
Iso 20000 Standard.pdf: A Comprehensive Guide to Service Management Systems



ISO/IEC 20000 is a Service Management System (SMS) standard that specifies requirements for an organisation to establish, implement, maintain, and continually improve a service management system. The requirements specified in the standard include the planning, design, transition, delivery, and improvement of services to meet the service requirements and deliver value. It enables IT institutions to ensure their IT service management processes are aligned to the needs of the business and customers, whilst following international best practices.







ISO 20000 is also a very similar SMS (Service Management System). It defines, implements, manages, and improves an IT service from its design through management and improvement after its release into the live environment. It goes beyond what the service does and includes how the service is built, how it is used, and how it handles issues that occur. It includes details on how you set up your organisation, how you handle third parties, how you report customer satisfaction, complaints, and compliments, etc. Many of the same or similar elements can be found in the ISO 27001 standard, but these are seen from a different point of view.


ISO 20000 is process-based and although ISO 27001 is not explicitly process-based, when you review the list of controls detailed in Annex A there are many where you would need to define a process to deal with the particular requirement. Seen from the ISO 20000 point of view, the standard requires Information Security Management, IT Service Continuity and Availability processes to be implemented. Requirements for those two processes are very much in line with ISMS requirements defined by ISO 27001.


Although both standards offer specific approaches, ISO 20000 is service based whereas ISO 27001 is risk management based; it has risk management at its core. ISO 20000 considers risks as one of the building elements of the IT service management and goes deep into the daily operation of the organisation, meaning that it coincides with some parts of the ISO 27001 (like information classification, access control, etc.) but looks at a far wider context.


In addition to information security, ISO 20000 gives an overall view on the service, including financial aspects, design, release, and deployment of the IT service. While ISO/IEC 20000 specifies a standard for service management, ISO/IEC 27001 focuses on risk assessment.


In ISO 20000 some common processes such as incident, change or capacity management, go into much more detail in order to manage IT services than those found in an ISMS aligned to the requirements of ISO 27001.


A certificate issued by a third-party registrar demonstrates that your IT management system has been certified against the requirements of ISO 20000. Implementing ISO 20000-1 by setting up internal processes gives customers confidence in the organization's capability to deliver through its use of IT infrastructure.


ISO 20000-1:2011 is the first global standard that specifically targets IT Service Management with an integrated set of management processes for effective delivery of services. ISO 20000-1:2011 is based on the ITIL (Information Technology Infrastructure Library) framework. The standard defines the requirements for an organization to deliver services of an acceptable quality. The scope of ISO 20000-1 includes requirements for a management system; planning and implementing service management; planning and implementing new or changed services; service delivery processes; relationship processes; resolution processes; control processes; and release processes. The standard is designed to shape consistency into the management of IT services and infrastructure, either internal or outsourced, benefiting employees and clients.


ISO 20000-1:2011 is the latest version of the IT Service Management System, which is applicable to all information technology service providers (internal or external scope) and to any organization that depends on information technology suppliers to carry out its business activities or simply wishes to improve its IT service management system.


ISO 20000-2 is a Code of Practice that describes the best practices for Service Management processes within the scope of ISO 20000-1. The Code of Practice is particularly useful for organizations preparing for an audit against ISO 20000-1 or planning service improvements. The certificate is issued for ISO 20000-1:2011 only.


The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted the internationally recognized ISO/IEC 20000-1 service management system (SMS) standard. It is intended to help design, transition, deliver and improve services to fulfil agreed service requirements. For more information, see


India's Ministry of Electronics and Information Technology (MeitY) has defined the Information Technology Security Guidelines as a set of standards and guidelines that cloud services can be certified against in areas including security, interoperability, data portability, service level agreement, contractual terms and conditions. These guidelines are based on global information security standards such as ISO/IEC 27001:2013; ISO/IEC 20000:1; ISO/IEC 27017:2015; ISO/IEC 27018:2014; and TIA-942/ UPTIME (Tier III or higher). For more information, see _0.pdf


Since the end of 2005 the international standard ISO 20000 has been deployed for IT service management (ITSM) as a standard for the provision of IT services. Meanwhile, a growing number of IT service providers undergo ISO 20000 certification in order to provide evidence of their conformity with the standard and to use it as a quality signal for their customers.


The ISO 20000 standard follows the demand to transfer standardization as a principle of industrial production to the provision of IT services. Besides, quality management approaches similar to the ISO 9000 standard are pursued. By means of a targeted and systematic use of a set of instruments, the needs, requirements and expectations of customers with regard to quality and cost of IT services should be met. The main instruments are:


Companies are awarded certificates according to ISO 20000 upon request and after examination by registered certification bodies (RCB). Fig. 3 illustrates the main stages and tasks of such a certification project.


Finally, the certification authority provides a report analyzing the audit results and explaining measures for possible improvement to be implemented before the next examination. In case of a positive overall result the company receives an official certificate confirming conformity of IT service provision with the requirements of ISO 20000.


So far, 421 companies have been certified according to ISO 20000 (Fig. 4). As regards Europe, relatively many companies are based in the UK (54), which can partly be explained by the fact that a British predecessor existed with the national standard BS 15000, from which companies could switch to ISO 20000 in a simplified transition process until mid 2007.


The comparatively small number of 20 certified companies in the USA confirms the currently prevailing assumption that standards such as ISO 20000 and reference models such as ITIL (still) do not receive great attention in the USA; verified investigations, however, are not available. The large number of certificates in Asia can be explained by the fact that many of these IT vendors offer their services in offshoring transactions to companies in Western Europe and North America and intend to signal trustworthiness and reputation by means of the certificate. In Germany, currently 27 companies are certified, which are listed in Tab. 1.


The number of companies certified according to ISO 20000 is expected to increase in the coming years. This will mainly result from increasing customer pressure calling for evidence of compliance with minimum requirements of IT services. The relevant literature cites predictions according to which future procurement projects in both public and private companies increasingly and explicitly require certification under the terms of ISO 20000 (Gartner Group, according to Buchsein et al. 2007, p. 51). In addition, IT providers will more and more try to achieve competitive advantages by using the certificate as a quality signal for indicating trustworthiness and reputation.

