ISO/IEC 20000-1: IT Service Management Certification for Managed Service and Technology Providers
IT service providers, managed service providers (MSPs), and internal IT departments face increasing pressure to demonstrate that their service management practices are systematic, governed, and capable of delivering consistently high-quality services. ISO/IEC 20000-1:2018 is the international standard that certifies exactly this — a structured Service Management System (SMS) that plans, implements, operates, monitors, and improves IT service delivery.
What ISO 20000-1 Covers
ISO 20000-1 specifies requirements for a Service Management System covering the governance and operational processes needed to deliver managed IT services. It follows the same high-level structure as ISO 27001 and ISO 22301 (Plan-Do-Check-Act, Clauses 4–10), with Clause 8 additionally specifying the service management practice requirements.
Key service management practices covered:
- Service portfolio management: Planning, governance, and management of the portfolio of services — what services are offered, to whom, at what service levels, and at what cost.
- Relationship and agreement management: Managing relationships with customers, internal teams, and external suppliers. Service level agreements, operational level agreements, and underpinning contracts.
- Supply chain management: Governance of the supplier ecosystem — vendor contracts, performance monitoring, and supplier risk management for services that depend on third-party providers.
- Incident and service request management: Processes for logging, categorising, prioritising, and resolving incidents and service requests within agreed timeframes.
- Change and configuration management: Authorised, tested, and documented change management processes and a configuration management database (CMDB) tracking IT assets and their relationships.
- Problem management: Proactive and reactive investigation of the root causes of recurring incidents to eliminate them permanently.
- Availability and capacity management: Planning and monitoring to ensure services meet availability commitments and that capacity is available to support current and future demand.
- Business continuity management: IT-specific continuity planning ensuring service continuity during disruption.
- Information security management: Security controls for IT services — integrating with or complementing ISO 27001.
Who Needs ISO 20000-1
ISO 20000-1 is most valuable for:
- Managed Service Providers (MSPs): Demonstrating to enterprise clients that IT service delivery follows internationally recognised, independently audited processes — a significant competitive differentiator and increasingly a procurement requirement.
- IT outsourcing providers: Enterprise contracts for IT outsourcing routinely include ISO 20000-1 certification requirements as a contractual obligation.
- Internal IT departments of large organisations: Demonstrating service management maturity to internal stakeholders and enabling fair comparison of internal IT service performance against external benchmarks.
- Cloud and software service providers: Particularly those providing services with strong operational SLA commitments where service management process maturity is directly tied to service quality.
- Government and public sector IT providers: Government procurement frameworks in many countries explicitly require or prefer ISO 20000-1 certified service providers.
The Relationship Between ISO 20000-1 and ITIL
ISO 20000-1 and ITIL are complementary rather than competing frameworks. ITIL (IT Infrastructure Library, currently ITIL 4) provides detailed guidance, practices, and a vocabulary for IT service management. ISO 20000-1 provides the certifiable requirements framework.
ITIL 4 practices map directly to ISO 20000-1 requirements — organisations that have implemented ITIL practices will find significant alignment with ISO 20000-1 requirements. However, ITIL alone does not produce a certifiable management system, while ISO 20000-1 certification requires the formal management system structure (governance, documentation, internal audit, management review) that ITIL doesn't mandate.
The most effective approach is to use ITIL practices as the operational content of your SMS and ISO 20000-1 as the governance structure that ensures those practices are consistently implemented, monitored, and improved.
The ISO 20000-1 Certification Path
- Gap Assessment: Comparing current IT service management practices against all ISO 20000-1 requirements to identify gaps in processes, documentation, governance, and tooling.
- SMS Design: Designing the service management system structure — governance bodies, process ownership, documentation framework, measurement and reporting approach.
- Process Implementation: Documenting and implementing the required service management processes, including the tooling (ITSM platform, CMDB, monitoring systems) that supports them.
- Internal Audit: Conducting internal audits of the SMS to identify nonconformities before the certification audit.
- Management Review: Conducting a formal management review of the SMS performance, covering audit results, customer satisfaction, service performance against SLAs, supplier performance, and improvement opportunities.
- Stage 1 Audit (Document Review): The certification body reviews the SMS documentation for completeness.
- Stage 2 Audit (Implementation Assessment): Auditors assess whether the SMS is implemented, operational, and effective. They interview service management personnel, review service records, and assess process adherence.
- Certificate Issuance: Three-year certificate with annual surveillance audits.
Why Organisations Choose Savadub
Deep GRC Expertise
Our team holds practitioner-level expertise across every major compliance framework — not just theoretical knowledge, but hands-on implementation experience across multiple industries and organisation sizes.
Engineers, Not Just Consultants
We implement controls, not just recommend them. Our GRC engineers configure the systems, write the integrations, and build the monitoring pipelines that make compliance operational.
Global and African Regulatory Coverage
We understand both the global frameworks and the African regulatory environment — NDPR, NDPA, CBN directives, NITDA guidelines, and regional data protection laws — making us uniquely positioned for organisations operating across Africa and internationally.
Internal and External Audit Capability
We provide both embedded internal audit functions and independent third-party audit support, including CPA-accredited audit coordination for SOC examinations.
End-to-End Engagement
From initial gap assessment through certification, continuous monitoring, and ongoing compliance management — we are your long-term GRC partner, not a one-time consultant.
Industries We Serve
Financial Services · Healthcare · Technology & SaaS · Manufacturing · Logistics & Trade · Government & Public Sector · Energy & Critical Infrastructure · Education & EdTech · Media & Broadcasting · Retail & E-Commerce · Professional Services · Food & Beverage
Deliverables You Receive
Working with Savadub, every engagement delivers a concrete set of outputs:
- Gap Assessment Report — prioritised findings with effort estimates and risk ratings
- Compliance Roadmap — milestone-based plan from current state to certification or attestation
- Risk Register — organisational risk register with treatment plans
- Policy Pack — all required policies authored, reviewed, and approved
- Technical Control Implementation Evidence — configurations, screenshots, and audit trails
- Internal Audit Report — independent assessment of control effectiveness
- Audit Evidence Repository — organised, auditor-ready evidence collection
- Executive Summary Presentation — board and leadership-ready compliance status
- Remediation Tracker — structured tracking of open findings and closure evidence
- Continuous Monitoring Setup — ongoing CCM pipeline for post-certification compliance
Get Started with Savadub
Savadub's GRC practice combines deep compliance expertise with technical engineering capability. We don't just advise — we build, implement, and operate your compliance program from the ground up.
Book a free GRC consultation with our team. We will review your current posture, identify your most critical gaps, and give you a clear, costed roadmap to compliance.
Contact us:
- Email: grc@savadub.com
- Phone: +234 816 734 2201
- WhatsApp: +234 903 234 8435
- Website: www.savadub.com