
IRCA Briefing note

ISO/IEC 20000-1: 2011

How to apply for and maintain Training Organization Approval and Training Course Certification IRCA 3000

Contents
Introduction
Summary of the changes within ISO/IEC 20000-1:2011
Overview
Detail review
1. Scope
2. Normative references
3. Terms and definitions
4. Service management system general requirements
5. Design and transition of new or changed services
6. Service delivery processes
7. Relationship processes
8. Resolution processes
9. Control processes
Appendix A

Copyright IRCA 2012


All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means electronic,
mechanical, photocopying, recording or otherwise without prior permission of the International Register of Certificated Auditors (IRCA).
WWW.IRCA.ORG


Introduction
The International Register of Certificated Auditors (IRCA) has prepared this briefing note to communicate to IRCA Certificated Auditors, IRCA Approved Training Organizations and other interested parties our understanding of ISO/IEC 20000-1:2011.

The content of this briefing note is provided in good faith and is the opinion of IRCA. It should not be reproduced nor used for commercial purposes. IRCA Certificated Auditors and IRCA Approved Training Organizations are advised to familiarise themselves with ISO/IEC 20000-1:2011.

Overview
A principal constraint of ISO 20000-1:2005 when implementing or assessing the conformance of an IT Service Management System (ITSMS) was the number of mandated processes; these were often worded such that they required auditor interpretation and agreement with the auditee.

Throughout ISO/IEC 20000-1:2011 many of these process requirements are replaced with explicitly mandated documented procedures. Many are extended with prescribed minimum attributes that improve clarity of review, understanding of intent and support conforming implementation. As an indicator of the extent of changes to conformance requirements it is interesting to note that:
 ISO 20000-1:2005 had 171 "shall" statements
 ISO 20000-1:2011 has 257 "shall" statements (+50% approximately).

The provision of IT services and the development of their underpinning Service Management Systems (SMS) has evolved considerably since the original standard was published in 2005. The sector has evolved from provision of internal corporate IT systems and bespoke outsourcing of corporate IT systems toward one that embraces consumerization and offers provision of more generic, utility IT services. Practices and methodologies such as ITIL have evolved alongside those developments. ISO/IEC 20000-1:2011 requirements and conformance controls have similarly changed to accommodate that.

The 2011 revision also reinforces alignment with other management system standards, particularly ISO/IEC 9001:2008 Quality management systems - Requirements and ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements, improving and enabling an integrated, process-based approach across disciplines as part of a business management system. Auditors and assessors with experience of these standards will be familiar with the common themes and terminology. However, those with experience only of ISO 20000-1:2005 may need to carefully review the current standard to ensure an appropriate understanding of revised conformance requirements.

Some may view the modifications of ISO/IEC 20000-1:2011 as a substantial change. Others may think it largely captures good practices already implemented. IRCA's view is that publication of ISO/IEC 20000-1:2011 provides organizations implementing IT Service Management Systems and organizations needing to conduct audits of IT Service Management Systems an opportunity to re-assess their own practices and identify improvement opportunities.


Detail review
Many clauses of ISO 20000-1:2005 began with a statement
of the objective of that clause (though not clauses titled
General or Background). These have been removed and do
not appear in ISO/IEC 20000-1:2011.
1. Scope
It is this section that confirms the applicability of the standard
to the whole service management system lifecycle.
The general use cases described in 1.1 a) to f) are derived
and developed from those in ISO 20000-1:2005 to clarify
the perspectives of the service provider, the organization
seeking services from a provider and the assessor or auditor
of conformity.
Figure 2 the Service Management System diagram
promotes a more consistent view of the relationship of
elements of ISO/IEC 20000-1:2011. Most notably, the
relationship with customers and other stakeholders is
added. The service management system requirements and
design and transition of new or changed services are added
as layers in the diagram to demonstrate their context and
relationship with service delivery, resolution, relationship
and control processes. Also of note, release and deployment
management is subsumed into the category of control
processes.
Clause 1.2 Application is added documenting further
clarification of requirements for conformance. Here it is
acknowledged that parts of the service delivery (clauses 5
to 9) may be provided by other parties and that evidence
of process governance from these sources is admissible.
However, it is emphasised that service management
responsibility, governance of other parties involved in
service provision, documentation management, resource
management and service establishment and improvement
defined in clause 4 must be evidenced only by the service
provider. No part of that clause may be delegated or
contracted to another party. ISO/IEC TR 20000-3 provides
additional guidance on scope definition and applicability
including further explanation about the governance of
processes operated by other parties.
2. Normative references
This empty clause is added only for the purpose of clause
numbering alignment with ISO/IEC 20000-2.
3. Terms and definitions
As would be expected from a technical revision, there are
now 37 defined terms in ISO/IEC 20000-1:2011 compared
with the 15 listed in ISO 20000-1:2005. Many of the additional
terms are adopted or adapted from ISO 9000:2005 Quality
management systems Fundamentals and vocabulary, ISO
27000:2009 Information technology Security techniques
Information security management systems Overview and
vocabulary and others are consistent with ITIL v3 (although
ISO/IEC 20000-1:2011 is independent of any specific
implementation methodology).
For example, clause 3.11 defines information security as "preservation of confidentiality, integrity and accessibility of information". Accessibility is inconsistent with ISO 27000:2009, which uses the term availability; however, accessibility is used here to avoid conflict with the existing ISO/IEC 20000-1:2011 definition of [IT service] availability as per clause 3.1 of this standard.

