Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice

X

When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

The ISO20000 Standard in a Nutshell...

The ISO/IEC 20000 international standard for “Information technology — Service management – Part 1: Service management system requirements” (referred to in this guide as simply “ISO/IEC 20000”) was originally published by the ISO in 2005 and is based upon the earlier British standard BS15000. Revised in 2018, ISO/IEC 20000 specifies the requirements that your SMS will need to meet in order for your organization to become certified to the standard. The requirements in ISO/IEC 20000 are supplemented by guidance contained in ISO/IEC 20000 Part 2 which was also revised in 2019. ISO/IEC 20000 Part 2 is well worth reading as it fills in some of the gaps in understanding how the requirements in ISO/IEC 20000 Part 1 should be met and gives more clues about what the auditor may be looking for.

The ISO/IEC 20000 Family

There are a number of other documents published within the ISO/IEC 20000 series and many of them provide useful supporting information for organizations going for ISO/IEC 20000 certification (or simply using it for guidance). Some of the commonly-referenced ones are:

  1. ISO/IEC 20000 Part 3 – Guidance on scope definition and applicability
  2. ISO/IEC 20000 Part 5 – Implementation guidance
  3. ISO/IEC 20000 Part 9 – Guidance on the application of ISO/IEC 20000-1 to cloud services
  4. ISO/IEC 20000 Part 10 – Concepts and vocabulary

It’s worth pointing out that, although useful, none of these are required reading for ISO/IEC 20000 so if you are limited in time and budget, ISO/IEC 20000 Part 2 is still your best bet.

There’s no obligation to go for certification to ISO/IEC 20000 and many organizations choose to simply use the standard as a set of good practice principles to guide them along the way to managing their IT services effectively.

The Basic Layout

After the foreword (which mainly describes the differences between the old and the new versions) and the introduction (which sets out the structure of the clauses), the standard consists of a total of ten sections. Sections 1 to 3 don’t contain any requirements and so an organization wouldn’t be audited against those. They are worth a read however as they provide some useful background to what the standard is about and how it should be interpreted.

The Requirements

Sections 4 to 10 set out the requirements of the standard. Requirements are often referred to as the “shalls” of the standard because that is the word usually used by ISO to show that what is being stated is compulsory if an organization is to be compliant. So the (internal and external) auditing process is basically an exercise to check whether all of the requirements are being met by the organization. Requirements are not optional and if they are not being met then a “nonconformity” will be raised by the auditor and the organization will need to address it to gain or keep their certification to the standard (see the section on auditing later in this guide).

Show Me the Evidence...

In order to show that the requirements are being met the auditor will need to see some evidence. This can take many forms and used to be defined as a combination of “documents” (evidence of intention such as policies, processes and procedures) and “records” (evidence that something has been done) although the general term “documented information” is now used. This is often a major culture change in many organizations. Just doing something is no longer enough; you must be able to prove that you did something. This means keeping records in areas you maybe don’t keep records at the moment, a good example often being meeting minutes. Meetings happen and things are discussed and decisions are made but the auditor won’t just accept your word for it. The auditor will want to see the minutes. Other examples could be training records – who was trained to do what and when? Or service continuity tests – what was tested, by whom, when and what was the outcome?

If all of this sounds rather onerous, then it’s true, it can mean more work at least in the short term. But doing IT service management according to the ISO/IEC 20000 standard is about doing it right. You will be taking advantage of the knowledge of a wide variety of experienced people who have come together to define the best way to create an SMS that works; people from all over the world in a wide variety of industries and organizations large and small.

Reaping the Rewards

From our experience what often happens during the process of implementing an international standard such as ISO/IEC 20000 is that initially you will put things in place just because the standard says you should. Some of the requirements may seem unnecessary, over the top or excessively bureaucratic. But gradually, as times goes by and your SMS becomes more established you will start to see why they are included and the difference it makes to your organization and the delivery of your services. Soon you will begin to implement procedures and methods that go further than the requirements of the standard because you can see that they would be useful and will provide better service for your organization. You’ll start to see that it’s about becoming more proactive in everything you do and how in the long term this reduces the amount of reactive activities necessary. In simple terms, you’ll start to “get it” (but be patient, it can take a while!).

But in the meantime, you’ll need to create some of those “documents and records”. And that’s where the CertiKit ISO/IEC 20000 Toolkit comes in…


More ISO20000 Resources

CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO20000:2018 standard, we’ve put together a list of our best free resources including sample documents, blogs and downloadable documents.

Free ISO20000 Resources

We’ve helped more than 7000 businesses with their compliance

Testimonials

Keep pitching what you do... It works and wins when comparing to perceived competition. Almost a personal touch springs to mind. Personally I like the product, and the way it's delivered.

Reality Consulting
Jersey

View all Testimonials