Service Management Standards
The ISO 20000-series of service management standards addresses a range of considerations for organizations with a Service Management System (SMS) implementation in place. Here are some of the more relevant standards that can guide you on your SMS journey and help you optimize your approach.
ISO 20000-1 Service Management — Part 1: Service Management System Requirements
Amd 1:2024: Climate Action Changes
ISO 20000-2 Service Management — Part 2: Guidance on the Application of Service Management Systems
Amd 1:2020
ISO 20000-3 Service Management — Part 3: Guidance on Scope Definition and Applicability of ISO/IEC 20000-1
ISO 20000-4 Service Management — Part 4: Process Reference Model [Withdrawn]
NOTE: ISO 20000-4 has been replaced by ISO 33054 Process Reference Model and ISO 33704 Process Assessment Model
ISO 20000-5 Service Management — Part 5: Implementation Guidance for ISO/IEC 20000-1
ISO 20000-6 Service Management — Part 6: Requirements for Bodies Providing Audit and Certification of Service Management Systems
ISO 20000-7 Service Management — Part 7: Guidance on the Integration and Correlation of ISO 20000-1:2018 and ISO 27001:2013 [Withdrawn]
NOTE: ISO 20000-7 was withdrawn in mid-2022 just prior to the release of the revision to ISO 27001:2022.
ISO 20000-8 [Absorbed into ISO 20000-1:2018]
ISO 20000-9 Service Management — Part 9: Guidance on the Application of ISO/IEC 20000-1 to Cloud Services [Withdrawn]
NOTE: This standard was withdrawn by ISO in September of 2018 after the publication of the ISO 20000-1:2018 revision.
ISO 20000-10 Service Management — Part 10: Concepts and Vocabulary
ISO 20000-11 Service Management — Part 11: Guidance on the Relationship Between ISO 20000-1 and Service Management Frameworks: ITIL
ISO 20000-12 [Reserved]
ISO 20000-13 [Reserved]
ISO 20000-14 Service Management — Part 14: Guidance on the Application of Service Integration and Management to ISO/IEC 20000-1
ISO 20000-15 Service Management — Part 15: Guidance on the Application of Agile and DevOps Principles in a Service Management System
ISO 20000-16 Service Management — Part 16: Guidance on Sustainability Within a Service Management System Based on ISO/IEC 20000-1
ISO 20000-17 Service Management — Part 17: Scenarios for the Practical Application of Service Management Systems Based on ISO/IEC 20000-1:2018
ISO Steering Committee 40 - IT Service Management
ISO Committee 292 - Security and Resilience
ISO Steering Committee 40 (SC 40) is responsible for the world of IT Service Management, including ISO 20000-1:2018 Service Management System Requirements, which aligns with ITIL v4 (Information Technology Infrastructure Library). SC 40 is also responsible for the ISO 30105-series of standards, which address IT Enabled Services-Business Process Outsourcing (ITES-BPO) lifecycle processes. The full collection of ISO 20000-series and ISO 30105-series standards can be found here.
The collection of Service Management System (SMS) standards is a specialized version of a quality management system focused on services, whereas the ISO 9001 QMS standard addresses both products and services. Services are built to provide value to organizations, their partners, and customers. While ISO 20000-1 is very similar to ISO 9001, the processes that define service management are far more comprehensive.
Many of the elements of the ISO 20000 processes and controls are found in modern DevSecOps system development life cycles (SDLC). ISO 20000 also has a strong relationship with other ISO management systems, like ISO 22301 (Business Continuity Management Systems) and ISO 27001 (Information Security Management Systems).
Service Management & Information Security
ISO 27013:2021 Guidance on the Integrated Implementation of ISO/IEC 27001 and ISO/IEC 20000-1 provides a clear explanation of the areas where a Service Management System and an Information Security Management System overlap, and where they differ. In ISO 20000-1, Clause 9.7.3 identifies that an organization must have an information security program, but it does not mandate the use of the ISO 27001 standard for information security. However, at a minimum an organization must have an information security policy structure, information security controls, and an information security incident approach.
Here are some notable areas where organizations need to understand and manage the differences between service management and information security management:
Risk management: Risks to services do not always fall within the information security objectives of confidentiality, integrity and availability. An organization’s approach to service management risk needs to consider how the delivery of services might be (or potentially could be) compromised, disrupted, or otherwise adversely impacted.
Incident management: An incident can be a service incident, an information security incident, both, or neither. When a SEV-1 incident occurs, the priority of the service management team is to restore the service as soon as possible. However, this may put certain information security interests, like preservation of evidence, at risk. ISO 27013 explains how to address such challenges.
NOTE: Due to new statutory, regulatory, and other perspectives, new forms of incidents can emerge. Artificial intelligence (AI) is a recent example. An AI incident, as may be defined by law, may be a service incident, an information security incident, both, or neither.
NOTE: ISO 20000-7:2019 Guidance on the Integration and Correlation of ISO/IEC 20000-1:2018 to ISO 9000-1:2015 and ISO/IEC 27001:2013 was withdrawn in mid-2022, just prior to the release of the revised ISO 27001:2022.