ITIL & ISO 20000 Blog

Deji Dayspring

List of mandatory documents required by ISO 20000-1 (2018 revision)

The revision of ISO/IEC 20000-1, published September 2018, now aligns with the high-level structure used for most management system standards like ISO/IEC 27001, ISO 22301, ISO 9001, etc. Thus, it suffices to say that there would be alterations to the structure and presentation of the required documents and records. One might ask, are there many more or fewer documents required? Which ISO/IEC 20000-1 documents are mandatory in the 2018 version?

Mandatory documents and records required by ISO/IEC 20000-1:2018

blogpost-banner-20000-consultants-en

Here are the documents you need to produce if you want to be compliant with ISO/IEC 20000-1:2018:

  • Scope of the Service Management System (SMS) (clause 4.3)
  • Service management policy and objectives (clauses 5.2 and 6.2)
  • Risk assessment and management for the SMS (clause 6.1.2)
  • Service management plan (clause 6.3)
  • Change management policy (clauses 7.5.4 d and 8.5.1.1)
  • Information security policy (clauses 7.5.4 d and 8.7.3.1)
  • Service continuity plan(s) (clauses 7.5.4 d and 8.7.2)
  • Processes of the organization’s SMS (clause 7.5.4 e)
  • Service requirements (clauses 7.5.4 f, 8.2.2, and 8.3.3)
  • Service catalogue(s) (clauses 7.5.4 g and 8.2.4)
  • Service level agreement(s) (clauses 7.5.4 h and 8.3.3)
  • Contract(s) with external suppliers (clauses 7.5.4 i and 8.3.4.1)
  • Agreements with internal supplier(s) or customers acting as a supplier (clauses 7.5.4 j and 8.3.4.2)
  • Services that are provided or operated by other parties (clause 8.2.3.1a)
  • Service components that are provided or operated by other parties (clause 8.2.3.1b)
  • Processes, or parts of processes, in the organization’s SMS that are operated by other parties (clause 8.2.3.1c)
  • Customers, users and other interested parties of the services provided (clause 8.3.2)
  • Release acceptance criteria (clause 8.5.3)
  • Risks for service availability, service continuity and information security (clauses 8.7.1, 8.7.2, and 8.7.3.2)
  • Procedure for classifying and managing a major incident (clause 8.6.1)
  • Procedure for continuing operations in the event of a major loss of service (clause 8.7.2 b)
  • Procedure for restoring normal working conditions after service disruption (clause 8.7.2 e)
  • Capacity requirements (clause 8.4.3)
  • Design of new or changed services (clause 8.5.2.2)
  • Service availability requirements and targets (clause 8.7.1)

List of mandatory documents required by ISO 20000-1 (2018 revision)

And here are the mandatory records:

  • Records of training, skills, experience and qualifications (clause 7.2)
  • Results of service availability monitoring (clause 8.7.1)
  • Configuration information (clause 8.2.6)
  • Records of any service complaints (clause 8.3.2)
  • Records of any disputes between the organization and external suppliers (clause 8.3.4.1)
  • Request for change (clause 8.5.1.2)
  • Incidents (clause 8.6.1)
  • Service requests (clause 8.6.2)
  • Problems (clause 8.6.3)
  • Known errors (clause 8.6.3)
  • Test results of service continuity plan(s) (clause 8.7.2)
  • Information security incidents (clause 8.7.3.3)
  • Monitoring and measurement results (clause 9.1)
  • Internal audit program (clause 9.2)
  • Results of internal audits (clause 9.2)
  • Results of the management review (clause 9.3)
  • Results of corrective actions (clause 10.1)
  • Opportunities for improvement (clause 10.2)

Learn more about what else is new in the ISO 20000 2018 revision in the blog post Infographic: ISO 20000:2011 vs. ISO 20000:2018 revision – What has changed.

Other documents

There are other documents that can be used for ISO/IEC 20000-1 implementation. Usage might vary from organization to organization based on complexity and structure. However, I find these documents to be most commonly used:

  • Procedure for determining context of the organization and interested parties (clauses 4.1 and 4.2)
  • Procedure for addressing risks and opportunities (clause 6.1)
  • Procedure for competence, training and awareness (clauses 7.1.2, 7.2, and 7.3)
  • Procedure for document and record control (clause 7.5)
  • Procedure for management of nonconformities and corrective actions (clauses 10.1)
  • Procedure for monitoring customer satisfaction (clause 8.3.2)
  • Procedure for internal audit (clause 9.2)
  • Procedure for management review (clause 9.3)

Safe way to develop adequate documentation and reduce the number of documents

There you have it. Using this documents and records guide, you should be well on your way towards developing adequate documentation that satisfies the requirements of the revised ISO/IEC 20000-1 standard. In addition, the high-level structure adopted in this revision reduces the number of documents required, especially when implementing within an environment that already has management systems like ISO/IEC 27001 and ISO 22301 running.

To see how long it takes to implement all of these documents, use this ISO 20000 implementation duration calculator.


About the author:

Deji Dayspring is a seasoned IT Professional, specializing in Service Management and IT Compliance relating to ISMS & BCMS. He holds a MSc. in Computing & Information Technology with experience in implementing and auditing management systems. He is also certified to best practice standards and frameworks including ITIL Practitioner, ISO/IEC 20000(2011) Practitioner, and Auditor. Known for his ability to grasp business needs, he translates them to clear, concise specifications for operational implementation. This directly translates to the successful implementation of more than 12 ISO certification projects that cut across various industrial sectors including finance, telecoms, and electronic payments.

If you enjoyed this article, subscribe for updates

Improve your knowledge with our free resources on ISO 20000 and ITIL standards.

You may unsubscribe at any time.

For more information on what personal data we collect, why we need it, what we do with it, how long we keep it, and what are your rights, see this Privacy Notice.

OUR CLIENTS

OUR PARTNERS

  • Advisera is Exemplar Global Certified TPECS Provider for the IS, QM, EM, TL and AU Competency Units.
  • ITIL® is a registered trade mark of AXELOS Limited. Used under licence of AXELOS Limited. All rights reserved.
  • DNV GL Business Assurance is one of the leading providers of accredited management systems certification.