ISO/IEC 20000-1:2017 – What To Expect?

Author: Subrata Guha

ISO/IEC DIS 20000-1:2017 is about to become the newest revised international standard when it comes to IT service management.

About ISO/IEC 20000-1:2011

ISO/IEC 20000-1:2011 is a global service management system standard that describes the requirements a service provider must meet to improve its service management system. It aims to provide control and efficiency so that an organization and its team can run as smoothly as possible.

Why Update ISO/IEC 20000-1:2011?

With certifications and processes continually changing, ISO/IEC 20000-1:2011 is ready for a facelift. ISO/IEC 20000-1:2011 has stayed the same for over five years now, and in this digital age it is time for revisions.

About ISO/IEC DIS 20000-1:2017

The ISO/IEC DIS 20000-1:2017 version provides more specific requirements for planning: a) what will be done; b) what resources will be required; c) who will be responsible; d) when it will be completed; e) how the results will be evaluated.

Specific Updates Include:


If you would like to learn more about ISO/IEC 20000-1:2017, contact us at DQS either by email at [email protected] or call us at 800-285-4476

New ISO IEC 20000-1: Alignment with ISO 27001

“We need ISO 20000 and ISO 27001, which one should we get first?” – I hear this question very often these days. This is a very intriguing question. In my opinion, these two standards are closely linked and should be implemented as a single management system. The new release of ISO 20000-1 has made this process easier than ever before.

To begin with, let’s look at the common management system requirements of ISO 27001 and ISO 20000-1:

Once an organization addresses the requirements listed above, they will have laid the foundation for ISO 20000-1 and ISO 27001. Now, let’s look at section 6.6 (Information Security Management) of ISO 20000-1. The key elements of this section are:

Requirements for security policy and incident management have been defined in ISO 20000-1; however, no details are provided on risk management and security controls. Let’s discuss the critical elements of risk assessment:

Section 4.2.1 of ISO 27001 provides these details. Where will you find the security controls? You can define your own controls or refer to a security standard. The best available source that I have found is Annexure A of ISO 27001. With a list of 133 security controls, there is no need to reinvent the wheel. Organizations can easily identify the controls applicable to their business and integrate them with their service management system.

Now you see why I think these two standards should be implemented together. Having said so, I’d like to clarify one point. It is not a prerequisite to implement these two standards together. I have worked with many organizations that have successfully implemented ISO 20000-1 without referring to ISO 27001. However, I recommend the integrated approach that will establish an effective IT Service Management system with a robust backbone of an Information Security Management system.