
ISO/IEC 20000-1 Q&A Session

This session covers the most frequently asked questions about ISO/IEC 20000-1:2018, a standard which specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain, and improve a Service Management System. By getting certified against ISO/IEC 20000-1, an organization will have a reliable, effective, consistent, and continually improved IT Service Management System.

1. Why is the ISO/IEC 20000 standard divided into parts?

The ISO/IEC 20000 family contains more than one standard to provide readers with different types of support on how to establish, develop, manage, measure, and improve an SMS properly.

The first part is ISO/IEC 20000-1:2018 and it covers the controls needed to have an effective SMS. It has a lot of requirements covering all the components and processes of an SMS as mentioned above.

Part two, ISO/IEC 20000-2:2019, provides guidance on the application of service management systems. It supports readers in interpreting the requirements of the first part of the standard by providing examples and recommendations about how to implement the SMS.

Part three, ISO/IEC 20000-3:2019, gives guidance on scope definition of an SMS and the applicability of the first part to different types of service providers.

2. What is the connection between ISO/IEC 20000 and ITIL and how can ITIL help in the certification process?

ISO/IEC 20000 is based on two main components. The first one is the common requirements for a management system that ISO Annex SL Appendix 2 covers clearly, and which exist in any other ISO management system. The second one is the ITSM processes, which are taken from ITIL v3 and 2011 edition.

The ISO/IEC 20000-1 includes 17 explicit ITIL processes while there are others covered implicitly.

3. What is the purpose of ISO/IEC 20000-1 and why is this standard so important?

ISO/IEC 20000-1 aims to specify clear requirements for establishing, implementing, maintaining, and continually improving a Service Management System (SMS), which assists organizations in developing, building, testing, delivering, managing, and improving the provision of IT services. It is considered as a sign of high quality for IT service providers and a guarantee for their customers.

4. Is ISO/IEC 20000-1 intended only for IT organizations or can it be used also by other industries?

ISO/IEC 20000-1 is intended for IT service providers while other providers of different types of services can also benefit from following its requirements in order to provide a better service. All other service management fields, such as Call Center, Outsourcing, and Data Management, among others, can benefit from implementing one part or all parts of ISO/IEC 20000-1:2018.

5. Which are the most important clauses of the ISO/IEC 20000-1 standard?

Although the ITSM processes in clause 8 (Operation of the service management system) are very important as they represent the core of this standard, we cannot reduce the importance of the other parts as they support directly or indirectly those processes to achieve the intended results. I believe that these processes cannot achieve their purpose if:

  • The organization context is not well defined;
  • There is no top management commitment; 
  • There are not enough competent resources, awareness, or training;
  • There is no risk management; 
  • There are no clear objectives in addition to the absence of measurement and continual improvement.

In short, all the components of the ISO/IEC 20000-1 are integral and cannot be separated or distinguished.

6. How is service management defined in ISO/IEC 20000-1?

The term service management in ISO/IEC 20000-1 is defined as a set of capabilities and processes to direct and control the organization’s activities and resources for the planning, design, transition, delivery, and improvement of services to deliver value. This definition is clearly based on ITIL’s definition.

7. Which security-related benefits can be obtained by ISO/IEC 20000-1?

ISO/IEC 20000-1 addresses information security as a dedicated process covered in clause 8.7.3 Information security management; however, we cannot consider this standard an information security dedicated one.

ISO/IEC 20000-1 covers information security and its incidents in the Information Security Management process, while ISO/IEC 27001:2013 is totally dedicated to information security management and has more security requirements and 114 dedicated controls in its Annex A.

8. What other management systems standards can ISO/IEC 20000-1 be aligned with?

ISO/IEC 20000 is not the only Management System Standard (MSS) issued since 2012 by the ISO organization that follows the Annex SL Appendix structure. It has a unified structure for any MSS to support and make it easier for organizations that intend to implement or get certified to more than one ISO standard. I think that among other standards, ISO/IEC 20000-1 is totally aligned with:

  • ISO 9001 Quality Management System (QMS);
  • ISO 22301 Business Continuity Management System (BCMS);
  • ISO/IEC 27001 Information Security Management System (ISMS); and
  • ISO/IEC 27701 Privacy Information Management System (PIMS)

So, for example if your organization wants to implement ISO/IEC 20000-1:2018, ISO/IEC 27001:2013, and ISO/IEC 27701:2019, and the three standards will be managed by the same department, this can be achieved easily by integrating clauses 4 (Context of the organization), 5 (Leadership), 6 (Planning), 7 (Support), 9 (Performance evaluation), and 10 (Improvement) which cover the same requirements for these three standards. On the other hand, clause 8 (Operation) is different and needs separate implementation in each standard as it covers the core requirements of each standard.

