How ISO 20000 Has Stayed Useful for Twenty Years

Illustrated header showing Lynda Cooper and Roman Zhuravlev as stylized figures seated on large colorful 3D letters representing ISO 20000

Summary

ISO 20000 has stayed useful for thirty years by doing one thing most standards get wrong: separating what good service management requires from how you deliver it. The 2018 edition completed that shift, stripping the standard back to around 20 pages of requirements and leaving the “how” to whichever framework the organization uses. That structure is why ISO 20000 can absorb agile, DevOps, and now AI without rewriting its core. Lynda Cooper, who edited the last two editions, has been making this argument since the mid-1990s, and the standard has largely caught up with her.

People keep mixing up standards and frameworks. Lynda Cooper has spent thirty years trying to stop them. She’s been on the BSI committee for service management standards since the mid-1990s. She edited the last two editions of ISO 20000 (2011 and 2018). She runs a consultancy focused on getting organizations through ISO 20000 and ISO 27001 certification. If anyone has earned the right to be opinionated about how standards should work, it’s her.

Her view, across her Conversations with Giants episode with Roman Jouravlev: the most useful thing ISO 20000 ever did was stop trying to tell people how to do service management.

What changed with ISO 20000 in 2018

Earlier editions of ISO 20000 were longer and more prescriptive. They told you which reports to produce, how to structure things, and what specific methods to use. The 2018 edition stripped all of that out. What’s left is around 20 pages of requirements describing what a service management system needs to deliver, with no opinion on how you deliver it. The “how” lives in frameworks: ITIL, COBIT, or whatever your organization uses.

It’s not just tidying up. The “how” of IT service management (ITSM) changes every few years. The technology moves, the practices evolve, and agile gets folded in, then DevOps, then artificial intelligence (AI). If a standard tries to lock in the “how,” it dates fast and gets in the way of the people using it.

The “what” is more durable. Does the organization manage incidents, plan capacity, and handle changes coherently? That question doesn’t go out of date.

Asked what she’d change about how ISO 20000 has been developed, Lynda would have stripped out the “how” much earlier than 2018. The standard would have been more useful, sooner.

Three reasons organizations use ISO 20000

Three things drive most of the use Lynda sees in her consulting work.

The first ISO 20000 use is contractual

ISO 20000 is increasingly written into supplier requirements. The UK government has added it to a recent procurement framework. The Chinese government uses it for IT service provider requirements. Outsourcing providers in particular need it because their clients ask for it.

The second ISO 20000 use is competitive positioning

Service providers use certification to demonstrate they’re good at what they do, and that they meet an externally verified bar. It’s the use case that pushed ISO 20000 outside the UK in its early years. Indian IT outsourcers wanted the recognition, and they wanted it before the British standard had gone international.

The third ISO 20000 use is self-assessment without certification

It’s the use Lynda thinks more organizations should be making of the standard. Most don’t need to be certified. They want a short, plain reference for what good service management requires, brief enough to read on a train. ISO 20000 Part 1 is around 20 pages with roughly half a page per topic. Pair that with whatever framework you prefer, and you have a workable starting point, regardless of whether you’ll ever fly an external auditor in.

The certification path is its own decision. It requires external audits every year. It requires that everything in the requirements is being done, all of it, with evidence. It improves things, in Lynda’s experience, but it’s a commitment.

Where to start

If certification isn’t on the table, the simplest way in is to get hold of Part 1 and treat it as a self-assessment baseline against whatever framework you already work with. The framework you’re using will say how to close any gaps you find.

If certification is in scope, treat the standard as the destination, not the starting point. Lynda’s view is to spend the first half-day or full day on what the organization wants out of the work, who the stakeholders are, and what outcome they expect, before opening the standard at all. Skipping that step is how organizations end up with management systems they don’t recognize and procedures they can’t use.

How a single standard tracks moving technology

The way ISO 20000 has stayed current with new ways of working isn’t through endless re-edits of Part 1. It’s through a growing set of guidance parts that connect the standard to specific contexts. There are around twelve of them now: using ISO 20000 with agile and DevOps, using it with ITIL 4, applying it to experience management, and working with sustainability requirements. The most recent addition, just agreed, is a guidance part on using ISO 20000 with AI.

It’s the multi-part structure doing its job. Part 1 doesn’t change. It states what’s required. The guidance parts move at the pace of the rest of the industry. When ITIL released version 4, a guidance part was produced to cover it. When AI began showing up in service management tooling, a new guidance part was started. The standard tracks the industry without rewriting itself.

It also produces some cross-pollination. Working on the ITIL side, you find yourself adjusting content to align with how the relevant ISO standard frames things. Working on the ISO side, the same happens in reverse. The frameworks and the standards inform each other.

A standard specifies what a working service management system must deliver. A framework says how to deliver it. Keeping that distinction clear is why ISO 20000 has remained useful as long as it has.

