New ISO 20000-1:2018

On September 18th, 2018, the newest version of ISO 20000-1:2018 Service Management was released. The Standard has been revised from previous ISO 20000-1:2011 with new features and updated guidance, allowing businesses to improve how they provide services through the improvement of processes that are in line with modern techniques and expectations

ISO 20000-1:2018 considers the latest market trends in IT service management and provides a new, updated list of applicable terminology and definitions.

There is a transition period for certified organizations to move to the 2018 edition. Understanding the mapping from the old to the new will support this transition.

Transition dates from ISO 20000-1:2011 to the 2018 edition

Certificates can be updated during any audit scheduled before 09/30/2021. 

The International Accreditation Forum (IAF) decided that all audits (initial or recertification) must comply with the 2018 version of the standard 18 months after transition starting date.

Here are the important ISO 20000-1 certification milestones:

  1. 30 September 2018: Transition starting date. Organizations may choose to get certified against the 2018 edition from this date. Certifications for the 2011 edition are still acceptable.
  2. 31 March 2020: All new certifications and re-certifications must be to ISO 20000-1:2018 after this date.
  3. 29 September 2021: End of the transition period. All existing certificates must be transitioned to ISO 20000-1:2018 before this date. The 2011 edition certification will be invalid.

It is important to timely plan the implementation of the new requirements and, consequently, the transition audit execution.  During the transition period, already certified organizations can choose to make the transition to the new standard:

  • during a surveillance audit
  • during a recertification audit
  • in-between to programmed audits, programming an extra audit.

Note: ISO 20000-1:2018 transition dates above have been setup by IAF. National accreditation bodies may have set slightly different rules or dates – Contact us to find out the precise rules applicable to your organization.

Prepare for the transition to the new standard. Quick Plan.

  • Familiarise with the new ISO 20000-1:2018 standard contents
  • Perform a gap analysis between new requirements and current organisation’s systems procedures
  • Train interested personnel and prepare them for the main changes
  • Plan the implementation of all changes to your service management system
  • Program the transition and execute the audit
  • Assess the implementation effectiveness and define further actions if necessary.

The history of ISO 20000

ISO 20000 is the only internationally recognized service management standard and came to life in 2005. Keep in mind that it doesn’t only relate to IT service management (ITSM). The formal view of its requirements.

“Establishing, implementing, maintaining and continually improving a service management system (SMS). An SMS supports the management of the service lifecycle, including the planning, design, transition, delivery, and improvement of services, which meet agreed requirements and deliver value for customers, users and the organization delivering the services.”

The ISO 20000 standard consists of two main parts. Firstly, gives organizations the requirements of a service management system (part one, i.e. ISO 20000-1) and secondly, gives guidance on best practices for the application of SMS based on the previous requirements (part two, i.e. ISO 20000-2).

Additional aspects of the series exist too, such as guidance on the relationship between ISO 20000-1 and other service management frameworks (such as ITIL and COBIT), or guidance on the scope definition and applicability of ISO 20000-1.

Your organization gets certified for ISO 20000-1 after a robust audit procedure through which you must show that:

  • Being familiar with the processes and principles of the standard,
  • Provide evidence of the standard’s processes are adhered to,
  • Produce all of the relevant documentation that ISO 20000-1 calls for.

Important terms and definitions of new ISO 20000-1

There are some new terms, and some have changed. The2 basic terms are:

  • The term “service” (in ISO 20000-1) refers to the service or services in the scope of the SMS
  • The term “organization” refers to the organization that manages and delivers services to customers. (Previously called “service provider”)

Comparison of main changes in definitions are shown below:

2011 edition 2018 edition
Service provider Organization
Internal group Internal group
Supplier External supplier
Availability Service availability
Information security Information security – definition now matches ISO/IEC 27001
Asset, service catalogue, service level target, value. Other new terms are also present.
CMDB Configuration information is used in the requirements but is not a defined term. CMDB is no longer used in ISO/IEC 20000-1 but is referred to in the guidance standards.

Benefits of new ISO 20000-1:2018 and why obtain it

As stated, ISO 20000-1:2018 specifies requirements for an organization to establish, implement, maintain, and continually improve a service management system (SMS).

