Instant downloadAuditor-writtenSecure Stripe checkout
ISO 20000 Certification Process: Best 2026 Guide — ISO Toolkits

ISO 20000 Certification Process: Best 2026 Guide

The ISO 20000 certification process is the structured path an organisation follows to independently prove that its IT service management system (SMS) conforms to ISO/IEC 20000-1:2018. Certification is awarded by an accredited certification body after an external audit, and it signals to customers and regulators that your service management is planned, controlled, measured and continually improved rather than run on informal habit.

This guide walks through each stage in plain terms, explains what auditors look for, and clarifies a point that causes frequent confusion: ISO/IEC 20000-1 is the certifiable standard for IT service management, whereas ITIL is complementary best-practice guidance and is not something an organisation certifies against.

What ISO/IEC 20000-1:2018 actually requires

ISO/IEC 20000-1:2018 specifies requirements for establishing, implementing, maintaining and continually improving a service management system. It follows the Harmonized Structure (the common high-level format shared across modern ISO management system standards), which makes it straightforward to align with ISO 9001 or ISO/IEC 27001.

The standard covers the core of running a service organisation: service planning, design and transition of new or changed services, service delivery, relationship and supply management, resolution processes (such as incident and problem handling) and control processes (such as configuration and change). It also addresses service level agreements (SLAs), performance measurement and continual improvement.

For the authoritative scope and current edition, consult the official listing at ISO/IEC 20000-1 on iso.org, and always verify the current version before you rely on any specific detail.

The ISO 20000 certification process step by step

Although timelines vary by organisation size and maturity, the ISO 20000 certification process generally moves through the phases below. Treat any duration as approximate and plan around your own readiness.

PhaseWhat happensTypical output
1. Gap analysisCompare current practice against ISO/IEC 20000-1:2018 requirements.Gap report and action plan
2. SMS design and buildDefine scope, policy, objectives, roles, processes and SLAs.Documented SMS
3. ImplementationOperate the processes; capture records and metrics.Evidence of live operation
4. Internal auditCheck conformity internally and fix findings.Audit results, corrective actions
5. Management reviewLeadership evaluates performance and resourcing.Review minutes, decisions
6. Stage 1 auditCertification body reviews readiness and documentation.Readiness findings
7. Stage 2 auditOn-site/remote assessment of the SMS in operation.Certification decision
8. SurveillancePeriodic audits over the certification cycle.Maintained certificate

Gap analysis and scope

Start by defining the scope of the SMS: which services, locations and teams are included. A gap analysis then maps your existing controls to the standard so you know what to build, refine or document before spending money on an external auditor.

Building and operating the SMS

Next, document your service management policy, objectives and processes, and put them into daily use. Certification bodies want to see the SMS actually operating, so you typically need a period of live records, metrics and improvement activity before Stage 2. Approximately a few months of operating evidence is common, though this depends on your context.

Internal audit and management review

Before inviting an external auditor, run at least one internal audit cycle and a management review. These demonstrate that your organisation can find and correct its own nonconformities, a capability auditors weight heavily.

Stage 1 and Stage 2 certification audits

Accredited certification is normally a two-stage external audit. Stage 1 checks that your documentation and readiness are sufficient to proceed. Stage 2 assesses the SMS in operation, sampling evidence across your processes. If successful, the certification body issues a certificate, usually valid for a multi-year cycle with periodic surveillance audits and eventual recertification.

ISO 20000 certification process versus ITIL adoption

A recurring myth is that organisations get “ITIL certified.” They do not. ITIL provides guidance and vocabulary that can help you design good practices, but only individuals earn ITIL qualifications. Organisational certification runs through the ISO 20000 certification process against ISO/IEC 20000-1:2018.

AspectISO/IEC 20000-1:2018ITIL
NatureCertifiable standard (requirements)Best-practice guidance
CertifiesThe organisation’s SMSIndividual practitioners
Audited externallyYes, by accredited bodiesNo org certification
RelationshipCan be supported by ITIL practicesComplements the standard

Common pitfalls that delay certification

  • Defining a scope that is too broad or too vague for the resources available.
  • Writing polished documents that do not match how work is really done.
  • Skipping the internal audit and management review, then failing Stage 1.
  • Treating SLAs as static contracts instead of measured, reviewed commitments.
  • Neglecting continual improvement evidence, which auditors expect to see.

Frequently asked questions

How long does the ISO 20000 certification process take?

It depends on maturity, scope and resourcing. Organisations with mature service management may complete it in a few months, while others need longer to build and operate the SMS. Treat any figure as approximate and plan around your own readiness rather than a fixed deadline.

Is ISO/IEC 20000-1:2018 mandatory?

No. Certification is voluntary, but it is often requested in tenders, supplier assessments and regulated contexts as objective proof of service management capability.

Can we align ISO 20000 with ISO 27001 or ISO 9001?

Yes. Because these standards share the Harmonized Structure, you can integrate management systems, share audits and reduce duplication across policies, risk handling and improvement.

Who issues the certificate?

An accredited certification body issues it after a successful two-stage audit. Choosing an accredited body ensures the certificate carries recognised credibility.

ISO 20000 certification process toolkit templates
The editable ISO 20000 Toolkit — SMS policies, process documents and SLA templates.

Related guides

Ready to move faster? Our editable ISO/IEC 20000-1:2018 toolkit gives you ready-made SMS policies, process documents, SLA templates and audit checklists so you can shortcut the groundwork and focus on operating your service management system. Explore the ISO 20000 Toolkit to start building your certification-ready SMS today.

Shopping Cart