
ISO/IEC 20000-1

The international standard for an IT service management system (SMS).

Introduction to ISO/IEC 20000-1

ISO/IEC 20000-1 is the international standard for a Service Management System (SMS). It specifies the requirements an organisation must satisfy to plan, establish, implement, operate, monitor, review, maintain and continually improve the management and delivery of services. Where ISO 9001 governs quality management generically, ISO/IEC 20000-1 focuses specifically on the disciplined management of services - most commonly IT services, but the standard is deliberately technology-neutral and applies equally to managed security services, cloud services, business-process outsourcing and any other service that is planned, delivered and improved. It is the only auditable, certifiable international standard dedicated to service management and is the formal specification against which an organisation's SMS is assessed by an accredited certification body.

The standard is closely aligned with the ITIL body of practice, but the two are distinct. ITIL is a non-certifiable framework of good practice and guidance; ISO/IEC 20000-1 is a certifiable, shall-based specification of requirements. An organisation may adopt ITIL practices, COBIT, VeriSM, DevOps or any other approach as the means of meeting the requirements, but certification is granted only against ISO/IEC 20000-1. The current edition, ISO/IEC 20000-1:2018, was restructured onto Annex SL - the common High-Level Structure shared with ISO 9001, ISO/IEC 27001, ISO 22301 and ISO 14001 - which makes integrated management systems substantially easier to build and audit.

This guide is written for service-management leaders, process owners, internal auditors and certification project managers who need an auditor-grade understanding of every clause and requirement. It walks through the full structure of the standard, provides a master assessment checklist covering every clause and service-management process, and sets out a phased implementation approach, a capability model, an audit methodology, an evidence request list, roles, KPIs and framework mappings. British and Indian English spelling is used throughout.

Copyright note
ISO/IEC 20000-1 is a copyrighted standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The official normative text must be purchased from ISO, IEC or an authorised national standards body (for example BIS in India, BSI in the UK). This guide is an original, plain-language interpretation written to aid understanding and readiness. It paraphrases requirements and does not reproduce the copyrighted clause text of the standard. Always refer to the licensed edition of ISO/IEC 20000-1:2018 for the authoritative wording used in certification.

What is ISO/IEC 20000-1

ISO/IEC 20000-1:2018 specifies requirements for an organisation to establish, implement, maintain and continually improve a Service Management System. The SMS is the coordinated set of policies, objectives, plans, processes, documented information and resources that an organisation uses to direct and control its service-management activities and to deliver value to customers and users. The standard adopts the Plan-Do-Check-Act (PDCA) cycle and a process-based, risk-driven approach in which the organisation defines the services in scope, agrees service requirements with customers, delivers against those requirements, measures performance, and continually improves.

The 2018 edition is organised under the Annex SL High-Level Structure, giving it clauses 1 to 10. Clauses 1 to 3 are scope, normative references and terms. Clauses 4 to 10 contain the auditable requirements: Context of the organisation (4), Leadership (5), Planning (6), Support of the service management system (7), Operation of the service management system (8), Performance evaluation (9) and Improvement (10). Clause 8 is by far the largest and contains the service-management processes historically associated with the standard - service level management, service continuity and availability management, capacity management, information security management, incident and request management, problem management, change management, release and deployment management, configuration management, service reporting, budgeting and accounting, demand management, service catalogue management, the design and transition of new or changed services, and the management of suppliers and other parties involved in the service lifecycle.

Key facts about the standard are summarised below.

Attribute | Detail
Full name | ISO/IEC 20000-1:2018 - Information technology - Service management - Part 1: Service management system requirements
Short name | ISO 20000-1
Issuer | ISO and IEC, developed by joint technical committee ISO/IEC JTC 1/SC 40
Current edition | Third edition, published September 2018 (supersedes 2011 edition)
Structure | Annex SL High-Level Structure, clauses 1-10
Certifiable | Yes - by accredited certification bodies; three-year certificate cycle with surveillance audits
Scope object | The Service Management System (SMS) and the services within its defined scope
Related parts | ISO/IEC 20000-2 (guidance on applying an SMS), 20000-3 (scoping and applicability), 20000-6 (requirements for certification bodies), 20000-10 (concepts and vocabulary)
Region | Global
Alignment | ITIL, COBIT, VeriSM; harmonised with ISO 9001, ISO/IEC 27001, ISO 22301 via Annex SL

Who must comply with ISO/IEC 20000-1

ISO/IEC 20000-1 is voluntary in the sense that no law mandates it universally, but certification is frequently required contractually - in public-sector tenders, managed-services agreements and outsourcing contracts it is often a mandatory qualification. Any organisation that plans, delivers and improves services can implement the standard, whether the services are delivered internally, to external customers, or sourced from third parties. Whatever the delivery model, the organisation must demonstrate control over its own SMS, even where parts of the service are provided by other parties.

Organisation type | Why ISO/IEC 20000-1 applies / benefits
IT managed service providers (MSPs) | Certification is a differentiator and is frequently mandated in RFPs; demonstrates repeatable, controlled delivery
Managed security service providers (MSSPs) | Assures customers of disciplined incident, change and continuity management around security services
Cloud and hosting providers | Evidences reliable capacity, availability, continuity and change management for hosted services
Internal IT / shared-services functions | Improves service quality to internal business units and provides an objective governance baseline
Business process outsourcing (BPO) providers | Applies to any service, not only IT; demonstrates end-to-end service governance
Government and public-sector IT departments | Often required by e-governance and public-procurement policies as a delivery-assurance baseline
Systems integrators and consultancies | Certification supports credibility when delivering or transitioning services for clients
Enterprises with mature ITSM | Formalises and independently validates existing ITIL-based operations

  • There is no minimum organisation size - small and large providers alike can certify, provided the SMS scope is meaningful and the organisation retains management control of the services.
  • Certification is granted at the level of a defined scope (specific services, sites and delivery teams), not necessarily the whole organisation.
  • Where services rely on suppliers or internal groups, the organisation seeking certification must demonstrate governance of those parties (Clause 8.2.3) rather than certify the third party itself.
  • The standard is often adopted alongside ISO/IEC 27001 for security and ISO 22301 for continuity to present a single integrated management system.

Structure of ISO/IEC 20000-1

The 2018 edition follows the Annex SL structure. Clauses 4 to 10 carry the auditable requirements. Clause 8 (Operation of the service management system) is the largest and is subdivided into service-portfolio, relationship, supply, design/build/transition, resolution, and service-assurance groupings which contain the recognisable service-management processes. The table below sets out every clause and sub-clause group that an auditor will examine.

Clause | Title | What it covers
4 | Context of the organisation | Understanding the organisation and its context, needs of interested parties, determining the scope of the SMS, and establishing the SMS itself
4.1 | Understanding the organisation and its context | Internal and external issues relevant to the purpose and outcomes of the SMS
4.2 | Understanding the needs and expectations of interested parties | Identifying customers, users, suppliers and other stakeholders and their requirements
4.3 | Determining the scope of the SMS | Boundaries and applicability, including services, parties and geographies in scope
4.4 | Service management system | Establishing, implementing, maintaining and continually improving the SMS
5 | Leadership | Top-management commitment, service management policy, and organisational roles, responsibilities and authorities
5.1 | Leadership and commitment | Top-management accountability for the SMS and its effectiveness
5.2 | Policy | Establishing and communicating a service management policy
5.3 | Organisational roles, responsibilities and authorities | Assigning and communicating SMS roles
6 | Planning | Actions to address risks and opportunities, service management objectives, and planning of the SMS and changes to it
6.1 | Actions to address risks and opportunities | Risk-based thinking applied to the SMS
6.2 | Service management objectives and planning to achieve them | Measurable objectives and plans
6.3 | Plan the service management system | The overall service management plan
7 | Support of the service management system | Resources, people, competence, awareness, communication and documented information
7.1-7.4 | Resources, human resources, competence, awareness | Providing and managing resources and competencies
7.5 | Documented information | Creation, control and management of documented information; knowledge
7.6 | Knowledge | Determining and managing knowledge to operate the SMS
8 | Operation of the service management system | Operational planning and control plus all service-management processes
8.1 | Operational planning and control | Planning, implementing and controlling operational processes
8.2 | Service portfolio | Service delivery, planning the services, control of parties involved, service catalogue management, asset and configuration management
8.3 | Relationship and agreement | Business relationship management, service level management, supplier management
8.4 | Supply and demand | Budgeting and accounting for services, demand management, capacity management
8.5 | Service design, build and transition | Change management, service design and transition, release and deployment management
8.6 | Resolution and fulfilment | Incident management, service request management, problem management
8.7 | Service assurance | Service availability management, service continuity management, information security management
9 | Performance evaluation | Monitoring, measurement, analysis and evaluation; internal audit; management review; service reporting
10 | Improvement | Nonconformity and corrective action; continual improvement of the SMS and services

Master assessment checklist

This is the core of the guide. It enumerates every clause of ISO/IEC 20000-1:2018 and every service-management process within Clause 8. Each group is presented with a table of what an auditor verifies and the typical evidence expected. Use it as a gap-assessment worksheet: mark each row as conformant, partial or nonconformant and attach the evidence reference.

Clause 4 - Context of the organisation

What to verify | Typical evidence
Internal and external issues relevant to the SMS have been identified and are reviewed | Context analysis, PESTLE/SWOT record, strategy documents, review minutes
Interested parties (customers, users, suppliers, regulators) and their requirements are documented | Stakeholder register, interested-parties requirements matrix
The SMS scope is defined in terms of services, sites, parties and exclusions | Scope statement, service scope document, applicability record referencing ISO/IEC 20000-3
Where other parties operate processes, the organisation retains governance and demonstrates control | Governance model, RACI, supplier/internal-group control records
The SMS is established, documented, maintained and continually improved | SMS manual/description, process architecture, document register

Clause 5 - Leadership

What to verify | Typical evidence
Top management demonstrates commitment and accountability for the SMS | Management review minutes, signed policy, resource-approval records
A service management policy exists, is appropriate, communicated and available | Approved policy document, intranet publication, communication logs
The policy provides a framework for setting and reviewing service management objectives | Policy content, objectives traceable to policy
Roles, responsibilities and authorities for the SMS are assigned and communicated | Org chart, RACI matrix, role descriptions, appointment records
A responsible person / management representative oversees the SMS | Appointment letter, terms of reference

Clause 6 - Planning

What to verify | Typical evidence
Risks and opportunities to the SMS and services are identified and actioned | Risk register, opportunity log, treatment plans, review evidence
Actions to address risks are integrated into SMS processes and their effectiveness evaluated | Risk treatment records, effectiveness reviews
Measurable service management objectives are set at relevant functions and levels | Objectives register with targets, owners and timelines
Plans define what will be done, resources, responsibility, completion dates and evaluation | Service management plan, project plans, milestone tracking
Changes to the SMS are planned in a controlled manner | Change plans, transition plans, version-controlled SMS documents

Clause 7 - Support (resources, competence, awareness, communication, documented information, knowledge)

What to verify | Typical evidence
Resources needed for the SMS are determined and provided | Budget approvals, staffing plans, tooling inventory
Personnel competence requirements are defined and met through education, training or experience | Competence matrix, training records, CVs, certifications
Awareness of policy, objectives and individual contribution is established | Induction records, awareness campaigns, quiz/attendance logs
Internal and external communications relevant to the SMS are determined and executed | Communication plan, stakeholder comms records
Documented information required by the standard and by the organisation exists and is controlled | Document register, version control, review/approval workflow
Documented information is protected, retained, and controlled for distribution and access | Access-control settings, retention schedule, backup evidence
Knowledge needed to operate the SMS is determined, maintained and made available | Knowledge base, known-error database, handover documentation

Clause 8.1 - Operational planning and control

What to verify | Typical evidence
Processes needed to meet service requirements are planned, implemented and controlled | Process definitions, procedures, workflow configuration
Criteria for processes and their control are established | Process criteria, control points, acceptance criteria
Documented information demonstrates processes are carried out as planned | Records, tickets, logs, dashboards
Outsourced processes are controlled | Supplier controls, OLAs, monitoring reports

Clause 8.2 - Service portfolio: service delivery, planning services, control of parties, service catalogue, asset and configuration management

What to verify | Typical evidence
Services delivered meet agreed and documented requirements | Service agreements, delivery reports, SLA attainment
Services are planned including changes to services and their impacts | Service plans, change-impact assessments
Parties involved in the service lifecycle (external suppliers, internal groups, customers acting as suppliers) are governed and their performance monitored | Party register, governance model, performance reviews
A service catalogue is defined, maintained and made available to relevant parties | Service catalogue, publication records, review log
Configuration items (CIs) are identified, recorded and controlled with defined interfaces | CMDB/CMS extract, CI records, configuration baseline
Configuration information is accurate and reconciled through audits | CMDB audit reports, discrepancy logs, reconciliation records
Assets used to deliver services are managed through their lifecycle | Asset register, asset lifecycle records, disposal records

Clause 8.3.1 - Business relationship management

What to verify | Typical evidence
Customers and interested parties are identified and relationships managed | Customer register, relationship-owner assignments
Communication mechanisms and service reviews are established with customers | Service review minutes, meeting cadence, agenda records
Customer satisfaction is measured and acted upon | CSAT/NPS surveys, satisfaction analysis, action plans
Complaints are recorded, managed and resolved | Complaints log, resolution records, escalation trail

Clause 8.3.2 - Service level management (SLM)

What to verify | Typical evidence
Services and service level targets are agreed and documented in SLAs | Signed SLAs, service level targets, service catalogue linkage
Service performance is monitored against SLA targets and reported | SLA performance reports, dashboards, trend analysis
Underpinning agreements (OLAs and supplier contracts) support SLA targets | OLAs, supplier contracts, dependency mapping
SLAs are reviewed at planned intervals and when services change | SLA review minutes, revision history
Breaches are identified, investigated and improvement actions raised | Breach reports, root-cause records, improvement log

Clause 8.3.3 - Supplier management

What to verify | Typical evidence
Suppliers are identified and managed to deliver services meeting requirements | Supplier register, contracts, scope of supply
Supplier performance is monitored against contractual and service targets | Supplier scorecards, performance review minutes
Contractual disputes and end-of-contract/transition are managed | Dispute records, exit/transition plans
Where sub-contracted (lead-supplier) arrangements exist, accountability is maintained | Lead-supplier agreements, sub-contractor oversight records

Clause 8.4.1 - Budgeting and accounting for services

What to verify | Typical evidence
Costs of service provision are budgeted and controlled | Service budgets, cost models, variance reports
Costs are accounted for against services with defined granularity | Cost allocation records, chargeback/showback reports
Financial performance is monitored and reported to relevant parties | Financial reports, forecast-vs-actual records

Clause 8.4.2 - Demand management

What to verify | Typical evidence
Current and forecast demand for services is determined | Demand forecasts, business-volume data, workload models
Demand is monitored and used to inform capacity and resource planning | Demand-vs-capacity analysis, planning inputs
Consumption of services is measured | Consumption metrics, usage reports

Clause 8.4.3 - Capacity management

What to verify | Typical evidence
Capacity requirements covering human, technical and financial resources are determined | Capacity plan, resource requirement records
Capacity is planned to meet agreed current and future demand | Capacity forecasts, scenario models, thresholds
Capacity and performance are monitored against thresholds with tuning actions | Utilisation reports, threshold alerts, tuning records

Clause 8.5.1 - Change management

What to verify | Typical evidence
Change policy defines categories, CIs and services under change control | Change management policy, scope definition
Changes are recorded, classified, assessed for risk/impact and authorised | Change records (RFCs), risk assessments, CAB minutes
Emergency changes follow a defined expedited yet controlled route | Emergency change procedure, emergency change records
Changes are scheduled, communicated and reflected in a change schedule | Forward schedule of change, communication records
Change success is reviewed and unsuccessful changes are backed out | Post-implementation reviews, back-out records, failure analysis

Clause 8.5.2 - Service design and transition of new or changed services

What to verify | Typical evidence
New or changed services are planned considering cost, quality, risk and impact | Service design plan, business case, impact assessment
Requirements for new/changed services are determined and documented | Service requirements specification, acceptance criteria
Services are designed and documented to meet agreed requirements | Design documents, architecture, SLA/OLA drafts
New/changed services are transitioned to live operation with acceptance criteria met | Transition plan, test/acceptance results, go-live approval
Post-transition review confirms outcomes and lessons learned | Early-life-support records, transition review minutes

Clause 8.5.3 - Release and deployment management

What to verify | Typical evidence
A release policy defines frequency, type and grouping of releases | Release policy, release calendar
Releases are planned, built, tested and verified before deployment | Release plans, build records, test results, verification sign-off
Deployment into the live environment is controlled and success verified | Deployment records, verification checks, rollback provisions
Failed releases are reversed or remediated and reviewed | Rollback records, incident linkage, release review

Clause 8.6.1 - Incident management

What to verify | Typical evidence
Incidents are recorded, classified, prioritised and managed to resolution | Incident tickets, priority matrix, resolution records
Target resolution times are defined and monitored | SLA targets for incidents, breach reports
Escalation and communication procedures are followed | Escalation records, user communications
Users are kept informed of progress and resolution | Notification logs, ticket update history

Clause 8.6.1 - Major incident management

What to verify | Typical evidence
Major incidents are defined with agreed criteria and a dedicated procedure | Major incident definition, procedure, priority criteria
Responsibility, escalation and management of major incidents are assigned | Major-incident manager role, war-room/bridge records
Major incidents are reviewed post-resolution for improvement | Major incident reviews, problem records raised

Clause 8.6.2 - Service request management

What to verify | Typical evidence
Service requests are recorded, classified and fulfilled within targets | Request tickets, request catalogue, fulfilment SLA
Standard request types have documented fulfilment procedures | Request models, standard-request procedures
Requesters are kept informed and closure is confirmed | Notification logs, closure confirmation, CSAT on requests

Clause 8.6.3 - Problem management

What to verify | Typical evidence
Problems are identified from incident trends and recorded | Problem records, trend analysis, incident linkage
Root-cause analysis is performed and known errors documented | RCA records, known-error database (KEDB)
Corrective actions and workarounds are managed and their effectiveness reviewed | Workaround records, corrective actions, effectiveness reviews
Problem management reduces recurring incidents over time | Recurrence metrics, trend improvement evidence

Clause 8.7.1 - Service availability management

What to verify | Typical evidence
Availability requirements and targets are agreed and documented | Availability targets in SLAs, availability requirements
Availability is monitored, measured and reported | Availability reports, uptime dashboards
Availability risks are assessed and unplanned unavailability investigated | Availability risk assessment, downtime root-cause records
Availability plans address single points of failure and resilience | Availability plan, resilience design records

Clause 8.7.2 - Service continuity management

What to verify | Typical evidence
Continuity requirements are determined from risk assessment and business impact | Continuity requirements, BIA, risk assessment
Service continuity plans are documented, maintained and accessible | SCM plans, recovery procedures, contact lists
Continuity plans are tested at planned intervals and after significant change | Test schedules, test/exercise reports, findings
Recovery targets (RTO/RPO) are defined and achievable | RTO/RPO definitions, test results validating targets

Clause 8.7.3 - Information security management

What to verify | Typical evidence
An information security policy relevant to services is established and approved | Information security policy, management approval
Security controls are implemented to protect service confidentiality, integrity and availability | Control set, access controls, technical safeguards (often mapped to ISO/IEC 27001)
Security risks affecting services are assessed and treated | Security risk assessment, treatment plan
Information security incidents are managed and reviewed | Security incident records, response evidence, reviews
Physical, technical and organisational controls are applied to service assets | Control implementation evidence, audit records

Clause 9 - Performance evaluation (monitoring, internal audit, management review, service reporting)

What to verify | Typical evidence
What is monitored and measured, and the methods used, are determined | Measurement plan, KPI definitions, tooling configuration
SMS and service performance are analysed and evaluated | Performance analysis, KPI reports, evaluation minutes
Internal audits are planned, conducted and results reported at planned intervals | Audit programme, audit reports, auditor competence records
Management reviews of the SMS are conducted at planned intervals with defined inputs and outputs | Management review minutes covering all required inputs, action items
Service reporting produces agreed reports for identified needs and audiences | Service report catalogue, delivered reports, distribution records

Clause 10 - Improvement (nonconformity, corrective action, continual improvement)

What to verify | Typical evidence
Nonconformities are identified, controlled and corrected | Nonconformity register, corrective-action requests
Root causes of nonconformities are addressed to prevent recurrence | RCA records, corrective actions, verification of effectiveness
Continual improvement of the SMS and services is managed against evaluation criteria | Improvement register (CSI log), prioritisation, benefit tracking
Opportunities for improvement from audits, reviews and metrics are captured and actioned | Improvement backlog, closed-improvement evidence

Scoping the Service Management System

Defining the SMS scope correctly is one of the most consequential decisions in an ISO/IEC 20000-1 programme, and ISO/IEC 20000-3 provides dedicated guidance on scope definition and applicability. The scope must be meaningful: it should describe the services covered, the parties delivering them, the technologies and locations involved, and any exclusions. A scope that is too narrow can render certification commercially worthless; a scope that is too broad can make the programme unmanageable.

A critical constraint in the 2018 edition is the concept of governance of processes operated by other parties. The organisation seeking certification must retain accountability for the SMS. It cannot exclude a service-management process simply because a supplier or another internal group performs it; instead it must demonstrate that it governs that party, sets requirements, and monitors performance. If the organisation cannot demonstrate this control, the service cannot legitimately be included in scope.

  • Define scope by service, not merely by technology - list the services from the service catalogue that are covered.
  • State the organisational units, delivery teams and physical/cloud locations included.
  • Identify all parties (external suppliers, internal groups, customers acting as suppliers) and confirm the organisation governs them.
  • Document justified exclusions and confirm no Clause 4-10 requirement is excluded (all requirements are mandatory; only the range of services is scoped).
  • Reference ISO/IEC 20000-3 when assessing whether a proposed scope is demonstrable and defensible.
  • Ensure the scope statement is a controlled document, approved by top management and made available to interested parties.

Scope and outsourcing
Unlike some standards, ISO/IEC 20000-1 does not permit an organisation to disclaim responsibility for a process just because it is outsourced. If a supplier runs your service desk, incident management is still in scope and you must show you govern the supplier. Failing to demonstrate this control is a common reason for scope challenges during certification audits.

Implementation approach

A pragmatic ISO/IEC 20000-1 implementation follows a phased path aligned to the PDCA cycle. The following five phases take an organisation from initiation to certification and beyond. Each phase lists key activities and the deliverables an auditor will later expect to see.

Phase 1 - Initiation and gap assessment

Establish the mandate, secure top-management sponsorship, and understand the current state against the standard.

  • Activities: appoint a project sponsor and SMS manager; define provisional scope; conduct a clause-by-clause and process-by-process gap assessment against ISO/IEC 20000-1:2018; identify interested parties and their requirements; produce a business case.
  • Deliverables: gap assessment report, provisional scope statement, stakeholder register, project charter and high-level plan, business case.

Phase 2 - Design and documentation

Design the SMS, its policy, objectives, process architecture and documented information.

  • Activities: draft the service management policy and objectives; design the process architecture covering all Clause 8 processes; define the service catalogue; write procedures, RACIs and templates; establish the risk and improvement registers; select or configure ITSM tooling; define measurement and reporting.
  • Deliverables: service management policy, service management plan, process procedures, service catalogue, RACI matrices, risk register, improvement (CSI) log, KPI/measurement plan, tool configuration.

Phase 3 - Implementation and operation

Deploy the SMS into live operation and begin generating records.

  • Activities: roll out processes and tooling; train staff and build awareness; agree SLAs, OLAs and supplier contracts; commence incident, request, problem, change, release and configuration management in earnest; begin service reporting; operate the SMS long enough to generate an audit trail (typically three to six months of records).
  • Deliverables: signed SLAs/OLAs, training records, live process records (tickets, changes, releases), populated CMDB, service reports, competence matrix.

Phase 4 - Evaluation and internal audit

Check that the SMS is working and correct weaknesses before external assessment.

  • Activities: measure and analyse KPIs; conduct a full internal audit covering all clauses and processes; hold a management review with all required inputs and outputs; raise and close nonconformities and improvements.
  • Deliverables: internal audit programme and reports, management review minutes, nonconformity and corrective-action records, updated improvement log, KPI performance packs.

Phase 5 - Certification and continual improvement

Engage an accredited certification body and sustain the SMS.

  • Activities: select an accredited certification body; undergo Stage 1 (documentation and readiness review) and Stage 2 (implementation) audits; address any findings; achieve certification; operate surveillance audits and recertification; drive continual improvement.
  • Deliverables: Stage 1 and Stage 2 audit responses, corrective-action plans, certificate of registration, surveillance-audit records, ongoing CSI evidence.

Capability and maturity model

ISO/IEC 20000-1 certification is binary - an SMS either conforms or it does not - but organisations benefit from a maturity view to plan improvement and to communicate progress. The model below combines a five-level process-capability scale (aligned with the spirit of the ISO/IEC 33000 series and CMMI) with the PDCA emphasis of the standard. Use it to score each Clause 8 process and the Clause 4-10 management clauses, and target a consistent minimum before seeking certification.

| Level | Name | Characteristics | Certification readiness |
|---|---|---|---|
| 0 | Incomplete | Process is not performed or fails to achieve its purpose; ad hoc, undocumented | Not ready |
| 1 | Performed | Process is carried out and achieves its outcomes, but is reactive and inconsistently applied | Not ready - significant gaps |
| 2 | Managed | Process is planned, monitored and adjusted; work products are controlled; roles defined | Approaching - foundational conformance |
| 3 | Established / Defined | A standard, documented process is tailored and consistently used across the scope | Certification-capable baseline |
| 4 | Predictable / Measured | Process operates within defined quantitative limits; performance is measured and predictable | Strong - supports robust surveillance |
| 5 | Optimising | Continual improvement is embedded; process is proactively optimised against business goals | Best practice - exemplary CSI |

For certification, an organisation should generally target at least Level 3 (Established) across all in-scope processes, with Clause 9 evaluation and Clause 10 improvement demonstrably operating to move toward Levels 4 and 5 over time.

Assessment and audit approach

Certification audits by an accredited body follow a defined two-stage model, followed by a three-year cycle of surveillance and recertification. Internal audits and pre-assessments follow a similar methodology. The following steps describe an auditor-grade approach.

  1. Define audit scope and criteria: confirm the SMS scope, services, sites and the applicable edition (ISO/IEC 20000-1:2018) as the audit criteria.
  2. Conduct a Stage 1 (readiness / documentation) review: examine the SMS documentation, scope, policy, objectives, risk approach and internal-audit and management-review evidence to confirm the SMS is designed and ready for the implementation audit.
  3. Plan the Stage 2 audit: prepare an audit plan and schedule sampling each clause (4-10) and every in-scope Clause 8 process, allocating time and interviewees.
  4. Gather objective evidence: interview process owners and staff, inspect records (tickets, changes, releases, CMDB, reports), observe operations and trace transactions end to end.
  5. Test the PDCA loop: verify that monitoring, internal audit, management review and improvement actually drive corrective action and continual improvement, not just documentation.
  6. Assess governance of other parties: confirm suppliers and internal groups delivering in-scope processes are governed and monitored.
  7. Classify findings: record conformities, opportunities for improvement, minor nonconformities and major nonconformities against specific clauses.
  8. Report and require corrective action: issue an audit report; the organisation submits root-cause analysis and corrective-action plans for nonconformities.
  9. Make the certification decision: an independent reviewer confirms closure of major nonconformities before the certificate is granted.
  10. Operate the surveillance cycle: conduct annual (or semi-annual) surveillance audits covering a rolling subset of the SMS, and a full recertification audit before the three-year certificate expires.

Evidence request list

Auditors and internal assessors typically request the following categorised evidence. Prepare an evidence index that maps each item to its clause.

Governance and leadership

  • Service management policy and objectives
  • SMS scope statement and applicability record
  • Management review minutes and action logs
  • Organisational roles, RACI and appointment records
  • Risk register and treatment plans

Service portfolio and configuration

  • Service catalogue
  • CMDB/CMS extract and configuration baselines
  • Configuration audit and reconciliation reports
  • Asset register and lifecycle records
  • Party/supplier register and governance model

Agreements and relationships

  • Signed SLAs, OLAs and underpinning contracts
  • Supplier scorecards and performance reviews
  • Customer satisfaction survey results
  • Complaints log and resolution records
  • Service review meeting minutes

Operational process records

  • Incident and major-incident records
  • Service request records and request catalogue
  • Problem records, RCA and known-error database
  • Change records (RFCs), CAB minutes, change schedule
  • Release and deployment records with test/verification results

Service assurance

  • Availability reports and downtime analyses
  • Service continuity plans and test reports (with RTO/RPO)
  • Information security policy, risk assessment and incident records
  • Capacity plans and utilisation reports
  • Demand forecasts and consumption metrics

Financials, evaluation and improvement

  • Service budgets, cost models and financial reports
  • KPI dashboards and service reports
  • Internal audit programme and reports
  • Nonconformity and corrective-action records
  • Continual improvement (CSI) log and closed-improvement evidence

Roles and responsibilities

Clear ownership is essential. The table below sets out typical roles in an ISO/IEC 20000-1 SMS and their core responsibilities. Titles vary by organisation; the accountabilities do not.

| Role | Core responsibilities |
|---|---|
| Top management / Executive sponsor | Accountable for the SMS, approves policy and objectives, provides resources, chairs or receives management reviews |
| SMS manager / Service management lead | Owns the SMS end to end; coordinates processes, audits, reviews and improvement; primary contact for certification body |
| Service level manager | Negotiates, agrees and reviews SLAs and OLAs; monitors and reports service performance |
| Change and release manager | Runs change and release/deployment processes; chairs the CAB; controls the change schedule |
| Incident and problem manager | Manages incident (including major incident) resolution and problem/root-cause analysis |
| Configuration / asset manager | Maintains the CMDB and asset register; runs configuration audits |
| Capacity and availability manager | Owns capacity, demand, availability planning and reporting |
| Service continuity manager | Owns continuity plans, testing and RTO/RPO achievement |
| Information security manager | Owns the security policy, risk treatment and security incident handling for services |
| Supplier / commercial manager | Manages supplier contracts, performance and governance of other parties |
| Internal auditor | Plans and conducts internal audits of the SMS and reports findings independently |
| Process owners | Accountable for the design, effectiveness and improvement of individual processes |

KPIs to track

A balanced set of KPIs demonstrates both service performance and SMS health. Track at least the following, defining targets, owners and reporting frequency for each.

  • SLA attainment rate (percentage of service level targets met)
  • Incident resolution within target and mean time to resolve (MTTR)
  • Major incident count, duration and repeat rate
  • Service request fulfilment within target time
  • First-contact / first-line resolution rate
  • Change success rate and percentage of emergency changes
  • Failed change and change-related incident rate
  • Release success rate and rollback frequency
  • Problem closure rate and reduction in recurring incidents
  • CMDB accuracy (percentage of CIs verified in audits)
  • Service availability against agreed targets (uptime percentage)
  • Continuity plan test coverage and RTO/RPO achievement
  • Information security incident count and mean time to contain
  • Capacity threshold breaches and forecast accuracy
  • Customer satisfaction (CSAT/NPS) and complaint resolution time
  • Internal audit findings closed within target
  • Nonconformity closure rate and corrective-action effectiveness
  • Number and value of continual improvements delivered
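The KPIs above are only useful when their definitions are pinned down: what counts as "within target", whether a change that was closed as successful but later caused an incident still counts as a success, and what period and outage definition an availability figure is computed over. The script below is an added example, not code from the page or from any ITSM product; it computes a subset of the listed KPIs (resolution within target, MTTR, major-incident figures, change success and emergency rates, change-related incident rate, and availability against target) from constructed incident and change records. The field names, the P1-P4 priority scheme, the per-priority resolution targets and the assumption that every P1 incident is a full outage are all illustrative choices, and should be replaced by the definitions in your SLAs and measurement plan.

```python
"""Added example (not from the page or any ITSM product): computes a subset of
the SMS KPIs from constructed incident and change records. Field names, the
priority scheme and the resolution targets are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Incident:
    id: str
    priority: str                 # assumed scheme: P1 = major incident ... P4 = low
    opened: datetime
    resolved: Optional[datetime]  # None while still open
    caused_by_change: Optional[str] = None  # change id if the incident was change-related


@dataclass
class Change:
    id: str
    emergency: bool
    outcome: str                  # assumed values: "success", "failed", "rolled_back"


# Assumed resolution targets per priority, in hours (in practice taken from the SLA)
RESOLUTION_TARGET_HOURS = {"P1": 4, "P2": 8, "P3": 24, "P4": 72}


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample records for one reporting period (March 2024, 744 hours)
INCIDENTS = [
    Incident("INC-1", "P1", _ts("2024-03-01T09:00"), _ts("2024-03-01T11:30")),  # 2.5 h, within 4 h
    Incident("INC-2", "P2", _ts("2024-03-02T10:00"), _ts("2024-03-02T20:00")),  # 10 h, breaches 8 h
    Incident("INC-3", "P3", _ts("2024-03-03T08:00"), _ts("2024-03-03T14:00"), caused_by_change="CHG-2"),
    Incident("INC-4", "P4", _ts("2024-03-04T08:00"), None),                      # still open
    Incident("INC-5", "P1", _ts("2024-03-05T02:00"), _ts("2024-03-05T09:00")),  # 7 h, breaches 4 h
]
CHANGES = [
    Change("CHG-1", emergency=False, outcome="success"),
    Change("CHG-2", emergency=False, outcome="success"),      # closed as success but caused INC-3
    Change("CHG-3", emergency=True, outcome="rolled_back"),
    Change("CHG-4", emergency=False, outcome="failed"),
]


def _duration_hours(inc: Incident) -> float:
    return (inc.resolved - inc.opened).total_seconds() / 3600


def resolution_kpis(incidents):
    """Resolution within target, MTTR and major-incident figures over resolved incidents."""
    resolved = [i for i in incidents if i.resolved is not None]
    if not resolved:
        raise ValueError("no resolved incidents in the reporting period")
    within = [i for i in resolved if _duration_hours(i) <= RESOLUTION_TARGET_HOURS[i.priority]]
    majors = [i for i in resolved if i.priority == "P1"]
    return {
        "resolved": len(resolved),
        "open": len(incidents) - len(resolved),
        "within_target_pct": 100 * len(within) / len(resolved),
        "mttr_hours": sum(map(_duration_hours, resolved)) / len(resolved),
        "breaches": [i.id for i in resolved if i not in within],
        "major_count": len(majors),
        "major_mean_hours": sum(map(_duration_hours, majors)) / len(majors) if majors else 0.0,
    }


def change_kpis(changes, incidents):
    """A change that caused an incident is counted as failed even if its own
    record was closed as a success; otherwise change-related incidents are hidden."""
    total = len(changes)
    change_related = {i.caused_by_change for i in incidents if i.caused_by_change}
    clean = [c for c in changes if c.outcome == "success" and c.id not in change_related]
    return {
        "change_success_pct": 100 * len(clean) / total,
        "emergency_pct": 100 * sum(c.emergency for c in changes) / total,
        "rollbacks": sum(c.outcome == "rolled_back" for c in changes),
        "change_related_incident_pct": 100 * sum(bool(i.caused_by_change) for i in incidents) / len(incidents),
    }


def availability(incidents, period_hours: float, target_pct: float):
    """Availability from P1 outage time; assumes (for this example) that every
    resolved P1 incident was a full service outage for its whole duration."""
    downtime = sum(_duration_hours(i) for i in incidents if i.priority == "P1" and i.resolved)
    pct = 100 * (1 - downtime / period_hours)
    return {"downtime_hours": downtime, "availability_pct": pct, "target_met": pct >= target_pct}


if __name__ == "__main__":
    print(resolution_kpis(INCIDENTS))
    print(change_kpis(CHANGES, INCIDENTS))
    print(availability(INCIDENTS, period_hours=31 * 24, target_pct=99.5))
```

On the constructed data two of four resolved incidents meet their target, MTTR is 6.375 hours, only one of four changes is clean (CHG-2 is excluded because it caused INC-3, and CHG-3 and CHG-4 did not succeed), and 9.5 hours of P1 outage leaves availability below a 99.5 percent target. The point for the evidence pack is that each figure is reproducible from the underlying records, which is what an auditor tracing a service report back to tickets will check.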

Readiness checklist

Work through this checklist before engaging a certification body. Every item should be evidenced.

  • Top management has approved the service management policy and provided resources
  • SMS scope is defined, documented and demonstrably governs all parties in scope
  • Service management objectives are measurable and linked to the policy
  • Risks and opportunities to the SMS are identified, assessed and treated
  • All Clause 8 processes are documented, operating and generating records
  • A current, accessible service catalogue exists
  • SLAs, OLAs and supplier contracts are signed and aligned
  • CMDB/CMS is populated, controlled and audited for accuracy
  • Incident, request, problem, change, release and configuration processes are live
  • Availability, capacity, continuity and information security processes are operating with reports
  • Service continuity plans have been tested and RTO/RPO validated
  • Competence matrix and training records are complete
  • Service reporting is delivering agreed reports to defined audiences
  • At least one full internal audit covering all clauses has been completed
  • A management review with all required inputs and outputs has been held
  • Nonconformities and improvements are logged and being actioned
  • Three to six months of operational records are available as evidence
  • An accredited certification body has been selected and Stage 1 scheduled
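Several checklist items (a populated and audited CMDB/CMS, live configuration management, three to six months of records) come together in the configuration audit that produces the "CMDB accuracy" KPI. The script below is an added example, not from the page or any CMDB product: it reconciles a constructed CMDB extract against an independent discovery inventory and classifies each configuration item as verified, drifted (recorded attributes differ from what was discovered), missing from discovery (recorded but no longer present, typically decommissioned without a change), or unregistered (present on the network but absent from the CMDB). Unregistered hosts are the finding a security engineer cares most about, because anything outside the CMDB is also outside change, incident and vulnerability management. The record fields and the two inventories are constructed for illustration.

```python
"""Added example (not from the page or any CMDB product): configuration audit
that reconciles a CMDB extract against discovery results and computes the
CMDB accuracy KPI. All records below are constructed for illustration."""

# Constructed CMDB extract: CI name -> recorded attributes
CMDB = {
    "web-01":  {"ip": "10.0.1.10", "os": "Ubuntu 22.04", "owner": "platform", "status": "live"},
    "web-02":  {"ip": "10.0.1.11", "os": "Ubuntu 22.04", "owner": "platform", "status": "live"},
    "db-01":   {"ip": "10.0.2.10", "os": "RHEL 9",       "owner": "data",     "status": "live"},
    "app-old": {"ip": "10.0.3.5",  "os": "Windows 2012", "owner": "",         "status": "live"},
}

# Constructed discovery inventory (what an agent or network scan actually found)
DISCOVERED = {
    "web-01":  {"ip": "10.0.1.10", "os": "Ubuntu 22.04"},
    "web-02":  {"ip": "10.0.1.11", "os": "Ubuntu 24.04"},   # upgraded; CMDB record is stale
    "db-01":   {"ip": "10.0.2.10", "os": "RHEL 9"},
    "jump-99": {"ip": "10.0.9.9",  "os": "Debian 12"},      # on the network, not in the CMDB
}

# Attributes compared in this audit (assumed; extend to patch level, owner, etc.)
AUDITED_ATTRS = ("ip", "os")
REQUIRED_FIELDS = ("owner",)  # a CI with no owner cannot be routed for incidents or changes


def reconcile(cmdb, discovered, attrs=AUDITED_ATTRS, required=REQUIRED_FIELDS):
    """Classify every CI and compute accuracy as verified CIs over recorded CIs."""
    findings = {
        "verified": [],              # recorded attributes match discovery
        "drifted": {},               # CI -> {attr: (recorded, discovered)}
        "missing_from_discovery": [],  # recorded but not found: decommissioned or hidden
        "unregistered": [],          # found but not recorded: outside all SMS controls
        "incomplete": [],            # recorded but missing a required field
    }
    for ci, rec in cmdb.items():
        if any(not rec.get(f) for f in required):
            findings["incomplete"].append(ci)
        if ci not in discovered:
            findings["missing_from_discovery"].append(ci)
            continue
        diffs = {a: (rec.get(a), discovered[ci].get(a))
                 for a in attrs if rec.get(a) != discovered[ci].get(a)}
        if diffs:
            findings["drifted"][ci] = diffs
        else:
            findings["verified"].append(ci)
    findings["unregistered"] = sorted(set(discovered) - set(cmdb))
    findings["accuracy_pct"] = 100 * len(findings["verified"]) / len(cmdb) if cmdb else 0.0
    return findings


def corrective_actions(findings):
    """Turn findings into the corrective-action entries an auditor expects to see,
    unregistered hosts first because they carry the most security exposure."""
    actions = [f"register or remove {ci} (unregistered on network)" for ci in findings["unregistered"]]
    actions += [f"update {ci}: {d}" for ci, d in findings["drifted"].items()]
    actions += [f"confirm decommission of {ci} and retire record" for ci in findings["missing_from_discovery"]]
    actions += [f"assign owner to {ci}" for ci in findings["incomplete"]]
    return actions


if __name__ == "__main__":
    result = reconcile(CMDB, DISCOVERED)
    print(f"CMDB accuracy: {result['accuracy_pct']:.1f}%")
    for action in corrective_actions(result):
        print(" -", action)
```

On the constructed data the accuracy figure is 50 percent (two of four recorded CIs verified), with one drifted record, one record for a host no longer present, one host with no record at all and one CI with no owner. Reporting the number alone is not enough for an audit: keep the per-CI findings and the resulting corrective actions as the configuration-audit evidence, and re-run the reconciliation on a schedule so the trend can be shown at surveillance.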

Common gaps and pitfalls

The following weaknesses recur in ISO/IEC 20000-1 audits. Address them proactively.

  • Treating outsourced processes as out of scope instead of demonstrating governance of the supplier (Clause 8.2.3) - a frequent scope failure.
  • Documentation that describes an idealised process which staff do not actually follow in practice.
  • Weak or absent evidence that the PDCA loop closes - metrics collected but no resulting improvement actions.
  • Management reviews that omit required inputs or produce no actionable outputs.
  • Inaccurate or stale CMDB with no configuration audits, undermining change and incident management.
  • SLAs not underpinned by OLAs and supplier contracts, leaving targets unachievable.
  • Service continuity plans that exist on paper but have never been tested, or untested RTO/RPO assumptions.
  • Information security treated as a bolt-on rather than integrated with the SMS (often resolved by aligning with ISO/IEC 27001).
  • Problem management not distinguished from incident management, so recurring incidents are never eliminated.
  • Insufficient operational history - too few records to evidence that processes work over time.
  • Objectives that are vague or not measurable, preventing meaningful performance evaluation.
  • Internal audits that are superficial or do not cover every clause and process before Stage 2.

ISO/IEC 20000-1 mapped to other frameworks

Because ISO/IEC 20000-1 uses the Annex SL structure, it integrates cleanly with other management-system standards, and its Clause 8 processes correspond closely to ITIL practices. The table below maps key ISO/IEC 20000-1 areas to related frameworks to aid integrated implementation.

| ISO/IEC 20000-1 area | ITIL 4 / ITIL v3 | ISO/IEC 27001 (2022 Annex A) | COBIT 2019 | ISO 9001 / Other |
|---|---|---|---|---|
| SMS and PDCA (Clauses 4-10) | Service value system / CSI | ISMS clauses 4-10 (Annex SL) | Governance & Management Objectives (EDM/APO) | ISO 9001 QMS clauses 4-10 |
| Service level management (8.3.3) | Service level management practice | A.5.1 policies / A.5.20 agreements | APO09 Manage service agreements | ISO 9001 8.2 customer requirements |
| Incident management (8.6.1) | Incident management practice | A.5.24-5.26 incident management | DSS02 Manage service requests and incidents | - |
| Problem management (8.6.3) | Problem management practice | - | DSS03 Manage problems | - |
| Change management (8.5.1) | Change enablement practice | A.8.32 change management | BAI06 Manage IT changes | - |
| Release and deployment (8.5.3) | Release management / deployment management | A.8.31 development/test/prod separation | BAI07 Manage IT change acceptance | - |
| Configuration and asset (8.2.6 / 8.2.5) | Service configuration / IT asset management | A.5.9 inventory of assets | BAI09/BAI10 Manage assets and configuration | - |
| Service continuity (8.7.2) | Service continuity management practice | A.5.29-5.30 ICT readiness / continuity | DSS04 Manage continuity | ISO 22301 BCMS |
| Information security (8.7.3) | Information security management practice | Full ISO/IEC 27001 ISMS | APO13/DSS05 Manage security | - |
| Availability & capacity (8.7.1 / 8.4.3) | Availability & capacity/performance mgmt | A.8.6 capacity management | BAI04 Manage availability and capacity | - |
| Supplier management (8.3.4) | Supplier management practice | A.5.19-5.22 supplier relationships | APO10 Manage vendors | - |
| Continual improvement (Clause 10) | Continual improvement practice | 10.1/10.2 improvement | APO11 / MEA Manage quality | ISO 9001 clause 10 |

How CyberSigma helps

CyberSigma provides end-to-end ISO/IEC 20000-1 advisory, implementation and audit-readiness services. Our CERT-In empanelled and QSA-qualified consultants run a clause-by-clause gap assessment against the 2018 edition, design and document your Service Management System, define a demonstrable and defensible scope (including governance of suppliers under Clause 8.2.3), and stand up every Clause 8 process from incident and change through continuity and information security. We configure ITSM tooling and reporting, build your risk, CMDB and continual-improvement registers, train your teams, and conduct internal audits and a management review so you enter the certification body's Stage 1 and Stage 2 audits with confidence. Because we also deliver ISO/IEC 27001 and ISO 22301, we can build a single integrated management system on the shared Annex SL structure - reducing duplication and audit fatigue. Talk to CyberSigma to move from readiness to certified in a controlled, evidence-backed programme.

Frequently asked questions

Is ISO 20000-1 the same as ITIL?
No — ITIL is best-practice guidance; ISO 20000-1 is the certifiable service-management standard that ITIL practices help you meet.

Need help with ISO 20000-1?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.