The ISO 20000 certification process is the structured path an organisation follows to independently prove that its IT service management system (SMS) conforms to ISO/IEC 20000-1:2018. Certification is awarded by an accredited certification body after an external audit, and it signals to customers and regulators that your service management is planned, controlled, measured and continually improved rather than run on informal habit.
This guide walks through each stage in plain terms, explains what auditors look for, and clarifies a point that causes frequent confusion: ISO/IEC 20000-1 is the certifiable standard for IT service management, whereas ITIL is complementary best-practice guidance and is not something an organisation certifies against.
What ISO/IEC 20000-1:2018 actually requires
ISO/IEC 20000-1:2018 specifies requirements for establishing, implementing, maintaining and continually improving a service management system. It follows the Harmonized Structure (the common high-level format shared across modern ISO management system standards), which makes it straightforward to align with ISO 9001 or ISO/IEC 27001.
The standard covers the core of running a service organisation: service planning, design and transition of new or changed services, service delivery, relationship and supply management, resolution processes (such as incident and problem handling) and control processes (such as configuration and change). It also addresses service level agreements (SLAs), performance measurement and continual improvement.
For the authoritative scope and current edition, consult the official listing at ISO/IEC 20000-1 on iso.org, and always verify the current version before you rely on any specific detail.
The ISO 20000 certification process step by step
Although timelines vary by organisation size and maturity, the ISO 20000 certification process generally moves through the phases below. Treat any duration as approximate and plan around your own readiness.
| Phase | What happens | Typical output |
|---|---|---|
| 1. Gap analysis | Compare current practice against ISO/IEC 20000-1:2018 requirements. | Gap report and action plan |
| 2. SMS design and build | Define scope, policy, objectives, roles, processes and SLAs. | Documented SMS |
| 3. Implementation | Operate the processes; capture records and metrics. | Evidence of live operation |
| 4. Internal audit | Check conformity internally and fix findings. | Audit results, corrective actions |
| 5. Management review | Leadership evaluates performance and resourcing. | Review minutes, decisions |
| 6. Stage 1 audit | Certification body reviews readiness and documentation. | Readiness findings |
| 7. Stage 2 audit | On-site/remote assessment of the SMS in operation. | Certification decision |
| 8. Surveillance | Periodic audits over the certification cycle. | Maintained certificate |
Gap analysis and scope
Start by defining the scope of the SMS: which services, locations and teams are included. A gap analysis then maps your existing controls to the standard so you know what to build, refine or document before spending money on an external auditor.
Building and operating the SMS
Next, document your service management policy, objectives and processes, and put them into daily use. Certification bodies want to see the SMS actually operating, so you typically need a period of live records, metrics and improvement activity before Stage 2. Approximately a few months of operating evidence is common, though this depends on your context.
Internal audit and management review
Before inviting an external auditor, run at least one internal audit cycle and a management review. These demonstrate that your organisation can find and correct its own nonconformities, a capability auditors weight heavily.
Stage 1 and Stage 2 certification audits
Accredited certification is normally a two-stage external audit. Stage 1 checks that your documentation and readiness are sufficient to proceed. Stage 2 assesses the SMS in operation, sampling evidence across your processes. If successful, the certification body issues a certificate, usually valid for a multi-year cycle with periodic surveillance audits and eventual recertification.
ISO 20000 certification process versus ITIL adoption
A recurring myth is that organisations get “ITIL certified.” They do not. ITIL provides guidance and vocabulary that can help you design good practices, but only individuals earn ITIL qualifications. Organisational certification runs through the ISO 20000 certification process against ISO/IEC 20000-1:2018.
| Aspect | ISO/IEC 20000-1:2018 | ITIL |
|---|---|---|
| Nature | Certifiable standard (requirements) | Best-practice guidance |
| Certifies | The organisation’s SMS | Individual practitioners |
| Audited externally | Yes, by accredited bodies | No org certification |
| Relationship | Can be supported by ITIL practices | Complements the standard |
Common pitfalls that delay certification
- Defining a scope that is too broad or too vague for the resources available.
- Writing polished documents that do not match how work is really done.
- Skipping the internal audit and management review, then failing Stage 1.
- Treating SLAs as static contracts instead of measured, reviewed commitments.
- Neglecting continual improvement evidence, which auditors expect to see.
Frequently asked questions
How long does the ISO 20000 certification process take?
It depends on maturity, scope and resourcing. Organisations with mature service management may complete it in a few months, while others need longer to build and operate the SMS. Treat any figure as approximate and plan around your own readiness rather than a fixed deadline.
Is ISO/IEC 20000-1:2018 mandatory?
No. Certification is voluntary, but it is often requested in tenders, supplier assessments and regulated contexts as objective proof of service management capability.
Can we align ISO 20000 with ISO 27001 or ISO 9001?
Yes. Because these standards share the Harmonized Structure, you can integrate management systems, share audits and reduce duplication across policies, risk handling and improvement.
Who issues the certificate?
An accredited certification body issues it after a successful two-stage audit. Choosing an accredited body ensures the certificate carries recognised credibility.

Related guides
- ISO 20000 IT service management: a complete guide
- ISO 20000 requirements checklist for your SMS
- ISO 20000 vs ITIL: standard versus guidance explained
Ready to move faster? Our editable ISO/IEC 20000-1:2018 toolkit gives you ready-made SMS policies, process documents, SLA templates and audit checklists so you can shortcut the groundwork and focus on operating your service management system. Explore the ISO 20000 Toolkit to start building your certification-ready SMS today.

