ISO/IEC TR 20000-17:2024

Technical
Report
ISO/IEC TR
20000-17
First edition
Information technology — Service
2024-10
management —
Part 17:
Scenarios for the practical application
of service management systems based
on ISO/IEC 20000-1:2018
Technologies de l'information — Gestion des services —
Partie 17: Scénarios pour l'application pratique des systèmes de
gestion des services sur la base de l'ISO/IEC 20000-1:2018
Reference number
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2024 – All rights reserved
ii
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Overview of ISO/IEC 20000-1:2018 . 1
5 Scenario-based examples . 3
5.1 Introduction to the scenarios .3
5.2 What types of services can be used with ISO/IEC 20000-1? .4
5.3 Can an SMS be sustainable? .7
5.4 Can an SMS be used with different methods, frameworks and technologies? .8
5.5 Who can be assigned as top management? .11
5.6 What is the difference between the many types of requirements in ISO/IEC 20000-1? .11
5.7 How does risk management fit within an SMS? .16
5.8 What are the four types of resources in ISO/IEC 20000-1? .21
5.9 How are suppliers managed within an SMS? . 23
5.10 Where is project management used within an SMS? . 25
5.11 What is organizational change management and how does it fit within an SMS? .27
5.12 How do change management activities operate within an SMS? . 29
5.13 Is it possible to be creative and innovative within an SMS? .31
5.14 How does continuous learning and feedback relate to an SMS? . 33
5.15 How does remote working impact the SMS? . 34
5.16 Can an SMS be used together with other management system standards? . 39
Annex A (informative) ISO/IEC 20000-1 clauses . 41
Bibliography .44

© ISO/IEC 2024 – All rights reserved
iii
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/
IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 40, IT Service Management and IT Governance.
A list of all parts in the ISO/IEC 20000 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

© ISO/IEC 2024 – All rights reserved
iv
Introduction
This document provides scenarios, explanations and examples for the practical application of service
management systems (SMS) based on ISO/IEC 20000-1:2018.
These scenarios have arisen from comments resulting from the practical usage of ISO/IEC 20000-1:2018
over the years since its publication. These comments provided evidence of apparent misconceptions and a
lack of knowledge about how ISO/IEC 20000-1:2018 and an SMS can be applied.
This document aims to support users of ISO/IEC 20000-1:2018 in its application to establish and improve
an SMS using examples of practical situations. The list of scenario-based examples in this document is not
exhaustive and other scenarios are possible.

© ISO/IEC 2024 – All rights reserved
v
Technical Report ISO/IEC TR 20000-17:2024(en)
Information technology — Service management —
Part 17:
Scenarios for the practical application of service management
systems based on ISO/IEC 20000-1:2018
1 Scope
This document provides scenarios, explanations and examples for the practical application of service
management systems (SMS) based on ISO/IEC 20000-1:2018. These scenarios provide examples of situations
in which an SMS can be used and how the requirements of ISO/IEC 20000-1:2018 can be applied.
This document can be used with ISO/IEC 20000-1 as well as with ISO/IEC 20000-2, ISO/IEC 20000-3,
ISO/IEC TS 20000-5 and other parts of the ISO/IEC 20000 series.
This document is aimed at:
a) organizations that are intending to implement an SMS based on the requirements of ISO/IEC 20000-1;
b) organizations that have already implemented an SMS based on the requirements of ISO/IEC 20000-1;
c) consultants, trainers and other experts supporting these organizations.
This document does not add to, change or replace any of the requirements in ISO/IEC 20000-1. This document
is not intended to be used for a conformity assessment.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 20000-1, Information technology — Service management — Part 1: Service management system
requirements
ISO/IEC 20000-10, Information technology — Service management — Part 10: Concepts and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 20000-1 and
ISO/IEC 20000-10 apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
4 Overview of ISO/IEC 20000-1:2018
ISO/IEC 20000-1 specifies requirements for establishing, implementing, maintaining and continually
improving an SMS. An SMS supports the management of the service lifecycle, including the planning, design,

