How to define the scope of the SMS in ISO 20000

So, you have decided to prove your excellence in IT Service Management (ITSM) by implementing ISO 20000. Fair enough. And, then the headache starts. Let’s assume you already have ISO 9001 or ISO 27001 in place, and a relationship with a certification body. Naturally, you speak with them about certification on ISO 20000. The first question they would ask is: “What is your scope?” Silence? Well, you are not alone. When you decide to go for ISO 20000 certification, scope will be your first major decision. But, most probably, you’ll ask yourself: “How do I define the scope of the certification?”

Size matters

I have a customer who is a small company providing cloud services. They have a few employees in development, some more in support, one person in business development – and, that’s it. Do they have concerns regarding scope of the implementation? Do you want to guess again? No, they don’t have any concern – all services and the whole organization are in the scope of the ISO 20000 implementation (and, consequently, certification).

Then, when does it get complicated? Actually, it gets complicated when you have a bigger IT organization (e.g., 20, 30, 40, or more employees), when you support internal and external customers, when you have outsourced processes, and when you have plenty of different services. In such case you have to decide what will be the scope of the Service Management System (SMS) according to ISO 20000 implementation.

Purpose and characteristics

By setting up a scope, you will define the boundaries of your SMS, i.e., where the SMS is applicable. That means that scope will help you limit your activities and efforts only to the SMS. Sure, there could be processes and services that are outside of the scope, and they don’t have to fulfill the requirements of the ISO/IEC 20000-1. To learn more about ISO 20000, read the article Using ISO 20000 to control IT services.

Once you decide about the scope, you should write a scope statement. That will help you with two things:

  • When communicating with the certification body, the scope statement will be the first thing you will have to agree on. In such a way, they will know what to audit, i.e., what your scope of work includes.
  • A scope statement will help you to avoid ambiguity on what is included and excluded from the SMS, so you can focus your work on the agreed target.

Therefore, the scope statement will be part of your certification application and will define your SMS. When talking about SMS requirements – scope should be included in the SMS Plan.

Defining the scope

Clause 4.5.1 defines the scope of the SMS and sets requirements, i.e., considerations. Those considerations state that the following factors should be considered when defining the scope:

  • Geographical location from which you deliver the services
  • The customer and their location(s)
  • Technology used to provide services

Beyond those requirements, you should consider the following when defining your SMS scope:

  • Which organizational unit(s) provides the services
  • Which services you offer, and which ones will be included in the SMS scope (e.g., smaller organizations will include all services)
  • Other parties that contribute to the delivery of the service(s)

As you can see, the scope of the SMS can be a particular service, customer, or group of customers. It makes it easier in some cases when your customer requires that you are ISO 20000 certified for the services you provide to them – meaning, that is the scope of your SMS. Otherwise, consider scope carefully because if you define your scope too broadly, implementation could be complex and even unsuccessful.

When you articulate scope, take care of a few things:

  • Simplicity and wording – if you set a scope statement that very few people (or no one at all) understand, that’s not good. The scope should be a guideline for people involved in SMS implementation.
  • Enough information – when someone reads your scope statement, he/she should know what it is all about. It’s wrong to put too many details, because that will make it hard to read and understand (and consequently – act).
  • Unambiguity – from the scope statement it should be clear what is included and excluded.

Based on the above mentioned, the scope statement could be:

“The Service Management System supporting the provision of IT services in accordance with the Service Catalogue for the internal or external customers.”

ISO 20000-1 (requirements for the SMS) defines what you should consider when defining scope, but there is an ISO/IEC TR 20000-3 “Guidance on scope definition and applicability of ISO/IEC 20000-1,” which can help you clarify requirements of the standard and define your scope.

Importance of the first step

Setting the right scope of the SMS will direct your efforts while implementing the SMS. This means that you should be very careful when defining the scope. And, I don’t mean here only implementation of the SMS, but also continual improvement (also one of the mandatory requirements of the standard) in the long run. If you miss this first step (defining the scope) – steps in the wrong direction will get you exactly there – to the wrong place. And that’s where problems reside.

Use our free  ISO 20000 Gap Analysis Tool to check your compliance with ISO 20000 requirements and ease your scope definition.

Advisera Branimir Valentic
Branimir Valentic
Branimir is an expert in IT service management (consultancy, training and tools), IT governance (training and consulting), project management and consultancy in IT and telecommunication. He holds the following certificates: ITIL Expert, ISO 20000, ISMS Lead Auditor and PRINCE2.