ISO/IEC TR 20000-3:2009
Information technology - Service management - Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1
ISO/IEC TR 20000-3:2009 provides guidance on scope definition, applicability and demonstration of conformance for service providers aiming to meet the requirements of ISO/IEC 20000-1, or for service providers who are planning service improvements and intending to use ISO/IEC 20000 as a business goal. It can also assist service providers who are considering using ISO/IEC 20000-1 for implementing a service management system (SMS) and who need specific advice on whether ISO/IEC 20000-1 is applicable to their circumstances and how to define the scope of their SMS. ISO/IEC TR 20000-3:2009 supplements the advice in ISO/IEC 20000-2, which provides generic guidelines for implementing an SMS in accordance with ISO/IEC 20000-1. Service providers who wish to implement an SMS based on ISO/IEC 20000-1 are required to define the scope of their SMS. Most service providers are dependent on a complex supply chain for the delivery of the overall service. Most service providers provide a range of services to several different types of customer. This makes the definition of service management scope, and the agreement of the scope statement, a complex stage in the service provider's adoption of ISO/IEC 20000. ISO/IEC TR 20000-3:2009 provides guidance on the applicability of ISO/IEC 20000-1 and scope of the SMS based on practical examples. ISO/IEC TR 20000-3:2009 takes the form of explanations, guidance and recommendations. It provides practical examples of the scope statements to service providers, irrespective of whether they have any previous experience with other management system standards.
Technologies de l'information — Gestion des services — Partie 3: Directives pour la définition du domaine d'application et l'applicabilité de l'ISO/CEI 20000-1
ISO/IEC TR 20000-3:2009 is a technical report published by the International Organization for Standardization (ISO). Its full title is "Information technology - Service management - Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1".
ISO/IEC TR 20000-3:2009 is classified under the following ICS (International Classification for Standards) categories: 03.080.99 - Other services; 35.020 - Information technology (IT) in general. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/IEC TR 20000-3:2009 has the following relationships with other standards: it has an inter-standard link to ISO/IEC 20000-3:2012. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
Standards Content (Sample)
TECHNICAL REPORT
ISO/IEC TR 20000-3
First edition
2009-11-01
Information technology — Service management —
Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1
Technologies de l'information — Gestion des services —
Partie 3: Directives pour la définition du domaine d'application et l'applicabilité de l'ISO/CEI 20000-1
© ISO/IEC 2009
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Fulfilling the requirements specified in ISO/IEC 20000-1
5 Applicability of ISO/IEC 20000-1
5.1 Introduction
5.2 Governance of processes operated by other parties
5.3 The extent of technology used to deliver services
6 General principles for an SMS scope
6.1 Introduction
6.2 Integrating or aligning with other management systems
6.3 The scope of the SMS
6.3.1 Defining the scope
6.3.2 Limits to the scope
6.4 Service contracts between customers and the service provider
6.5 Scope definition parameters
6.5.1 Permitted types of scope definition parameters
6.5.2 Currency of parameters
6.6 Changing the scope
6.7 Supply chains and SMS scope
6.7.1 Reliance on suppliers
6.7.2 Supply chains
6.7.3 Suppliers, lead suppliers and sub-contracted suppliers
6.7.4 Demonstrating conformity
6.7.5 Maintaining an accurate scope statement
Annex A (informative) Main points on applicability of ISO/IEC 20000-1, scope definition of the SMS and conformity to ISO/IEC 20000-1
Annex B (informative) Examples of scope statements
Bibliography
Figures
Figure 1 — Relationship with supplier
Figure 2 — Relationship with lead suppliers and sub-contracted suppliers
Figure B.1 — Scenario 1
Figure B.2 — Scenario 2
Figure B.3 — Scenario 3
Figure B.4 — Scenario 4
Figure B.5 — Scenario 5
Figure B.6 — Scenario 5 redrawn to show Service provider 5, part of Organization V
Figure B.7 — Scenario 6
Figure B.8 — Scenario 7
Figure B.9 — Scenario 8
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
In exceptional circumstances, the joint technical committee may propose the publication of a Technical Report
of one of the following types:
— type 1, when the required support cannot be obtained for the publication of an International Standard,
despite repeated efforts;
— type 2, when the subject is still under technical development or where for any other reason there is the
future but not immediate possibility of an agreement on an International Standard;
— type 3, when the joint technical committee has collected data of a different kind from that which is normally
published as an International Standard (“state of the art”, for example).