© ISO/IEC 2024 – All rights reserved
transition, delivery and improvement of services, which meet agreed requirements and deliver value for
customers, users and the organization delivering the services. The organization in the scope of the SMS can
be a whole or part of a larger organization. The organization in the scope of the SMS can also be known as
the service provider.
ISO/IEC 20000-1 is intentionally independent of specific guidance. The organization can use a combination
of generally accepted frameworks and its own experience. Appropriate tools for service management can be
used to support the SMS.
All requirements specified in ISO/IEC 20000-1 are generic and are intended to be applicable to all
organizations, regardless of the organization’s type or size, or the nature of the services delivered. For
example, the services can be in the field of information technology (IT), business process outsourcing or
facilities management. While ISO/IEC 20000-1 can be used "regardless of the organization’s type or size,
or the nature of the services delivered", ISO/IEC 20000-1 has its roots in IT. It is intended for service
management of services using technology and digital information. The examples given in this document
illustrate a variety of uses of ISO/IEC 20000-1.
Exclusion of any of the requirements in ISO/IEC 20000-1:2018, Clauses 4 to 10, is not acceptable when the
organization claims conformity to ISO/IEC 20000-1, irrespective of the nature of the organization.
The organization cannot demonstrate conformity to the requirements specified in ISO/IEC 20000-1 if other
parties, such as suppliers, are used to provide or operate all services, all service components or all processes
within the scope of the SMS.
Figure 1 illustrates an SMS showing the clause content of ISO/IEC 20000-1. Numbers in parentheses in
Figure 1 indicate ISO/IEC 20000-1 clause numbers.

© ISO/IEC 2024 – All rights reserved
Figure 1 — Service management system
5 Scenario-based examples
5.1 Introduction to the scenarios
The scenarios, explanation and examples listed in this document are many and varied. Some are complex
and some are simple. Some relate to a single clause and others relate to multiple clauses in ISO/IEC 20000-1.
Each scenario has a title in the form of a question and an introduction. It is followed by explanation and
examples of how this scenario can be applied within an SMS. The relevant clause numbers of ISO/IEC 20000-1
at their lowest level are also shown. All clause numbers include their subclauses. See Annex A for a list of the
ISO/IEC 20000-1 clause numbers and titles.

© ISO/IEC 2024 – All rights reserved
5.2 What types of services can be used with ISO/IEC 20000-1?
Requirements for services contained in ISO/IEC 20000-1 are independent of service size, type, location
or characteristics and therefore can be applied to all services defined in an organization’s SMS. Services
provided by organizations that are managed in an SMS can have a variety of configurations. They can be
simple services or bundled services, depending on the needs of the customers. In addition, many services
and their components are a combination of internally provided and externally provided services. See Table 1.
Table 1 — Using ISO/IEC 20000-1 for different types of services
Topic ISO/IEC 20000-1:2018 clause
number
Can ISO/IEC 20000-1 be used with micro, aggregated, centralized, decentral- Clauses 4 – 10
ized or distributed services?
The requirements in ISO/IEC 20000-1 for managing services through an effective
SMS apply to all types of services regardless of their configuration, size or com-
plexity, or whether they are provided by internal or external service providers. A
service can be provided, supported and consumed from any location. Whether a
service is micro, aggregated, centralized, decentralized or distributed, it is critical
for each service component to be defined and documented for planning, imple-
menting, maintaining, improvement and retirement purposes. Examples of micro,
aggregated, centralized, decentralized and distributed services are:
— micro: the "buy" button when purchasing a product online;
— aggregated: an online banking service where all accounts for one user can be
accessed from one page;
— centralized: a centralized IT network where all users connect to a single
central server;
— decentralized: customers receive energy supplies from multiple sources;
— distributed: mobile phone networks which use multiple base stations to
provide connectivity.
Although all clauses are relevant to operating, supporting, measuring and improv-
ing the services defined in the SMS, of significance is configuration management
and its requirements to define services as configuration items (CIs). Each service
is comprised of multiple CIs which can include other internally or externally pro-
vided services, technical components, service support groups, service consumer
groups, facilities and documentation.
Once services have been defined in the SMS, their configurations and CI relation-
ships can be defined as well. This ensures that if there is an addition, modification
or removal of any service within the SMS, all requirements in ISO/IEC 20000-1 can
more easily be addressed and met.
In summary, ISO/IEC 20000-1 is applicable to all services defined in an SMS re-
gardless of:
— size: micro to large;
— composition: single or aggregated (comprised of multiple CIs or components);
— service provision source: centralized, decentralized or distributed services
provided internally or externally;
— service consumption source: internal or external customers/users.
Can ISO/IEC 20000-1 be used with bundled services? Clauses 4 – 10
An example of a bundled service configuration is an online banking application
provided by a banking organization. This service includes multiple service and
technology components and is used by the bank’s customers. Examples of bundled
services include:
© ISO/IEC 2024 – All rights reserved
TTabablele 1 1 ((ccoonnttiinnueuedd))
Topic ISO/IEC 20000-1:2018 clause
number
— online banking application: the service component that processes online
banking transactions;
— support group: an internally-provided technical micro service;
— network services: the group that supports and enables enterprise network
and internet connectivity;
— internet service provider: an externally provided service to connect the
organization to the internet and which provides consumer access to the
online banking application;
— web hosting service: an externally-provided service that hosts the website of
the banking organization;
— internal service desk: provides first line support services to the staff of the
bank;
— customer service desk: provides technical support services to the customers
using the online banking application.
Each service listed can be considered micro to large depending upon the size of
the organization and can be centralized or decentralized depending upon the
requirements of the organization. In some cases, components of a bundled service
can also be known as underpinning services or can be bundled services them-
selves.
As a bundled service, each service and component is subject to the requirements of
ISO/IEC 20000-1. Due to the defined relationships between the services and com-
ponents within a bundle, any introduction, modification or removal of a service in
the bundle can affect other parts. These actions, for example, can be the result of a
modification to the context of the organization, a leadership decision or a change
to an externally provided service.
Management of change is essential for bundled services, to ensure that the impact
of any introduction, modification or removal of a service or component in the bun-
dle is assessed, and that changes are appropriately approved and controlled in line
with the requirements of ISO/IEC 20000-1.
A robust integrated service management toolset can support all service manage-
ment activities including the management of service definitions and CI relation-
ships within a service. This includes bundled services like the example above. Each
service is defined as a CI with its relationship to other CIs. Service management
tools can provide a visual service mapping allowing a view of the CI connectivi-
ty within a service bundle and any relationships to other services in the SMS. Of
equal importance is the storage of, or link to, service-related documentation.