Who seeks for an ISO 20000-1?

  1. a customer that seeks services and requires assurance regarding the quality of those services (e.g. a government agency or a b2b supplier)
  2. a customer that requires a consistent approach to the service lifecycle by all its service providers
  3. an organization to demonstrate its capability for the planning, design, transition, delivery, and improvement of services
  4. an organization to monitor, measure, and review its SMS and the services
  5. an organization that looks for continual improvement of services through effective implementation and operation of an SMS
  6. an organization or other party performing conformity assessments against the requirements specified in the standard
  7. a provider of training or advice in service management

Organization benefits of ISO 20000-1 certification

  1. Increased credibility and corporate image, especially for suppliers. ISO 20000 certification gives the level of credibility that they would otherwise be unable to achieve. An ISO 20000-1 certified business co-operates with best practices and its SMS is fully compliant. (e.g. many government agencies nowadays mandate organization to be ISO 20000 certified for competing in new contracts).
  2. Increased organizational growth and revenues. With an ISO 20000-1 certificate, your business is likely to be able to grow more quickly thanks to the certification providing an inroad into otherwise closed markets.
  3. Reduce the risk of knowledge loss when staff leave because the certification offers standardized practices to follow
  4. Increased customer confidence. If customers know that services are managed effectively and that the supplier organization is compliant with international standards, they can be confident that their services are being handled professionally and potentially optimally.
  5. Reduce process errors and strengthen incident management. Organizations that become certified (usually) reduce their major outages and service incidents. With clearly-defined requirements organizations get a better chance of delivering the value that their customers expect.
  6. Improve response times and reduce interruptions. This proactive SMS helps costly issues and mistakes to be avoided, processes to run more smoothly, less money to be spent on support costs and less to be lost through business outages.
  7. Continual improvement. With an ISO 20000-1 certification organizations implement a culture of change and continual improvement. Organizations handle rapid change and continually look for new ways to work smarter.
  8. Positive cultural change. Everyone is encouraged to take ownership for services rather than pushing responsibility. Also, employees are aware of and comply with relevant laws.

Why ISO 20000-1 was updated…

The standard has been rewritten to guarantee service management integrated and aligned with different corporate strategies, making services management system performance more effective for organisations, customers and suppliers.

  1. The standard adopts the HLS (High Level Structure) structure common to all the new ISOs (e.g.: ISO 9001: 2015, ISO/IEC 27001: 2013) allowing the best interaction of multiple integrated management systems (Annex XL structure)
  2. Terms have been updated, added, or eliminated to reflect recent terminology “rule” changes. it’s important for standards to use the correct vocabulary. Incident management, service request management, availability management, service continuity management, service level management, service catalogue management, capacity management and demand management have been distinguished. Another example: the term “internal group” is now “internal supplier” and the term “supplier” is now “external supplier.”
  3. A reduction in the amount of required documentation. ISO 20000 now calls only for key documents to be produced in relation to an organization’s SMS (such as a service management plan), so as to make its definition more strictly aligned with the organisation needs. Additionally, this is a more Agile approach, and nowadays digital transformation plays an important role in the world of service management (so standards and frameworks need to change with it)
  4. Some parts from the 2011 series have been withdrawn completely. For instance, ISO 20000-4 was a process-reference model and ISO 20000-9 related to the application of ISO 20000-1 to cloud services, so as to make the application of the service management systems easier for any organisation. it’s not just IT services that can benefit from ISO 20000, with the standard recognizing that service management is starting to be conducted holistically
  5. References to the plan-do-check-act (PDCA) cycle have been removed in line with Annex SL which does not specifically reference the cycle itself.
  6. The 2018 version of ISO 20000 is less precise in some of its requirements. This is in an effort to allow organizations more freedom in how they meet them.
  7. ISO 20000 now includes the management of multiple suppliers, the need to show the value of the services being offered and get the best services available. Requirements for service integration and management (SIAM) or multi-supplier management are now included within the standard.

ISO 20000-1:2018 Structure and Clauses

The ISO 20000-1:2018 clauses display the requirements to be institutionalized within an organization to achieve certification. Each of the mandatory ISO 20000-1 requirements define specific activities to be planned and performed.