The improved consistency of terms used with other management systems standards is a welcome assistance enabling an integrated, process-based approach across disciplines. However, before undertaking a conformity assessment, care is needed to thoroughly review the defined terms to ensure a common understanding of the idiosyncrasies of some adapted terms.
4. Service management system general requirements
The use of clause 4 to define management system
requirements reinforces alignment with other management
system standards, particularly ISO/IEC 9001:2008 and ISO/
IEC 27001:2005.
Clause 4 of this standard is an extensive redevelopment of
clauses 3 and 4 of ISO 20000-1:2005, transferring the mature
management system principles established by ISO 9001 into
this standard. It is not a like-for-like adoption, however;
while the requirements and terminology may be familiar,
clause 4 of this standard amalgamates equivalent elements
from a number of ISO 9001 (and, similarly, ISO 27001) clauses
as outlined in Appendix A.
4.1 Management responsibility is a thorough re-work of ISO
20000-1:2005 clause 3.1, introducing a number of additional
requirements. Top management commitment, policy
management, authority and responsibility are specified and
the requirements of the Management Representative are
defined in more detail.
ISO 20000-1:2005 required mutual agreement of
interpretation of the term supplier when assessing
conformance of service delivery dependencies through the
supplier management clause (supplier was not a defined
term in that standard, although clause 7.2 Figure 3 indicated
an intention to consider only external suppliers). ISO/IEC
20000-1:2011 introduces clause 4.2 Governance of processes
operated by other parties to acknowledge and clarify the
range of parties involved in contributing to successful service
delivery (internal service provider groups, external suppliers
or customer contributions). Further, you will recall from
clause 1.2 that a service provider cannot rely on evidence
of the governance of processes operated by other parties for
the requirements in Clause 4: Conformance now requires
the service provider to demonstrate both an awareness of
the range of service delivery dependencies and governance
of those concerns. ISO/IEC TR 20000-3 provides further
guidance about the governance of processes operated by
other parties.
Clause 4.3 Documentation management defines a more
prescribed documentation set for the SMS and introduces
formalised document and record controls. A notable
addition is the explicit requirement to document a catalogue
of services as a separate and distinct document from the
Service Level Agreement (SLA); this foundation document is
referred to again in support of service design and its purpose
clarified in clause 6.1 Service level management.
4.4 Resource management clarifies the SMS definition of resources (omitted from clause 2) as human, technical, information and financial resources with the conformance requirements for determination and provision of these.
4.5 Service management system planning and
implementation, derived from ISO 20000-1:2005 clause 4,
has been re-worked in this standard. While the principles
and structural outline have been maintained, there are
numerous detailed requirement changes throughout which
remove many points of ambiguity and interpretation and
enable improved consistency of application. For example, the service management plan shall now "contain or reference ... statutory and regulatory requirements ..." and "... criteria for accepting risks", analogous to ISO 27001 information security management system control requirements.
Due to the broad and detailed redevelopment, a thorough
review of clause 4 is required to become familiar with and
understand the revised and new conformance requirements.
5. Design and transition of new or changed services
Practices and requirements defined by ISO 20000-1:2005
clause 5 have been reworked and expanded to create clause 5
in this standard.
Clause 5.1 re-emphasises change management as the prime
controlling process. While acknowledging that the planning
and design of new or changed services may result in some
proposed changes that are rejected, the clause makes clear
that the service provider shall take necessary actions to
ensure that the remaining accepted changes are sufficient to
perform the new or changed service effectively (an indirect
conformance requirement for post-change effectiveness
monitoring and review that is made more explicitly in clause
9.2).
Clauses 5.2 and 5.3 list quite comprehensive requirements
for planning, design and development of new or changed
services including specific requirements for services that
are to be removed (mothballed, closed or retired) and due
diligence of dependencies with other parties contributing to
the provision of service components.
5.4 Transition of new or changed services redefines
requirements for pre-deployment service testing against
service provider and stakeholder pre-agreed acceptance
criteria, use of the revised release and deployment control
process to migrate the service into the live environment and a
post-deployment review against expected outcomes.
6. Service delivery processes
The overall structure and purpose of this clause remains unchanged. However, a detailed review reveals many additional conformance requirements where ISO 20000-1:2005 statements have been clarified and refined. More significant changes are outlined below.

