What is ISO 20000?
What is ISO/IEC 20000?

ISO/IEC 20000, also referred to as ISO 20000, is the international standard for IT service management (ITSM), developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

ITSM is the practice of delivering IT services that enable an organization to meet the needs of its users (both employees and customers) and achieve its business goals. ISO 20000 outlines requirements, best practices, benchmarks and guidance for planning, designing, implementing, maintaining and continually improving a service management system (SMS).

First published in 2004, ISO 20000 was revised in 2011 and again in 2018; the latest revision is referred to as ISO 20000:2018.

ISO 20000 has gained popularity in recent years among IT service providers and organizations in all industries who strive to continually improve overall ITSM performance, reduce risks and evolve service quality by incorporating greater efficiency and productivity in their service management processes.

IBM Cloud and ISO 20000

IBM® Infrastructure as a Service (IaaS) and IBM Platform as a Service (PaaS) offerings have a service management process in place that is ISO 20000-1:2018 compliant.

IBM ISO 20000 certificates are published and generally available. The following services are ISO 20000 certified. Services below issue ISO certificates at least once each year.

ISO 20000-1

ISO 20000-1 (ISO/IEC 20000-1:2018) is the primary standard, providing the methodology for organizations to develop, implement, maintain and continually improve their service management system. (ISO 20000 and ISO 20000-1 are sometimes used interchangeably.) ISO 20000-1 includes requirements and specifications applicable to the entire IT service lifecycle. Among other things, it provides guidance on:

  • Gauging the SMS needs within the context of the organization
  • Establishing a leadership structure for the development, maintenance and evolution of an SMS
  • Planning and preparing for SMS development and improvement, including determining organizational objectives and risks and opportunities
  • Supporting the SMS once it is built
  • Operating, controlling and servicing the SMS
  • Evaluating the performance of an SMS, including monitoring and internal audits
  • Improving an SMS, including corrective actions and enhancements

Additional ISO 20000 companion documents

Additional ISO 20000 parts, or companion documents, have been added to help explain or address different elements of how to meet or apply the primary standard in certain circumstances.

ISO/IEC committees add, revise and withdraw these parts as needed. The year of the most recent release is appended to the full name (as in ISO/IEC 20000-5:2022). Notable parts include:

ISO 20000-2 (ISO/IEC 20000-2:2019), which offers guidance to organizations on the application of service management systems based on ISO 20000-1. The guidance includes examples and suggestions for interpreting and applying the primary standard under ISO 20000-1.

ISO 20000-3 (ISO/IEC 20000-3:2019), which offers guidance on the scope of ISO 20000-1 to help organizations assess whether the primary standard applies to their circumstances. ISO 20000-3 explains how to define the scope of an SMS and may assist organizations in planning for a conformity assessment by a certification body against ISO 20000-1.

The document includes examples of scope statements for an SMS, using various examples from relatively straightforward to complex supply chain scenarios.

ISO 20000-5 (ISO/IEC 20000-5:2022), which provides guidance on the implementation of service management systems that conform to ISO 20000-1.

ISO 20000-6 (ISO/IEC 20000-6:2017), which addresses requirements for certification bodies that verify whether an organization’s SMS conforms to the ISO 20000-1 standard. ISO 20000-6 may also be used by accreditation bodies that evaluate certification bodies.

ISO 20000-10 (ISO/IEC 20000-10:2018), which defines the taxonomy, concepts and vocabulary of terms used in ISO 20000-1.

ISO 20000-11 (ISO/IEC 20000-11:2021), which provides guidance on the correlations between ISO 20000-1 and the framework set out in the IT Infrastructure Library (ITIL), an established framework of best practices for managing and improving IT support and service delivery. ISO 20000-11 is intended to:

  1. Assist organizations that already conform to ISO 20000-1 but want to use ITIL to enhance their SMS;
  2. Help organizations using ITIL to demonstrate how their SMS conforms to the standards of ISO 20000-1; and
  3. Provide SMS auditors with a better understanding of the use of ITIL as a support for reaching conformity with ISO 20000-1.