In many cases organizations have already invested time and resource to address specific processes, such as a service tool utilized to track customer requests through the service management lifecycle to ensure that customer’s needs are being met. All the ISO 20000-1:2018 are listed here

Section Number Expectations
1-3 ISO Scope, References, Terms
  • General introduction notes to the standard
4 Context of the Organization
  • Determining the scope and structure of an organization’s Service Management System (SMS)
  • Identify issues, opportunities, needs and expectations of interested parties
5 Leadership
  • Leadership Commitment
  • Define roles and responsibilities
6 Planning
  • Promote risk-based thinking
  • Define actions to address risk and opportunities
  • Identify Service Management System objectives
  • Planning for Service Management System
7 Support for the Service Management System
  • Resources to support the Service Management System
  • Awareness and Communication
  • Maintain Organizational Knowledge
  • Document Management
8 Operation of the Service Management System
  • Operational Planning and Control
  • Service Portfolio Management
  • Asset Management
  • Supplier Management
  • Budget and Accounting
  • Capacity Management
  • Change Management
  • Service, Design, Transition and Release Management
  • Service Request, Incident, and Problem Management
  • Availability and Continuity Management
  • Information Security Management
9 Performance Evaluation
  • Monitoring, Measurement, and Analysis
  • Service Reporting
  • Internal Audit
  • Management Review
10 Continual Improvement
  • Corrective Action
  • Improvements

The ISO 20000-1:2018 standard may look far more complex than the 2011 edition because many clauses have been split into smaller clauses. However, the standard is much more in line with how services align to an organization. The comparison of clauses between ISO 20000-1:2011 and ISO 20000-1:2018 is shown below.

A Comparison of ISO 20000-1:2011 vs ISO 20000-1:2018

ISO 20000-1:2011 ISO 20000-1:2018
4.0 Service Management System General Requirements

4.5 Establish and Improve the SMS

4.5.1 Define the Scope

4.0 Context of the Organization

  • Define Scope

 

4.0 Service Management System General Requirements

4.1 Management Responsibility

5.0 Leadership

  • Management Commitment
  • Policy
  • Roles and Responsibilities
4.0 Service Management System General Requirements

4.5 Establish and Improve the SMS

4.5.2 Plan the SMS

6.0 Planning
4.0 Service Management System General Requirements

4.3 Documentation Management

4.4 Resource Management

7.0 Support for the Service Management System
4.0 Service Management System General Requirements

4.2 Governance of Processes Operated by other Parties

5.0 Design and Transition of New or Changed Services

6.0 Service Delivery Processes

6.1 Service Level Management

6.3 Service Continuity and Availability

6.4 Budget and Accounting

6.5 Capacity Management

6.6 Information Security Management

7.0 Relationship Processes

8.0 Resolution Processes

9.0 Control Processes

8.0 Operation of the Service Management System
4.0 Service Management System General Requirements

4.5 Establish and Improvement the SMS

4.5.4 Monitor and Review the SMS

6.0 Service Delivery Processes

6.2 Service Reporting

9.0 Performance
4.0 Service Management System General Requirements

4.5 Establish and Improvement the SMS

4.5.5 Maintain and Improve the SMS

10.0 Improvement
4.4 Resource management 7.1 Resources

7.2 Competence
7.3 Awareness

6.1 Service level management 8.2.4 Service catalogue management

8.3.3 Service level management

8.3.4.2 Management of internal suppliers and customers acting as a supplier

6.5 Capacity management 8.4.2 Demand management
8.4.3 Capacity management
8.1 Incident and service request management 8.6.2 Incident management
8.6.3 Service request management
6.3 Service continuity and availability management 8.7.1 Service availability management
8.7.2 Service continuity management

New Clauses in ISO 20000-1:2018

There are a few new clauses:

  • 1 Understanding the Organization and its Context, which is covered in all updated management system standards
  • 2.2 Plan to Achieve Objectives
  • 6 Knowledge Management
  • 4.2 Demand Management
  • 2.2 Plan the Services

Revised clauses in ISO 20000-1:2018

Some clauses have been renamed and updated as shown below:

