Implementing an ISO 20000-based IT Service Management System (SGS)

April 12, 2016

ISO 20000 is an internationally recognized standard whose main objective is to provide credibility to customers and shareholders; that is, its guidelines and controls allow the organization to be evaluated by external, independent entities in order to certify that it follows good practices for Information Technology (IT) service management.

What are the main benefits of ISO 20000?

Implementing ISO 20000, and consequently being recommended for certification, can provide the following benefits:

  • Alignment of service management processes with the business strategy of the organization;
  • Increased employee, supplier and, above all, customer satisfaction;
  • Safer and more structured environment;
  • Increased visibility of improvement points and gaps;
  • Improvement of internal controls;
  • Compliance with good market practices, e.g. risk management, information security, quality management, etc.;
  • Provision of complete information for audit (audit trails / evidence).

Key drivers of ISO 20000

Organizations rely directly on IT processes to deliver services, add value to products and drive higher productivity to achieve their business goals.

With this growing demand for IT services and an extremely competitive market, some questions are unavoidable:

  • Is your company providing quality service to its customers?
  • Is your organization acting reactively or proactively?
  • Are there control mechanisms to evaluate the performance of IT services?

By implementing ISO 20000, your organization will have a more structured view of the entire IT services lifecycle through a Service Management System, also known as an SGS. The complexity of deploying an SGS depends largely on the organization's level of maturity in ITIL (Information Technology Infrastructure Library), with deployment taking from 9 to 24 months in most cases.

By deploying an SGS, your company will be able to provide IT services based on best market practices. The services will follow a continuous improvement process (Plan-Do-Check-Act) and be prepared to integrate with an Information Security Management System (SGSI) and/or a Business Continuity Management System (SGCN) when required.

Controls Structure and Interrelation with SGSI

One point that must be taken into account for the successful implementation of ISO 20000 is the information security process, which requires special attention. ISO 20000 requires specific information security controls, such as risk analysis and some documentary and technical controls to support the IT process, so a minimum level of information security maturity will be required.

If you are considering deploying both management systems, SGS (ISO 20000) and SGSI (ISO 27001), it is recommended that the implementation take place in parallel, as there will be synergy in some requirements and it is possible to optimize the process implementation time.

Note that having the scope certified to ISO 27001, or having an SGSI implemented, is not a prerequisite for successfully implementing the SGS, but it will greatly facilitate the implementation and the smooth running of the project. As mentioned before, if the organization already has a good level of information security maturity, this will help in the SGS implementation process and, consequently, in obtaining ISO 20000 certification.


Companies that adopt the ISO 20000 processes and submit to an assessment by an accredited body have the assurance and international recognition of quality in the provision of IT services.

Through the Service Management System (SGS), your organization will be better prepared to support new market demands, responding with greater agility and reliability in providing IT services. Additionally, it is an excellent marketing strategy, as in Brazil there are still few certified companies compared to other countries such as Japan, China, India, the United States and others.

* André Garcia is an Information Security Consultant at SAFEWAY

SAFEWAY has great expertise and success stories from ISO 20000 certified customers.
