Key Takeaways
  • ISO 20000-1:2018 contains seven auditable clauses (4-10), with Clause 8 being the most extensive, covering all service management operational processes.
  • All requirements are mandatory -- unlike ISO 27001, there is no mechanism to exclude requirements from the scope of certification.
  • Clause 8 is organized into six process groups: service portfolio, relationship and agreement, supply and demand, design/build/transition, resolution and fulfilment, and service assurance.
  • The standard requires documented information (policies, plans, records) for virtually every process area.
  • Common nonconformities centre on incomplete service catalogues, unmeasurable SLAs, weak problem management, and poor integration between processes.

Overview of ISO 20000-1 Requirements

ISO/IEC 20000-1:2018 follows the Annex SL high-level structure common to all modern ISO management system standards. The standard contains 10 clauses, of which Clauses 4 through 10 contain the auditable requirements. Clauses 1-3 cover scope, normative references, and terms and definitions -- these are informational and not audited directly.

The requirements are designed to work together as a system. Clause 4 establishes the foundation (context, scope, SMS), Clause 5 sets direction (leadership, policy), Clause 6 plans the approach (risks, objectives), Clause 7 provides the enablers (resources, competence, documentation), Clause 8 covers the operational processes (the core of ITSM), Clause 9 evaluates performance (monitoring, audit, review), and Clause 10 drives improvement (corrective action, continual improvement).

A critical point for organizations to understand is that all requirements in Clauses 4-10 are mandatory. Unlike ISO 27001, where Annex A controls can be excluded via the Statement of Applicability, ISO 20000-1 does not permit exclusions. However, the depth and complexity of implementation can be scaled proportionally to the organization's size, complexity, and service portfolio.

| Clause | Title | Primary Focus | Audit Weight |
|--------|-------|---------------|--------------|
| 4 | Context of the Organization | Scope, interested parties, SMS boundaries | Moderate |
| 5 | Leadership | Top management commitment, policy, roles | Moderate |
| 6 | Planning | Risk, objectives, change planning | Moderate |
| 7 | Support of the SMS | Resources, competence, documentation, knowledge | Moderate |
| 8 | Operation of the SMS | All service management processes | High (50%+ of audit time) |
| 9 | Performance Evaluation | Monitoring, internal audit, management review | Moderate |
| 10 | Improvement | Nonconformity, corrective action, continual improvement | Moderate |

Clause 4: Context of the Organization

Clause 4 establishes the foundation for the SMS by requiring the organization to understand its environment, stakeholders, and boundaries.

What It Requires

  • 4.1 Understanding the organization and its context: Determine the external and internal issues that are relevant to the organization's purpose and that affect its ability to achieve the intended outcomes of the SMS
  • 4.2 Understanding the needs and expectations of interested parties: Identify relevant interested parties (customers, users, suppliers, regulators) and their requirements for the SMS
  • 4.3 Determining the scope of the SMS: Define the boundaries and applicability of the SMS, considering the issues from 4.1 and requirements from 4.2. The scope must specify the services included
  • 4.4 Service management system: Establish, implement, maintain, and continually improve the SMS, including the processes needed and their interactions

Practical Guidance

The scope statement is one of the most critical documents in the SMS. It must clearly identify which services are included, the organizational units responsible, and any geographic boundaries. A common mistake is defining the scope too broadly (making the system unmanageable) or too narrowly (excluding services that customers expect to be covered).

When identifying interested parties, consider customers, end users, service owners, suppliers, subcontractors, regulatory bodies, and internal stakeholders such as senior management and finance.

Typical Documents and Evidence

  • SMS scope statement
  • Context analysis (internal and external factors)
  • Interested parties register with their requirements
  • Service management plan

Common Nonconformities

  • Scope statement does not list specific services included
  • Interested parties not identified or their requirements not documented
  • Scope excludes services that are clearly interdependent with included services
  • No evidence that external and internal issues have been analysed

Clause 5: Leadership

Clause 5 establishes the requirements for top management engagement and accountability for the SMS.

What It Requires

  • 5.1 Leadership and commitment: Top management must demonstrate leadership and commitment to the SMS by ensuring policy and objectives are established, resources are available, the importance of effective service management is communicated, and the SMS achieves its intended outcomes
  • 5.2 Policy: Establish a service management policy that is appropriate to the purpose of the organization, provides a framework for setting objectives, includes a commitment to satisfy applicable requirements, and includes a commitment to continual improvement
  • 5.3 Organizational roles, responsibilities, and authorities: Ensure that responsibilities and authorities for relevant roles are assigned, communicated, and understood within the organization. Appoint a person or group accountable for the SMS

Practical Guidance

Top management commitment is not just about signing a policy document. Auditors look for evidence of active involvement: participation in management reviews, allocation of adequate resources, visible support for the SMS programme, and evidence that service management performance is discussed at senior leadership level.