© ISO/IEC 2024 – All rights reserved
TTabablele 1 1 ((ccoonnttiinnueuedd))
Topic ISO/IEC 20000-1:2018 clause
number
Can ISO/IEC 20000-1 be used with cloud-based services? 8.2.6
There are cloud-based services that provide requirements management, version 8.3.4
control, reporting, task management, build, test and release management capabil-
8.4.3
ities. The cloud-based services can cover the complete application lifecycle. When
8.5.1
deciding to use a cloud-based service, consider the requirements including the
8.6.1, 8.6.3
following points dependent on the context.
8.7.1, 8.7.2, 8.7.3
a) Supplier management: are regular supplier reviews carried out to ensure
functional requirements, service levels and performance requirements are
met and concerns are discussed?
b) Service availability management: how reliable is the service? Can the
customer’s service levels be achieved?
c) Capacity management: is there enough to meet the customer’s demands,
accounting for peaks in the service or development lifecycle?
d) Service continuity management: what is the supplier’s data back-up and
restore process? Does it meet the customer’s requirements? How often is this
tested?
e) Configuration management: how will the service manage new baselines?
f) Change management: what process is used, what is the approval mechanism?
g) Incident and problem management: what is the process for raising an incident
or problem?
h) Information security management: is the information secure in the cloud
service?
© ISO/IEC 2024 – All rights reserved
5.3 Can an SMS be sustainable?
Guided by the UN 2030 agenda for sustainable development and its sustainability development goals
(SDGs), organizations around the globe are adopting initiatives in areas that are crucial for the planet
across environmental, social and economic pillars. ISO/IEC 20000-1 specifies an SMS for managing services
across the lifecycle, by providing visibility, control and continual improvement. An SMS, as an element of the
management of services, can include support across all of the three sustainability pillars. See Table 2.
Table 2 — Sustainability within an SMS
Topic ISO/IEC 20000-1:2018 clause
number
Building sustainability into the SMS 4.1, 4.2
ISO/IEC 20000-1 specifies requirements for managing services across lifecycle stages 5.1, 5.2
of planning, support, operation, performance evaluation and improvement of services
6.1, 6.2, 6.3
to fulfil service requirements and deliver value.
8.2.3
Top management ensures that the organization’s sustainability vision and plan are
8.3.2
applied to the SMS through appropriate inclusions in the service management policy,
service management objectives and service management plan.
Organizations can utilize the SMS to identify sustainability goals and legal or regula-
tory requirements applicable to service management, such as data centre greenhouse
gas emissions disclosure.
Any customer requirements for sustainability are taken into account for the SMS.
These can be discussed at customer reviews.
A sourcing strategy can be used to set out the requirements when selecting and
managing suppliers, taking into account alignment to the organization’s goals or
customer requirements for sustainability. Planning the SMS and designing services
includes identification and management of risks and opportunities around social and
environmental elements (e.g. health risks, carbon footprint). These also consider the
impact on economic aspects.
Improvements can arise from optimized IT asset utilization, responsible procurement,
sustainable supplier management, and improving IT facilities operations manage-
ment in terms of electricity, water and HVAC (heating, ventilation, air conditioning)
consumption and other actions that are relevant for the organization.
a
See ISO/IEC TS 20000-16:— for information on sustainability with service man-
agement.
Environmental aspects 8.1
An SMS can enable a sustainable supply chain through procurement practices with 8.2.5
evaluation and selection of appropriate suppliers and supplier performance mon-
8.3.4
itoring, for example, supplier policies for waste management, carbon neutrality,
8.4.2, 8.4.3
estimated lifetime cost of energy consumption of new equipment.
8.5.2
Asset management ensures that assets used to deliver the services are managed
according to legal and regulatory requirements and contractual obligations which
can include sustainability requirements, for example, selection of assets with min-
imum eco-footprint, asset tracking, re-use and effective disposal.
ISO/IEC 20000-1 requires demand management and capacity management to fore-
cast and manage capacity requirements as well as to monitor and optimize service
performance. An organization can design its services to use components that have
minimum environmental impact and optimized utilization enabling sustainabil-
ity, for example, to reduce energy consumption per service and reduce resource
requirements (e.g. CPU, memory, storage per service).

