CA-16 · ISO clásica · servicios TI

ISO 20000

The international standard for IT service management. For managed service providers, B2B SaaS companies and IT departments that want to formalise their ITIL processes into a certifiable, auditable system recognised by public and private sector clients.

StandardISO/IEC 20000-1:2018
Duration6-9 months
ProfileMSP · B2B SaaS · Internal IT

ISO/IEC 20000-1:2018 is the only internationally certifiable standard for IT service management. Published by ISO in conjunction with IEC, it translates ITIL v4 best practices into auditable requirements: a service catalogue with documented service level agreements (SLAs), structured management of incidents, problems and changes, and a measurable continuous improvement cycle with real indicators. Unlike ITIL certification — which is personal — ISO 20000 certifies the organisation and the scope of the service it provides, making it a credential that can be demanded in public tenders and contracts with large enterprises.

The standard covers the full IT service lifecycle: from catalogue design and capacity and availability management, through daily operations (incident, problem, request and access management), to service transition and change management. It requires establishing internal operational level agreements (OLAs) and external SLAs or contracts, managing suppliers and subcontractors, and maintaining an internal audit programme and management reviews. Its current 2018 version introduced explicit alignment with the ISO High Level Structure (HLS), which facilitates integration with ISO 27001 (information security) and ISO 22301 (business continuity).

At Summum we guide implementation from the initial diagnosis through to the certification audit with the accredited body of the client's choice — AENOR, Bureau Veritas, SGS, Lloyd's Register or others. We are consultants, not certifiers: our work ends when the external auditor issues the certificate. Since 2007 we have been supporting management system implementations in Castile and León and the Canary Islands, with approximately 200 ISO certifications accompanied over that time. In ISO 20000, our key differentiator is that we always start from the processes the client already has in place — we do not reinvent the service to achieve certification; we organise what works and correct what does not.

The ISO 20000 process.

The process · four stages
01

ITSM Maturity Diagnosis

We assess the current state against the requirements of ISO/IEC 20000-1:2018: which processes exist, which are documented, which have real metrics and which critical gaps block certification. We deliver a gap report with risk-prioritised actions and a realistic roadmap. No assumptions: we look at what is there, not what should be.

02

System Design and Service Catalogue

We build the service catalogue with SLAs per tier (basic, advanced, critical), internal operational level agreements (OLAs) with the teams, and the procedures for the mandatory ITSM processes: incident, problem, change, configuration, request, capacity, availability and IT service continuity management. We adapt the document templates to the tool the client already uses (ServiceNow, Jira Service Management, Freshservice or even manual management).

03

Implementation, Training and Internal Audit

We support the launch of new or improved processes during the run-in period — typically three to six months. We train the process owners and technical team on the requirements of the standard. We carry out the internal audit prior to certification with an auditor independent of the implementation team, produce the non-conformity report and support its closure before the external audit.

04

Certification Audit and Follow-up

We coordinate the certification audit with the chosen accredited body. We attend as observers during audit sessions, manage detected non-conformities and support the presentation of evidence. After certification, we plan the annual surveillance audits and the triennial renewal to keep the certificate valid.

What is included

What ISO 20000 includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Diagnosis and gap map

    Gap report against ISO/IEC 20000-1:2018 with prioritisation by certification risk and a phased roadmap.

  • Service catalogue and SLAs

    Formal catalogue with description of each service, service levels (response time, resolution, availability) and monitoring metrics.

  • Documented ITSM procedures

    Procedures for the mandatory processes: incidents, problems, changes, configuration, requests, capacity, availability and IT service continuity.

  • Management system policy

    IT service management policy, measurable objectives, roles and responsibilities (RACI) and an internal audit programme.

  • Technical team training

    In-person or remote training sessions for the operations team, process managers and the system owner. Includes a mock audit.

  • Certification support

    Coordination with the accredited body (AENOR, BV, SGS…), support during audit sessions and management of non-conformity closure through to certificate issuance.

Frequently asked questions about ISO 20000.

What is the difference between ISO 20000 and ITIL?

ITIL is a framework of best practices for IT service management; it describes what to do but is not externally certifiable or auditable. ISO/IEC 20000-1:2018 is an international standard that is certifiable: it establishes concrete requirements — not just recommendations — and allows an accredited body (such as AENOR or Bureau Veritas) to audit compliance and issue a recognised certificate. A company can implement ITIL without seeking any formal accreditation; ISO 20000 requires demonstrating compliance to third parties. Both are compatible: the standard aligns with the terminology and processes of ITIL v4.

Which organisations get certified in ISO 20000?

Primarily managed service providers (MSPs), software-as-a-service (SaaS) companies that provide technical support to B2B clients, IT departments of large enterprises or public administrations that manage internal services as a product, and hosting, telecommunications or systems integration companies. It also applies to any company wishing to win public contracts that require demonstrating IT service management capability through a certifiable standard.

How long does it take to obtain ISO 20000 certification?

In most projects, between six and nine months from the initial diagnosis to the certification audit. The time depends on the starting point: if the company already has mature ITIL processes and active ticketing management tools, the project can run towards the lower end. If starting from scratch — with no documented procedures or SLA metrics — it is common for the pre-audit run-in period to extend in order to accumulate sufficient evidence (a minimum of three months of operation with the system in place).

Does Summum issue the ISO 20000 certificate?

No. Summum is a consultancy: we support the design, implementation and preparation through to the audit. The certificate is issued by a certification body accredited by ENAC (the National Accreditation Entity) in Spain: AENOR, Bureau Veritas, SGS, Lloyd's Register, among others. This separation between consultancy and certification is the industry standard and guarantees the independence of the audit.

Is ISO 20000 compatible with ISO 27001 or ISO 22301?

Yes, and in practice it is common to integrate all three systems. ISO/IEC 20000-1:2018 follows the High Level Structure (HLS) common to all modern ISO management system standards, which allows sharing the policy, objectives, internal audit cycle and management review with ISO 27001 (information security) and ISO 22301 (business continuity). Integration reduces documentary burden and audit sessions, and presents the client or contracting authority with a coherent picture of the IT provider.