The service management policy should be concise, relevant, and communicated to all relevant parties. Avoid generic policies copied from templates -- the policy must reflect your organization's specific service management context and ambitions.

Typical Documents and Evidence

  • Service management policy (signed by top management)
  • Organizational chart showing SMS roles and responsibilities
  • RACI matrix for service management processes
  • Management review minutes showing top management engagement
  • Resource allocation records

Common Nonconformities

  • Policy is generic and does not reflect the organization's specific context
  • Top management cannot demonstrate awareness of SMS performance
  • Roles and responsibilities are not clearly defined or communicated
  • No designated person or group accountable for the SMS

Clause 6: Planning

Clause 6 requires the organization to plan how to address risks and opportunities, set objectives, and manage changes to the SMS.

What It Requires

  • 6.1 Actions to address risks and opportunities: Determine risks and opportunities that need to be addressed to ensure the SMS can achieve its intended outcomes, prevent or reduce undesired effects, and achieve continual improvement
  • 6.2 Service management objectives and planning to achieve them: Establish measurable objectives for service management at relevant functions and levels. Plan how to achieve these objectives, including what will be done, what resources are required, who is responsible, and when it will be completed
  • 6.3 Plan the service management system: Create, implement, and maintain a service management plan that includes the service management processes, their policies, objectives, resources, technology, and relationships with other parties

Practical Guidance

Risk management in ISO 20000-1 follows the same principles as other Annex SL standards. Organizations should establish a risk assessment methodology, identify risks that could impact service delivery, and implement appropriate treatments. This is distinct from the operational risk assessments that happen within individual processes like change management.

Service management objectives must be measurable and aligned with the service management policy. Examples include: "Reduce mean time to resolve P1 incidents by 15% within 12 months" or "Achieve 99.9% availability for Tier 1 services." Vague objectives like "improve service quality" are insufficient.

Typical Documents and Evidence

  • Risk register with risk treatments
  • Service management objectives with measurement criteria
  • Service management plan
  • Improvement plans

Common Nonconformities

  • No formal risk assessment has been conducted for the SMS
  • Service management objectives are not measurable
  • Service management plan is incomplete or outdated
  • Objectives are not monitored or reported on

Clause 7: Support of the SMS

Clause 7 addresses the enablers that support the operation of the SMS: resources, competence, awareness, communication, documented information, and knowledge.

What It Requires

  • 7.1 Resources: Determine and provide the resources needed for establishing, implementing, maintaining, and continually improving the SMS
  • 7.2 Competence: Determine the necessary competence of persons doing work that affects service management performance, ensure these persons are competent based on education, training, or experience, and retain evidence of competence
  • 7.3 Awareness: Persons working under the organization's control must be aware of the service management policy, their contribution to the SMS, and the implications of not conforming to SMS requirements
  • 7.4 Communication: Determine the internal and external communications relevant to the SMS, including what to communicate, when, with whom, and how
  • 7.5 Documented information: The SMS must include documented information required by the standard and determined by the organization as being necessary for SMS effectiveness
  • 7.6 Knowledge: Determine and maintain the knowledge necessary for the operation of the SMS and service delivery

Practical Guidance

Competence management goes beyond simply having trained staff. The organization must define competence requirements for each SMS role, assess current competence against those requirements, identify gaps, take action (training, mentoring, recruitment), and evaluate the effectiveness of actions taken. Maintain records such as training certificates, competence assessments, and qualifications.

Knowledge management (Clause 7.6) is a requirement introduced in the 2018 edition. It requires organizations to capture, maintain, and make available the knowledge needed for service delivery. This includes operational procedures, known error databases, configuration data, and lessons learned from incidents and changes.

Typical Documents and Evidence

  • Competence matrix or skills inventory
  • Training records and certificates
  • Communication plan
  • Document and record control procedures
  • Knowledge base or known error database

Common Nonconformities

  • No defined competence requirements for SMS roles
  • Training records are incomplete or not maintained
  • Staff are unaware of the service management policy or their SMS responsibilities
  • No systematic approach to knowledge management
  • Document control is inconsistent (e.g., outdated versions in use)

Clause 8: Operation of the SMS

Clause 8 is the heart of ISO 20000-1, containing requirements for all service management operational processes. It is the most extensive clause and typically accounts for 50% or more of audit time. The clause is organized into six process groups that collectively cover the service lifecycle.