There are two notable changes to clause 6.1 Service level management.

The first change updates the ISO 20000-1:2005 requirement that each service was to be defined, agreed and documented in one or more SLAs. ISO/IEC 20000-1:2011 recognises that a customer may contract a portfolio of IT services from a provider and that these shall now be defined in a catalogue of services for that customer that includes the dependencies between services and service components. This is then supplemented with one or more SLAs for each of the services being delivered.

The other change echoes Governance of processes operated by other parties (clause 4.2): distinct from supplier management (addressed later in clause 7.2), the final paragraph of clause 6.1 mandates governance requirements for service components provided by an internal group or the customer.

Clause 6.2 Service reporting is broadly unchanged in principle; however, the conformance requirements for service report context and content are more prescribed.

6.3 Service continuity and availability management has been expanded and logically restructured into three sub-clauses with clarified conformance requirements as follows.

Clause 6.3.1 Service continuity and availability requirements re-emphasises risk assessment of service continuity and availability as the first step in identifying and agreeing requirements with the customer and other interested parties. However, in assessing the conformance of a service provider that delivers a standardised service to a range of customers, the continuity and availability of that service would be risk-assessed and service level targets committed as part of the pre-contract service specification and SLA offered to those customers. The commercial contract would then constitute customer agreement to those prescribed continuity and availability commitments.

6.3.2 Service continuity and availability plans does not continue the former requirement to ensure that requirements are met "as agreed in all circumstances", as that contradicted the risk-based nature of service continuity and availability management. The clause does prescribe service continuity plan and service availability plan content, with the note that these plans may be combined into one document.

6.3.3 Service continuity and availability monitoring and testing drops the requirement to review the plans at least annually; this standard takes an event-driven approach to mandate review after testing the plans or after invoking the service continuity plan. As previously, service continuity and availability plans shall be re-tested after major changes to the service environment. Further, the tests are to be conducted against continuity and availability requirements, results recorded and reviewed, necessary actions taken and the result of those actions reported.

6.4 Budgeting and accounting for services remains broadly unchanged, although the revised layout and wording aids clarification. One notable addition is the requirement for a defined interface between the budgeting and accounting for services process and other financial management processes.