© ISO/IEC 2024 – All rights reserved
TTabablele 2 2 ((ccoonnttiinnueuedd))
Topic ISO/IEC 20000-1:2018 clause
number
Social aspects 7.1, 7.2, 7.3
Effective delivery of an SMS strategy which includes sustainability requires 8.2.3
allocation of human resources with the right awareness, skills and competency
8.3.4
levels to implement the sustainability vision, plan and actions designed within the
SMS. The cultures of the organization, sector and geography are also considered.
Supplier evaluation criteria and sustainability-related contractual obligations
influence supplier policies and actions (e.g. safe and secure working environment,
fair wages).
Economic aspects 8.4.1
ISO/IEC 20000-1 requires budgeting and accounting for services to enable effective
financial control and decision-making for services. Financial accounting can include
costs and cost savings from sustainability actions (e.g. asset reuse, circular economy).
Sustainable procurement and consumption practices affect service costs. Budgeting
and accounting includes monitoring and reporting on actual costs against budget
(e.g. asset reuse, circular economy).
a
Under preparation. Stage at the time of publication: ISO/IEC DTS 20000-16:2024.
5.4 Can an SMS be used with different methods, frameworks and technologies?
The service management and technology environment is constantly changing. That does not mean
that ISO/IEC 20000-1 needs to constantly change with each of these increments. The requirements in
ISO/IEC 20000-1 are generic and can be used with all types of methods, frameworks and technology. These
are unique to each organization and will impact how the SMS and the services are designed. See Table 3.
Table 3 — Operating an SMS with different methods, frameworks and technologies
Topic ISO/IEC 20000-1:2018 clause
number
The SMS and technology 1.2
ISO/IEC 20000-1 has been written as a generic International Standard that can
be applied regardless of the nature of services delivered or the type or size of
the organization. Even though the title of the document specifies “information
technology”, it is about managing the services and the technology used to deliver
the services, rather than about defining the technology used. ISO/IEC 20000-1 has
been applied in a wide range of services, including pure IT services (e.g. internet
services) and services using digital information (e.g. forestry management servic-
es). At the same time, hardly any services today do not make use of an IT compo-
nent, even if just for payment or registration to the services.