Technical Reports of types 1 and 2 are subject to review within three years of publication, to decide whether
they can be transformed into International Standards. Technical Reports of type 3 do not necessarily have to
be reviewed until the data they provide are considered to be no longer valid or useful.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC TR 20000-3, which is a Technical Report of type 2, was prepared by Joint Technical Committee
ISO/IEC JTC 1, Information technology, Subcommittee SC 7, Software and systems engineering.
ISO/IEC TR 20000-3 was developed for use with ISO/IEC 20000-1 and ISO/IEC 20000-2.
ISO/IEC 20000 consists of the following parts, under the general title Information technology — Service
management —
⎯ Part 1: Specification
⎯ Part 2: Code of practice
⎯ Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1 [Technical Report]
⎯ Part 5: Exemplar implementation plan for ISO/IEC 20000-1 [Technical Report]
Introduction
This part of ISO/IEC 20000 provides guidance on scope definition, applicability and demonstration of
conformity for the service provider aiming to fulfil the requirements specified in ISO/IEC 20000-1, or for the
service provider intending to use ISO/IEC 20000-1 as a business objective. The intended user of this part of
ISO/IEC 20000 is the service provider, but it could also be useful for consultants and assessors. It
supplements the advice in the code of practice, ISO/IEC 20000-2, which provides generic guidelines for
implementing a service management system (SMS) in accordance with ISO/IEC 20000-1. It is not intended as
guidance on obtaining an ISO/IEC 20000-1 certificate.
This part of ISO/IEC 20000 takes the form of examples, guidance and recommendations. It should not be
quoted as if it were a specification of requirements and particular care should be taken to ensure that
declarations of conformity are not misleading.
ISO/IEC 20000-1 specifies requirements for an SMS to deliver information technology (IT) services. There are
no requirements that relate to organization structure, size, names and type. ISO/IEC 20000-1 applies to
service providers irrespective of size. The process requirements described in ISO/IEC 20000-1 do not change
with organizational structure, technology or service. Operating the processes in a particular system or service
environment will result in unique skill, tool and information requirements, even though the process attributes
are unchanged.
The service provider who implements an SMS based on ISO/IEC 20000-1 is required to define the scope of
the SMS as part of its planning. This part of ISO/IEC 20000 provides guidance on defining the scope of the
SMS and on the applicability of ISO/IEC 20000-1. Guidance provided in this part of ISO/IEC 20000 will also be
useful to the service provider who is making preparations for conformity assessment against ISO/IEC 20000-1,
including how to state the scope of the SMS for the assessment.
Service management processes in the IT industry can cross many organizational, legal and national
boundaries as well as different time zones. Many service providers depend on a complex supply chain for the
delivery of services. Many service providers also provide a range of services to several different types of
customer. This makes the scope of the SMS, and the agreement of the scope statement, a complex stage in
the service provider’s use of ISO/IEC 20000-1.
This part of ISO/IEC 20000 provides practical examples of scope statements for the service provider
irrespective of whether they have experience of documenting a scope statement required by other
management system standards.
1 Scope
ISO/IEC 20000-1 specifies a number of related management processes. This part of ISO/IEC 20000 provides
guidance and commentary on scope definition and applicability of ISO/IEC 20000-1 to enable the service
provider to fulfil the requirements specified in ISO/IEC 20000-1.
This part of ISO/IEC 20000 assists the service provider who is planning service improvements or preparing for
a conformity assessment against ISO/IEC 20000-1. It can also assist the service provider who is considering
using ISO/IEC 20000-1 for establishing a service management system (SMS) and who needs specific advice
on whether ISO/IEC 20000-1 is applicable to its circumstances. Finally, it shows how to define the scope of an
SMS based on practical examples.