Similarly, 6.5 Capacity management generally replicates the previous version of the standard, though again there are subtle changes. The scope of resources to be managed is explicitly listed as human, technical, information and financial resources. Further, there is a subtle change of wording that mandates the required outcome:
 ISO 20000-1:2005 stated that "Methods, procedures and techniques shall be identified to monitor service capacity, tune service performance and provide adequate capacity." An arguable interpretation of this statement is that the provider could identify methods, procedures and techniques without actually committing to use these to provide adequate capacity.
 ISO/IEC 20000-1:2011 requires quite unambiguously that "The service provider shall provide sufficient capacity to fulfil agreed capacity and performance requirements."
6.6 Information security management has been reworked
to improve alignment with the requirements of ISO 27001. It
has been divided into clauses covering information security
policy, [risk] controls and change and incident management.
The new policy and control requirements, although
lightweight compared with ISO 27001, are more prescriptive
than the previous version of this standard and may
challenge some organizations that have not implemented an
information security management system conforming to ISO
27001.
In comparison, 6.6.3 Information security changes and
incidents should be less challenging as this generally
replicates the requirements of the previous version of this
standard to integrate information security management into
existing change management, incident management and
improvement processes.
7. Relationship processes
The overall structure and content of this clause remains
unchanged, though there are some detailed changes.
7.1 Business relationship management has more focus
upon the customer and is less prescriptive about the
relationship with other stakeholders.
The annual service review specified in ISO 20000-1:2005
has been replaced in this standard by the requirement for an
unspecified communication mechanism, enabling a variety
of arrangements from an annual review to a continuous,
on-demand review tailored to business requirements.
The purpose of this communication is defined, though the wording is a little ambiguous; a reasonable interpretation is recommended as "to promote [mutual] understanding of the business environment in which the services operate and requirements for new or changed services". This would enable, for example:
 the service provider to remain aware of the customer's business and operational environment and requirements for change arising from the customer, and
 the service provider to respond to changes in their own strategic and commercial environment and improve, adjust or replace elements of a generic service provided to a number of customers.

Whilst the requirements for management of customer complaints remain unchanged, customer satisfaction now takes a pragmatic view and enables measurements and analysis based on a representative sample of the customers and users of the services.
7.2 Supplier management now documents a prescriptive list
of elements that must be included or referenced in a supplier
contract.
The annual major review of the [supplier] contract or
formal agreement specified in ISO 20000-1:2005 has been
replaced with the more passive requirement to monitor the
performance of the supplier at planned intervals.
Of particular note are the replacement of two process requirements with:
 the requirement for the supplier contract to define or reference activities and responsibilities for termination of the contract and the transfer of services to a different party, ensuring that this is proactively addressed and documented before the need for transfer or termination arises, and
 the requirement for a documented procedure to manage contractual disputes.
8. Resolution processes
8.1 Incident and service request management
acknowledges contemporary practice in many organizations
to process incident reports and service change requests
through one customer-facing unit and one common process;
in this standard, the administration of service requests is
lifted out of the Change management clause and placed
here.
The standard requires the incident and service request
management process to be defined by two separate
documented procedures for incident and service request
lifecycle management from recording to closure. Information
to be made available to personnel performing the process is
prescribed and includes information from the Release and
deployment management process.
The final paragraph prescribes how Major incidents are now
to be managed using a documented procedure.
8.2 Problem management remains broadly unchanged
although the revised layout and wording aids clarity. One
notable improvement is the explicit acknowledgement that
not all problems are permanently resolvable; commercial,
technical or external constraints may prevent that from
happening. The clause now states that "where the root cause has been identified, but the problem has not been permanently resolved, the service provider shall identify actions to reduce or eliminate the impact of the problem on the services".
9. Control processes
Configuration and change management clauses are
significantly more prescriptive in this version of the standard.
9.1 Configuration management requirement changes include:
 minimum mandatory asset information fields for each CI in the CMDB,
 a documented procedure for recording, controlling and tracking versions of CIs that incorporates asset-risk-based control,
 master copies of CIs recorded in the CMDB shall be stored in secure physical or electronic libraries referenced by the configuration records,
 audit of the records stored in the CMDB at planned intervals.
9.2 Change management requirement changes include:
 minimum change management policy content,
 removal or transfer of a service shall be classified as a change to a service with the potential to have a major impact,
 a documented procedure to record, classify, assess and approve requests for change,
 a documented procedure for managing emergency changes.
The requirements to manage requests for change are similarly more robust as follows:
 Requests for change classified as having the potential to have a major impact on the services or the customer shall be managed using the design and transition of new or changed services process. All other requests for change to CIs defined in the change management policy shall be managed using the change management process.
 The service provider and interested parties shall make decisions on the acceptance of requests for change.
 The activities required to reverse or remedy an unsuccessful change shall be planned and, where possible, tested.
 The service provider shall review changes for effectiveness (ISO 20000-1:2005 required only that changes shall be reviewed for success).
9.3 Release and deployment management, now recognised
as a control process, has an overall purpose and content
that remains unchanged, although there are some detailed
changes. Notable additional requirements are as follows.
There is now an explicit requirement to coordinate the
deployment plan with the change management process and
include references to the related requests for change, known
errors and problems which are being closed through the
release. Planning must also include the dates for deployment
of each release, the associated deliverables and intended
methods of deployment.
The definition of an emergency release must be documented
and the release managed according to a documented
procedure that interfaces to the emergency change procedure.
For each release, acceptance criteria for the release must
be agreed with the customer and interested parties. Prior to
deployment, the release must be verified against the agreed
acceptance criteria and approved. If the criteria are not met,
the customer and interested parties must be involved in the
decision about what actions are necessary to proceed.
Appendix A
Service management system general requirements compared with ISO/IEC 9001 & ISO/IEC 27001.

