Get 30% off on toolkits, course exams, and Conformio yearly plans.
Limited-time offer – ends April 25, 2024
Use promo code:

Process to obtain ISO/IEC 20000 certification: Companies and individuals

Certification of companies

For an Organization to obtain the ISO/IEC 20000 certification, it has to engage the services of a Certification Body. Well, what is a Certification Body? Is a company that is responsible for providing certificates to companies that request their services and comply with the requirements of the standard against which they want to become certified. Examples of Certification Bodies are: Bureau Veritas, BSI, SGS, etc.

The Certification Bodies must also comply with rules and requirements of another ISO: ISO 17021, and also must be audited and licensed by local entities that are known as Accreditation Bodies.

Each country has an Accreditation Body that is responsible for auditing Certification Bodies to ensure they meet the requirements of the reference standard.


Let´s look at the steps that are necessary in the process of ISO/IEC 20000 certification, following the guidelines set in ISO 17021:

1. Request: The company that wants to certify against ISO/IEC 20000 requests a proposal (for example, to the Certification Body BSI). The request must state information about the company: number of people involved in the scope, main lines of business, scope, etc. Based on this information, the Certification Body calculates the number of days required, and depending on the number of days sets the price of the proposal. Finally, the Certification Body sends the proposal to the company.

2. Certification Audit: If the company approves the ISO/IEC 20000 certification proposal, it then carries out the certification audit. This audit is basically composed of two phases:

  • Phase 1: The audit team prepares an Audit Plan, which must contain all issues to be reviewed at this phase. It will also identify persons who will interview, and date and time of all activities to be undertaken during the audit. The activities carried out in this phase are basically the review of documentation generated by the company, i.e. mainly procedures, technical instructions, etc., and everything related to Management System (PDCA). Also, the company will plan dates and activities that will take place in the next stage, phase 2. As a result of phase 1, the audit team will develop and deliver an audit report to the company, which reflects all the detected deviations. So, the purpose of the phase 1 audit, also called Documentation Review, is to check whether the documentation is compliant with ISO/IEC 20000.
  • Phase 2: As in phase 1, the audit team will prepare an Audit Plan for this phase, which will contain all the things to do and all the people involved. In this second phase the audit team will review everything that has been pending management system and PDCA + operational implementation of all ISO/IEC 20000 processes. As a result of this phase, an Audit Report is generated, which will contain all deviations from phase 2, plus the deviations that have not been treated in phase 1. Therefore, we can say that this report will be the final report of the certification audit. So, the purpose of the phase 2 audit, also called the Main Audit, is to check whether the activities and processes in a company are compliant with the standard and with the documentation. In other words, to check whether the SMS works.

These two phases are needed only in the first certification audit, and therefore are not present in the surveillance audits and audits of recertification.

3. Obtaining the Certificate: If the company addresses all deviations of the report presented by the audit team and presents the necessary evidence to the Certification Body, the Certification Body then releases a Decision Evaluation Report, and finally approves the granting of the certificate to the company. The most common issue is that the certificate is granted, but sometimes may be rejected, due to the immaturity of the system.

4. Surveillance Visits: An ISO certificate is valid for 3 years, during which time surveillance visits are conducted. That is, after the first certification audit, in the next 2 years the company will have to face further audits.

5. Recertification Audit: Finally, after 3 years, when the certificate expires, the company will have to face a recertification audit to maintain the certificate.

Certification of individuals

Like other individual certifications (CISA, CISM, ITIL®, etc), there is also the possibility to be a certified Auditor and Lead Auditor in ISO/IEC 20000 (ISO/IEC 20000 certification for individuals). And as in other personal certifications, to achieve this it is necessary to prove:

  • Previous experience auditing (specific number of days of auditing)
  • Training (related to management services)
  • Specific training in ISO/IEC 20000

Currently, there are not many companies certified in ISO/IEC 20000, so the demand for Auditors and Lead Auditors certified in ISO/IEC 20000 is low, but it is predicted that the situation will likely reverse in the next few years.

To make your certification path easier, check out this free checklist List of questions to ask your ISO 20000 certification body.

Advisera Antonio Jose Segovia
Antonio Jose Segovia
Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.