This guide provides an overview of the ISO20000 standard and what is involved when implementing an IT Service Management System (ITSMS).
What is ISO20000?
The ISO/IEC 20000 international standard for Information Technology Service Management (ITSM) part one (referred to here as simply “ISO20000”) was originally published by ISO in 2005 and is based upon the earlier British standard BS15000. Revised in 2018, ISO20000 part one specifies the requirements that your Service Management System (SMS) will need to meet for your organisation to become certified to the standard.
The requirements in ISO20000 part one are supplemented by guidance contained in part two. Even though it isn't a requirement for certification, part two is well worth reading as it fills in some of the gaps in understanding how the requirements in part one should be met and gives more clues about what the auditor may be looking for.
How can implementing ISO20000 benefit an organisation?
There are great benefits to organisations becoming certified to the ISO20000 standard. Once certified, you can add the standard logo to your marketing to improve customer perception. Additionally, the planning that goes with complying with the standard can help reduce business risk, and ISO20000 supports service management frameworks, such as ITIL.
Other benefits include:
Complying with ISO20000 can highlight areas for improvement, and allows your organisation to continually improve its service.
It can give your organisation a competitive advantage, especially when tendering for public sector contracts.
As with all ISO standards, it displays a culture of continual improvement that can have a positive impact across the whole organisation.
What is a Service Management System?
When looking at IT service management, the emphasis is usually on the delivery of IT services and the processes used to support them. And it's right that this should be the focus; it is, after all, the main deliverable of the whole ITSM idea.
The ISO20000 standard proposes that we don’t just need a set of processes; we need a Service Management System or SMS. The function of the SMS is to wrap itself around the processes (such as incident, change and configuration management) and ensure among other things that:
There is ongoing management commitment to the provision of quality IT services.
Everyone understands what we’re trying to achieve and what their role is.
The IT services continue to meet the business needs.
We have a good idea of what the current threats to the continuity and security of our services are.
Everybody knows about the policies, processes and procedures and how to use them.
We update the processes and associated documentation when things change around them.
We measure how well we’re doing.
The effectiveness of service delivery gets better over time.
What does the ISO20000 standard consist of?
The ISO20000 standard consists of a number of major headings which are common across other standards:
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
As with many of the ISO standards, sections 1-3 are for reference and don’t cover the requirements that are in sections 4-10. Section 0 is the introduction. The requirements of sections 4-10 are mandatory and if they are not being met, then a nonconformity will be raised by the auditor and the organisation will need to address it to gain or keep their certification to the standard.
Becoming certified to ISO20000
It's important to note that there's no obligation to go for certification to ISO20000 and many organisations choose to simply use the standard as a set of good practice principles to guide them along the way to managing their IT services effectively. However, if you are able to do so as an organisation, it is best practice to become certified as this confirms your compliance.
The steps to certification are similar for all the ISO standards, and involve:
Implementing procedures and methods as required by the standard.
Performing an internal audit to highlight any nonconformities before the external audit. We advise that the internal audit be completed by an independent third-party auditor or an impartial qualified auditor within your organisation.
The final external audit to achieve certification is by an accredited Registered Certification Body (RCB). This is in two stages. Stage one is basically a review of how ready you are for the main event, the stage two certification audit. You may pick up a few pointers for improvement (known as nonconformities) at stage two but, if these aren’t too serious, your organisation will become certified and can advertise the fact to anyone with an interest.
Once certified, you will then have an annual surveillance audit to confirm your compliance, and then every three years there will be a re-certification audit, which is when you will be re-issued certification.
How can CertiKit help?
Written by an ITIL Expert and qualified ISO/IEC 20000 manager, auditor and consultant, our ISO20000 Toolkit includes all the policies, IT service management processes and procedures you need to align your service provision with best practice and meet the requirements of the ISO20000:2018 standard. With a comprehensive set of templates and guides and a support package included, you can meet the requirements of the standard simply and effectively.