In This Article
- ISO 20000-1:2018 requires approximately 20-25 items of documented information across Clauses 4-10
- The standard distinguishes between documents to "maintain" (policies, procedures, plans) and records to "retain" (evidence of activities)
- Documentation can be in any format — formal documents, tool configurations, wiki pages, or any controlled medium
- The service management plan (Clause 8.1) is the single most important document and the most commonly missing one
- Good documentation supports your SMS — it should reflect reality, not just satisfy audit requirements
Documentation Requirements Overview
ISO 20000-1:2018 uses the term "documented information" throughout the standard, encompassing both documents (information that is maintained and can be updated) and records (evidence of activities that is retained). Understanding what the standard explicitly requires is critical for certification readiness.
The standard signals documentation requirements in two ways:
- "Documented information shall be maintained" — this means you need a document, procedure, policy, or plan that is kept current
- "Documented information shall be retained" — this means you need records or evidence of activities performed
- "The organisation shall determine / establish / document" — this implies a documented output is needed
In addition to explicitly required documented information, there are items that, while not literally mandated, are practically necessary for demonstrating conformity. We've included these as "recommended" items in our checklist.
ISO 20000-1 does not prescribe document formats, naming conventions, or media. You can use Word documents, SharePoint pages, Confluence wikis, ITSM tool configurations, spreadsheets, or any other medium — provided the documented information is controlled, accessible, and adequate.
Clause 4: Context of the Organisation
Clause 4 establishes the foundation of your SMS by requiring you to understand your organisation's context and define the scope of the management system.
Required documented information
- Scope of the SMS (Clause 4.3) — A clearly defined and documented scope statement identifying the services, organisational boundaries, and locations covered by the service management system. The scope must consider the internal and external issues identified in Clause 4.1 and the requirements of interested parties in Clause 4.2.
- Service catalogue (Clause 4.3 / 8.2) — While primarily operational (Clause 8.2), the service catalogue must be established and maintained as documented information. It should list all services within the SMS scope and their key attributes.
Recommended documented information
- Analysis of internal and external issues affecting the SMS (context analysis)
- Register of interested parties and their requirements
- Interface and integration points with other parties involved in the service lifecycle
Clause 5: Leadership
Clause 5 requires top management to demonstrate leadership and commitment to the SMS.
Required documented information
- Service management policy (Clause 5.2) — A documented policy that is appropriate to the organisation's purpose, provides a framework for setting service management objectives, includes a commitment to satisfying applicable requirements, and includes a commitment to continual improvement. The policy must be communicated and available to interested parties as appropriate.
- Roles, responsibilities, and authorities (Clause 5.3) — Documentation of roles and responsibilities for the SMS, including who has authority for maintaining the SMS, reporting on performance, and ensuring service requirements are met.
Recommended documented information
- Organisation chart showing SMS governance structure
- Terms of reference for the service management committee or governance forum
- Evidence of management communication about the SMS to the organisation
Clause 6: Planning
Clause 6 addresses how the organisation plans for risk, sets objectives, and manages changes to the SMS.
Required documented information
- Risk assessment of the SMS (Clause 6.1) — Documented results of actions to address risks and opportunities to the SMS. This includes the risk assessment itself and the actions determined to address identified risks.
- Service management objectives (Clause 6.2) — Documented objectives that are consistent with the service management policy, are measurable, take into account applicable requirements, are monitored, and are communicated. The objectives must state what will be done, what resources are needed, who is responsible, when it will be completed, and how results will be evaluated.
- Service management plan (Clause 6.2 / 8.1) — The plan for achieving service management objectives and for implementing and managing the SMS. This is one of the most critical documents and must cover the full SMS lifecycle.
Recommended documented information
- Risk register with treatment decisions
- Objectives monitoring reports and dashboards
Clause 7: Support
Clause 7 covers the supporting elements needed for the SMS to function: resources, competence, awareness, communication, documented information, and knowledge.
Required documented information
- Competence records (Clause 7.2) — Evidence of competence for persons doing work that affects SMS performance. This includes education, training, and experience records.
- Document control procedure (Clause 7.5) — While not explicitly named, Clause 7.5 requires the organisation to control documented information — ensuring creation, updating, identification, storage, protection, retrieval, retention, and disposition are managed. A document control procedure or equivalent is needed.
- Knowledge management (Clause 7.6) — The organisation shall determine the knowledge necessary for the SMS and make it available. Evidence of knowledge management activities and repositories should be maintained.