For instance, ISO/IEC 20000-1, clause 8 covers the requirements of the ITIL processes such as:

  • Service availability, capacity, continuity, and security in addition to service catalogue; 
  • Service level management; 
  • Incident management;
  • Request fulfilment;
  • Problem management;
  • Change management among others.

While clause 8 in ISO/IEC 27001 covers the requirements of:

  • Operational planning and control;
  • Information security risk assessment;
  • Information security risk treatment.

In short, ISO/IEC 20000-1 is about IT Service Management, while ISO/IEC 27001 is about Information Security Management. To sum it up, all MSS issued from 2012 have the same requirements for the management system except for clause 8, which is a distinctive clause in each ISO standard.

9. What are the differences between ISO/IEC 20000-1 and ISO/IEC 27001?

ISO/IEC 20000-1 is for Service Management System (SMS) which covers all the aspects of IT service management during the lifecycle of any IT service including security aspects.

Meanwhile, ISO/IEC 27001 is completely dedicated to information security represented in clear requirements and controls. They can be easily combined to have a great integrated management system which can support service providers more.

10. Is there any information about cloud service providers in ISO/IEC 20000-1?

ISO/IEC 20000-1 covers IT Service Management whether IT services are on cloud or on premises as the concepts are the same. At the same time, there is a dedicated guidance for Security techniques and code of practice for information security controls based on ISO/IEC 27002, for cloud services specifically.

There are two ISO standards in the ISO/IEC 27000 family dedicated to cloud service providers:

  • ISO/IEC 27017:2015 Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services supports cloud service providers in understanding the implementation of ISO/IEC 27002 controls easily with some additional controls specifically chosen for the cloud.
  • ISO/IEC 27018:2019 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors based on the privacy principles in ISO/IEC 29100 for the public cloud computing environment and in ISO/IEC 27002 controls, is dedicated to PII in public cloud and this topic is highly important nowadays after the emergence of many PII regulations all over the world, such as GDPR.

Both of these standards can be combined to constitute a great source of guidance to cloud service providers.

11. How does the certification audit against ISO/IEC 20000-1 help organizations?

ISO/IEC 20000-1 helps organizations to keep and improve their IT Service Management all the time and prove to their customers that they have a stable management system for the provided IT services.

Before the certification audit, an organization should prepare and have qualified personnel that are familiar with the requirements of the standards. Besides other requirements, an internal audit and a management review meeting should be conducted and documented before the external audit. Reaching the certification audit stage requires a lot of effort from the organization. Therefore, it can be considered as the celebration time for great efforts and a long journey.

ISO/IEC 20000-1 has a lot of benefits for organizations planning to get certified such as:

  • Documented processes which can increase the productivity and reduce rediscovering knowledge;
  • Powerful internal audit program which can discover nonconformities and follow up their correction;
  • Increasing the provided services availability, capacity, continuity, and security based on well-defined processes;
  • Clear and well-organized service catalogue for IT users and staff;
  • Continual improvement;
  • Top management commitment; and
  • A clear assurance of providing high quality IT services after being certified.

12. What are some tips and advice to get ready for a certification audit against ISO/IEC 20000-1?

Try to have all the ITSM processes organized, integrated, and well-documented. The participation of everyone counts, so do not underestimate proper awareness and its impact on the management system and its components.

Having a clear implementation plan and proper training courses on how to implement and audit the SMS can be of great value for those who seek smooth implementation and auditing.

About the Responder

Mostafa Alshamy, MSECB auditor for ISO/IEC 20000; ISO/IEC 27001; ISO/IEC 27701; ISO 22301; ISO 9001.

Mostafa AlShamy is a valuable member of our pool of auditors who has been conducting audits on behalf of MSECB since 2017. As a highly experienced professional, he has demonstrated remarkable audits against ISO/IEC 20000-1, ISO/IEC 27001, ISO/IEC 27701, ISO 22301, and ISO 9001. His auditing expertise is helping organizations achieve excellence day by day. We are fortunate to be able to work with an industry expert such as Mostafa AlShamy who left us astounded by the level of dedication and hard work that he puts in every situation.


MSECB is accredited by IAS to offer audit and certification services for a wide range of ISO Standards.