Key Takeaways
  • SMS scope determines what services, locations, organisational units, and technology the certification covers — get it wrong and audits become costly or ineffective.
  • The service catalogue is the anchor of your scope statement: every in-scope service should be traceable to it.
  • Supplier and outsourced-service dependencies must be addressed under Clause 8.3.4, even if those suppliers are not themselves certified.
  • Scoping too broadly increases audit cost and implementation effort; scoping too narrowly can exclude critical dependencies and lead to nonconformities.
  • A well-documented scope statement gives auditors confidence, accelerates Stage 1, and makes the certificate meaningful to customers.

Why Scoping Matters

The scope of your Service Management System (SMS) is arguably the single most important decision you make before pursuing ISO 20000-1 certification. It defines the boundary within which every clause of the standard will be assessed, every process will be audited, and every piece of evidence will be evaluated. A poorly defined scope can derail your entire certification programme, while a well-crafted scope sets the foundation for a smooth, cost-effective journey.

Impact on Audit Efficiency

Auditors plan their time based on your scope. A clear, well-bounded scope allows the certification body to estimate audit days accurately, assign auditors with the right competence, and focus assessment effort where it delivers value. Ambiguous scope statements lead to extended Stage 1 reviews, scope clarification requests, and potential delays before Stage 2 can proceed.

Impact on Cost

Certification fees are directly linked to scope complexity. More services, more locations, and more technology platforms mean more audit days. Organisations that over-scope often face certification costs that are two to three times higher than necessary — not just for the initial audit, but for every surveillance and recertification cycle thereafter.

Impact on Credibility

Your ISO 20000-1 certificate will carry a scope statement visible to customers, partners, and regulators. A scope that clearly describes the services certified provides commercial value. A vague or overly generic scope (“IT services”) raises questions about what is actually covered and reduces customer confidence. The goal is a scope statement that is meaningful, verifiable, and aligned with the services your customers actually consume.

Alignment with Business Objectives

Effective scoping starts with understanding why you are pursuing certification. Common business drivers include:

  • Customer requirements: A specific client or tender requires ISO 20000-1 certification for particular services.
  • Market differentiation: Certification provides competitive advantage for your managed services or service desk operations.
  • Internal improvement: You want to drive process maturity across your IT service delivery functions.
  • Regulatory or contractual obligations: Industry regulations or framework contracts mandate service management certification.

Each driver shapes the scope differently. A customer-driven scope will be tightly focused on the services that customer consumes. A market-driven scope may cover a broader portfolio to maximise the certificate’s commercial appeal.

Scope Statement Components

A complete ISO 20000-1 scope statement must address several dimensions. Think of it as answering five fundamental questions: What services? Where? Who? With what technology? Through which suppliers?

Services

The most critical component. List the specific services covered by the SMS. Avoid generic descriptions. Instead of “IT services,” specify “Managed Desktop Support, Cloud Infrastructure Hosting, and Service Desk Operations for enterprise customers.”

Each service should be defined with a clear name, a brief description of what it delivers, and ideally a reference to the service catalogue entry. This level of specificity is what auditors expect and what makes the certificate meaningful.

Locations

Specify all physical locations where service management activities take place. This includes:

  • Primary offices where service desk, incident management, and change management teams operate
  • Data centres (owned or co-located) hosting in-scope services
  • Remote or home-working locations if staff delivering in-scope services work remotely
  • Disaster recovery or business continuity sites

Organisational Units

Identify the departments, teams, and business units involved in delivering in-scope services. In many organisations, service delivery spans multiple teams: service desk, infrastructure, applications, security, procurement, and vendor management. All teams that contribute to in-scope service delivery are within scope.

Technology

List the key technology platforms that underpin in-scope services. This includes ITSM tools (for incident, problem, change management), monitoring platforms, configuration management databases (CMDBs), cloud platforms, and any other technology integral to service delivery.

Suppliers and External Parties

Identify third-party suppliers, subcontractors, and outsourcing partners that contribute to in-scope services. Under Clause 8.3.4, the organisation must manage these relationships and demonstrate that externally provided services meet SMS requirements.

The Service Catalogue Anchor

The service catalogue is the single most important document for scoping your SMS. It is the definitive listing of all services the organisation offers, and it provides the structure around which scope decisions are made.

Why the Service Catalogue Is Central

ISO 20000-1:2018 Clause 8.2 requires the organisation to maintain a service catalogue. The catalogue is not just a list — it is a living document that describes each service, its components, its dependencies, and its relationship to customers. When defining SMS scope, the service catalogue provides:

  • A service-centric view: Scope is defined around services, not departments or technologies. This aligns with the standard’s intent.
  • Traceability: Every in-scope service can be traced to a catalogue entry with defined attributes.
  • Dependency mapping: The catalogue reveals dependencies between services, helping you identify what must be included or excluded.
  • Customer alignment: The catalogue reflects what customers actually consume, making the scope statement commercially meaningful.