ISO 20000-14 (ISO/IEC 20000-14:2023), which focuses primarily on Service Integration and Management (SIAM) within an SMS, providing guidance to organizations managing multiple service providers within an SMS.  

ISO 20000-15 (ISO/IEC 20000-15:2024), which addresses how project management frameworks, such as Agile, and software development principles, such as DevOps, can be applied in a service management system that conforms to ISO 20000-1.

ISO 20000-16 (ISO/IEC 20000-16:2025), under development at the time this was written, will provide guidance for sustainability within an SMS based on ISO 20000-1.

ISO 20000 certification

Organizations that implement ISO 20000 for their SMS can decide to undergo a certification process to verify that their service management system requirements meet the international standard.

Various certification bodies can audit organizations seeking to conform with ISO 20000. The certification process usually requires organizations to keep detailed documentation of their service management system requirements and processes and how they adhere to the standard.

ISO 20000 certification might be required for other important certifications or credentials. For example, cloud service providers seeking empanelment with India’s Ministry of Electronics and Information Technology (MeitY) must demonstrate and maintain compliance with ISO 20000 and other security standards.

A 2022 ISO survey showed that ISO 20000 certification is the eighth most popular ISO standard certification worldwide based on number of certified organizations. Many organizations pursue ISO 20000 certification to reassure customers of their ITSM best practices.

However, the ISO has been clear that third-party certification is not the only reason to conform to the standard, and that organizations can realize the benefits of ISO 20000’s framework and guidance for SMS implementation, evaluation and continuous improvement with or without certification.

ISO 20000 and ITSM

Again, ITSM is the practice of delivering IT services that enable an organization to meet the needs of its users (both employees and customers) and achieve its business goals. Organizations have used ISO 20000 to address various ITSM issues including, but not limited to:

  • Business relationship management
  • Change management
  • Service level management
  • Capacity management
  • Availability management
  • Problem management
  • Incident management
  • Demand management
  • Supply chain management

ISO 20000 and ITIL

ISO 20000 and ITIL are similar in that they are the leading sources of best practices for IT service management systems. Both the international standard and ITIL cover the lifecycle of an SMS. They are often used together in the planning, implementation, maintenance and continual improvement of such systems.

While ISO 20000 provides a generic methodology for ITSM best practices, ITIL details the specific practices that should be used to achieve the objectives outlined in the ISO 20000 methodology. And while ISO 20000 was developed with the ITIL framework in mind, it can also be used with other IT service management frameworks, such as the COBIT framework or the Microsoft Operations Framework.

Who uses ISO 20000?

ISO 20000 is an international standard written to apply to organizations of all sizes in all geographies, regardless of the nature of the services being delivered. Because of that, organizations and businesses from across all industries have used ISO 20000 as their benchmark for developing SMS. Users and use cases include:

  • Organizations that want to demonstrate their ability to design, maintain and improve their provision of services
  • Organizations looking to audit and review the performance of their SMS
  • Customers looking for quality assurance of an organization’s SMS
  • Customers looking for a consistent approach to IT service management by all their providers, including as part of a supply chain
  • SMS consultants and advisors
  • Organizations performing conformity assessments against ISO 20000

Management system standards related to ISO 20000

ISO 20000 was designed with other international standards in mind because of the need for integration with quality and security management systems. Standards that relate to ISO 20000 include:

ISO 9001

ISO 9001 (ISO/IEC 9001), the international standard for quality management systems. It sets out the requirements for the establishment, implementation, maintenance and continual improvement of a quality management system (QMS).

ISO 22301

ISO 22301 (ISO/IEC 22301), the international standard for business continuity management systems. It is intended to help organizations protect themselves from, reduce the chances of and recover from incidents that disrupt their services. 

ISO 27001

ISO 27001 (ISO/IEC 27001), the international standard for information security management systems (ISMS). It defines requirements that an ISMS must meet, helps organizations manage data security risks and assists them in implementing best practices for information security, data protection and cybersecurity.
