What Is ISO 20000? Definition, Requirements, and How It Compares to ITIL

Suresh Choudhary
June 16, 2026

ISO 20000 is the international standard for IT service management.

This is the simplest answer to the question of what ISO 20000 is.

However, there is more to the standard than a one-line answer. ISO/IEC 20000-1 was first published in 2005, and the current edition came out in 2018.

Organizations use this standard to prove that their service management system is mature, to themselves and also to the customers who ask for the proof.

For most IT teams, ISO 20000 does not come up on its own. It comes up when a customer contract asks for it, a tender lists it, or an auditor mentions it in a meeting.

So, this guide helps you understand ISO 20000 from the ground up: what the standard covers, what it requires at a high level, how it compares with ITIL, and whether your organization actually needs it.

So, let's get started.

What ISO 20000 is and what it covers

ISO 20000, or in full ISO/IEC 20000, is a multi-part standard for IT service management.

Among these parts, ISO/IEC 20000-1 is the requirements document, and it is the only part an organization can be certified against. The other parts, such as 20000-2 and 20000-3, are guidance documents that help you apply Part 1.

Put simply, when a company says it is "ISO 20000 certified", it is talking about Part 1.

The scope of the standard is to define the requirements for a Service Management System (SMS).

An SMS is the management system that an IT organization uses to plan, deliver, and improve its IT services. It includes the policies, the processes, the roles, and the records that keep service delivery under control.

One thing worth knowing here: ISO 20000 does not tell organizations how to run their services. It does not pick your tools, and it does not write your incident process for you. It only defines what an effective SMS must have in place, and the how is left entirely to the organization.

This is the reason two certified organizations can run their IT very differently, and still both meet the standard.

What ISO 20000 requires (the high-level framework)

The requirements of ISO/IEC 20000-1 are organized into seven clauses, which are numbered from 4 to 10.

If you are wondering why it starts from 4, the answer is simple. The first three clauses of the document are introductory, so the requirements that an auditor actually checks begin from clause 4.

Here is what each clause asks for:

| Clause | What it asks for |
|---|---|
| 4. Context of the organization | Understand your stakeholders and define the scope of your SMS |
| 5. Leadership | Management commitment, a service management policy, and clear accountability |
| 6. Planning | Risks, objectives, and the plans to achieve them |
| 7. Support of the SMS | Resources, competence, awareness, communication, and documentation |
| 8. Operation of the SMS | The service management processes themselves, from design to delivery |
| 9. Performance evaluation | Monitoring, measurement, internal audits, and management reviews |
| 10. Improvement | Nonconformities, corrective actions, and continual improvement |

Now, out of these seven clauses, clause 8 is the one where most of the day-to-day IT work sits. It covers the processes that an IT team would already recognize, such as incident management, change management, problem management, service level management, capacity management, and supplier management.

The rest of the clauses exist to support clause 8. They make sure that these processes are planned, resourced, measured, and improved, and do not exist only on paper.

Also, this clause structure is not something unique to ISO 20000. ISO uses the same high-level structure across all its management system standards. 

So, if your organization is already certified against ISO 9001 or ISO 27001, this layout will look familiar to you.

ISO 20000 vs. ITIL: How do they relate?

ISO 20000 and ITIL are not competing with each other. 

ITIL is a framework of best practices for service management, while ISO 20000 is a standard that an organization can be certified against.

Put simply, ITIL suggests good ways to run your services, and ISO 20000 checks that your service management system meets a defined bar.

There is also one difference that clears up most of the confusion. ITIL has no certification for organizations; the ITIL certifications from PeopleCert are for individuals. ISO 20000 works the other way around: the certificate goes to the organization, and a third-party body audits it.

Here is how the two compare side by side:

| | ITIL | ISO 20000 |
|---|---|---|
| Origin | AXELOS, now owned by PeopleCert | ISO and IEC |
| Type | Best-practice framework | Certifiable standard |
| Structure | Management practices (34 of them in ITIL 4) | Requirements clauses (4 to 10) |
| Validation | Individuals get certified, organizations do not | Formal third-party certification of the organization |
| Audience | Practitioners running the services | Organizations that need external accreditation |

This is the reason the two usually show up in the same journey. Many organizations adopt ITIL practices first to mature their service management, and then go for ISO 20000 certification when a customer or the market needs the external proof of it.

So, you do not have to choose between them. Plenty of organizations run ITIL practices inside an ISO 20000 certified SMS, and the two fit together without any conflict.

Who ISO 20000 is for (and who doesn't need it)

The organizations that pursue ISO 20000 usually do it for one of four reasons.

  • Customer or contractual requirements: This is the most common one. Government contracts and regulated industries often list the certification as a condition for bidding, so the organization gets certified because the deal asks for it.
  • Competitive differentiation: Managed service providers operate in a crowded market, and the certificate is a way of standing out in a bid against providers who do not have it.
  • Internal maturity benchmarking: Some organizations use the standard as a bar to measure their own service management against, even before any customer asks for it.
  • Vendor due diligence: When prospects send long questionnaires about how your IT is run, an ISO 20000 certificate answers a good part of them in one line.

Now, the honest part. Who does not need it?

If your organization has no external pressure, no customer mandate, no regulatory requirement, and no tenders that list the standard, then formal certification is rarely worth the cost and the audit time. The certificate proves a point, and if nobody is asking you to prove that point, you are paying to answer a question that was never asked.

For most teams in that position, adopting ITIL practices without the ISO certification is the right path. You get the maturity that the standard is checking for, and you skip the formality of proving it to a third party.

So, the decision is less about how good your IT team is, and more about who needs to see the proof.

Frequently asked questions

1. Is ISO 20000 the same as ISO 27001?

No. ISO 20000 is the standard for IT service management, and ISO 27001 is the standard for information security management. 

The two do follow the same high-level clause structure, which is the reason organizations often pursue them together, but they certify different things. One covers how you deliver IT services, and the other covers how you protect information.

2. Is ISO 20000 mandatory?

No, ISO 20000 is a voluntary standard, and no law requires an organization to be certified against it. However, it can become mandatory in practice when a government tender, a customer contract, or a regulated industry lists the certification as a condition for doing business.

3. What's the difference between ISO 20000 and ISO 9001?

ISO 9001 is the standard for quality management in general, and it applies to any organization in any industry. ISO 20000 is specific to IT service management. 

Put simply, ISO 9001 checks the quality of how you run your business, while ISO 20000 checks how you deliver IT services.

4. Who can certify against ISO 20000?

ISO itself does not certify anyone. Certification is done by accredited third-party certification bodies, such as BSI, DNV, or LRQA, which audit the organization against ISO/IEC 20000-1 and issue the certificate. The accreditation part matters, since a certificate from a non-accredited body carries little weight in tenders and due diligence.

Final thoughts

ISO 20000 is a standard you certify against, and ITIL is a framework you practice. That is the distinction this whole guide comes down to.

Whichever of the two your organization leans on, both of them assume the same thing underneath: that your team has working service management workflows in place. The standard audits those workflows and the framework shapes them, but neither one runs them. That part happens in your ITSM ticketing system, where requests get logged, routed, and resolved every day.

And if your next step is the certification itself, the audit process and the compliance side deserve their own read, which is covered in our guide on ISO 20000 compliance.


Suresh Choudhary is a B2B content writer with 7+ years of experience simplifying complex SaaS and technology concepts for business audiences. He writes content that helps companies grow organically and convert readers into customers.
