ISO/IEC 20000-1:2018 is the certifiable standard for IT service management. Here's how it differs from ITIL, what auditors check, and a five-step path to a working SMS.
ITIL describes, ISO 20000 certifies
ITIL is a library of best practice. ISO 20000-1 is a certifiable management system standard. Most ISO 20000 implementations use ITIL as the operational playbook and ISO 20000-1 as the audit framework that proves the playbook is actually followed.
For managed service providers and SaaS vendors, an ISO 20000 certificate has become a shorthand answer to procurement questionnaires that previously took weeks to complete.
The clause structure (Annex SL)
ISO 20000-1:2018 follows the Annex SL high-level structure shared with ISO 27001, 9001, 42001 and 22301. Clauses 4–10 cover context, leadership, planning, support, operation, performance evaluation and improvement. If you already run another Annex SL standard, you can reuse the management-system shell directly.
A five-step implementation path
Step 1
Scope the SMS
Clause 4 — define which services, customers, locations and suppliers the SMS covers. Most failed audits start with a scope that is too broad or too vague.
Step 2
Map your service portfolio
Inventory every service you deliver, who it is for, the SLAs that govern it and the underlying suppliers and contracts. The service catalogue is the spine of the SMS.
Step 3
Implement the operational processes
Incident, problem, change, release, configuration, capacity, continuity, information security, supplier and service-level management. Each needs a documented procedure, named owner and evidence the process runs.
Step 4
Wire in service assurance
Clause 9 — monitor SLAs, run internal audits, do management review. Service reporting is what auditors sample most; produce it consistently from day one.
Step 5
Improve, then certify
Clause 10 — corrective action and continual improvement. Run the system for three to six months, raise and close real nonconformities, then book Stage 1 with an accredited body.
One workspace for your SMS, ISMS and QMS
ISO 20000 rarely lands alone — it usually arrives alongside ISO 27001 and 9001. Running them in three separate tools triples the work for no audit benefit.
ISO-STANDARD.app ships a ready-to-adopt ISO 20000-1 workspace with the risk register, controls catalogue, policies and audit-ready exports already wired together — no spreadsheet sprawl, no consultant lock-in.
Prefer a conversation? Email hello@iso-standard.app — a real human responds within one business day.
Frequently asked questions
What's the difference between ISO 20000 and ITIL?
ITIL is a framework of best practices for IT service management; you adopt what's useful. ISO 20000-1 is a certifiable standard that specifies requirements for a Service Management System (SMS). ITIL informs how you operate; ISO 20000 proves you do.
Who needs ISO 20000-1?
Managed service providers, cloud and SaaS vendors, internal IT functions in regulated industries, and any organisation whose customers require a certified service management capability in contracts.
What processes does ISO 20000-1 require?
Service portfolio, relationship and agreement, supply and demand, service design, build and transition, resolution, service assurance — plus the governance, planning, support and improvement clauses of any Annex SL standard.
How long does certification take?
Typically 6–12 months for a new SMS. A mature ITIL-aligned organisation can usually achieve certification in 4–6 months because most processes already exist.