2011 edition 2018 edition
4.2 Governance of processes operated by other parties 8.2.3 Control of parties involved in the service lifecycle
5 Design and transition of new or changed services 8.5.2 Service design and transition

Detailed comparison of ISO 20000-1:2018 and 2011 edition

ISO/IEC 20000:2018, part 1, section Changes to the previous 2011 edition (ISO/IEC 20000:2011-1)
Sections 1 – 3 The first three sections of ISO 20000:2018, Part 1 do not contain requirements which must be fulfilled.
Section 1 is for the standard’s intended use and applicability.
Section 2 has normative references
Section 3 lists terms and definitions.
4 Context of the organization This is a New Section

Requirements in Section 4 are more generic and refer to:

  • any internal and external factors that affect the organization’s ability to achieve the intended outcomes
  • any interested parties and their requirements

A new requirement has been introduced:

  •   “establish, implement, maintain and continually improve a service management system (SMS)”.
5 Leadership Updated Requirements regarding leadership (include)

  • deliver value to customers
  • control of all parties involved in the service lifecycle
  • integrate SMS requirements into the organization’s processes
  • assign and communicate responsibilities
  • continual improvement
6 Planning A requirement has been added that service management objectives be established at all relevant levels. A new statement clarifies that planning is not only about managing risk, but also about seizing opportunities. Management of risk are now described in more detail

When planning for the SMS some aspects are now specified in more detail.

7 Support of the service management system
  • Staff must be aware of their contribution to the effectiveness of the SMS and the provision of services.
  • Internal and external communications aspects are now described in more detail.
  • ISO 20000:2018 now refers to “documented information” (no more records), includes appropriate identification and description, is stored in suitable format and is subject to review and approval.
  • Document control: Documented information shall be available and suitable for use, as well as adequately protected. Now includes contracts with external suppliers and agreements with internal suppliers. External documents are now required to be controlled.
  • Knowledge management requirements have been added.
8 Operation of the service management system
8.1 Operational planning and control
  • Control changes to the SMS,
  • Review the consequences of unintended changes
  • Take corrective action if necessary.
  • Integrate services and processes that are provided or operated by internal or external parties.
  • Coordinate activities with third parties involved in the service lifecycle.
8.2 Service portfolio
  • Determine criticality of services,
  • Determine duplication between services.
  • External parties may provide or operate processes, services or service components.
  • ISO 20000:2018 now refers to “configuration information“, references to the CMDB have been dropped.
  • CI should be recorded to a level of detail appropriate to the criticality and type of services.
8.3 Relationship and agreement
  • (Pre previous) suppliers may provide or operate services, service components or (parts of) processes.
  • Contracts with external suppliers shall specify requirements and define contractual obligations and other responsibilities (now are more generic).
8.4 Supply and demand
  • Budgeting and accounting for services.
  • Dropped “create, implement and maintain a capacity plan”.
  • Capacity Management is now more generic and the list of specific factors influencing service capacity has been deleted.
8.5 Service design, build and transition
  • A list of potential impacts has been introduced
  • ISO 20000:2018 now refers to “configuration information
  • More detailed requirements for the transferal of services to other parties.
  • CIs affected by new or changed services are to be managed through configuration management.
8.6 Resolution and fulfilment
  • Incident management and service request management have been separated out into two sets of requirements.
  • Dropped the “documented procedure to manage incidents”
  • There is now an explicit requirement to record actions taken to resolve incidents, problems and service requests.
8.7 Service assurance
  • Service availability management and service continuity management have been separated out into two sets of requirements.
  • Service availability requirements shall be documented
  • Information security requirements are now more generic
  • Assess security risks at planned intervals (specific requirement)
  • Control information security risks related to external organizations (explicit requirement)
  • Detailing the procedure to be used for dealing with security incidents.
9 Performance evaluation
  • Monitoring and measurement are now more detailed.
  • Management review shall include consideration of measured performance and effectiveness of the SMS and the services.
  • The reporting requirements are now more generic
10 Improvement
  • Updated requirement: nonconformity and corrective action
  • Evaluation criteria to be aligned with the service management objectives.
  • A documented procedure for improvement is no longer a specific requirement.