Clause 8 Structure

Clause 8 is divided into: 8.1 Operational planning and control, 8.2 Service portfolio, 8.3 Relationship and agreement, 8.4 Supply and demand, 8.5 Service design, build and transition, 8.6 Resolution and fulfilment, and 8.7 Service assurance. Each sub-clause contains specific process requirements.

8.2 Service Portfolio Management

8.2.1 Service Delivery

The organization must plan and implement services based on the service management plan. Service delivery must be managed and controlled to meet agreed requirements.

8.2.2 Plan the Services

Services must be planned with consideration of policies, service requirements, technologies, resources, dependencies, and constraints. New or changed services must be planned through the service design, build, and transition process.

8.2.3 Control of Parties Involved in the Service Lifecycle

When other parties are involved in service delivery, the organization must control them through documented agreements, defined interfaces, and performance monitoring. This includes internal groups, suppliers, and customer-provided resources.

8.2.4 Service Catalogue Management

The organization must create and maintain a service catalogue that includes all services, their dependencies, and interfaces to the service management processes. The catalogue must be accurate, current, and available to relevant parties.

8.2.5 Asset Management

Service assets must be managed throughout their lifecycle. The organization must maintain information about assets that is necessary for service delivery, including configuration information.

8.2.6 Configuration Management

Configuration items (CIs) must be defined, recorded, and controlled. The configuration management database (CMDB) or equivalent must reflect the current state of the infrastructure and services, and must be verified for accuracy.

Typical Documents: Service Portfolio

  • Service catalogue
  • Service management plan
  • Agreements with other parties
  • Asset register
  • Configuration management database (CMDB)
  • Configuration management policy and procedures

8.3 Relationship and Agreement Management

8.3.1 General

The organization must manage relationships with customers, users, and other relevant stakeholders.

8.3.2 Business Relationship Management

Arrangements for business relationship management must be established, including identifying and managing stakeholders, understanding current and future needs, ensuring satisfaction is measured and acted upon, and communicating service constraints and performance.

8.3.3 Service Level Management

Service Level Agreements (SLAs) must be documented, agreed with customers, and include measurable service level targets. The organization must monitor, review, and report performance against SLAs and take action when targets are not met.

Typical Documents: Relationship and Agreement

  • Service Level Agreements (SLAs)
  • Customer satisfaction surveys and results
  • Service review meeting minutes
  • Service level performance reports
  • Complaints and escalation records

8.4 Supply and Demand Management

8.4.1 Budgeting and Accounting for Services

Budgets must be created for service management and services. Costs must be accounted for and monitored against budgets.

8.4.2 Demand Management

Current and anticipated demand for services must be determined and managed. Demand management ensures that adequate resources are available to meet service requirements without over-provisioning.

8.4.3 Capacity Management

Service capacity requirements must be determined, resources must be planned and deployed to meet capacity requirements, and capacity must be monitored. Capacity plans must be maintained for services within the SMS scope.

Typical Documents: Supply and Demand

  • Service budgets and financial reports
  • Demand forecasts
  • Capacity plan
  • Capacity monitoring reports

8.5 Service Design, Build, and Transition

8.5.1 Change Management

All changes to services and SMS components must be managed through a formal change management process. Changes must be recorded, classified, assessed for risk and impact, approved, planned, tested, and reviewed after implementation. Emergency change procedures must be defined.

8.5.2 Service Design and Transition

New or significantly changed services must be planned through a structured process covering requirements analysis, design, build, testing, acceptance, and transition into operation. Acceptance criteria must be defined and verified before go-live.

8.5.3 Release and Deployment Management

Releases must be planned, built, tested, and deployed in a controlled manner. Release policies must define release types, frequency, and deployment procedures. Post-deployment verification must confirm successful implementation.

Typical Documents: Design, Build, and Transition

  • Change management policy and procedures
  • Change records (RFCs, CAB minutes, approvals)
  • Service design packages
  • Release and deployment plans
  • Test plans and results
  • Acceptance criteria and sign-offs

8.6 Resolution and Fulfilment

8.6.1 Incident Management

All incidents must be recorded, classified, prioritized, escalated (where appropriate), resolved, and closed. Incident priority must be determined based on impact and urgency. Major incident procedures must be defined for high-impact incidents. Incident records must be maintained.