© ISO/IEC 2024 – All rights reserved
TTabablele 3 3 ((ccoonnttiinnueuedd))
Topic ISO/IEC 20000-1:2018 clause
number
The SMS and methodologies/frameworks/tools 1.2
Increasingly, organizations adopt service delivery practices that aim for faster
value creation for customers. Like technologies, the requirements in ISO/IEC
20000-1 are also independent of the methodology, products or tools used to imple-
ment and manage the SMS or provide the services. ISO/IEC 20000-1 specifies what
the organization is required to do, not how it is done.
Detailed guidance to manage an SMS and the services can be found in frameworks
a b
such as ITIL® and process reference models such as CMMI® for Services. There
c d e
are many others that can be considered, such as FitSM®, COBIT® and VeriSM®.
Frameworks such as Lean, Agile or DevOps, or a combination of these, can be used
to support the management of services.
An organization can even choose to provision services using their own framework
or no framework at all; the nature of the services with the size and maturity of the
organization determines what is most appropriate.
When multiple suppliers are used, the organization can choose to utilize service
TM f
integration and management, SIAM , which provides a framework to manage
multiple suppliers centrally using a service integrator function.
For more information, see:
— ISO/IEC TS 20000-11 for guidance on using ITIL with an SMS;
— ISO/IEC TS 20000-14 for guidance on using SIAM with an SMS;
— ISO/IEC 20000-3 for examples of the use of a service integrator with an SMS;
— ISO/IEC TS 20000-15 for guidance on using Agile and DevOps with an SMS.
The ISO/IEC 20000 Handbook: IT service management – A practical guide, also
contains useful information on this topic.
The SMS and digital transformation 4
Digital disruption has escalated and the speed of change is evident across indus- 6
tries resulting in new business models. The use of digital technologies in business
7.6
services and the need to adapt the organization to them is referred to as digital
8.3.2, 8.3.3
transformation.
8.7.2
Digital transformation can include the use of basic technologies such as process
automation or advanced technologies (e.g. cloud computing, software-defined
infrastructure, internet-of-things (IoT) and artificial intelligence (AI)).
The common aspects of current digital transformation technologies suggest the
following:
— rapidly changing business models present benefits and challenges to the SMS,
providing stability and reliability to assure business and service continuity,
while simultaneously offering flexibility and agility to respond to changing
business demands;
— the SMS has to focus first on knowledge of the business and service objectives
and second on enabling processes and tools;
— in a significant change in customer expectations, success is all about the
customer experience as judged by the customers themselves, indicating that
an “outside-in” perspective is essential when designing and improving the
SMS;
— services are most effective when defined from the perspective of the end-to-
end business processes and when they include all the components that enable
delivery of the services beyond the technologies that enable it;
— the organization addresses the risk that services will increasingly rely on
complex and sophisticated technologies.

© ISO/IEC 2024 – All rights reserved
TTabablele 3 3 ((ccoonnttiinnueuedd))
Topic ISO/IEC 20000-1:2018 clause
number
See the ISO/IEC 20000 Handbook: IT service management – A practical guide, for
useful information on this topic.
Example: Process automation 8.3.2
The incident management requirement in ISO/IEC 20000-1 is just one example 8.6.1
of a process that can benefit from this type of automation. For some services, the
process of opening, resolving and closing incidents can be automated, removing
the need for human intervention.
For example, a cloud-based service can have automation in place that collects
events from the servers and storage to decide, based on specific rules, to switch
over to backup processing and storage if the primary servers become unavailable.
Automation can create an incident ticket for this event, switch over the systems to
backup, test the availability of the services and, if successful, resolve and close the
incident, noting the action taken to restore the services. With the agreed policies
and processes in place, process automation can speed up incident resolution and
as a result, enhance the customer experience. It is important to ensure that the
organization is able to demonstrate evidence of meeting the requirements of ISO/
IEC 20000-1 when process automation is put in place.
a
ITIL® is a registered trade mark and product owned by AXELOS Limited. This information is given for the conven-
ience of users of this document and does not constitute an endorsement by ISO or IEC of the product named. Equiva-
lent products may be used if they can be shown to lead to the same results.
b
CMMI® is a registered trademark of the CMMI Institute, LLC. This information is given for the convenience of users
of this document and does not constitute an endorsement by ISO or IEC of the product named. Equivalent products
may be used if they can be shown to lead to the same results.
c
FitSM® is a registered trademark of ITEMO. This information is given for the convenience of users of this docu-
ment and does not constitute an endorsement by ISO or IEC of the product named. Equivalent products may be used
if they can be shown to lead to the same results.
d
COBIT® is a registered trademark of ISACA. This information is given for the convenience of users of this docu-
ment and does not constitute an endorsement by ISO or IEC of the product named. Equivalent products may be used
if they can be shown to lead to the same results.
e
VeriSM® is a registered trademark of IFDC. This information is given for the convenience of users of this document
and does not constitute an endorsement by ISO or IEC of the product named. Equivalent products may be used if
they can be shown to lead to the same results.
f
SIAM™ is the trademark of a product supplied by EXIN. This information is given for the convenience of users of
this document and does not constitute an endorsement by ISO or IEC of the product named. Equivalent products may
be used if they can be shown to lead to the same results.
NOTE  Within SIAM, the term "supplier" is referred to as "service provider".

