Service availability management, service continuity management, information security management |
| 9 | Performance evaluation | Monitoring, measurement, analysis and evaluation; internal audit; management review; service reporting |
| 10 | Improvement | Nonconformity and corrective action; continual improvement of the SMS and services |
Master assessment checklist
This is the core of the guide. It enumerates every clause of ISO/IEC 20000-1:2018 and every service-management process within Clause 8. Each group is presented with a table of what an auditor verifies and the typical evidence expected. Use it as a gap-assessment worksheet: mark each row as conformant, partial or nonconformant and attach the evidence reference.
Clause 4 - Context of the organisation
| What to verify | Typical evidence |
|---|---|
| Internal and external issues relevant to the SMS have been identified and are reviewed | Context analysis, PESTLE/SWOT record, strategy documents, review minutes |
| Interested parties (customers, users, suppliers, regulators) and their requirements are documented | Stakeholder register, interested-parties requirements matrix |
| The SMS scope is defined in terms of services, sites, parties and exclusions | Scope statement, service scope document, applicability record referencing ISO/IEC 20000-3 |
| Where other parties operate processes, the organisation retains governance and demonstrates control | Governance model, RACI, supplier/internal-group control records |
| The SMS is established, documented, maintained and continually improved | SMS manual/description, process architecture, document register |
Clause 5 - Leadership
| What to verify | Typical evidence |
|---|---|
| Top management demonstrates commitment and accountability for the SMS | Management review minutes, signed policy, resource-approval records |
| A service management policy exists, is appropriate, communicated and available | Approved policy document, intranet publication, communication logs |
| The policy provides a framework for setting and reviewing service management objectives | Policy content, objectives traceable to policy |
| Roles, responsibilities and authorities for the SMS are assigned and communicated | Org chart, RACI matrix, role descriptions, appointment records |
| Responsibility and authority for ensuring the SMS conforms to the standard and for reporting on its performance to top management are assigned to a named role (the 2018 edition requires the assignment, not a specific "management representative" title) | Appointment letter, terms of reference, role description |
Clause 6 - Planning
| What to verify | Typical evidence |
|---|---|
| Risks and opportunities to the SMS and services are identified and actioned | Risk register, opportunity log, treatment plans, review evidence |
| Actions to address risks are integrated into SMS processes and their effectiveness evaluated | Risk treatment records, effectiveness reviews |
| Measurable service management objectives are set at relevant functions and levels | Objectives register with targets, owners and timelines |
| Plans define what will be done, resources, responsibility, completion dates and evaluation | Service management plan, project plans, milestone tracking |
| Changes to the SMS are planned in a controlled manner | Change plans, transition plans, version-controlled SMS documents |
Clause 7 - Support (resources, competence, awareness, communication, documented information, knowledge)
| What to verify | Typical evidence |
|---|---|
| Resources needed for the SMS are determined and provided | Budget approvals, staffing plans, tooling inventory |
| Personnel competence requirements are defined and met through education, training or experience | Competence matrix, training records, CVs, certifications |
| Awareness of policy, objectives and individual contribution is established | Induction records, awareness campaigns, quiz/attendance logs |
| Internal and external communications relevant to the SMS are determined and executed | Communication plan, stakeholder comms records |
| Documented information required by the standard and by the organisation exists and is controlled | Document register, version control, review/approval workflow |
| Documented information is protected, retained, and controlled for distribution and access | Access-control settings, retention schedule, backup evidence |
| Knowledge needed to operate the SMS is determined, maintained and made available | Knowledge base, known-error database, handover documentation |
Clause 8.1 - Operational planning and control
| What to verify | Typical evidence |
|---|---|
| Processes needed to meet service requirements are planned, implemented and controlled | Process definitions, procedures, workflow configuration |
| Criteria for processes and their control are established | Process criteria, control points, acceptance criteria |
| Documented information demonstrates processes are carried out as planned | Records, tickets, logs, dashboards |
| Processes operated by other parties (suppliers or internal groups) are controlled | Supplier contracts and underpinning agreements, OLAs for internal groups, monitoring reports |
Clause 8.2 - Service portfolio: service delivery, planning services, control of parties, service catalogue, asset and configuration management
| What to verify | Typical evidence |
|---|---|
| Services delivered meet agreed and documented requirements | Service agreements, delivery reports, SLA attainment |
| Services are planned including changes to services and their impacts | Service plans, change-impact assessments |
| Parties involved in the service lifecycle (external suppliers, internal groups, customers acting as suppliers) are governed and their performance monitored | Party register, governance model, performance reviews |
| A service catalogue is defined, maintained and made available to relevant parties | Service catalogue, publication records, review log |
| Configuration items (CIs) are identified, recorded and controlled with defined interfaces | CMDB/CMS extract, CI records, configuration baseline |
| Configuration information is accurate and reconciled through audits | CMDB audit reports, discrepancy logs, reconciliation records |
| Assets used to deliver services are managed through their lifecycle | Asset register, asset lifecycle records, disposal records |
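The two configuration-management rows above ("configuration items are identified, recorded and controlled" and "configuration information is accurate and reconciled through audits") are usually evidenced by a reconciliation run that compares the CMDB against what is actually live. The script below is an added worked example of such a run; it is not code from ISO/IEC 20000-1, ISO/IEC 20000-2 or any ITSM product. Both data sets are constructed, and the field names (ci_id, hostname, owner, env, os, ip) are assumptions about what a CMDB export and a network discovery scan would carry. It produces the four kinds of finding a discrepancy log needs - hosts live on the network with no CI, CIs whose host is gone, attribute drift, and CIs missing mandatory fields - plus the headline accuracy figure.

```python
"""Reconcile a CMDB extract against discovery-scan output and produce a discrepancy log.

Added worked example; not code from ISO/IEC 20000-1 or from any ITSM tool.
All records below are constructed sample data and the field names are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed CMDB extract: what the organisation believes it operates.
CMDB_EXTRACT: List[Dict[str, str]] = [
    {"ci_id": "CI-1001", "hostname": "web-01", "owner": "platform", "env": "prod", "os": "Ubuntu 22.04"},
    {"ci_id": "CI-1002", "hostname": "web-02", "owner": "platform", "env": "prod", "os": "Ubuntu 22.04"},
    {"ci_id": "CI-1003", "hostname": "db-01", "owner": "data", "env": "prod", "os": "RHEL 9"},
    # Decommissioned but never retired in the CMDB; the owner field was never filled in.
    {"ci_id": "CI-1004", "hostname": "legacy-01", "owner": "", "env": "prod", "os": "Windows Server 2012"},
]

# Constructed discovery scan: what is actually reachable on the network.
DISCOVERY_SCAN: List[Dict[str, str]] = [
    {"hostname": "web-01", "os": "Ubuntu 22.04", "ip": "10.0.1.11"},
    {"hostname": "web-02", "os": "Ubuntu 24.04", "ip": "10.0.1.12"},  # upgraded outside change control
    {"hostname": "db-01", "os": "RHEL 9", "ip": "10.0.2.21"},
    {"hostname": "jump-99", "os": "Debian 12", "ip": "10.0.9.9"},     # nobody registered this host
]


@dataclass(frozen=True)
class Discrepancy:
    kind: str       # unrecorded | stale | drift | missing_attribute
    hostname: str
    detail: str


def reconcile(cmdb: Iterable[Dict[str, str]], scan: Iterable[Dict[str, str]],
              required: Tuple[str, ...] = ("owner", "env")) -> List[Discrepancy]:
    """Compare the two views and return every discrepancy an auditor would expect logged.

    unrecorded        - live on the network, no CI (unmanaged attack surface)
    stale             - CI exists, host not found (retired system still 'in scope')
    drift             - CI and scan disagree on a controlled attribute (here: os)
    missing_attribute - CI lacks a mandatory field such as owner
    """
    cmdb_by_host = {r["hostname"]: r for r in cmdb}
    scan_by_host = {r["hostname"]: r for r in scan}
    findings: List[Discrepancy] = []

    for host, seen in scan_by_host.items():
        ci = cmdb_by_host.get(host)
        if ci is None:
            findings.append(Discrepancy("unrecorded", host, f"discovered at {seen['ip']} with no CI record"))
        elif ci["os"] != seen["os"]:
            findings.append(Discrepancy("drift", host, f"CMDB os={ci['os']!r} but scan os={seen['os']!r}"))

    for host, ci in cmdb_by_host.items():
        if host not in scan_by_host:
            findings.append(Discrepancy("stale", host, f"{ci['ci_id']} recorded but not discovered"))
        for attr in required:
            if not ci.get(attr):
                findings.append(Discrepancy("missing_attribute", host, f"{ci['ci_id']} has empty {attr!r}"))
    return findings


def accuracy(cmdb: Iterable[Dict[str, str]], scan: Iterable[Dict[str, str]]) -> float:
    """Share of CIs found live with matching attributes - the headline CMDB-accuracy KPI."""
    cmdb = list(cmdb)
    scan_by_host = {r["hostname"]: r for r in scan}
    matched = sum(1 for ci in cmdb
                  if ci["hostname"] in scan_by_host and scan_by_host[ci["hostname"]]["os"] == ci["os"])
    return matched / len(cmdb) if cmdb else 1.0


def summarise(findings: Iterable[Discrepancy]) -> Dict[str, int]:
    """Counts by discrepancy kind, suitable for the reconciliation record."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    log = reconcile(CMDB_EXTRACT, DISCOVERY_SCAN)
    for f in log:
        print(f"{f.kind:<18} {f.hostname:<10} {f.detail}")
    print(f"CMDB accuracy: {accuracy(CMDB_EXTRACT, DISCOVERY_SCAN):.0%}  {summarise(log)}")
```

Run it and the constructed data yields one finding of each kind and an accuracy of 50 %. For an auditor the discrepancy log and the accuracy trend over successive runs are the evidence; for a security engineer the "unrecorded" and "stale" lines matter most, because an unregistered host is outside patching and monitoring and a stale CI keeps a retired system inside the declared scope.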
Clause 8.3.2 - Business relationship management (8.3.1 is a short general sub-clause on identifying the parties with which relationships and agreements are held)
| What to verify | Typical evidence |
|---|---|
| Customers and interested parties are identified and relationships managed | Customer register, relationship-owner assignments |
| Communication mechanisms and service reviews are established with customers | Service review minutes, meeting cadence, agenda records |
| Customer satisfaction is measured and acted upon | CSAT/NPS surveys, satisfaction analysis, action plans |
| Complaints are recorded, managed and resolved | Complaints log, resolution records, escalation trail |
Clause 8.3.3 - Service level management (SLM)
| What to verify | Typical evidence |
|---|---|
| Services and service level targets are agreed and documented in SLAs | Signed SLAs, service level targets, service catalogue linkage |
| Service performance is monitored against SLA targets and reported | SLA performance reports, dashboards, trend analysis |
| Underpinning agreements (OLAs and supplier contracts) support SLA targets | OLAs, supplier contracts, dependency mapping |
| SLAs are reviewed at planned intervals and when services change | SLA review minutes, revision history |
| Breaches are identified, investigated and improvement actions raised | Breach reports, root-cause records, improvement log |
Clause 8.3.4 - Supplier management
| What to verify | Typical evidence |
|---|---|
| Suppliers are identified and managed to deliver services meeting requirements | Supplier register, contracts, scope of supply |
| Supplier performance is monitored against contractual and service targets | Supplier scorecards, performance review minutes |
| Contractual disputes and end-of-contract/transition are managed | Dispute records, exit/transition plans |
| Where sub-contracted (lead-supplier) arrangements exist, accountability is maintained | Lead-supplier agreements, sub-contractor oversight records |
Clause 8.4.1 - Budgeting and accounting for services
| What to verify | Typical evidence |
|---|---|
| Costs of service provision are budgeted and controlled | Service budgets, cost models, variance reports |
| Costs are accounted for against services with defined granularity | Cost allocation records, chargeback/showback reports |
| Financial performance is monitored and reported to relevant parties | Financial reports, forecast-vs-actual records |
Clause 8.4.2 - Demand management
| What to verify | Typical evidence |
|---|---|
| Current and forecast demand for services is determined | Demand forecasts, business-volume data, workload models |
| Demand is monitored and used to inform capacity and resource planning | Demand-vs-capacity analysis, planning inputs |
| Consumption of services is measured | Consumption metrics, usage reports |
Clause 8.4.3 - Capacity management
| What to verify | Typical evidence |
|---|---|
| Capacity requirements covering human, technical and financial resources are determined | Capacity plan, resource requirement records |
| Capacity is planned to meet agreed current and future demand | Capacity forecasts, scenario models, thresholds |
| Capacity and performance are monitored against thresholds with tuning actions | Utilisation reports, threshold alerts, tuning records |
Clause 8.5.1 - Change management
| What to verify | Typical evidence |
|---|---|
| Change policy defines categories, CIs and services under change control | Change management policy, scope definition |
| Changes are recorded, classified, assessed for risk/impact and authorised | Change records (RFCs), risk assessments, CAB minutes |
| Emergency changes follow a defined expedited yet controlled route | Emergency change procedure, emergency change records |
| Changes are scheduled, communicated and reflected in a change schedule | Forward schedule of change, communication records |
| Change success is reviewed and unsuccessful changes are backed out | Post-implementation reviews, back-out records, failure analysis |
Clause 8.5.2 - Service design and transition of new or changed services
| What to verify | Typical evidence |
|---|---|
| New or changed services are planned considering cost, quality, risk and impact | Service design plan, business case, impact assessment |
| Requirements for new/changed services are determined and documented | Service requirements specification, acceptance criteria |
| Services are designed and documented to meet agreed requirements | Design documents, architecture, SLA/OLA drafts |
| New/changed services are transitioned to live operation with acceptance criteria met | Transition plan, test/acceptance results, go-live approval |
| Post-transition review confirms outcomes and lessons learned | Early-life-support records, transition review minutes |
Clause 8.5.3 - Release and deployment management
| What to verify | Typical evidence |
|---|---|
| A release policy defines frequency, type and grouping of releases | Release policy, release calendar |
| Releases are planned, built, tested and verified before deployment | Release plans, build records, test results, verification sign-off |
| Deployment into live environment is controlled and success verified | Deployment records, verification checks, rollback provisions |
| Failed releases are reversed or remediated and reviewed | Rollback records, incident linkage, release review |
Clause 8.6.1 - Incident management
| What to verify | Typical evidence |
|---|---|
| Incidents are recorded, classified, prioritised and managed to resolution | Incident tickets, priority matrix, resolution records |
| Target resolution times are defined and monitored | SLA targets for incidents, breach reports |
| Escalation and communication procedures are followed | Escalation records, user communications |
| Users are kept informed of progress and resolution | Notification logs, ticket update history |
Clause 8.6.1 (continued) - Major incident management
| What to verify | Typical evidence |
|---|---|
| Major incidents are defined with agreed criteria and a dedicated procedure | Major incident definition, procedure, priority criteria |
| Responsibility, escalation and management of major incidents is assigned | Major-incident manager role, war-room/bridge records |
| Major incidents are reviewed post-resolution for improvement | Major incident reviews, problem records raised |
Clause 8.6.2 - Service request management
| What to verify | Typical evidence |
|---|---|
| Service requests are recorded, classified and fulfilled within targets | Request tickets, request catalogue, fulfilment SLA |
| Standard request types have documented fulfilment procedures | Request models, standard-request procedures |
| Requesters are kept informed and closure is confirmed | Notification logs, closure confirmation, CSAT on requests |
Clause 8.6.3 - Problem management
| What to verify | Typical evidence |
|---|---|
| Problems are identified from incident trends and recorded | Problem records, trend analysis, incident linkage |
| Root-cause analysis is performed and known errors documented | RCA records, known-error database (KEDB) |
| Corrective actions and workarounds are managed and their effectiveness reviewed | Workaround records, corrective actions, effectiveness reviews |
| Problem management reduces recurring incidents over time | Recurrence metrics, trend improvement evidence |
Clause 8.7.1 - Service availability management
| What to verify | Typical evidence |
|---|---|
| Availability requirements and targets are agreed and documented | Availability targets in SLAs, availability requirements |
| Availability is monitored, measured and reported | Availability reports, uptime dashboards |
| Availability risks are assessed and unplanned unavailability investigated | Availability risk assessment, downtime root-cause records |
| Availability plans address single points of failure and resilience | Availability plan, resilience design records |
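The SLM rows ("service performance is monitored against SLA targets", "breaches are identified"), the incident-management row on target resolution times, and the availability rows above all come down to the same monthly calculation: agreed service minutes less unplanned downtime, and elapsed time per incident against the target for its priority. The script below is an added worked example of that report; it is not code from ISO/IEC 20000-1 or from any ITSM product. The SLA targets, outage windows and incident records are constructed, and the 24x7 service-hours assumption and all field names are assumptions. It deliberately covers two edge cases that distort real reports when mishandled: an outage that straddles the period boundary (clipped to the period) and an incident still open at period end (measured up to the period end rather than dropped).

```python
"""Monthly SLA attainment: availability against target and incident resolution against
priority targets.

Added worked example; not code from ISO/IEC 20000-1 or from any ITSM product.
All records below are constructed sample data; 24x7 service hours is an assumption.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Reporting period: March 2024 (end is exclusive).
PERIOD_START = datetime(2024, 3, 1)
PERIOD_END = datetime(2024, 4, 1)

# Constructed SLA: 99.9 % monthly availability over 24x7 service hours, and
# resolution targets in minutes by priority.
SLA = {
    "availability_target": 0.999,
    "resolution_targets_min": {"P1": 240, "P2": 480, "P3": 2880},
}

# Constructed outage records. A planned outage inside an authorised change window is
# excluded from unplanned downtime; the third outage straddles the period boundary.
OUTAGES = [
    {"start": datetime(2024, 3, 4, 2, 0),    "end": datetime(2024, 3, 4, 4, 0),    "planned": True,  "ref": "CHG-0412"},
    {"start": datetime(2024, 3, 12, 9, 15),  "end": datetime(2024, 3, 12, 10, 45), "planned": False, "ref": "INC-2041"},
    {"start": datetime(2024, 3, 31, 23, 30), "end": datetime(2024, 4, 1, 0, 30),   "planned": False, "ref": "INC-2099"},
]

# Constructed incident records; resolved=None means still open at reporting time.
INCIDENTS = [
    {"id": "INC-2041", "priority": "P1", "opened": datetime(2024, 3, 12, 9, 20),  "resolved": datetime(2024, 3, 12, 10, 50)},
    {"id": "INC-2050", "priority": "P2", "opened": datetime(2024, 3, 15, 8, 0),   "resolved": datetime(2024, 3, 15, 18, 30)},
    {"id": "INC-2099", "priority": "P1", "opened": datetime(2024, 3, 31, 23, 35), "resolved": datetime(2024, 4, 1, 0, 40)},
    {"id": "INC-2100", "priority": "P3", "opened": datetime(2024, 3, 28, 10, 0),  "resolved": None},
]


def _minutes(td: timedelta) -> float:
    return td.total_seconds() / 60


def unplanned_downtime_minutes(outages: Iterable[dict], start: datetime, end: datetime) -> float:
    """Sum unplanned outage minutes, clipped to the reporting period."""
    total = 0.0
    for o in outages:
        if o["planned"]:
            continue
        s, e = max(o["start"], start), min(o["end"], end)
        if e > s:
            total += _minutes(e - s)
    return total


def availability(outages: Iterable[dict], start: datetime, end: datetime) -> float:
    """Availability = (agreed service minutes - unplanned downtime) / agreed service minutes."""
    agreed = _minutes(end - start)
    return (agreed - unplanned_downtime_minutes(outages, start, end)) / agreed


def resolution_breaches(incidents: Iterable[dict], targets: Dict[str, int], as_of: datetime) -> List[str]:
    """IDs of incidents whose resolution time exceeded the target for their priority.

    An unresolved incident is measured up to `as_of`, so one already past target is
    reported as a breach instead of silently dropping out of the figures.
    """
    breaches: List[str] = []
    for inc in incidents:
        closed = inc["resolved"] or as_of
        if _minutes(closed - inc["opened"]) > targets[inc["priority"]]:
            breaches.append(inc["id"])
    return breaches


def sla_report(outages, incidents, sla: dict, start: datetime, end: datetime) -> Dict[str, object]:
    """The figures a service report for the period would carry."""
    avail = availability(outages, start, end)
    return {
        "period": f"{start:%Y-%m}",
        "availability": round(avail, 5),
        "availability_target": sla["availability_target"],
        "availability_met": avail >= sla["availability_target"],
        "unplanned_downtime_min": unplanned_downtime_minutes(outages, start, end),
        "resolution_breaches": resolution_breaches(incidents, sla["resolution_targets_min"], end),
    }


if __name__ == "__main__":
    for key, value in sla_report(OUTAGES, INCIDENTS, SLA, PERIOD_START, PERIOD_END).items():
        print(f"{key:<24} {value}")
```

With the constructed data the month has 120 minutes of unplanned downtime out of 44,640 agreed minutes (99.731 %, a breach of the 99.9 % target), and two incidents breach their resolution targets, one of them the still-open P3. Each breach line is what the "breach reports" and "downtime root-cause records" evidence in the tables above should trace back to, and the planned-versus-unplanned split only holds up if every planned outage is tied to an authorised change record, which is why the example carries the change reference on the outage.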
Clause 8.7.2 - Service continuity management
| What to verify | Typical evidence |
|---|---|
| Continuity requirements are determined from risk assessment and business impact | Continuity requirements, BIA, risk assessment |
| Service continuity plans are documented, maintained and accessible | SCM plans, recovery procedures, contact lists |
| Continuity plans are tested at planned intervals and after significant change | Test schedules, test/exercise reports, findings |
| Recovery targets (RTO/RPO) are defined and achievable | RTO/RPO definitions, test results validating targets |
Clause 8.7.3 - Information security management
| What to verify | Typical evidence |
|---|---|
| An information security policy relevant to services is established and approved | Information security policy, management approval |
| Security controls are implemented to protect service confidentiality, integrity and availability | Control set, access controls, technical safeguards (often mapped to ISO/IEC 27001) |
| Security risks affecting services are assessed and treated | Security risk assessment, treatment plan |
| Information security incidents are managed and reviewed | Security incident records, response evidence, reviews |
| Physical, technical and organisational controls are applied to service assets | Control implementation evidence, audit records |
Clause 9 - Performance evaluation (monitoring, internal audit, management review, service reporting)
| What to verify | Typical evidence |
|---|---|
| What is monitored and measured, and the methods, are determined | Measurement plan, KPI definitions, tooling configuration |
| SMS and service performance are analysed and evaluated | Performance analysis, KPI reports, evaluation minutes |
| Internal audits are planned, conducted and results reported at planned intervals | Audit programme, audit reports, auditor competence records |
| Management reviews of the SMS are conducted at planned intervals with defined inputs and outputs | Management review minutes covering all required inputs, action items |
| Service reporting produces agreed reports for identified needs and audiences | Service report catalogue, delivered reports, distribution records |
Clause 10 - Improvement (nonconformity, corrective action, continual improvement)
| What to verify | Typical evidence |
|---|---|
| Nonconformities are identified, controlled and corrected | Nonconformity register, corrective-action requests |
| Root causes of nonconformities are addressed to prevent recurrence | RCA records, corrective actions, verification of effectiveness |
| Continual improvement of the SMS and services is managed against evaluation criteria | Improvement register (CSI log), prioritisation, benefit tracking |
| Opportunities for improvement from audits, reviews and metrics are captured and actioned | Improvement backlog, closed-improvement evidence |
Scoping the Service Management System
Defining the SMS scope correctly is one of the most consequential decisions in an ISO/IEC 20000-1 programme, and ISO/IEC 20000-3 provides dedicated guidance on scope definition and applicability. The scope must be meaningful: it should describe the services covered, the parties delivering them, the technologies and locations involved, and any exclusions. A scope that is too narrow can render certification commercially worthless; a scope that is too broad can make the programme unmanageable.
A critical constraint in the 2018 edition is the concept of governance of processes operated by other parties. The organisation seeking certification must retain accountability for the SMS. It cannot exclude a service-management process simply because a supplier or another internal group performs it; instead it must demonstrate that it governs that party, sets requirements, and monitors performance. If the organisation cannot demonstrate this control, the service cannot legitimately be included in scope.
- Define scope by service, not merely by technology - list the services from the service catalogue that are covered.
- State the organisational units, delivery teams and physical/cloud locations included.
- Identify all parties (external suppliers, internal groups, customers acting as suppliers) and confirm the organisation governs them.
- Document justified exclusions and confirm no Clause 4-10 requirement is excluded (all requirements are mandatory; only the range of services is scoped).
- Reference ISO/IEC 20000-3 when assessing whether a proposed scope is demonstrable and defensible.
- Ensure the scope statement is a controlled document, approved by top management and made available to interested parties.
Scope and outsourcing
Unlike some standards, ISO/IEC 20000-1 does not permit an organisation to disclaim responsibility for a process just because it is outsourced. If a supplier runs your service desk, incident management is still in scope and you must show you govern the supplier. Failing to demonstrate this control is a common reason for scope challenges during certification audits.
Implementation approach
A pragmatic ISO/IEC 20000-1 implementation follows a phased path aligned to the PDCA cycle. The following five phases take an organisation from initiation to certification and beyond. Each phase lists key activities and the deliverables an auditor will later expect to see.
Phase 1 - Initiation and gap assessment
Establish the mandate, secure top-management sponsorship, and understand the current state against the standard.
- Activities: appoint a project sponsor and SMS manager; define provisional scope; conduct a clause-by-clause and process-by-process gap assessment against ISO/IEC 20000-1:2018; identify interested parties and their requirements; produce a business case.
- Deliverables: gap assessment report, provisional scope statement, stakeholder register, project charter and high-level plan, business case.
Phase 2 - Design and documentation
Design the SMS, its policy, objectives, process architecture and documented information.
- Activities: draft the service management policy and objectives; design the process architecture covering all Clause 8 processes; define the service catalogue; write procedures, RACIs and templates; establish the risk and improvement registers; select or configure ITSM tooling; define measurement and reporting.
- Deliverables: service management policy, service management plan, process procedures, service catalogue, RACI matrices, risk register, improvement (CSI) log, KPI/measurement plan, tool configuration.
Phase 3 - Implementation and operation
Deploy the SMS into live operation and begin generating records.
- Activities: roll out processes and tooling; train staff and build awareness; agree SLAs, OLAs and supplier contracts; commence incident, request, problem, change, release and configuration management in earnest; begin service reporting; operate the SMS long enough to generate an audit trail (typically three to six months of records).
- Deliverables: signed SLAs/OLAs, training records, live process records (tickets, changes, releases), populated CMDB, service reports, competence matrix.
Phase 4 - Evaluation and internal audit
Check that the SMS is working and correct weaknesses before external assessment.
- Activities: measure and analyse KPIs; conduct a full internal audit covering all clauses and processes; hold a management review with all required inputs and outputs; raise and close nonconformities and improvements.
- Deliverables: internal audit programme and reports, management review minutes, nonconformity and corrective-action records, updated improvement log, KPI performance packs.
Phase 5 - Certification and continual improvement
Engage an accredited certification body and sustain the SMS.
- Activities: select an accredited certification body; undergo Stage 1 (documentation and readiness review) and Stage 2 (implementation) audits; address any findings; achieve certification; operate surveillance audits and recertification; drive continual improvement.
- Deliverables: Stage 1 and Stage 2 audit responses, corrective-action plans, certificate of registration, surveillance-audit records, ongoing CSI evidence.
Capability and maturity model
ISO/IEC 20000-1 certification is binary - an SMS either conforms or it does not - but organisations benefit from a maturity view to plan improvement and to communicate progress. The model below combines a five-level process-capability scale (aligned with the spirit of ISO/IEC 33000 and CMMI) with the PDCA emphasis of the standard. Use it to score each process and target a consistent minimum before seeking certification.
| Level | Name | Characteristics | Certification readiness |
|---|---|---|---|
| 0 | Incomplete | Process is not performed or fails to achieve its purpose; ad hoc, undocumented | Not ready |
| 1 | Performed | Process is carried out and achieves its outcomes, but is reactive and inconsistently applied | Not ready - significant gaps |
| 2 | Managed | Process is planned, monitored and adjusted; work products are controlled; roles defined | Approaching - foundational conformance |
| 3 | Established / Defined | A standard, documented process is tailored and consistently used across the scope | Certification-capable baseline |
| 4 | Predictable / Measured | Process operates within defined quantitative limits; performance is measured and predictable | Strong - supports robust surveillance |
| 5 | Optimising | Continual improvement is embedded; process is proactively optimised against business goals | Best practice - exemplary CSI |
For certification, an organisation should generally target at least Level 3 (Established) across all in-scope processes, with Clause 9 evaluation and Clause 10 improvement demonstrably operating to move toward Levels 4 and 5 over time.
Assessment and audit approach
Certification audits by an accredited body follow a defined two-stage model, followed by a three-year cycle of surveillance and recertification. Internal audits and pre-assessments follow a similar methodology. The following steps describe an auditor-grade approach.
- Define audit scope and criteria: confirm the SMS scope, services, sites and the applicable edition (ISO/IEC 20000-1:2018) as the audit criteria.
- Conduct a Stage 1 (readiness / documentation) review: examine the SMS documentation, scope, policy, objectives, risk approach and internal-audit and management-review evidence to confirm the SMS is designed and ready for the implementation audit.
- Plan the Stage 2 audit: prepare an audit plan and schedule sampling each clause (4-10) and every in-scope Clause 8 process, allocating time and interviewees.
- Gather objective evidence: interview process owners and staff, inspect records (tickets, changes, releases, CMDB, reports), observe operations and trace transactions end to end.
- Test the PDCA loop: verify that monitoring, internal audit, management review and improvement actually drive corrective action and continual improvement, not just documentation.
- Assess governance of other parties: confirm suppliers and internal groups delivering in-scope processes are governed and monitored.
- Classify findings: record conformities, opportunities for improvement, minor nonconformities and major nonconformities against specific clauses.
- Report and require corrective action: issue an audit report; the organisation submits root-cause analysis and corrective-action plans for nonconformities.
- Make the certification decision: an independent reviewer confirms closure of major nonconformities before the certificate is granted.
- Operate the surveillance cycle: conduct annual (or semi-annual) surveillance audits covering a rolling subset of the SMS, and a full recertification audit before the three-year certificate expires.
Evidence request list
Auditors and internal assessors typically request the following categorised evidence. Prepare an evidence index that maps each item to its clause.
Governance and leadership
- Service management policy and objectives
- SMS scope statement and applicability record
- Management review minutes and action logs
- Organisational roles, RACI and appointment records
- Risk register and treatment plans
Service portfolio and configuration
- Service catalogue
- CMDB/CMS extract and configuration baselines
- Configuration audit and reconciliation reports
- Asset register and lifecycle records
- Party/supplier register and governance model
Agreements and relationships
- Signed SLAs, OLAs and underpinning contracts
- Supplier scorecards and performance reviews
- Customer satisfaction survey results
- Complaints log and resolution records
- Service review meeting minutes
Operational process records
- Incident and major-incident records
- Service request records and request catalogue
- Problem records, RCA and known-error database
- Change records (RFCs), CAB minutes, change schedule
- Release and deployment records with test/verification results
Service assurance
- Availability reports and downtime analyses
- Service continuity plans and test reports (with RTO/RPO)
- Information security policy, risk assessment and incident records
- Capacity plans and utilisation reports
- Demand forecasts and consumption metrics
Financials, evaluation and improvement
- Service budgets, cost models and financial reports
- KPI dashboards and service reports
- Internal audit programme and reports
- Nonconformity and corrective-action records
- Continual improvement (CSI) log and closed-improvement evidence
Roles and responsibilities
Clear ownership is essential. The table below sets out typical roles in an ISO/IEC 20000-1 SMS and their core responsibilities. Titles vary by organisation; the accountabilities do not.
| Role | Core responsibilities |
|---|---|
| Top management / Executive sponsor | Accountable for the SMS, approves policy and objectives, provides resources, chairs or receives management reviews |
| SMS manager / Service management lead | Owns the SMS end to end; coordinates processes, audits, reviews and improvement; primary contact for certification body |
| Service level manager | Negotiates, agrees and reviews SLAs and OLAs; monitors and reports service performance |
| Change and release manager | Runs change and release/deployment processes; chairs the CAB; controls the change schedule |
| Incident and problem manager | Manages incident (including major incident) resolution and problem/root-cause analysis |
| Configuration / asset manager | Maintains the CMDB and asset register; runs configuration audits |
| Capacity and availability manager | Owns capacity, demand, availability planning and reporting |
| Service continuity manager | Owns continuity plans, testing and RTO/RPO achievement |
| Information security manager | Owns the security policy, risk treatment and security incident handling for services |
| Supplier / commercial manager | Manages supplier contracts, performance and governance of other parties |
| Internal auditor | Plans and conducts internal audits of the SMS and reports findings independently |
| Process owners | Accountable for the design, effectiveness and improvement of individual processes |
KPIs to track
A balanced set of KPIs demonstrates both service performance and SMS health. Track at least the following, defining targets, owners and reporting frequency for each.
- SLA attainment rate (percentage of service level targets met)
- Incident resolution within target and mean time to resolve (MTTR)
- Major incident count, duration and repeat rate
- Service request fulfilment within target time
- First-contact / first-line resolution rate
- Change success rate and percentage of emergency changes
- Failed change and change-related incident rate
- Release success rate and rollback frequency
- Problem closure rate and reduction in recurring incidents
- CMDB accuracy (percentage of CIs verified in audits)
- Service availability against agreed targets (uptime percentage)
- Continuity plan test coverage and RTO/RPO achievement
- Information security incident count and mean time to contain
- Capacity threshold breaches and forecast accuracy
- Customer satisfaction (CSAT/NPS) and complaint resolution time
- Internal audit findings closed within target
- Nonconformity closure rate and corrective-action effectiveness
- Number and value of continual improvements delivered
Readiness checklist
Work through this checklist before engaging a certification body. Every item should be evidenced.
- Top management has approved the service management policy and provided resources
- SMS scope is defined, documented and demonstrably governs all parties in scope
- Service management objectives are measurable and linked to the policy
- Risks and opportunities to the SMS are identified, assessed and treated
- All Clause 8 processes are documented, operating and generating records
- A current, accessible service catalogue exists
- SLAs, OLAs and supplier contracts are signed and aligned
- CMDB/CMS is populated, controlled and audited for accuracy
- Incident, request, problem, change, release and configuration processes are live
- Availability, capacity, continuity and information security processes are operating with reports
- Service continuity plans have been tested and RTO/RPO validated
- Competence matrix and training records are complete
- Service reporting is delivering agreed reports to defined audiences
- At least one full internal audit covering all clauses has been completed
- A management review with all required inputs and outputs has been held
- Nonconformities and improvements are logged and being actioned
- Three to six months of operational records are available as evidence
- An accredited certification body has been selected and Stage 1 scheduled
Common gaps and pitfalls
The following weaknesses recur in ISO/IEC 20000-1 audits. Address them proactively.
- Treating outsourced processes as out of scope instead of demonstrating governance of the supplier (Clause 8.2.3) - a frequent scope failure.
- Documentation that describes an idealised process which staff do not actually follow in practice.
- Weak or absent evidence that the PDCA loop closes - metrics collected but no resulting improvement actions.
- Management reviews that omit required inputs or produce no actionable outputs.
- Inaccurate or stale CMDB with no configuration audits, undermining change and incident management.
- SLAs not underpinned by OLAs and supplier contracts, leaving targets unachievable.
- Service continuity plans that exist on paper but have never been tested, or untested RTO/RPO assumptions.
- Information security treated as a bolt-on rather than integrated with the SMS (often resolved by aligning with ISO/IEC 27001).
- Problem management not distinguished from incident management, so recurring incidents are never eliminated.
- Insufficient operational history - too few records to evidence that processes work over time.
- Objectives that are vague or not measurable, preventing meaningful performance evaluation.
- Internal audits that are superficial or do not cover every clause and process before Stage 2.
ISO/IEC 20000-1 mapped to other frameworks
Because ISO/IEC 20000-1 uses the Annex SL structure, it integrates cleanly with other management-system standards, and its Clause 8 processes correspond closely to ITIL practices. The table below maps key ISO/IEC 20000-1 areas to related frameworks to aid integrated implementation.
| ISO/IEC 20000-1 area | ITIL 4 / ITIL v3 | ISO/IEC 27001 | COBIT 2019 | ISO 9001 / Other |
|---|---|---|---|---|
| SMS and PDCA (Clauses 4-10) | Service value system / CSI | ISMS clauses 4-10 (Annex SL) | Governance & Management Objectives (EDM/APO) | ISO 9001 QMS clauses 4-10 |
| Service level management (8.3.2) | Service level management practice | A.5 policies / service agreements | APO09 Manage service agreements | ISO 9001 8.2 customer requirements |
| Incident management (8.6.1) | Incident management practice | A.5.24-5.26 incident management | DSS02 Manage service requests and incidents | - |
| Problem management (8.6.3) | Problem management practice | - | DSS03 Manage problems | - |
| Change management (8.5.1) | Change enablement practice | A.8.32 change management | BAI06 Manage IT changes | - |
| Release and deployment (8.5.3) | Release management / deployment management | A.8.31 development/test/prod separation | BAI07 Manage IT change acceptance | - |
| Configuration and asset (8.2.6) | Service configuration / IT asset management | A.5.9 inventory of assets | BAI09/BAI10 Manage assets and configuration | - |
| Service continuity (8.7.2) | Service continuity management practice | A.5.29-5.30 ICT readiness / continuity | DSS04 Manage continuity | ISO 22301 BCMS |
| Information security (8.7.3) | Information security management practice | Full ISO/IEC 27001 ISMS | APO13/DSS05 Manage security | - |
| Availability & capacity (8.7.1/8.4.3) | Availability & capacity/performance mgmt | A.8.6 capacity management | BAI04 Manage availability and capacity | - |
| Supplier management (8.3.3) | Supplier management practice | A.5.19-5.22 supplier relationships | APO10 Manage vendors | - |
| Continual improvement (Clause 10) | Continual improvement practice | 10.1/10.2 improvement | APO11 / MEA Manage quality | ISO 9001 clause 10 |
How CyberSigma helps
CyberSigma provides end-to-end ISO/IEC 20000-1 advisory, implementation and audit-readiness services. Our CERT-In empanelled and QSA-qualified consultants run a clause-by-clause gap assessment against the 2018 edition, design and document your Service Management System, define a demonstrable and defensible scope (including governance of suppliers under Clause 8.2.3), and stand up every Clause 8 process from incident and change through continuity and information security. We configure ITSM tooling and reporting, build your risk, CMDB and continual-improvement registers, train your teams, and conduct internal audits and a management review so you enter the certification body's Stage 1 and Stage 2 audits with confidence. Because we also deliver ISO/IEC 27001 and ISO 22301, we can build a single integrated management system on the shared Annex SL structure - reducing duplication and audit fatigue. Talk to CyberSigma to move from readiness to certified in a controlled, evidence-backed programme.