Recommended documented information
- Training plan and training records
- Communication plan for the SMS
- Knowledge base or knowledge management system records
- Document register or master list of documented information
Clause 8: Operation of the SMS
Clause 8 is the largest clause in ISO 20000-1 and covers all operational processes of the SMS. This is where the majority of documented information is required.
8.1 Operational planning and control
- Service management plan — The detailed plan for how the SMS will operate, including process definitions, roles, tools, and timelines
- Plans for services (individual service plans) — For new or changed services, documented plans covering design, build, transition, and acceptance
8.2 Service portfolio
- Service catalogue — Documented catalogue of all services within the SMS scope, including service descriptions, service levels, and dependencies
- Service portfolio documentation — Pipeline services, active services, and retired services
8.3 Relationship and agreement management
- Service level agreements (SLAs) — Documented agreements with customers specifying service targets, responsibilities, and escalation procedures
- Supplier contracts and agreements — Documented contracts with suppliers and other parties involved in service delivery, including service requirements and performance targets
- Service requirements documentation — Agreed and documented service requirements from customers and other interested parties
- Records of service reviews — Evidence of regular service reviews with customers and suppliers, including outcomes and actions
8.4 Supply and demand
- Capacity plan — Documented capacity management activities including current capacity, demand forecasts, and planned adjustments
- Budget and accounting records — Evidence of budgeting and accounting for services (financial management for services)
8.5 Service design, build, and transition
- Change management policy and procedure — Documented process for managing changes to services, including assessment, approval, and review
- Change records — Records of all changes including requests, assessments, approvals, implementation details, and post-implementation reviews
- Release and deployment policy and plans — Documented criteria for accepting new or changed services, including release plans and deployment procedures
- Release records — Evidence of release planning, testing, approval, and deployment activities
8.5.4 Service availability and continuity
- Service availability plan — Documented plan for maintaining and improving service availability
- Service continuity plan — Documented plan for maintaining or restoring services following a major disruption, including recovery procedures, roles, and communication plans
- Service continuity test records — Evidence that continuity plans have been tested and results documented
8.5.5 Information security
- Information security policy — Within the SMS context, a documented policy addressing information security for services
- Information security controls — Documentation of security controls applied to protect service information
8.6 Resolution processes
- Incident management procedure — Documented process for logging, classifying, prioritising, investigating, resolving, and closing incidents
- Incident records — Records of all incidents including classification, priority, resolution, and closure details
- Major incident records — Specific records for major incidents including root cause analysis and post-incident reviews
- Service request procedure — Documented process for handling service requests
- Problem management procedure — Documented process for identifying, recording, analysing, and resolving problems
- Problem records — Records of problems including root cause analysis, known errors, and resolution status
8.7 Service assurance
- Configuration management records — Configuration management database (CMDB) or equivalent records of configuration items, their attributes, and relationships
- Asset management records — Records of service assets within the SMS scope
Clause 9: Performance Evaluation
Clause 9 requires the organisation to monitor, measure, analyse, and evaluate the SMS and services.
Required documented information
- Monitoring and measurement results (Clause 9.1) — Records of service performance against agreed targets, including SLA reports, KPI dashboards, and trend analysis
- Service reports (Clause 9.1) — Regular reports on service performance provided to customers and management
- Internal audit programme and results (Clause 9.2) — A documented audit programme covering scope, frequency, methods, and auditor assignments, plus audit reports with findings, conclusions, and corrective action requirements
- Management review records (Clause 9.3) — Minutes or records of management reviews covering all required inputs (status of previous actions, changes to the SMS, service performance, audit results, risks, nonconformities, and improvement opportunities) and outputs (decisions and actions)
Recommended documented information
- Audit schedule and auditor competence records
- Customer satisfaction survey results and analysis
- Service performance trend reports
Clause 10: Improvement
Clause 10 covers nonconformity management, corrective action, and continual improvement.
Required documented information
- Nonconformity and corrective action records (Clause 10.1) — Records of all nonconformities identified (from audits, incidents, complaints, or other sources), including the nature of the nonconformity, actions taken, root cause analysis, corrective actions implemented, and verification of effectiveness
- Continual improvement records (Clause 10.2) — Evidence of improvement activities, including identified opportunities, implementation plans, and results achieved. The organisation must demonstrate that it is continually improving the SMS and the services
Recommended documented information
- Improvement register or log
- Corrective action tracking database
- Improvement project plans and status reports
Master Documentation Checklist
The following table provides a comprehensive reference of all documented information required or recommended for ISO 20000-1:2018 certification.
