ISO 20000 Supplier Management – You lead the game

Sometimes, you can’t do everything alone. This is true in life generally, and it’s just as true in managing IT services. There are some parts of the service where you need someone to help you with implementation or operation – be it because you need someone’s expertise, or because someone delivers equipment (e.g., hardware or software) to you. Usually, that’s another organization – a supplier. Supplier Management is a process in the scope of ISO 20000, which manages suppliers and ensures that you receive quality services.

Before we begin, let me remind you to read our article that describes Supplier Management according to ITIL – ITIL Supplier management – the third party you depend on.

ISO 20000 role

What we very often do is focus on the customer, and our delivery to them. And the other side, meaning suppliers, remains “forgotten.” What I want to say is that quite often there is no single responsible person for every supplier, suppliers are not measured, and there are no reports, no detailed relationship matrix, or even requirements that must be fulfilled, etc. And that’s wrong.

On the other side, ISO 20000 can be seen as a “tool” that IT organizations use to manage services they deliver. Or, to be more precise, ISO 20000 is a Service Management System (SMS) standard. When talking about SMS, “manage” means – plan, establish, implement, operate, monitor, review, maintain, and improve. It sounds like there is not much left outside its control.

Supplier Management is in the scope of ISO 20000 and is, therefore, one of the managed processes. ISO 20000 emphasizes many parameters that must be taken into consideration regarding suppliers and the scope of Supplier Management.

Figure: There are many relationships between you, customers, suppliers, and their sub-contracted suppliers.

Keep it under control

Why? Because you are responsible to your customers. Guess whom they are going to ask if there is something wrong with a part of the service operated by one of your suppliers? You, their service provider. Therefore, you have strong motivation (and obligation, according to ISO 20000) to keep suppliers under control.

So, let’s see how you can use ISO 20000 requirements to manage (or control, if you prefer) your suppliers. When you read the standard, the requirements may sound tiresome, but when “translated” into possibilities that you have – it’s much different:

  • Designated responsible person – each supplier should have a designated person who is responsible for managing that supplier. Of course, you may have one Supplier Manager (that’s just an example of the role) for several suppliers. But the idea is to have a responsible person, and with that you have a solid foundation to manage your suppliers.
  • Documented agreement – well, it’s nice to have a designated person (remember – a Supplier manager(s)), but you have to regulate relationships with your suppliers. And that’s where ISO 20000 is extensive. See, it’s positive – it’s not that there are many requirements, but that the standard gives you defined content of the agreement. So, you have to include (without going into every detail):
    • A description of the supported service, e.g., scope, dependencies on other services/processes, targets, etc.
    • Supplier’s obligations like requirements that must be fulfilled by the supplier, reporting, etc.
    • General items, e.g., charging, contract exception, authorities and responsibilities.
  • Documented roles and relationship between lead and sub-contracted suppliers – this is something that we often forget, and that suppliers use often – they have sub-suppliers. Well, ISO 20000 requires you to take care of that, as well, by asking you to get evidence from your supplier that they are managing their sub-contracted suppliers. That means that you have to ask your suppliers to provide you with names of their sub-contracted suppliers and how they regulate responsibilities and relationships with them. And it’s logical, because as long as they (sub-contracted suppliers) contribute to the services for which you have an SLA with the customer – you have to be responsible for them.
  • Monitoring, measurement, recording of results and review – this is your mightiest tool. It will provide you with facts and evidence. What you have to do is to take care that measurements are performed regularly, that they are agreed with suppliers, and that they are reviewed (I would suggest – together with your suppliers). In such a way – “all the cards are on the table.”

It’s crucial that you perform activities in the proper order. What I mean is that you have to have your Service Level Agreement (SLA) parameters and be familiar with them. Once you have them – then you know what to require from suppliers. When you negotiate with suppliers, you should try to agree on stronger criteria than you have in your SLA. For example, if you agreed in the SLA that incidents of priority level 2 will be resolved within 4 hours, and you require support from your supplier in certain areas – you should negotiate within 3 or 3.5 hours for the same priority. In that way you will leave some time for escalation if they are not timely.

Although one of the requirements says that you have to have a (documented) dispute procedure with your suppliers, you should do all that is possible to avoid that procedure. And, all other requirements are there so that you and your supplier don’t end up in dispute. Make the requirements clear to everyone, implement them with care, and manage the process all the time – and results will come.

You can also check out this free ISO 20000 Gap Analysis Tool to check whether you are compliant with the Supplier Management process.

Branimir Valentic
Branimir is an expert in IT service management (consultancy, training and tools), IT governance (training and consulting), project management and consultancy in IT and telecommunication. He holds the following certificates: ITIL Expert, ISO 20000, ISMS Lead Auditor and PRINCE2.