verified_user
Standardful
Homechevron_rightStandardschevron_rightISO/IEC 20000-1:2018
ActiveInternational Standardupdate Standard Updated: Sept 2018fact_check Fact checked: Jun 28, 2026

ISO/IEC 20000-1:2018

Information technology — Service management — Part 1: Service management system requirements

apartmentPublishing Organization:International Organization for Standardization (ISO)

Standard Introduction

ISO/IEC 20000-1:2018 is the international standard for IT service management systems (SMS). Published in September 2018 as the third edition, it specifies requirements for an organization to establish, implement, maintain, and continually improve a service management system. The standard is closely aligned with ITIL best practices and follows the ISO High Level Structure, enabling integration with ISO 27001, ISO 9001, and other management system standards.

The standard covers the complete service lifecycle including planning, design, transition, delivery, and improvement of services. It requires organizations to define service management policies, manage service portfolios and service levels, implement incident, problem, and change management processes, and establish supplier and relationship management. ISO/IEC 20000-1 certification is increasingly expected in IT outsourcing contracts, cloud service agreements, and government IT procurement worldwide.

support_agent

Service Management System

Specifies requirements for establishing, implementing, maintaining, and continually improving a service management system (SMS) to deliver value through services.

sync

ITIL Alignment

Closely aligned with ITIL best practices. Provides a certifiable framework that formalizes IT service management processes across the service lifecycle.

integration_instructions

High Level Structure

Follows the ISO High Level Structure (HLS), enabling seamless integration with ISO 27001, ISO 9001, and other management system standards.

list_alt SMS Clauses (4-10)

  • Context of the organization and interested parties
  • Leadership commitment and service management policy
  • Planning including risk and opportunities
  • Support — resources, competence, awareness, communication
  • Service portfolio and service level management
  • Relationship and supplier management
  • Incident, problem, and change management
  • Performance evaluation and continual improvement

Who Needs to Comply?

groups

IT service providers (internal or external), managed service providers, cloud service providers, and any organization that wants to demonstrate its ability to design, deliver, and improve services that meet service requirements consistently.

Key Requirements

1

Service Management System

Establish, implement, and maintain an SMS covering service planning, design, transition, delivery, and improvement. Define the SMS scope and service management policy.

2

Service Level Management

Define, agree, monitor, and report on service levels. Maintain service level agreements (SLAs) and ensure services meet agreed requirements.

3

Incident & Problem Management

Implement processes to restore normal service operation as quickly as possible (incident management) and identify root causes to prevent recurrence (problem management).

4

Change & Release Management

Control changes to the SMS and services through a formal change management process. Plan, test, and deploy releases to minimize impact on service quality.

Implementation Roadmap

1
Phase 1schedule Duration: 2-4 weeks

Prepare scope, leadership and objectives

Define the service management system scope across services, customers, service teams, suppliers, service assets, and service lifecycle processes. Confirm leadership accountability, interested parties, legal and contractual obligations, policy commitments, and measurable objectives before detailed control work begins.

2
Phase 2schedule Duration: 4-8 weeks

Gap analysis and risk assessment

Assess current practices against ISO/IEC 20000-1 requirements and the organization's risk context. Review service planning, service catalogue, service levels, incident and request management, change control, supplier management, and continual improvement, then prioritize gaps by compliance exposure, customer impact, operational risk, and audit readiness.

3
Phase 3schedule Duration: 8-16 weeks

Implement processes, controls and records

Deploy or improve the required processes, operating controls, responsibilities, training, monitoring, documented information, and corrective-action workflows. Build evidence around service catalogues, SLAs, incident records, change records, supplier reviews, capacity and availability reports, and improvement plans.

4
Phase 4schedule Duration: Ongoing

Audit, review and continually improve

Run internal audits, management reviews, performance monitoring, and corrective actions before the certification audit. Keep the system current after incidents, process changes, customer feedback, regulatory changes, or audit findings.

Compliance Checklist

0 / 12

checklist Scope and governance

checklist Operational controls and evidence

checklist Performance and improvement

Penalties & Enforcement

warning

No direct legal penalties — ISO 20000-1 is a voluntary certification. However, loss of certification can result in disqualification from IT service contracts, particularly in government and financial sector procurement where ISO 20000-1 is often a prerequisite.

Frequently Asked Questions

Who needs ISO/IEC 20000-1?

expand_more

ISO/IEC 20000-1 is relevant for organizations that need a disciplined service management system covering services, customers, service teams, suppliers, service assets, and service lifecycle processes. It is often adopted because customers, regulators, procurement teams, or market expectations require demonstrable controls and repeatable performance.

Is ISO/IEC 20000-1 certifiable or auditable?

expand_more

Yes, organizations can normally pursue a certification audit against ISO/IEC 20000-1 where certification or accreditation infrastructure exists. Even when certification is not the immediate goal, the standard can be used as an internal operating and assurance framework.

How long does implementation take?

expand_more

A focused implementation often takes several months, depending on scope, maturity, number of sites, process complexity, and evidence quality. Organizations with mature processes can move faster, while multi-site or regulated environments usually need more time.

What is the most important first step?

expand_more

Start with clear scope, leadership accountability, and an honest gap assessment. Without a stable scope and process ownership, teams usually create documents that do not match how work is actually performed.

What evidence do auditors expect?

expand_more

Auditors look for operating evidence, not just policy documents. Useful evidence includes service catalogues, SLAs, incident records, change records, supplier reviews, capacity and availability reports, and improvement plans, plus proof that findings are reviewed and improved over time.

How often are internal audits needed?

expand_more

Internal audits should be performed at planned intervals based on risk, process importance, prior findings, and changes. Many organizations audit the full system annually and use targeted audits after incidents or major changes.

How does continual improvement work?

expand_more

Continual improvement uses performance data, audit findings, incidents, customer feedback, management review decisions, and corrective actions to strengthen the system. Improvement should be visible in objectives, controls, and measurable outcomes.

Can it be integrated with other standards?

expand_more

Yes. ISO/IEC 20000-1 can usually be integrated with other management-system standards by sharing governance, document control, internal audit, corrective action, risk management, and management review processes.

Official Documentation

View All

Implementation Timeline

flag
Dec 2005
ISO/IEC 20000-1:2005 first published (based on BS 15000)
update
Apr 2011
ISO/IEC 20000-1:2011 second edition published
new_releases
Sept 2018
ISO/IEC 20000-1:2018 third edition published with HLS alignment
check_circle
Mar 2020
All new certifications must be to 2018 edition
event_busy
Sept 2021
Transition period ends — all certificates must be 2018 edition

Related Categories