ITIL is the most widely recognised IT service management framework. It is also not certifiable as an organisational practice — only individuals can hold ITIL certifications. For organisations that need to demonstrate, externally, that their service management actually operates to a defined standard, ISO/IEC 20000 fills that gap. It is the international standard for an IT Service Management System (SMS), and it is increasingly relevant for IT service providers, managed service vendors, and internal IT functions whose customers expect demonstrable service management capability.
How ISO 20000 Relates to ITIL
ITIL provides detailed service management practices — incident management, problem management, change enablement, service request management, and many more. ISO 20000 specifies what an organisation's service management system must include and how it must operate, at a more abstract level. The two are largely compatible: an organisation implementing ITIL practices to a meaningful depth typically satisfies most of ISO 20000's requirements. The standard adds the management system architecture (leadership, planning, performance evaluation, improvement) that ITIL itself does not specify.
The Process Areas the Standard Covers
ISO 20000 organises service management into a set of process areas covering service delivery, relationship, resolution, control, and release. Within each, the standard specifies what the organisation must do — define service levels with customers, manage capacity, manage information security in services, manage incidents and service requests, manage problems, manage changes, manage configurations, manage releases. The list is recognisable to anyone familiar with ITIL; the difference is that ISO 20000 specifies them as required components of a certifiable system.
Service Level Management Done Properly
Service level management under ISO 20000 is more demanding than the SLAs many organisations have in place. The standard expects documented service catalogues, service level targets agreed with customers, monitoring of performance against targets, regular reporting, and improvement actions when targets are not met. SLAs that exist in contracts but have no operational measurement, no reporting, and no improvement loop fail the standard's expectations. Organisations preparing for certification frequently discover their existing SLAs are weaker than they thought.
A pattern that surfaces during certification audits: the organisation has SLAs with each major customer, but the SLAs are inconsistent in structure, measured against different definitions of "incident," and reported through different formats. The standard does not require uniform SLAs across customers, but it does require coherent measurement and reporting across the service portfolio. The remediation is usually a service catalogue rationalisation that should have happened years earlier.
Who Needs Certification
External IT service providers and managed service vendors face the strongest case — customers increasingly include ISO 20000 in procurement requirements, and the certification reduces friction in deals. Internal IT functions in regulated industries sometimes pursue certification as governance evidence. Cloud service providers and infrastructure-as-a-service vendors integrate it with ISO 27001 to demonstrate combined service management and security capability. Organisations whose IT services are entirely internal, with no external commitments, often gain less from formal certification than from rigorous internal ITIL practice.
How to Approach Implementation
- Define the SMS scope precisely — which services, customers, locations are covered
- Build the service catalogue and align SLAs to a coherent measurement structure
- Implement the standard's required processes; document where you go beyond minimum requirements
- Establish the management system layer — internal audit, management review, continual improvement
- Integrate with ISO 27001 if you hold it; the management system structures align cleanly
- Treat the implementation as 12-18 months of work for organisations with informal ITSM today; faster if ITIL is already mature