This part of ISO/IEC 20000 gives a list of main points on stating scope, on the applicability of
ISO/IEC 20000-1 and on demonstrating conformity to ISO/IEC 20000-1. It also includes examples of scope
statements, which vary according to the service provider’s circumstances.
2 Normative references
The following referenced document is indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 20000-1, Information technology — Service management — Part 1: Specification
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 20000-1 and the following
apply.
3.1
assessor
person, an internal or external auditor, who performs assessment activities necessary to establish whether the
service provider’s service management system fulfils the requirements specified in ISO/IEC 20000-1
4 Fulfilling the requirements specified in ISO/IEC 20000-1
Some service providers who have implemented a service management system (SMS) based on
ISO/IEC 20000-1 wish to demonstrate conformity to the requirements specified in ISO/IEC 20000-1. The
service provider who wishes to demonstrate conformity should be able to demonstrate fulfilment of all
requirements. The verbal form ‘shall’ is used for all requirements specified in ISO/IEC 20000-1.
The service provider should plan and record the improvements that are necessary to fulfil the requirements,
so they are able to demonstrate that:
a) all processes required by ISO/IEC 20000-1 are documented and operated to achieve desired outcomes,
including governance of those processes operated by other parties, within the scope of the SMS;
b) interfaces between processes are operated and documented within the service management plans and
produce desired outcomes;
c) service management capability produces the agreed outcomes, according to business needs and customer
requirements;
d) the SMS is managed from an end-to-end perspective, working with suppliers and internal groups to meet
the agreed outcomes.
There are three types of conformity assessments:
⎯ first-party, done using the service provider’s own resources, usually referred to as internal audit;
⎯ second-party, done by a person or organization that has a user interest in the organization, such as
customers, or by other persons on their behalf;
⎯ third-party, done by a conformity assessment organization usually referred to as a certification body.
There are international standards on practices in conformity assessment. Some of them are designed for
audits against management system standards. For example, ISO/IEC 17021 and ISO/IEC 19011 both include
generic requirements for third-party assessments against management systems, including SMS.
ISO/IEC 17021 is for third-party conformity assessment and ISO/IEC 19011 is for all types of conformity
assessment.
ISO/IEC 17000 provides terms and definitions that are related to conformity assessment in general, including
the terms first-party, second-party and third-party conformity assessment.
If the service provider intends to issue the declaration of conformity based on the successful results of a
first-party conformity assessment that has proved the service provider fulfils the requirements specified in
ISO/IEC 20000-1, the service provider should refer to ISO/IEC 17050-1 which specifies general requirements
for such a declaration of conformity.
Certification bodies establish rules on the awarding of a certificate by the certification body following a
successful third-party conformity assessment. For example, the certification body can require that an
ISO/IEC 20000-1 certificate is only issued to a single legal entity, not a consortium.
5 Applicability of ISO/IEC 20000-1
5.1 Introduction
ISO/IEC 20000-1 is very widely applicable. A broad range of service providers can use an SMS based on
ISO/IEC 20000-1. ISO/IEC 20000-1 applies to internal and external, large and small, and commercial and
non-commercial service providers. The applicability of ISO/IEC 20000-1 is independent of the funding for the
service so the costs may be in a single organizational budget covering both the internal customer and the
internal service provider.
ISO/IEC 20000-1 can be applicable to the service provider even if its customers or suppliers have
demonstrated conformity to ISO/IEC 20000-1. This is described in clause 5.2 and in Annex B.
Fulfilling all the requirements is not always possible for the service provider whose customers or suppliers
have demonstrated conformity to ISO/IEC 20000-1. Typically, this arises when the service provider has
governance of only some of the processes. Under these circumstances, the assessor’s professional judgment
can be that ISO/IEC 20000-1 is not appropriate and that another standard is more suitable, e.g. ISO 9001 or a
more specialist standard covering only some aspects of service management, such as security or
configuration management.
ISO/IEC 20000-1 is only applicable if the service provider remains accountable for the delivery of the service,
as shown in the scenarios in Annex B.
5.2 Governance of processes operated by other parties
The service provider who wishes to conform to the standard is required to have governance of all processes in
ISO/IEC 20000-1.
It is particularly important to demonstrate process governance if other parties operate some parts of the
processes within the scope of the SMS.