| ISO 20000:2011 | ISO 9001:2008 | ISO 27001:2005 |
|---|---|---|
| 4.1 Management responsibility | 5 Management responsibility | 5 Management responsibility |
| 4.1.1 Management commitment | 5.1 Management commitment | 5.1 Management commitment |
| 4.1.2 Service management policy | 5.3 Quality policy | 4.2.1 b) Define an ISMS policy... |
| 4.1.3 Authority, responsibility and communication | 5.5 Responsibility, authority and communication | 5.1 c) establishing roles and responsibilities for information security and Annex A control¹ A.6.1.2 (approximate correlation) |
| 4.1.4 Management representative | 5.5.2 Management representative | 5.1 c) establishing roles and responsibilities for information security and Annex A controls¹ A.6.1.1 & A.6.1.2 (approximate correlation) |
| 4.2 Governance of processes operated by other parties | 7.4 Purchasing (approximate correlation) | Numerous Annex A controls¹, particularly A.6.1.2 to A.6.1.6 and A.6.2 (approximate correlation) |
| 4.3 Documentation management | 4.2 Documentation requirements | 4.3 Documentation requirements |
| 4.3.1 Establish and maintain documents | 4.2.1 General | 4.3.1 General |
| 4.3.2 Control of documents | 4.2.3 Control of documents | 4.3.2 Control of documents |
| 4.3.3 Control of records | 4.2.4 Control of records | 4.3.3 Control of records |
| 4.4 Resource management | 6 Resource management | 5.2 Resource management |
| 4.4.1 Provision of resources | 6.1 Provision of resources | 5.2.1 Provision of resources |
| 4.4.2 Human resources | 6.2 Human resources | 5.2.2 Training, awareness and competence |
| 4.5 Establish and improve the SMS | Numerous references (as below) | 4.2 Establishing and managing the ISMS |
| 4.5.1 Define scope | 4.2.2 a) Quality manual QMS scope definition | 4.2.1 a) Define the scope and boundaries of the ISMS |
| 4.5.2 Plan the SMS (Plan) | 5.4.2 Quality management system planning | 4.2.1 b) Define an ISMS policy, through to j) Prepare a Statement of Applicability (approximate correlation) |
| 4.5.3 Implement and operate the SMS (Do) | 4.1 General requirements (approximate correlation) | 4.2.2 Implement and operate the ISMS |
| 4.5.4 Monitor and review the SMS (Check) | 5.6 Management review | 4.2.3 Monitor and review the ISMS |
| 4.5.4.1 General | 8.1 Measurement, analysis and improvement - general | 4.2.3 Monitor and review the ISMS |
| 4.5.4.2 Internal audit | 8.2.2 Internal audit | 6 Internal ISMS audits |
| 4.5.4.3 Management review | 5.6 Management review | 7 Management review of the ISMS |
| 4.5.5 Maintain and improve the SMS (Act) | 8.5 Improvement | 8 ISMS improvement |
| 4.5.5.1 General | 8.5.1 Continual improvement | 8.1 Continual improvement |
| 4.5.5.2 Management of improvements | 5.6 Management review | 7 Management review of the ISMS, supplemented by 4.2.1 d) Identify the risks to i) Obtain management authorization (approximate correlation) |

¹ ISO 27001:2005 conformance does not require implementation of all control objectives and controls in Annex A of the standard as these are selected based upon the defined scope of the Information Security Management System. However, it would be very unusual for an organisation to justify exclusion of control objectives and controls defined in A.6.1.


International Register of Certificated Auditors (IRCA)


2nd Floor North
Chancery Exchange
10 Furnival Street
London EC4A 1AB
United Kingdom
Email: irca@irca.org
Tel: +44 (0) 20 7245 6833
Fax: +44 (0) 20 7245 6755
WWW.IRCA.ORG