© ISO/IEC 2024 – All rights reserved
5.5 Who can be assigned as top management?
Top management is a term used in ISO/IEC 20000-1 and other management system standards. This can be a
point of confusion about what exactly is meant and who can take up the role. See Table 4.
Table 4 — Top management within an SMS
Topic ISO/IEC 20000-1:2018 clause
number
Top management 5.1
Top management is defined in ISO/IEC 20000-1:2018, 3.1.21, as "person or group 5.2.1
of people who directs and controls an organization at the highest level.
5.3
Note 1 to entry: Top management has the power to delegate authority and provide
8.6.1
resources within the organization.
9.3
Note 2 to entry: If the scope of the management system covers only part of an or-
ganization, then top management refers to those who direct and control that part
of the organization."
Top management can be one person or a group of people with specific responsibil-
ities. The key is in Note 1 to entry of the definition – that they have the power to
delegate authority and provide resources.
For a small organization or an organization where the provision of services is the
whole organization, top management is the person or board at the top of the or-
ganization. For a large organization, as stated in Note 2 to entry of the definition,
top management is the top of the relevant part of the organization in scope of the
SMS (e.g. the top of the IT service department if that is the scope of the SMS).
Where SIAM is involved, if the customer organization is the scope of the SMS, then
top management is in the customer organization. If the SIAM supplier is the scope
of the SMS, then top management is in the SIAM supplier.
It is not possible to outsource the role of top management who always remain
accountable for the SMS and delivery of services. Top management has specific
responsibilities for leadership and management review. In addition, for major inci-
dents, top management are kept informed.
Refer to ISO/IEC 20000-2 and ISO/IEC TS 20000-5 for other useful information
about the role of top management. Refer to ISO/IEC TS 20000-14 for guidance on
using SIAM with an SMS.
5.6 What is the difference between the many types of requirements in ISO/IEC 20000-1?
There are many types of requirements in ISO/IEC 20000-1. These include general requirements (referred to
hereafter as "shall statements"), service requirements and capacity requirements. To establish an SMS, it is
important to understand the difference between the different type of requirements. See Table 5.
Table 5 — Different types of requirements in ISO/IEC 20000-1
Topic ISO/IEC 20000-1:2018 clause
number
"Shall statements" Clauses 4 – 10
In ISO/IEC documents, the language used is significant. The following verbal forms
are used to indicate specific provision types:
a) “shall” indicates a requirement;
b) “should” indicates a recommendation;
c) “may” indicates a permission;
d) “can” indicates a possibility or a capability.