8.6.2 Service Request Management

Service requests must be recorded, classified, fulfilled, and closed. The process for handling service requests must be defined, including approval workflows for requests that require authorization.

8.6.3 Problem Management

Problems must be identified (reactively from incident trends and proactively from analysis), recorded, investigated through root cause analysis, and resolved. Known errors and workarounds must be documented. The relationship between problem management and incident management must be clear and operational.

Typical Documents: Resolution and Fulfilment

  • Incident management procedures
  • Major incident procedures
  • Incident records and reports
  • Service request catalogue and fulfilment procedures
  • Problem records with root cause analysis
  • Known error database

Common Nonconformities: Resolution and Fulfilment

  • Incidents classified inconsistently or without impact/urgency assessment
  • No major incident procedure or it has never been tested
  • Problem management is reactive only -- no proactive problem identification
  • Root cause analysis is superficial or not performed
  • Known error database does not exist or is not maintained
  • Link between recurring incidents and problem records is missing

8.7 Service Assurance

8.7.1 Service Availability Management

Service availability requirements must be determined, documented (typically in SLAs), monitored, and reported. Availability management must consider single points of failure, redundancy, and resilience. Availability plans must be maintained for services requiring specific availability targets.

8.7.2 Service Continuity Management

Service continuity plans must be established, implemented, and tested. Plans must identify the services that require continuity, the scenarios addressed, recovery objectives, recovery procedures, and the resources required for recovery. Plans must be tested at planned intervals and updated based on test results and changes.

8.7.3 Information Security Management

An information security policy must be established and implemented. Information security controls must address confidentiality, integrity, and availability of information within the SMS scope. Security incidents must be managed through the incident management process. Where ISO 27001 is implemented, its ISMS can satisfy these requirements.

Typical Documents: Service Assurance

  • Availability plan and monitoring reports
  • Service continuity plans
  • Continuity test plans, results, and improvement actions
  • Information security policy
  • Security incident records
  • Access control procedures

Clause 9: Performance Evaluation

Clause 9 establishes the requirements for monitoring, measuring, analysing, and evaluating the SMS and its services.

What It Requires

  • 9.1 Monitoring, measurement, analysis, and evaluation: Determine what needs to be monitored and measured, the methods for monitoring and measurement, when monitoring and measuring shall be performed, and when results shall be analysed and evaluated
  • 9.2 Internal audit: Conduct internal audits at planned intervals to provide information on whether the SMS conforms to the organization's own requirements and the requirements of ISO 20000-1, and is effectively implemented and maintained
  • 9.3 Management review: Top management must review the SMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. The review must include consideration of the status of actions from previous reviews, changes in internal and external issues, service management performance, nonconformities and corrective actions, audit results, and opportunities for improvement
  • 9.4 Service reporting: Service reports must be produced and delivered to relevant interested parties. Reports must include performance against SLAs, workload information, trends, customer satisfaction, and details of nonconformities and corrective actions

Practical Guidance

Service reporting is a specific requirement in ISO 20000-1 that goes beyond the general monitoring requirements of other Annex SL standards. Reports must provide meaningful information about service performance, not just raw data. Ensure reports include trend analysis, commentary on performance, and recommendations for improvement.

Internal audit must cover all requirements of the standard over a planned cycle. Auditors should be independent of the areas being audited. Audit criteria, scope, frequency, and methods must be defined. Audit results must be reported to relevant management.

Typical Documents and Evidence

  • Monitoring and measurement plan (KPIs, metrics)
  • Service performance dashboards and reports
  • Internal audit programme and schedule
  • Internal audit reports and findings
  • Management review agenda, minutes, and action items
  • Customer satisfaction survey results

Common Nonconformities

  • Service reports do not include performance against SLA targets
  • Internal audit programme does not cover all SMS requirements
  • Internal auditors are not independent of areas being audited
  • Management review does not address all required inputs
  • Actions from management review are not tracked to completion
  • No evidence of trend analysis in service reports

Clause 10: Improvement

Clause 10 requires the organization to manage nonconformities, take corrective action, and drive continual improvement of the SMS.

