ITIL Underpinning Contract vs. ISO 20000 Supplier Contract – Similarities and differences

Most of the clients I work with are focused on their customers and the services they deliver to them. Accordingly, I always receive a bunch of questions related to the Service Level Agreement (SLA; i.e., the contract an organization has with its customers), which is reasonable. But, what I often witness is that many companies get into trouble with their suppliers because they quite often take them for granted and don’t pay much attention while defining relationships with them.

What does that mean? Well, the fact is that there are situations when your company can’t do everything by itself – you need someone to “jump in.” And, that’s OK. But, to be sure that you are managing third parties, there are a lot of elements that require a serious approach. Both ITIL and ISO 20000 can help you define (and document) your relationships with third parties (or, we usually say – suppliers). There are many common elements, but also some differences between ITIL and ISO 20000.

The motivational factor

First of all, you can have the best people managing your IT services throughout their lifecycle (from idea up to operational support in the live environment), including excellent relationships with suppliers, but experience says that sooner or later you will get into a dispute. For example, your understanding of requirements could be different, or the requirements for suppliers are not in line with the company’s responsibilities towards their customers… So, having a written agreement will define the “rules of the game” between you and your suppliers, as well as what to do if someone doesn’t stick to the rules.

Besides the fact that your agreement with a supplier defines your relationship with them, as well as related roles, responsibilities, activities, etc., it is also your basis for further evaluation. For example, if you need a supplier to deliver a certain functionality, check the database with all relevant data about all your suppliers and process the information. It will give you an idea of whom to work with and whom to avoid. Or, talk to colleagues who have experience with a targeted supplier. A prerequisite should be to have a documented agreement and, if possible, feedback or measurements of the supplier’s performance. When I say feedback, I remember a case when quality management inside my company sent a supplier satisfaction survey. Once all the feedback was gathered, we could access the results and gain useful information while evaluating a potential supplier.

Similarities and differences

ITIL and ISO 20000 have many common requirements (in the case of ISO 20000-1:2011, i.e., Service Management System requirements) and recommendations (in the case of ITIL best practice implementation). Here are a few areas covered by both ITIL and ISO 20000, as an example:

  • Service – includes a description of (service-related) requirements towards suppliers, scope of what needs to be delivered by the supplier, and service targets
  • Organization and communication – includes a communication matrix, interfaces between the two companies, and integration of activities of both parties
  • Management and finances – includes charging and measurement

Well, when we talk about differences, the biggest one is naming. ITIL uses “Underpinning Contract” as the document name (for the document that regulates relationships between IT service providers and suppliers), whereas ISO 20000 uses “Contract” (which is, according to its application, named “Supplier Contract”). Additionally, ITIL emphasizes integration of the Supplier Management process (and, consequently, the appropriate contract) with other processes in the scope of ITSM, while ISO 20000 does not. ISO 20000, in turn, emphasizes the role of sub-suppliers and the IT organization’s obligation to control them.

The content

Let’s see what would be the usual content of the Supplier Agreement. As usual, ISO 20000 sets quite direct requirements about the content of such an agreement (which you need to include if you want to be ISO 20000 certified), while ITIL gives reasoning and details on how to implement it. Besides the ISO 20000 requirements and ITIL recommendations, experience shows that the usual content of the supplier agreement is as follows:

  • Operational processes – if your supplier is involved in your ITSM processes – define the process. That could be, e.g., the Incident Management process or the Change Management process.
  • Contacts and communication – as already stated, ISO 20000 and ITIL are quite demanding in having a clear picture of who is doing what, i.e., who is responsible for what. After all, it’s in everyone’s best interest to have a clear definition of roles and related responsibilities.
  • Performance (evaluation) – when we are talking about performance, the guideline would be – whatever you signed in the SLA, you need to be even stricter towards your supplier. Of course, only if that’s possible. For example, if you agreed with your customer (in the SLA) that incidents of priority 2 will be resolved in 4 hours, then you need to require your supplier to resolve the same incidents in, e.g., 3 hours. Just as you are obliged towards your customers to deliver certain performance – so you need to require that from your suppliers. Measure and review the results.
  • Contract review – that could occur regularly (as mentioned above – measuring the performance of the supplier and comparing it to the agreement), or upon the contract’s extension date. If you are reviewing your supplier regularly, you can include the supplier’s performance or fulfillment of any other terms and obligations. On renewal of the contract, scope of cooperation and scope of the service supported will be reviewed first (together with feedback on that particular supplier).
  • Formal meetings – just as you do with your customer, you will regularly meet with your supplier. If it’s included in the agreement – it’s official.

Customer, in the background

Why bother with all these details, someone could ask? Well, if you have a supplier who has been cooperating with you for a longer time, then an agreement may seem obsolete. But, even in that situation, you should keep in mind that your company is on the front line towards your customers. If everything is OK with the services you deliver – no one will complain. But, if something goes wrong, your customers will not care whose fault it really is. For them, the answer is clear – it’s yours. And that’s logical because they have the agreement with you.

Whether you can do everything by yourselves, or you need someone else – they don’t care. So, it’s your job and responsibility to protect the services you deliver, and certainly your company’s. An agreement with your suppliers is the right approach. And, sometimes, the only thing you can do.

Branimir Valentic
Branimir is an expert in IT service management (consultancy, training and tools), IT governance (training and consulting), project management and consultancy in IT and telecommunication. He holds the following certificates: ITIL Expert, ISO 20000, ISMS Lead Auditor and PRINCE2.