Procurement eligibility.
Public sector, large enterprise, and managed-service RFPs increasingly list ISO 20000-1 as a shortlisting criterion, often alongside ISO 27001.
A service management system for IT and digital service providers — designed around service portfolio, relationships, resolution, and control, and audited to an internationally recognised standard.
ISO/IEC 20000-1 specifies the requirements for a service management system. It applies to any organisation that provides services — internal IT to a parent organisation, managed services to external customers, or cloud and SaaS services. The 2018 revision adopted the high-level structure shared across ISO management-system standards and expanded the emphasis on value, governance, and outsourced parties.
The standard is aligned with, but distinct from, ITIL. ITIL is a body of practice; ISO 20000-1 is a certifiable management-system standard. Many organisations adopt ITIL for depth of practice and certify to ISO 20000-1 for external attestation that their practice meets a defensible baseline.
Managed service providers, BPO and ITeS firms, SaaS and cloud operators, shared-service centres within large groups, telecommunications operators, and internal IT functions serving regulated parent businesses. ISO 20000-1 is a frequent complement to ISO 27001 for technology firms; information security handles the protection of information, while service management handles the reliable delivery of the services that handle that information.
Service level agreements backed by documented service management processes and measured SLO / SLA performance move from negotiation artefacts to operational reality.
Clause 8.5 addresses design, transition, delivery, and improvement of services — the discipline that separates change as a routine event from change as a source of incidents.
The standard explicitly covers internal and external suppliers. Managing the sub-supplier chain becomes a certified capability, not a contractual afterthought.
Combined 27001 + 20000-1 certification is highly efficient. The two management systems share risk, internal audit, management review, and document control infrastructure.
The service portfolio and catalogue requirements force an honest statement of what the organisation actually delivers — often the first rigorous one it has ever had.
Clauses 4 through 7 follow the harmonised management-system structure: context, leadership, planning, and support. The distinctive substance sits in Clause 8 — operational requirements spanning service portfolio (planning, control of parties involved in the service lifecycle, service catalogue, asset and configuration management), relationship and agreement (business relationship, service level management, supplier management), supply and demand (budgeting and accounting for services, demand management, capacity management), service design, build and transition (change management, service design and transition, release and deployment), resolution and fulfilment (incident management, service request management, problem management), and service assurance (service availability management, service continuity management, information security management).
Clause 9 covers evaluation — monitoring and measurement, internal audit, management review, and service reporting. Clause 10 covers non-conformity, corrective action, and continual improvement. Particular attention is paid to controlled parties involved in the service lifecycle — the 2018 revision made clear that outsourcing does not remove accountability.
Define services honestly, agree SLOs, identify internal and external parties in the service lifecycle, and baseline current practice against Clause 8 sub-areas.
Gap closure across the relationship, resolution, control, and delivery process groups. Workshop-led design with the teams that actually run them, not template imposition.
Most clients already use an ITSM platform (ServiceNow, Jira Service Management, Freshservice, Zendesk). We align process artefacts to what the tool can evidence rather than producing parallel documentation.
Full audit cycle with process owners, SLA performance review, supplier management review, and a management review to the depth a Stage 2 auditor will apply.
Stage 1 and Stage 2 attendance. For combined 27001 + 20000-1 engagements, we run a unified audit plan with the certification body.
An organisation with an existing ITSM platform and reasonable process maturity typically reaches Stage 2 in twelve to eighteen weeks. Combined 27001 + 20000-1 engagements from a 27001-mature base typically add eight to twelve weeks to the ISMS timeline.
Fees depend on service portfolio complexity, number of customers, tooling maturity, and whether supplier audits need to be coordinated. Certification body fees are separate; combined audits are materially more economical than sequential ones.
No. ITIL is a framework of best practices with no certification of organisations. ISO 20000-1 is a certifiable management-system standard. An ITIL-mature organisation is usually well-placed to certify to ISO 20000-1, but the certificate is the external attestation, not the framework adoption.
Yes — the scope is whatever you define, provided it is internally coherent and clearly stated on the certificate. Excluding activities that are demonstrably in the service lifecycle of what is in scope is not permitted.
Hyperscale cloud providers are controlled parties in your service lifecycle. Their own certifications (ISO 27001, ISO 27017, SOC 2) are evidence within your supplier management process, but do not remove your accountability for service delivery.
The standard requires asset and configuration management sufficient to support the services in scope. Whether that materialises as a formal CMDB or a combination of discovery tools, spreadsheets, and inventory records depends on service complexity. Fit for purpose beats fit for orthodoxy.
They serve different audiences. SOC 2 is a Trust Services Criteria attestation designed primarily for US and enterprise customers. ISO 20000-1 is an international service management standard. Many of our SaaS clients hold both.
Information security management aligned to Annex A controls, ready for customer and regulator scrutiny.
Business impact analysis, continuity plans, and rehearsed recovery — ready for the worst day.
Readiness, gap closure, and audit liaison for SOC 2 Type I and Type II engagements.
Half a day with a senior consultant, a clause-level gap report, and a candid timeline. No commitment beyond the assessment itself.