ISO/IEC 20000 FAQ

It is up to you when you book your transition visit – it just has to be completed by 29 September 2021.  If you have the resources to update your system now and feel you are ready in time for your next surveillance visit we encourage you to discuss this with your client manager so you can book in an appropriate transition date.

The standard does not specify what to use to review your organizational context and issues. When looking at this clause it is more important that you select an approach that allows you to look at issues impacting your organization – including anything coming in (external issues) – and ensure that it’s relevant to the purpose of your organization and the intended outcomes of your service management system. You may consider a SWOT as part of your approach – as you would any other business tools – the important part is that you clearly have intended outcomes and consider the issues that could impact them.

ISO 9001 requires organizations to implement a quality management system that gives them the ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements. Plus it facilitates opportunities to improve customer satisfaction.

As products and services are very different, the requirements for ISO 9001 ensure you deliver a good quality service, but it doesn’t go into any detail about service management and the specific service lifecycle requirements. That is where ISO/IEC 20000-1 is a differentiator that can be used as a stand-alone framework or as a complementary standard to build on an existing quality management system. It helps you with the detail behind delivering a resilient service, one that is reliable, effective and delivers value for stakeholders.

What are the key differences between ISO 9001 and ISO/IEC 20000-1?

• ISO 9001 is focused on quality management
• ISO/IEC 20000-1 is focused on service management
• ISO 9001 is generic and aimed at any organization providing products or services
• ISO/IEC 20000-1 is specifically targeted at the services part of a providers system and the more specific focus points to address service management. In fact the word 'product' is not used in ISO/IEC 20000-1. It also has specific requirements for service lifecycle processes. These are shown in figure 1, primarily in clause 8 - Operation of the SMS.

• If you already have ISO 9001 and ISO/IEC 27001 in place, you will already be meeting some of the HLS requirements that are common across all the standards. You can create an integrated management system for these and there is a new standard that is expected next year that will provide guidance on bringing these three management systems together. It is however important to remember that you need to look at everything from a service management perspective. For example your information security policy must be reviewed to ensure it is relevant to services. Your quality policy that is general needs to be specific to services and service management to support the ISO/IEC 20000-1 requirements.

  Also ISO/IEC 20000-1 notes that the ISO/IEC 27000 series specifies requirements and provides guidance to support the implementation and operation of an information security management system and ISO/IEC 27013 already exists to provides guidance on the integration of ISO/IEC 27001 and ISO/IEC 20000-1.

At this stage we only have information based on ISO/IEC 20000-1:2011. However there will be information specific to cloud service providers in the new ISO/IEC 20000-1 handbook that is in development and due for release in early 2019

A lot of detail that was very specific on the “how” in the 2011 version has been removed. The new standard is now much more focused on the “what” to do rather than how, which does enable the use of agile methods as long as you still meet the requirements in ISO/IEC 20000-1.