Other parties may be internal groups in the same organization as the service provider, but who are not part of
the service provider’s own organizational unit. An internal group has a formal agreement with the service
provider, specifying its contribution to the services delivered by the service provider.
Other parties may also be customers or suppliers. A customer is an organization or part of an organization
that receives a service and may be internal or external to the service provider. A supplier is an external
organization or part of an external organization and has a formal agreement with the service provider
specifying its contribution to the services delivered by the service provider. Unlike internal groups, the
supplier’s formal agreement may be a legally-binding contract.
The service provider is required to demonstrate process governance by:
a) demonstrating accountability for the processes and the authority to require adherence to the processes.
For example, establishing the information security policy, using controls, detecting breaches and initiating
corrective actions;
b) controlling the definition of the processes and interfaces to other processes. For example, documenting,
agreeing and operating the interfaces and dependencies of the change management process with the
configuration management process;
c) determining process performance and compliance through access to and analysis of measurements and
other records. For example, accessing a set of incident records and incident management process
performance measurements, analysing them and initiating improvements;
d) controlling the planning and the prioritizing of process improvements. For example, assessing a set of
improvements in the capacity management process, prioritizing them and scheduling their
implementation.
The service provider can request other parties to use specific processes or can work with other parties to
document and approve the processes that the other parties operate.
The service provider is not required to implement the process itself, in order to establish process governance.
Where suppliers are operating a process, the service provider is also required to manage the supplier through
the supplier management process.
If the service provider relies on other parties for operation of the majority of the processes, the service
provider is unlikely to be able to demonstrate governance of the processes. However, if other parties operate
only a minority of the processes the service provider could fulfil the requirements specified in
ISO/IEC 20000-1. Wherever other parties are involved, the service provider should be able to demonstrate process
governance of all processes within the scope of the SMS.
In outsourced situations, the service provider should ensure that service contracts with suppliers do not
prevent the service provider from having governance of all management processes within the scope of the
SMS. Process governance has to be demonstrated only for processes included in the service provider's
scope. Processes under the control of other parties cannot be included in the service provider's scope
statement.
5.3 The extent of technology used to deliver services
The applicability of ISO/IEC 20000-1 is unaffected by the technologies used for the delivery of services,
including the technologies used to automate service management processes. This is the case even if the
technology is not included in the list of examples given below.
The technologies used by a service do not change the management processes, but will have a direct impact
on the skill, tool and data requirements of the process activities.
The extent of technology includes but is not limited to the following:
a) servers and mainframes;
b) desktops;
c) networks;
d) telecommunications;
e) storage systems;
f) environmental equipment;
g) applications;
h) multi-media systems;
i) mobile and smart devices;
j) management tools and systems.
6 General principles for an SMS scope
6.1 Introduction
The service provider is required to define the scope of the SMS and include a scope statement in the service
management plan, before establishing the SMS. Top management of the service provider are responsible for
the service management plan. After the SMS has been established top management are responsible for
reviewing the scope of the SMS for continuing effectiveness and validity.
The scope of the SMS is required to take into account that demonstrating conformity requires fulfilment of all
requirements specified in ISO/IEC 20000-1. The service provider needs to have governance of all processes
within the scope of the SMS, including processes crossing organizational boundaries between the service
provider and other parties.
The scope statement should:
a) be as simple as possible;
b) be understandable without detailed knowledge of the service provider’s organization;
c) include enough information for use in conformity assessment;
d) be worded so it does not intentionally or unintentionally imply that something is included if it is excluded.
6.2 Integrating or aligning with other management systems
The service provider should be aware that ISO/IEC 20000-1 enables alignment or integration of an SMS with
other related management systems. The inclusion of the Plan-Do-Check-Act model in ISO/IEC 20000-1
enhances compatibility with other management system standards.
The service provider may define the scope of its SMS as geographically or organizationally identical to the
scope of other management systems, such as an Information Security Management System (ISMS) based on
ISO/IEC 27001 or a Quality Management System (QMS) based on ISO 9001.