Building a Scope-Ready Service Catalogue

For each service in the catalogue, document:

  • Service name and ID: Unique identifier for traceability.
  • Service description: What the service delivers to customers.
  • Service owner: Accountable individual or role.
  • Customers/Users: Who consumes the service.
  • Supporting services: Infrastructure, applications, and other services this service depends on.
  • Suppliers: External parties involved in delivering this service.
  • SLA/OLA references: Service level agreements and operational level agreements.
  • Scope status: In scope / Out of scope / Under review.
Service Catalogue Tip

If your organisation does not yet have a formal service catalogue, building one is a prerequisite for ISO 20000-1 certification. Start with the services you plan to include in scope, then expand the catalogue over time. Many organisations find that the process of building a service catalogue itself drives significant improvement in how services are understood and managed.

Including & Excluding Services

Scope decisions ultimately come down to which services are in and which are out. This is where organisations most often struggle — and where auditors pay the closest attention.

Criteria for Including Services

Include a service if:

  • It is a service the organisation wishes to certify (business driver)
  • It is a dependency of another in-scope service (technical driver)
  • It is required by a customer, contract, or regulation (compliance driver)
  • It shares processes, people, or technology with in-scope services to the extent that excluding it would be impractical

Criteria for Excluding Services

Exclude a service only if:

  • It is genuinely independent — no shared processes, people, or technology with in-scope services
  • It has no dependency relationship with any in-scope service
  • Its exclusion does not undermine the integrity of in-scope service delivery
  • The exclusion can be clearly justified to the certification body

Scope Approach Comparison

Approach Description Advantages Risks
Full Portfolio All services in the catalogue are in scope Single certificate covers everything; strong commercial message High audit cost; all processes must meet the standard across all services
Customer-Facing Only Only external customer services in scope Focused on commercial value; manageable audit scope Internal supporting services may still need to be included as dependencies
Single Service Line One service or service line in scope Fastest path to certification; lowest cost Narrow certificate may not satisfy all customer expectations
Phased Expansion Start with core services, expand scope at surveillance or recertification Manageable implementation; early certification; progressive improvement Multiple scope changes require auditor reassessment each cycle

The phased expansion approach is increasingly popular. Organisations certify their most critical or customer-visible services first, demonstrate maturity, and then extend scope at surveillance audits. This delivers early business value while managing implementation effort.

Supplier Dependencies

Clause 8.3.4 of ISO 20000-1:2018 (“Management of external parties”) is one of the most frequently misunderstood areas in scoping. Many organisations assume that if a supplier is external, it is “out of scope.” This is incorrect.

What the Standard Requires

The organisation must:

  • Identify all externally provided services that support in-scope services
  • Define and agree service requirements with each supplier (contractual or SLA)
  • Monitor supplier performance against agreed requirements
  • Manage changes to supplier services that could affect in-scope services
  • Address disputes and contractual issues through defined processes

Supplier Categorisation

Not all suppliers carry equal risk. Categorise suppliers based on their impact on in-scope services:

  • Critical suppliers: Their failure directly disrupts in-scope service delivery (e.g., cloud infrastructure provider, network carrier). Requires robust SLAs, performance monitoring, and contingency planning.
  • Important suppliers: Their performance affects service quality but alternatives exist (e.g., hardware vendor, software licensor). Requires contractual controls and periodic reviews.
  • Standard suppliers: Limited direct impact on in-scope services (e.g., office supplies, generic software). Managed through standard procurement controls.

Documenting Supplier Relationships

For each critical and important supplier, document:

  • Supplier name and services provided
  • Which in-scope services depend on this supplier
  • Contractual or SLA requirements
  • Performance monitoring approach and frequency
  • Escalation and dispute resolution process
  • Change management interface

Cloud & Outsourced Services

Cloud computing and outsourcing have fundamentally changed how services are delivered. For ISO 20000-1 scoping, these arrangements require careful consideration because the organisation retains accountability for service delivery even when activities are performed by third parties.

