Hello ISO 20000 (2018), We’ve Been Expecting You

At the end of last year, the service management standard ISO/IEC 20000, usually referred to as simply ISO 20000, was given a revision. With its last update in 2011, and some pretty big changes in the worlds of business, technology, and service management since then, it’s safe to say that we’ve been expecting it.

The update to the standard, now labeled ISO 20000: 2018, prompted me to write this blog post explaining the major differences between the two versions, what makes ISO 20000 so special, and of course, what it actually is (because that’s always worth covering isn’t it?).

What is ISO 20000 (and a little history)?

ISO 20000 is an internationally recognized service management standard that first came to life in 2005. In fact, it’s the only international service management standard out there. Plus, it doesn’t only relate to IT service management (ITSM).

It’s based on BS 15000 (the world’s first standard for service management) which was developed by the British Standards Institution (BSI) and made obsolete in 2007. Since its introduction, ISO 20000 has been revised twice – once in 2011 and now again in 2018.

The formal view of ISO/IEC 20000-1 is that the standard gives the requirements for:

“Establishing, implementing, maintaining and continually improving a service management system (SMS). An SMS supports the management of the service lifecycle, including the planning, design, transition, delivery, and improvement of services, which meet agreed requirements and deliver value for customers, users and the organization delivering the services.”

The ISO 20000 standard is a series that’s split into two main parts. It gives organizations both the requirements of a service management system (part one, i.e. ISO 20000-1) and guidance on best practices for the application of service management systems based on those requirements (part two, ISO 20000-2).

There are additional aspects of the series too, including guidance on the relationship between ISO 20000-1 and other service management frameworks (such as ITIL and COBIT), all of the concepts of the standard and the vocabulary used, and guidance on the scope definition and applicability of ISO 20000-1.

Certification of ISO 20000-1 is available for organizations (unlike with ITIL), the other parts of the series are not certifiable as they’re provided for guidance only and don’t list certifiable requirements.

Certification of ISO 20000-1 is obtained by passing a robust audit procedure through which organizations must show that they’re familiar with the processes and principles of the standard, provide evidence that the standard’s processes are adhered to, and produce all of the relevant documentation that ISO 20000-1 calls for.

6 reasons why ISO 20000 was updated

Reason 1 – structure conformance

Many other standards, such as ISO/IEC 27001, ISO 14001, and ISO 9001, follow the Annex SL structure (a management system format) but, until now, ISO 20000 hasn’t done so.

ISO 20000 following the same structure (as other standards) makes it easier for organizations who wish to implement multiple standards. So, it made sense for ISO 20000 to join the party too.

Reason 2 – new rules

New “rules” related to the terms within the ISO 20000 standard have been issued, which has meant that some terms have been updated, others removed entirely, and some new terms have been added.

For example, the term “internal group” is now “internal supplier” and the term “supplier” is now “external supplier.” It might sound persnickety but it’s incredibly important for standards to use the correct vocabulary and follow the rules set out for their use.

Reason 3 – lesser reliance on documentation for certification

In older versions of ISO 20000, certification could only be gained if there was a rich amount of documentation available within an organization. These documents had to detail everything about how the organization aligned itself with ISO 20000 and show evidence that ISO 20000 was understood and actioned within all of its service management processes.

The 2018 update of the certification still requires documentation. However, it calls for much less of it than previously asked for – needing only key documents, such as a service management plan.

This seems to be a nod towards a more Agile way of working, which – from a software-development perspective – favors “working software over documentation.” Digital transformation is, after all, changing the world of service management which means that standards and frameworks will need to change with it.

Reason 4 – wider applicability

The ISO 20000 update recognizes that service management – in its ITSM form – is moving away from IT and being embraced by the organization as a whole. And that it’s not just IT services that can benefit from ISO 20000, with the standard recognizing that service management is starting to be conducted holistically.

Reason 5 – recognizing multi-supplier scenarios

ISO 20000: 2018 also understands that, in today’s world where opportunities are aplenty, organizations are no longer using a single supplier for their needs and instead are using multiple suppliers – internal and external –to get the best services available to them.

Requirements for multi-supplier management – or service integration and management (SIAM) – are therefore now included within the standard.

Reason 6 – reflecting changes in other service management approaches

Some parts of the standard provide guidance on the relationship between ISO 20000-1 and service management approaches such as ITIL. And, because of the aforementioned major developments – and drivers of change – within service management, the IT industry is also seeing updates to many related approaches too, which naturally means that the guidance on the relationship will also need to change.

Once such example is ISO 20000-11 – guidance on mapping to ITIL – which is awaiting the publication of ITIL 4 before being produced. And additional new parts are being added too, such as ISO 20000-13, a guidance report on the relationship between ISO 20000 and the new COBIT 2019. This is likely due to be published in late 2019 due to the recent update of the COBIT framework.

The 6 major differences between ISO 20000 (2011) and ISO 20000 (2018)

In some respects, this is very similar to the reasons for change already outlined above. Many people will want to know what the differences are, so please forgive the need to slightly repeat some of the above – albeit in less detail.

Difference 1 – Terms have been updated, added, or eliminated to reflect recent terminology “rule” changes.

Difference 2 – A reduction in the amount of required documentation, with ISO 20000 now calling only for key documents to be produced in relation to an organization’s SMS.

Difference 3 – Some parts from the 2011 series have been withdrawn completely. For instance, ISO 20000-4 was a process-reference model and ISO 20000-9 related to the application of ISO 20000-1 to cloud services. Both of which are now outdated and no longer necessary in the 2018 series.