© ISO/IEC 2024 – All rights reserved
TTabablele 5 5 ((ccoonnttiinnueuedd))
Topic ISO/IEC 20000-1:2018 clause
number
Information marked as “NOTE” is for guidance in understanding or clarifying the
associated requirement.
A "shall statement" indicates a requirement that needs to be met by an organization
if it wants to demonstrate conformity to the document. For example, the simple
statement "The organization shall retain documented information on the service
management objectives" requires an organization to be able to provide evidence of
the documentation about the service management objectives to demonstrate con-
formity to this requirement.
ISO/IEC 20000-1:2018, 4.4. states "The organization shall establish, implement,
maintain and continually improve an SMS, including the processes needed and their
interactions, in accordance with the requirements of this document."
Similarly in ISO/IEC 20000-1:2018, 5.3, top management assigns responsibility and
authority for "ensuring that the SMS conforms to the requirements of this docu-
ment."
The phrase "requirements specified in this document" is also referred to in planning
for the SMS and for documentation. Internal audit requirements in ISO/IEC 20000-
1:2018, 9.1, state the need to check that the SMS conforms to "the requirements of
this document."
For control of parties involved in the service lifecycle, ISO/IEC 20000-1:2018,
8.2.3.1, states "The organization shall retain accountability for the requirements
specified in this document and the delivery of the services regardless of which party
is involved in performing activities to support the service lifecycle."
In all these cases, the requirements are referring to the "shall statements" in the
document. It is the "shall statements" which refer to the other types of requirements
which are explained below.
The other verbal forms (should, can, may) do not indicate requirements and organ-
izations do not need to demonstrate conformity to these. However, conformity to
them is likely to be useful.
The definition of service management in ISO/IEC 20000-1:2018, 3.2.22 has a useful
note referring to requirements: "This document provides a set of requirements that
are split into clauses and subclauses. Each organization can choose how to combine
the requirements into processes. The subclauses can be used to define the processes
of the organization’s SMS."
Requirements (overview) 4.2
A requirement is defined in ISO/IEC 20000-1:2018, 3.1.19, as a "need or expectation 4.3
that is stated, generally implied or obligatory." The first two notes which accompany
5.2.1
this definition are important:
6.1.1
"Note 1 to entry: “Generally implied” means that it is custom or common practice for
6.2.1
the organization and interested parties that the need or expectation under consid-
8.1
eration is implied.
8.3.4.1
Note 2 to entry: A specified requirement is one that is stated, for example, in docu-
mented information."
© ISO/IEC 2024 – All rights reserved
TTabablele 5 5 ((ccoonnttiinnueuedd))
Topic ISO/IEC 20000-1:2018 clause
number
There are many places in ISO/IEC 20000-1 which refer to requirements generically.
For example, in ISO/IEC 20000-1:2018, 4.2, "The organization shall determine the rel-
evant requirements of these interested parties" followed by a note stating that these
requirements can be of various types such as service, legal, regulatory or contractual
obligations.
These requirements from ISO/IEC 20000-1:2018, 4.2, are then referred to again to
ensure that the requirements are carried through when determining the scope of the
SMS as well as the risks and opportunities.
There is a requirement that the service management policy "includes a commitment
to satisfy applicable requirements." Similarly, "applicable requirements" are to be
taken into account when setting service management objectives. These "applicable
requirements" are those identified in ISO/IEC 20000-1:2018, 4.2, as well as all other
requirements within the document as relevant to the service management policy and
objectives. Operational planning and control requirements are covered in "plan, im-
plement and control the processes needed to meet requirements" and "establishing
performance criteria for the processes based on requirements." These requirements
are as above, i.e. gathered from looking at the context of the organization and all others
within the document.
Management of external suppliers refers to "requirements to be met by the external
supplier." These are very specific requirements that will vary depending on the service
or product that is being purchased from the external supplier (e.g. service targets,
product specification, information security requirements).
SMS requirements 4.2, 4.4
The SMS requirements are those built into the design and establishment of the SMS. 5.1 f), 5.1 h)
The SMS is established to meet the requirements of ISO/IEC 20000-1. How this is
7.3
done is different for each organization according to their own processes, policies
9.2.1 a) 1)
and services. The SMS requirements are embodied in the plans, policies, processes
and procedures that make up the SMS.
There is a critical requirement for top management to ensure "the integration of
the SMS requirements into the organization’s business processes." This means that
the SMS is not just an add-on to the normal business activities, but is integrated into
them. The internal audit process is required to check for conformity to "the organi-
zation’s own requirements for its SMS".
Ensuring awareness of the SMS requirements including the benefits and implica-
tions of not meeting them is important.
Service requirements 4.2, 4.3
Service requirements are defined in ISO/IEC 20000-1:2018, 3.2.26, as "needs of cus- 5.1 b)
tomers, users and the organization related to the services and the SMS that are stated
6.1.2 a) 2), 6.3
or obligatory
7.1 , 7.5.4 f)
Note 1 to entry: In the context of an SMS, service requirements are documented and
8.2
agreed rather than generally implied. There can also be other requirements such as
8.3
legal and regulatory requirements."
8.4.3
ISO/IEC 20000-1 frequently refers to service requirements. Examples are service level
8.5
targets, hours of service, functionality and information security.
8.7
The design of new or changed services includes requirements for "changes to human,
technica
...