Cloud Services in Scope

If your in-scope services rely on cloud platforms (IaaS, PaaS, or SaaS), the cloud services must be addressed within your SMS. This does not mean your cloud provider needs to be ISO 20000-1 certified. It means you must:

  • Include cloud services in your service catalogue as supporting services
  • Define service requirements for the cloud provider (availability, performance, security)
  • Monitor cloud service performance against those requirements
  • Manage changes that affect cloud-hosted in-scope services
  • Integrate cloud incidents and problems into your SMS processes
  • Address cloud capacity management and continuity planning

Outsourced Service Delivery

When service delivery activities are outsourced (e.g., a third-party service desk or managed infrastructure), the scope implications are more complex:

  • Process integration: The outsourced provider’s processes must align with your SMS. If your incident management process requires specific escalation timelines, the outsourcer must follow them.
  • Evidence and records: You need access to records and evidence from the outsourced operations. The audit will examine these records as if they were your own.
  • Governance: Regular governance meetings, performance reviews, and service improvement discussions should be documented.
  • Audit access: Your agreement with the outsourcer should permit the certification body to audit the outsourced activities if required.

Shared Responsibility Models

Service Model Your Responsibility Provider Responsibility Scope Implication
IaaS (e.g., AWS EC2) OS, applications, data, service management processes Physical infrastructure, hypervisor, network You own most SMS processes; provider managed via supplier management
PaaS (e.g., Azure App Service) Application, data, service configuration Platform runtime, OS, infrastructure Shared process responsibility; clear interface definition needed
SaaS (e.g., ServiceNow) Configuration, data, user management Application, platform, infrastructure Heavy reliance on provider; strong supplier governance required
Full Outsource Governance, performance monitoring, customer relationship End-to-end service delivery Outsourcer’s processes assessed as part of your SMS; audit access essential
Cloud Governance Tip

When your ITSM tool itself is a SaaS product (e.g., ServiceNow, Freshservice), it is both a technology platform within scope and a supplier relationship to manage. Document how you govern the ITSM tool provider, how changes to their platform are managed, and how you ensure continuity of the tool itself.

Common Scoping Mistakes

Having assessed hundreds of organisations pursuing ISO 20000-1 certification, certain scoping mistakes appear repeatedly. Avoiding these saves significant time, cost, and frustration.

Mistake 1: Scoping Too Broadly

Some organisations include every service in their portfolio on the assumption that a broader scope means a more impressive certificate. The reality is that every additional service increases audit complexity, requires SMS processes to cover that service, and adds to ongoing compliance effort.

Impact: Higher certification costs, longer implementation timelines, diluted management attention, and risk of nonconformities in areas that didn’t need to be included.

Fix: Start with the services that deliver the most business value from certification. Expand scope progressively once the SMS is mature.

Mistake 2: Scoping Too Narrowly

The opposite extreme is equally problematic. Organisations that scope too narrowly often exclude services that are dependencies of in-scope services. For example, scoping “Cloud Hosting” without including the network services, monitoring, or change management processes that underpin it.

Impact: Auditors identify excluded dependencies as nonconformities. The certification body may refuse to certify until the scope is corrected.

Fix: Conduct dependency mapping for every in-scope service. If a service is a prerequisite for in-scope delivery, it must be addressed — either by including it or by demonstrating robust supplier management for it.

Mistake 3: Excluding Critical Dependencies

Related to narrow scoping, some organisations explicitly exclude services like “security management” or “capacity management” because they believe those are separate functions. ISO 20000-1 requires these as SMS processes. They cannot be excluded simply because a different team performs them.

Impact: Major nonconformity at Stage 1 or Stage 2. Potential audit postponement.

Fix: Ensure all SMS processes required by ISO 20000-1 are addressed for in-scope services, regardless of which team performs them.

Mistake 4: Department-Centric Scoping

Defining scope around departments (“the IT department”) rather than services. ISO 20000-1 is service-centric. Auditors assess services, not org charts.

Impact: Misalignment between scope statement and audit approach. Confusion about what is being assessed.

Fix: Always define scope in terms of services. Use the service catalogue as the anchor.

Mistake 5: Ignoring Remote and Distributed Delivery

With distributed teams and remote working now standard, organisations sometimes omit remote locations from scope. If staff delivering in-scope services work from home or satellite offices, those locations are within scope.

Impact: Auditors may request to verify controls at remote locations. If these locations are not acknowledged in scope, it creates gaps.

Fix: Include a statement about remote and distributed working in your scope documentation. Define how SMS controls apply to remote delivery.

Documenting Scope

Your scope documentation is the first thing a certification body reviews. It must be clear, complete, and structured. The following elements should be documented formally.

Scope Statement Structure

  1. Organisation identity: Legal entity name, registration number, and trading name(s).
  2. SMS description: Brief overview of the SMS and its purpose.
  3. Services in scope: List of services with references to the service catalogue.
  4. Locations: Physical sites where service management activities take place.
  5. Organisational units: Teams and departments involved in delivering in-scope services.
  6. Technology platforms: Key technology underpinning in-scope services.
  7. Suppliers and external parties: Critical and important suppliers addressed under Clause 8.3.4.
  8. Exclusions: Services or areas explicitly excluded, with justification for each.
  9. Interfaces and boundaries: How in-scope services interact with out-of-scope activities.
  10. Applicable standard: ISO/IEC 20000-1:2018.