However, the service provider should be aware that there could be a need for differences within the scope in
order to fulfil specific requirements in each management system standard. There are differences in
requirements because each type of management system has a different purpose. The SMS, ISMS and QMS
each cover topics that the others do not.
6.3 The scope of the SMS
6.3.1 Defining the scope
The service provider should discuss the scope statement with its assessor. Reassurance that the proposed
scope is valid, before establishing the SMS, will avoid setting false expectations.
The service provider should demonstrate that the scope is valid at the beginning of an assessment because it
is fundamental to the assessor’s planning of the assessment.
Processes and services to customers outside the scope of the SMS do not have to fulfil the requirements
specified in ISO/IEC 20000-1 and will not influence or affect an assessment. Exclusions do not have to be
referred to in the scope statement but can help to make the scope statement unambiguous.
6.3.2 Limits to the scope
Where the service provider intends to include an entire business area in the SMS, defining the scope of an
SMS is relatively simple. This is because the scope is everything the service provider does. If the service
provider includes only some of its services in the SMS it can be difficult to define the scope in simple terms or
to avoid ambiguity.
A demonstration of conformity may be the fulfilment of all requirements for one small service to one customer,
which represents a small proportion of the service provider’s total services. This needs to be explicitly stated
in the scope statement, to avoid any risk of the scope statement being misunderstood.
The external service provider can have many customers and deliver many services, so the scope of the SMS
may include services for several customers. When this is the case, the processes should be used to deliver
services to each customer. The processes for each customer may vary in detail, but each process is required
to fulfil the requirements for that process.
An internal service provider supplies services to customers within the same organization as the service
provider. In the situation where an internal service provider supplies many services to many customers within
its own organization, the scope statement should be based on the services offered, within the scope of the
SMS.
Despite the difficulty of including only some services in the SMS, many service providers prefer to
demonstrate conformity initially for only some of the services. The service provider may then extend the scope
of the SMS, up to the whole extent of the service provider’s services, as described in clause 6.6.
6.4 Service contracts between customers and the service provider
The service provider delivering services under the terms of a legally binding contract should be aware that it is
not possible for the contract to reduce the service provider’s obligation to fulfil all the requirements specified in
ISO/IEC 20000-1. Nor is it possible for the terms of a contract to remove the assessor’s obligations to obtain
sufficient evidence of conformity to all the requirements. This is the case even if a contract limits the services
and processes.
6.5 Scope definition parameters
6.5.1 Permitted types of scope definition parameters
The service provider should use parameters to define the scope of the SMS to ensure that there is no
ambiguity about what is included and excluded. The parameters include but are not limited to:
a) organizational units providing services, e.g. a single department, group of departments or all departments;
b) services offered, e.g. a single service, group of services or all services, financial services, retail services,
email services;
c) geographical location from which the service provider delivers the services, e.g. a single office or group of
offices, regional, national or global;
d) customers and their locations, e.g. one customer, many customers, external customers or internal
customers;
e) technology used to provide the services (see 5.3).
The scope statement cannot include the names of other parties contributing to the delivery of the service.
If the scope statement includes many customers, services or locations, then an assessor may base the
assessment on a sample, using his/her professional judgement for selection of the sample and what will be
assessed. The scope statement may include the full range of customers, services and locations within the
scope of the SMS, not just those sampled.
EXAMPLE:
The structure of a scope statement may be:
“The service management system of that delivers to
from ”
A scope statement using the names of customers may include only those customers where all requirements
are fulfilled, even if the service provider has many other customers. Alternatively, instead of using customer
names, other parameters, such as service, location, or technology, may be used. For example, "all services
from the data centre at location A" or "all mainframe-based services" could include several customers, without
listing individual customers.
Examples based on commonly used scope definition parameters are given in Annex B.
6.5.2 Currency of parameters
The parameters used in scope statements can become out of date. The service provider should review the
scope of the SMS and scope statements on a regular basis, to check that they are still valid.
The service provider should ensure that the scope statement is, as far as possible, able to accommodate
changes without introducing ambiguity. Although any parameters can become out of date, an explicit list of
organizational units (departments), geographic locations (specific addresses) or services is normally useful.