What It Requires

  • 10.1 Nonconformity and corrective action: When a nonconformity occurs, the organization must react to it, evaluate the need for action to eliminate the causes, implement any action needed, review the effectiveness of corrective action taken, and make changes to the SMS if necessary
  • 10.2 Continual improvement: The organization must continually improve the suitability, adequacy, and effectiveness of the SMS and the services. Determine criteria and methods for evaluating and selecting improvement opportunities, and manage approved improvements

Practical Guidance

Continual improvement must be systematic, not ad hoc. Establish a formal process for identifying improvement opportunities (from audits, management reviews, service reports, incident trends, customer feedback), evaluating and prioritizing them, implementing approved improvements, and measuring their effectiveness.

Corrective action must address root causes, not just symptoms. Use structured root cause analysis techniques (5 Whys, fishbone diagrams, fault tree analysis) and document the analysis. Track corrective actions to completion and verify that the nonconformity has not recurred.

Typical Documents and Evidence

  • Nonconformity and corrective action records
  • Continual improvement register (CSI register)
  • Improvement plans with measurable objectives
  • Evidence of improvement effectiveness review

Common Nonconformities

  • Corrective actions address symptoms rather than root causes
  • No formal process for identifying and managing improvement opportunities
  • Improvement register does not exist or is not actively maintained
  • No evidence that improvement actions are tracked and verified
  • Continual improvement is perceived as a separate activity rather than embedded in the SMS

ISO 20000-1 Documentation Map

The following table summarizes the key documented information required or recommended across the standard:

| Clause | Required/Recommended Documentation |
|--------|------------------------------------|
| 4 - Context | SMS scope statement, interested parties register, service management plan |
| 5 - Leadership | Service management policy, RACI matrix, roles and responsibilities |
| 6 - Planning | Risk register, service management objectives, action plans |
| 7 - Support | Competence matrix, training records, communication plan, knowledge base, document control procedure |
| 8.2 - Portfolio | Service catalogue, CMDB, asset register, configuration management procedures |
| 8.3 - Relationship | SLAs, customer satisfaction records, service review minutes |
| 8.4 - Supply/Demand | Service budgets, capacity plan, demand forecasts |
| 8.5 - Design/Transition | Change records, release plans, test plans, design packages, acceptance criteria |
| 8.6 - Resolution | Incident records, problem records, known error database, service request records |
| 8.7 - Assurance | Availability plan, continuity plans, continuity test results, information security policy |
| 9 - Performance | Service reports, internal audit records, management review minutes, KPI dashboards |
| 10 - Improvement | Corrective action records, CSI register, improvement plans |

The volume of documentation should be proportional to your organization's size and complexity. Avoid over-documenting: focus on documentation that adds value, supports consistent execution, and provides evidence of conformity. Well-implemented ITSM tools can generate much of the required documented information automatically.

Frequently Asked Questions

How many clauses does ISO 20000-1 have?

ISO 20000-1:2018 has 10 clauses. Clauses 1-3 cover scope, normative references, and terms and definitions. Clauses 4-10 contain the auditable requirements: Context of the Organization (4), Leadership (5), Planning (6), Support (7), Operation (8), Performance Evaluation (9), and Improvement (10). Clause 8 (Operation) is the most extensive, covering all service management processes across six sub-groups.

What is Clause 8 of ISO 20000-1?

Clause 8 (Operation of the SMS) is the heart of ISO 20000-1, containing requirements for all service management processes. It covers service portfolio management (catalogue, configuration, assets), relationship and agreement management (SLAs, customer relationships), supply and demand management (budgets, capacity), service design, build and transition (change, release, deployment), resolution and fulfilment (incident, problem, service request), and service assurance (availability, continuity, security).

What documents are required for ISO 20000-1?

ISO 20000-1 requires documented information including: service management policy, service management plan, risk register, service catalogue, SLAs, capacity plan, service continuity plan, information security policy, incident and problem records, change records, release and deployment plans, internal audit records, management review minutes, and continual improvement register. The depth of documentation should be proportional to organizational size and complexity.

What are the most common ISO 20000-1 nonconformities?

Common nonconformities include: incomplete or inaccurate service catalogue, SLAs without measurable targets, lack of root cause analysis in problem management, change management not covering all change types, insufficient capacity and availability planning, poor supplier performance monitoring, missing or incomplete service reports, and weak integration between incident, problem, and change processes.

Can ISO 20000-1 requirements be excluded?

No. Unlike ISO 27001, where Annex A controls can be excluded via the Statement of Applicability, ISO 20000-1 does not allow exclusion of any requirement in Clauses 4-10. All requirements are mandatory. However, the way requirements are implemented can be scaled to the organization's size, complexity, and service portfolio. ISO/IEC 20000-3 provides guidance on scope definition and applicability.