Difference 4 – References to the plan-do-check-act (PDCA) cycle have been removed in line with Annex SL which does not specifically reference the cycle itself.

Difference 5 – The 2018 version of ISO 20000 is less precise in some of its requirements. This is in an effort to allow organizations more freedom in how they meet them.

Difference 6 – ISO 20000 now includes the management of multiple suppliers and the need to show the value of the services being offered.

The why – 8 benefits of an ISO 20000-1 certification

So far, I’ve covered what ISO 20000 is and how the new version has moved the 2011 version on. But why should you care? Here are eight organization-related benefits of ISO 20000 adoption:

1. Increased credibility, especially for suppliers. ISO 20000 certification gives organizations a level of credibility that they would otherwise be unable to achieve. The reason for this is that ISO 20000-1 is an international standard in service management, therefore it’s recognized around the world and proves that the certified business co-operates with best practices and that its SMS is fully compliant. A good example of this benefit is where a government agency might mandate that suppliers submitting tenders for new work must be ISO 20000 certified.
2. Increased customer confidence. Because of this increased credibility, customer confidence grows. Because with customers knowing that services are managed effectively and that the supplier organization is compliant with international standards, customers can be confident that their services are being handled professionally and potentially optimally.
3. Increased organizational growth. With an ISO 20000-1 certificate, your business is likely to be able to grow more quickly thanks to the certification providing an inroad into otherwise closed markets – it’s a bedrock on which the organization can build. As your organization’s portfolio changes, and takes on more services, the “structural elements” are already in place to handle these. Plus, because the certification offers standardized practices to follow, your organization can reduce the risk of knowledge loss when staff leave. If your company is growing quickly, it can also look to employ ISO 20000-1 qualified individuals to reduce the level of training required when they come on board.
4. Incident and outage reduction. An ISO 20000-1 certification means that an organization’s SMS is fully compliant with the standard, which guides the business on service management best practices. Due to this, organizations that become certified often find that they can reduce their major outages and IT incidents. Plus, by following clearly-defined requirements and knowing how to apply best practice to their own service management lifecycle, organizations have a better chance of delivering the value that their customers expect.
5. Proactive service management. Following on from the reduction in incidents and business outages, and as an organization becomes more adept at service management, it will then be able to offer a more proactive service management experience to its customers. Especially because the ISO 20000-1 certification is all about delivering value to customers, whose expectations are growing all the time. And to keep customers happy, service management needs a shift from traditional incident management – fixing something that’s reported as broken – to fixing that something before it has a chance to adversely impact the customer. In fact, the definition of the term “incident” in ISO 20000 includes “an event that has not yet impacted the service to the customer.”
6. Reduction in costs. This proactive service management helps costly issues and mistakes to be avoided and processes to run more smoothly. Along with the reduction in incidents, less money is spent on support costs and less is lost through business outages because they become less frequent (or perhaps avoided altogether).
7. Continual improvement and the benefits this brings. An ISO 20000-1 certification helps organizations to implement a culture of change and continual improvement. As organizations work to keep up with the best practices of service management, which can evolve due to emerging technology and system capabilities, it’s important that they can handle rapid change and continually look for new ways to work smarter.
8. Positive cultural change. Along with developing a working environment that handles change well and is driven to keep on improving, ISO 20000 assists organizations in changing their culture and to work holistically (rather than in the traditional siloes that are commonly prevalent in the service management space). In particular, finger-pointing and blame are reduced because everyone is encouraged to take ownership for services rather than pushing responsibility onto the IT department.

4 ways the ISO 20000 standard differs from ITIL

You might have read all of the above but still feel that you need to know more. For instance, how does ISO 20000 differ from the ITIL framework? Here’s my take.

Because ISO 20000 provides guidance on service management best practices along the entire service lifecycle can confuse people, who ask:

• “Doesn’t ITIL do that?”
• “Do we need both?”
• “What’s the difference?”

And at first glance, it can be pretty confusing. So, here are four ways ISO 20000 differs to the ITIL ITSM best practice framework.

1. ISO 20000 is a standard for service management that details requirements for everything related to a service management system. ITIL is a framework designed to guide businesses on the best practices for ITSM – it gives advice on what organizations can do but it’s not a standard providing requirement that must be met.
2. Organizations can gain certification in ISO 20000-1 (due to it being a standard) whereas an ITIL certification for an organization doesn’t exist (as it’s a framework designed for guidance only). There is, however, the Pink Elephant PinkVERIFY certification scheme for ITSM tools that’s based on ITIL.
3. ITIL qualifications and ISO 20000 qualifications are available for individuals, such that people can prove their knowledge in these areas. However, a group of qualified ITIL employees does not hold the same credibility as an organization with people certified in ISO 20000-1. It’s often stated that, although the two are aligned, ITIL is the better choice for less mature organizations who wish to get a handle on their service management processes before heading into the world of certification and standards. ISO 20000-1 is an incredibly tough certification for organizations to acquire and is best for organizations that already have a good hold on ITIL and a solid understanding of the workings of their service management processes.
4. ISO 20000 is flexible and fully scalable, so it doesn’t matter about the size or structure of an organization – any company can become certified once they’re ready. ITIL, however, doesn’t necessarily work in this way and so it offers special considerations for smaller organizations.

There’s a lot to know about the revised ISO 20000 standard, so hopefully, my blog post has answered your burning questions about what it’s used for, why it needed an update, and what’s changed. If you want to know more, then please leave me a comment.