Example Scope Statement

“The Service Management System of [Company Name] covers the delivery and management of the following services as defined in the Service Catalogue (version X.X): Managed Desktop Support (SC-001), Cloud Infrastructure Hosting (SC-002), and 24/7 Service Desk Operations (SC-003) for enterprise customers. Service management activities are performed at [Location A] and [Location B], with supporting infrastructure hosted in [Data Centre / Cloud Region]. The SMS processes are operated by the Service Delivery, Infrastructure, and Service Desk teams. External suppliers providing critical underpinning services include [Supplier 1 — network connectivity] and [Supplier 2 — cloud infrastructure], managed in accordance with Clause 8.3.4. Internal IT development services (SC-010, SC-011) are excluded from scope as they operate independently with no dependency relationship to in-scope services.”

Presenting Scope to the Certification Body

When submitting your application to a certification body, provide:

  • The formal scope statement (as above)
  • A copy of the service catalogue (or the relevant extract)
  • A scope diagram showing services, locations, and key interfaces
  • A list of exclusions with justification
  • A supplier register identifying critical and important suppliers

This level of documentation demonstrates maturity and helps the certification body plan the audit efficiently. It also minimises scope clarification requests during Stage 1.

Scope Review & Change

Your SMS scope is not static. It should be reviewed regularly and updated when the organisation’s service portfolio, technology landscape, or business context changes.

When to Review Scope

  • Annually: As part of the management review process (Clause 9.3).
  • Before surveillance audits: Confirm scope remains accurate before the certification body’s visit.
  • After significant changes: New services launched, services retired, major technology migrations, organisational restructuring, or new outsourcing arrangements.
  • After mergers or acquisitions: New entities, services, or locations may need to be included.

Scope Change Process

When scope changes are needed:

  1. Assess the change: Determine what services, locations, or suppliers are affected.
  2. Update documentation: Revise the scope statement, service catalogue, and any affected processes.
  3. Notify the certification body: Inform your CB of scope changes before the next surveillance audit. Significant expansions may require additional audit time.
  4. Implement controls: Ensure SMS processes cover the new scope elements before the audit.
  5. Communicate internally: All teams involved in the changed scope must understand their responsibilities.

Scope Reduction

Reducing scope (removing services) is also possible but requires careful handling. The certification body will verify that the reduction does not leave gaps in service delivery management. If a service is removed from scope, ensure that dependencies with remaining in-scope services are addressed.

Treat your scope as a living document. The best SMS scoping decisions are reviewed, challenged, and refined over time. What worked for initial certification may not be optimal two years later as your service portfolio evolves.

Frequently Asked Questions

What should be included in an ISO 20000-1 scope statement?

An ISO 20000-1 scope statement should include the organisation name and legal entity, the services covered (referencing the service catalogue), geographical locations, organisational units, technology platforms, supplier and outsourcing arrangements, and any exclusions with clear justification. The statement should be specific enough that an auditor can understand exactly what is being certified.

Can I exclude services from my ISO 20000-1 scope?

Yes, you can exclude services that are genuinely independent of the services in scope. However, you cannot exclude services that are dependencies of in-scope services, and every exclusion must be justified. Auditors will verify that exclusions do not undermine the integrity of service delivery. If a service supports in-scope services (even indirectly), it must either be included or managed through supplier management processes.

How does the service catalogue relate to ISO 20000-1 scope?

The service catalogue is the definitive anchor for your SMS scope. It lists all services the organisation delivers and clearly identifies which are within scope for certification. The service catalogue ensures scope is service-centric rather than department-centric, provides the auditor with a structured view of what is being assessed, and reveals dependency relationships that inform inclusion or exclusion decisions.

Do I need to include outsourced and cloud services in scope?

If outsourced or cloud services underpin in-scope services, they must be addressed within the SMS. Clause 8.3.4 requires you to manage externally provided services. You don’t need to certify your suppliers, but you must demonstrate governance, contractual controls, monitoring, and integration with your SMS processes. The level of control required depends on the criticality of the supplier to in-scope service delivery.

What is the most common scoping mistake for ISO 20000-1?

The most common mistake is scoping too broadly or too narrowly. A scope that is too broad adds unnecessary cost and complexity, while a scope that is too narrow may exclude critical dependencies and result in nonconformities during the audit. The best approach is to start with the services that deliver the most business value from certification, ensure all dependencies are included, and expand scope progressively over time.

ISO 20000-1 Scope Definition Service Management