| Document / Record | Clause | Status |
|---|---|---|
| Scope of the SMS | 4.3 | Required |
| Service management policy | 5.2 | Required |
| Roles, responsibilities, and authorities | 5.3 | Required |
| Risk assessment and treatment actions | 6.1 | Required |
| Service management objectives | 6.2 | Required |
| Service management plan | 6.2 / 8.1 | Required |
| Competence records | 7.2 | Required |
| Document control procedure | 7.5 | Required |
| Knowledge management evidence | 7.6 | Required |
| Service catalogue | 8.2 | Required |
| Service level agreements (SLAs) | 8.3 | Required |
| Supplier contracts / agreements | 8.3.4 | Required |
| Service review records | 8.3 | Required |
| Capacity plan | 8.4.1 | Required |
| Change management procedure and records | 8.5.1 | Required |
| Release and deployment plans and records | 8.5.2-8.5.3 | Required |
| Service availability plan | 8.5.4 | Required |
| Service continuity plan and test records | 8.5.4 | Required |
| Information security policy and controls | 8.5.5 | Required |
| Incident management procedure and records | 8.6.1 | Required |
| Problem management procedure and records | 8.6.2 | Required |
| Configuration management records (CMDB) | 8.7 | Required |
| Monitoring and measurement results / service reports | 9.1 | Required |
| Internal audit programme and reports | 9.2 | Required |
| Management review records | 9.3 | Required |
| Nonconformity and corrective action records | 10.1 | Required |
| Continual improvement evidence | 10.2 | Required |
Tips for Document Management
Effective documentation supports your SMS without creating unnecessary bureaucracy. Here are practical tips based on our audit experience:
1. Write for the users, not the auditors
Documentation should help the people who use it. If a procedure is so complex that nobody reads it, it's not serving its purpose. Keep procedures concise, clear, and practical. Use flowcharts, checklists, and templates where appropriate.
2. Leverage your ITSM tool
Modern ITSM tools (ServiceNow, Jira Service Management, Freshservice, BMC Remedy, etc.) generate records automatically. Incident records, change records, problem records, and configuration items maintained in the tool constitute valid documented information. Don't duplicate in separate documents what your tool already captures.
3. Implement version control
Every document must be identifiable — with a title, version number, date, author, and approval authority. Implement a consistent version control system and ensure only current versions are available at points of use. Retain superseded versions for reference but mark them clearly as obsolete.
4. Plan retention periods
Define how long records are retained. ISO 20000-1 doesn't prescribe specific retention periods, but you need a policy. Consider legal, regulatory, contractual, and operational requirements. A common approach is to retain records for at least the current certification cycle (3 years) plus one year.
5. Conduct regular document reviews
Schedule annual reviews of all policies, plans, and procedures to ensure they remain current. Changes in services, processes, tools, or organisational structure should trigger document updates. Stale documentation is one of the most common audit findings.
6. Create a document register
Maintain a master list of all documented information within the SMS. This register should show the document name, owner, current version, last review date, and next review date. It serves as your single source of truth for documentation status and is invaluable during audits.
The best documentation is the documentation that people actually use. If your procedures sit in a shared folder gathering dust, they're not supporting your SMS. Make documents accessible, practical, and relevant — and review them regularly to keep them that way.
Frequently Asked Questions
How many mandatory documents does ISO 20000-1 require?
ISO 20000-1:2018 explicitly requires approximately 20-25 items of documented information including policies, plans, procedures, catalogues, agreements, and records. The exact count varies based on interpretation, but our comprehensive checklist identifies all items where the standard uses "shall be documented" or "documented information shall be maintained/retained."
What is the difference between a document and a record in ISO 20000-1?
Documents are controlled information that can be updated over time — such as policies, procedures, and plans. Records are evidence of activities performed — such as audit reports, incident logs, and management review minutes. ISO 20000-1 uses the unified term "documented information", but the distinction matters for document control purposes.
Does ISO 20000-1 prescribe document formats?
No. ISO 20000-1 does not prescribe specific formats. Documented information can be in any format — Word documents, wiki pages, ITSM tool configurations, spreadsheets, or any other medium. What matters is that the information is controlled, accessible, and adequate for its intended purpose.
What is the most commonly missing document in ISO 20000-1 audits?
The service management plan (Clause 8.1) is frequently missing or inadequate. Organisations often implement processes but fail to create the overarching plan that describes how the SMS will be designed, transitioned, delivered, and improved — including objectives, resources, timelines, and roles.
Can we use our ITSM tool as documentation evidence?
Yes. ITSM tools (such as ServiceNow, Jira Service Management, or BMC Remedy) are excellent sources of documented information. Tool configurations, workflows, dashboards, and records generated by the tool all constitute valid documented information. Ensure the tool data is accessible during audits and that configuration changes are controlled.