What-is-the-Real-Scope-of-ISO-20000

I am sometimes asked whether the scope of the international standard for service management, ISO/IEC 20000, is only IT services or all services.

As the Convener of the working group within ISO responsible for the ISO/IEC 20000 series (JTC1/SC7/WG25), I can confirm that because ISO/IEC 20000-1 is a requirements standard used by auditors and by organizations wishing to demonstrate conformity and achieve certification, it must be interpreted as written. Clause 1.2 states: ” All requirements in this part of ISO/IEC 20000 are generic and are intended to be applicable to all service providers, regardless of type, size and the nature of the services delivered.”

I can also confirm that we were very careful when writing ISO/IEC 20000-1 not to use the term “IT” within the body of the standard, specifically for this reason. ISO/IEC 20000-1 is requirements for a service management system (SMS), not an IT service management system. The services supported by the SMS can be any type of services, often several different types. What an auditor/assessor cares about is whether the service provider meets the requirements of 20000-1. 

Say an organization wanted to provide financial services to external customers. The SMS could be used to help them design, build, test, implement and improve those financial services. If they wanted to provide health services via the internet, so customers could accurately track their medications, get health information or make Dr. appointments, they could use the SMS to deliver/manage those services. If the organization provided insurance services, or was a city council or a utility, a hotel or a travel agent they could use the SMS. 

The SMS is primarily used by service providers who manage technology enabled services, including telecommunications, cloud, broadband utility providers, managed services, many financial services and internal IT services. This is due to the need to tightly control change/risk/cost/delivery/potential failure for these services and because 20000-1 includes requirements that are essential for technology enabled services. A significant percentage of all services offered by service providers are technology enabled – these days it can actually be difficult to find examples of services that are not! In 2013, technology is considered a component of the capabilities required to deliver business outcomes, along with people, process and organizational structure. It is often not practical or efficient to be managed in isolation. 

Regardless of the services offered, the management system required to manage them should be consistent. This is why every organization with an SMS can have different customers and offer different services and it still works. The policies, resources and activities required to design, build, test, operate and improve services are very often the same, regardless of what those services are – it can increase efficiency, effectiveness and quality of service delivery and service management to align your organization’s SMS to support your IT services, technology enabled business services, telecommunications services, cloud services etc. The SMS is the engine of the car – the organization needs to decide where to drive and the engine gets the car where it needs to go. Sometimes in order to get where it is going the organization needs to focus not only on services but also security, or health and safety, or environment, or quality, or some combination. This becomes an integrated management system, rather than lots of engines in the same car.

So the big question everybody asks once they understand this is “Why does the title of ISO/IEC 20000-1 include Information Technology?” The answer is that every single standard from the JTC1 part of ISO gets this title automatically – it is on the template. ISO/IEC 27001 is a good example. The full title of that standard is: ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements. However, ISO/IEC 27001 is not just for IT security management, but enterprise wide security management. Can you imagine if access management were limited to only IT related access? There goes your corporate information! The scope of ISO/IEC 27001 includes physical locks on a door – that is not IT. ISO/IEC 20000-1 is the same in this regard – it is requirements for an SMS, not an IT SMS. Management systems are intended to bring organizations together so they can work more effectively, not segregate them further. 

ISO/IEC 20000-3:2012, Guidance on scope definition and applicability of ISO/IEC 20000-1 provides further information to assist organizations and individuals with scoping their SMS and includes scenarios.