ITIL and ISO 20000: A Comparison

I get a lot of advice requests from IT people about ITIL certification and compliance. Usually, these are personal inquiries on certification paths after the ITIL foundations exam, but lately IT managers ask me to recommend ITIL implementation paths for their business organizations.

Of course, since ITIL V2 there are a lot of more-or-less developed methodologies and frameworks for ITIL implementation in IT Service organizations. About a year ago I started recommending ISO/IEC 20000 certification to them.

Why is that so? Let me give you an example: a friendly customer of mine, IT Service Company, educated dozens of its employees in ITIL Foundations during the last 10 years. Due to workforce fluctuation trends, a lot of them left the company and settled in the neighborhood, doing the same job for someone else. So the company funded the competency matrix of its competition.

Best practices vs. standard

Back to basics: ITIL is a library, a set of best practices, described processes and functions in a service lifecycle path. It is mostly descriptive, not prescriptive. Life is full of possibilities with ITIL. You can, but you don’t have to, implement any of the processes. Or all. Or none. Although ITIL was often addressed as a de facto standard in IT Service Management (ITSM), it is important to state that ITIL is a best practices library; it is NOT a standard. ITIL is full of advice, what you could, sometimes should do, what would be best and so on. It does not have hard requirements about what HAS to be done in order to comply. Therefore, ITIL is not fully auditable.

ISO/IEC 20000, on the other hand, is an auditable norm. The 2011 version has 256 hard requirements which have to be met. It provides a full set of processes a company HAS to implement if it wishes to obtain a certificate. A bit more precisely, the norm has two main parts:

  • ISO/IEC 20000-1 – requirements, what SHALL be done
  • ISO/IEC 20000-2 – code of practice, a guidance as to HOW it should be done in more detail


Certification of individuals vs. certification of organizations

Another important aspect: the ITIL certification path is created for individuals. People study and pass foundations, intermediate and expert levels. They get the certificate and take it with them. ISO/IEC 20000 is focused on the IT Service Organization. It helps to capture knowledge about IT Services as an intellectual property of the company, and helps individual employees to get by in a day-to-day IT Service realm by following a set of simple but strict rules established during a process of preparation for the certification.

An overview of ITIL…

ITIL has come quite a long way from the previous V2 version where we had only 10 processes and one function. In its current version, ITIL is based on five volumes representing the five service lifecycle stages addressing some 26 processes and four functions. For the new people in the house, let’s have a quick overview of lifecycle stages and processes/functions:

ITIL-lifecycle-stages-and-processes1.png

ITIL experienced a significant increase of content volume in 2007 when version V3 was introduced, and more still in a 2011 refresh. The big difference is a strong turn toward copyrighting, probably in order to finance the growing ITIL food chain: publishers, authorized training organizations, examination boards, etc.  On the other hand, creating this volume of relevant knowledge and best practices was a remarkable effort and one has to think about the future.

… And a bit about ISO 20000

A 2011 edition of ISO/IEC 20000 addressed some of the changes in ITIL 2011 and also adhered to other neighboring ISO norms. This motivated a lot of IT Service organizations to consider ISO20k as a service management improvement tool. Here is a quick schematic diagram of ISO/IEC 20000 processes:

ISO-20000-processes1.png

How do ITIL and ISO 20000 fit together?

In an ITSM pyramid things are layered in the following order:
ITSM-pyramid1.png

ISO/IEC 20000 provides strict requirements (WHAT) and a simple code of practice (HOW). The story is further expanded by ITIL experience and best practice framework as a detailed guidance about processes and functions. At the base are basic in-house procedures and work instructions, from core business and other implemented standards/methodologies (ISO, PMI…)

Both stories came from the same place and both got refreshed in 2011. How well do they fit together and have they grown apart? In a nutshell, ISO 2000 emerged initially from ITIL V2, and did not evolve much in volume, but requirements got much more realistic in 2011. On the other hand, ITIL was inflated almost double in V3, so the 2011 refresh also was more about quality then quantity.

An IT Service organization can use ITIL to implement ITSM processes according to best practices, and ISO20k can be used for implementation and measurement of essential processes.

The pyramid can be approached from both sides. A question for you: in the current maturity stage, what would you do first it in your organization – would you go for ITIL implementation or ISO/IEC 20000 certification?

You can also check out this free whitepaper:  ITIL vs. ISO/IEC 20000: Similarities and Differences & Process Mapping and get more details on this topic.

Advisera Branimir Valentic
Author
Branimir Valentic
Branimir is an expert in IT service management (consultancy, training and tools), IT governance (training and consulting), project management and consultancy in IT and telecommunication. He holds the following certificates: ITIL Expert, ISO 20000, ISMS Lead Auditor and PRINCE2.