Scope statements based on a reference to a repository of information, such as a catalogue of services, can
provide a simple scope statement. Therefore care should be taken in using this approach as the scope
statement can be ambiguous or quickly become out of date due to changes to the contents of the repository.
6.6 Changing the scope
Some service providers will only ever demonstrate conformity for some services, dependent upon their
business need. However, the service provider may start with a scope that includes only some services and
then later increase the services included in the scope of the SMS. It will be necessary to revise both the SMS
and scope statement, to include the additional services.
A major change to the scope of the SMS can mean that the service provider is unable to demonstrate
conformity to the requirements specified in ISO/IEC 20000-1. For example, the service provider may extend
the scope by including new services such as those previously provided by suppliers. A major change may also
be a decrease in the scope of the SMS, e.g. the retirement of services.
A major change to the scope of the SMS should be managed using a project or programme of improvements
or other changes. This minimizes the risk to the service and the service provider’s ability to demonstrate
conformity to the requirements in ISO/IEC 20000-1.
When the revised SMS is assessed for the first time it is normally also necessary to re-assess the initial SMS.
This is usually necessary even if the initial SMS was not due for a routine re-assessment.
6.7 Supply chains and SMS scope
6.7.1 Reliance on suppliers
Being reliant on suppliers or internal groups for part of service delivery does not prevent the service provider
implementing an SMS based on ISO/IEC 20000-1.
Annex B contains examples of valid and invalid scenarios for the scope of the SMS and scope statements.
Most illustrate supply chains arising from complex arrangements between suppliers, internal groups,
customers and the service provider.
6.7.2 Supply chains
The service provider should be aware that the relationships between the organizations in a supply chain can
influence both the scope of the SMS and the scope statement. Understanding the supply chain is fundamental
to establishing an effective scope for the SMS and to defining a valid scope statement.
Figure 1 illustrates examples of two supply chains.
The first example in Figure 1 is a simple example where a service provider is external to its customer’s
organization (Customer A). This type of relationship is commonly a commercial outsourcing organization
providing services to several customer organizations. For simplicity, Figure 1 shows only one customer.
The second example in Figure 1 is a service provider that is part of the same organization as their customers,
generally referred to as an internal service provider. This customer is Customer B. In this second example, a
supplier (shown by the dotted line box) is under the control of Customer B. This supplier is therefore also
outside the scope of the internal service provider.
The service provider is required to have governance of the processes operated by the “Direct supplier of
services” if they wish to include the direct supplier’s processes in the scope statement. The service provider
and Customer B cannot both have governance of the processes operated by the direct supplier. The service
provider can find it difficult to establish process governance if the direct supplier’s contract is with Customer B.
[Figure 1 diagram. Box labels: Organization X; Customer A; External service provider; Supplier; Organization X; Customer B; Internal service provider; Supplier; “Direct supplier of services” to Customer B]
NOTE “Direct supplier of services” is managed by Customer B and is therefore out of scope of the internal service
provider’s SMS.
Figure 1 — Relationship with supplier
6.7.3 Suppliers, lead suppliers and sub-contracted suppliers
When the service provider has several suppliers it is common to appoint one supplier as the lead supplier.
The three-stage supply chain becomes a four-stage supply chain, as illustrated in Figure 2. The service
provider and lead supplier have a direct relationship and a contract. The service provider and the sub-
contracted suppliers do not have a direct relationship and the contract can be with the lead supplier. The lead
supplier manages the sub-contracted suppliers on behalf of the service provider.
[Figure 2 diagram. Box labels: Organization X; Customer A; External service provider; Lead supplier; Supplier; Sub-contracted supplier; Organization X; Customer B; Internal service provider; Lead supplier; Supplier; Sub-contracted supplier]
Figure 2 — Relationship with lead suppliers and sub-contracted suppliers
There should be clarity on the responsibilities of the lead supplier in order to define the scope of the service
provider’s SMS: the lead supplier operates the processes and process governance is performed by the
service provider.
Supply chains are often far more complex than the four-level supply chain illustrated in Figure 2. The scope of
the SMS can still be simple if the service provider understands:
a) what is required for process governance;
b) which organization operates which part of each process;
c) which organization is the lead supplier.