The Conversations with Giants series is created by Roman Jouravlev. ITSM.tools publishes accompanying articles and embeds each episode. Watch this episode with Lynda Cooper here:

ISO 20000 FAQs

What is ISO 20000?

ISO 20000 is an international standard for service management. It specifies requirements for establishing, implementing, maintaining, and continually improving a service management system (SMS) so organizations can consistently deliver services that meet customer and business requirements.

What is the difference between ISO 20000 and ITIL?

ITIL is a best-practice framework that provides guidance on how to manage services. ISO 20000 is a certifiable requirements standard. Many organizations use ITIL practices to help meet ISO 20000 requirements, but ITIL itself is not a certification of the organization’s service management system.

Who should consider ISO 20000 certification?

In terms of IT, organizations that provide IT or technology-enabled services, including internal IT departments, managed service providers (MSPs), SaaS companies, outsourcing providers, and public-sector IT organizations. Certification is especially useful when customers or regulators require evidence of mature service management practices.

What does ISO 20000 certification cover?

Certification covers the organization’s service management system and the defined scope of services included in that SMS. Auditors assess whether the organization meets the standard’s requirements, not whether every IT activity in the company is certified.

How long does ISO 20000 certification take?

Timelines vary widely by organization size, maturity, and scope. A realistic range is 3–12 months for organizations that already have documented service management processes, and longer for organizations starting from scratch.

How much does ISO 20000 certification cost?

Costs typically include consulting or implementation support (if used), internal staff time, training, tooling changes, internal audits, and certification body audit fees. The largest variable is usually the amount of process redesign and evidence collection required.

Is ISO 20000 mandatory?

No. It is generally voluntary, but some customers, contracts, procurement frameworks, or regulatory environments may effectively make certification a commercial requirement.

Can a small IT team or MSP get certified?

Yes. The standard is scalable. Small organizations often succeed by keeping the scope focused, documenting only what is necessary, and demonstrating consistent operational evidence rather than creating excessive paperwork.

What are the main requirements auditors focus on?

Auditors commonly look for:

A clearly defined SMS scope and service catalog
Documented policies, objectives, and governance
Evidence of incident, change, problem, and service continuity management controls (as applicable to scope)
Supplier management controls where third parties affect service delivery
Risk management, performance monitoring, and continual improvement activities
Internal audits, management reviews, and corrective actions.

Do we need a specific ITSM tool to comply with ISO/IEC 20000?

No. The standard does not mandate a particular tool. However, organizations must be able to demonstrate controlled processes, records, metrics, and evidence. Many service management platforms can support these requirements.

What is the relationship between ISO 20000 and ISO 9001?

ISO 9001 is a generic quality management system (QMS) standard, while ISO 20000 is specific to service management. Organizations may integrate the two management systems, but compliance with one does not automatically mean compliance with the other.

What is the relationship between ISO 20000 and ISO 27001?

ISO 27001 focuses on information security management, while ISO 20000 focuses on service management. Many organizations implement both because secure, reliable service delivery often requires coordinated service and security controls.

What are the benefits of ISO 20000 certification?

Common benefits include more consistent service delivery, clearer accountability, better customer confidence, improved supplier oversight, stronger audit readiness, and a structured continual improvement mechanism. Commercially, certification can help in procurement and competitive bids where independent verification matters.

What is the biggest mistake organizations make during implementation?

Over-documenting. Successful implementations usually focus on operational evidence, clear ownership, measurable objectives, and continual improvement rather than creating large volumes of procedures that teams do not actually follow.

Do we need external consultants?

Not necessarily. Organizations with experienced service management, audit, and management-system personnel can implement internally. Consultants can accelerate gap assessments, roadmap creation, evidence preparation, and audit readiness, but they are optional.

How often are surveillance and recertification audits performed?

Certification bodies typically perform periodic surveillance audits during the certification cycle and a recertification audit before the certificate expires. The exact schedule is defined by the certification body and accreditation rules applicable in your region.

What evidence should we start collecting first?

Start with the basics: service scope, service catalog, policy, objectives, process owners, change records, incident records, supplier records, risk register (if used), internal audit results, management review minutes, corrective actions, and service performance metrics. These artifacts usually reveal the biggest gaps early.

Sophie Danby
Sophie Danby

Sophie is a freelance ITSM marketing consultant, helping ITSM solution vendors to develop and implement effective marketing strategies.

She covers both traditional areas of marketing (such as advertising, trade shows, and events) and digital marketing (such as video, social media, and email marketing). She is also a trained editor.

Want ITSM best practice and advice delivered directly to your inbox? Why not sign up for our newsletter? This way you won't miss any of the latest ITSM tips and tricks.

nl subscribe strip imgage

More Topics to Explore

Leave a Reply

Your email address will not be published. Required fields are marked *