The service provider is required to retain overall accountability for the service, irrespective of where the
service originates in the supply chain.
6.7.4 Demonstrating conformity
The service provider is required to demonstrate conformity to the requirements for control of suppliers as
specified in ISO/IEC 20000-1.
Other organizations in a supply chain need not conform to ISO/IEC 20000-1 in order for the service provider to
demonstrate conformity. Conversely, it is possible for several organizations in a supply chain to fulfil the
requirements specified in ISO/IEC 20000-1. The service provider and its suppliers can each implement an
SMS independently and each can fulfil all the requirements specified in ISO/IEC 20000-1.
It is common for process activities, within a single process, to be performed by more than one organization. It
is important that the service provider has governance of the process, including definition and
agreement of the responsibilities of other parties.
When a process is operated by two or more organizations, only one can demonstrate governance of that
process. The other organizations can only demonstrate adherence to that process or demonstrate process
governance of another usage of the same process. There should be clarity on the different usages and
separate records and documentation. This is required for planning and for the assessment against
ISO/IEC 20000-1. This is a common circumstance for the service provider with more than one customer, and
for organizations that rely on a complex supply chain of multiple suppliers, lead suppliers and sub-contracted
suppliers.
6.7.5 Maintaining an accurate scope statement
It is the service provider’s responsibility to ensure that the scope of the SMS remains valid after it has been
documented. This is done by conducting reviews at planned intervals to identify discrepancies. If the actual
scope does not match the declared scope, then the scope statement needs to be amended. If the difference is
considered significant, a re-assessment may be required.
It is the assessor's responsibility to verify the service provider's declared scope for accuracy and validity.
Annex A
(informative)
Main points on applicability of ISO/IEC 20000-1,
scope definition of the SMS and conformity to ISO/IEC 20000-1
A.1 General
When defining the scope of an SMS and developing a scope statement based on ISO/IEC 20000-1, the
service provider should consider the following:
A.1.1 Multiple legal entities
Third-party certification bodies can require that an ISO/IEC 20000-1 certificate is only issued to a single legal
entity, not a consortium.
A.1.2 Commercial status
a) The service may be provided on a commercial or non-commercial basis. The financial basis of the service
provision is irrelevant to the decision on applicability, scope of the SMS or scope statement.
b) The service provider does not need to own assets of the service in order to fulfil the requirements
specified in ISO/IEC 20000-1.
A.1.3 Process names
The service provider’s choice of names for service management processes does not have to be based on the
names used in ISO/IEC 20000-1, as the requirements are about the existence of processes, their content,
capability, quality and usage.
NOTE Mapping of the process names adopted by the service provider to those used in ISO/IEC 20000-1 will assist
the service provider and assessor in recognizing how the requirements specified in ISO/IEC 20000-1 are fulfilled.
A.1.4 Inclusions and exclusions
a) The scope of an SMS and the scope statement based on ISO/IEC 20000-1 should define what has been
included within the scope. To aid clarity, it can be useful to state what is outside the scope.
b) The service provider needs to keep evidence to demonstrate that all the requirements specified in
ISO/IEC 20000-1 are fulfilled.
c) All the service management processes need to be implemented and operated throughout the scope of an
SMS to fulfil the requirements specified in ISO/IEC 20000-1.
A.1.5 Authorities and responsibilities
a) Some of the service management process activities, which need to be operated within the scope of an
SMS, may be operated by other parties, either suppliers or internal groups. It is important that the service
provider has governance of the process, including definition and agreement of the
responsibilities of other parties.
b) The service provider should have identified and documented all functional groups, departments or
organizations involved in the scope of service management, i.e. the service provider’s own organization,
suppliers, lead suppliers and sub-contracted suppliers.
c) The service provider should demonstrate governance of the processes within the scope of the SMS,
regardless of whether these processes are operated by the service provider or other parties, either
suppliers or internal groups.
A.1.6 Interfaces and process integration
a) There needs to be clarity on boundaries between the service provider and customers and between the
service provider and other parties.
b) The service provider should demonstrate appropriate integration of processes, which is fundamental to
best practice service management and is required by ISO/
...







