Introduction: The Infrastructure That Makes Service Management Possible
Clause 7 addresses the enabling infrastructure of the SMS. Without adequate resources, competent people, organizational awareness, clear communication, and well-controlled documented information, the service management practices described in Clause 8 cannot function as required. Clause 7 is less about designing new processes and more about ensuring the organization has what it needs to execute the processes effectively. It is also the clause most heavily weighted during audit: auditors spend significant time reviewing documented information (are records complete, well-organized, properly retained?), assessing competence (do people have the skills they claim to have?), and verifying resources (is the organization adequately funded and staffed?).
Clause 7.1: Resources
The organization must determine what resources are required to establish, implement, and maintain the SMS, and ensure those resources are provided. Resources include people, financial budget, tools and technology infrastructure, facilities and physical environment, and external services. Resource determination should be based on the SMS scope and objectives. If the organization serves 500 customers, it needs more SMS resources than if it serves 50. If services are delivered 24/7, it needs resources for shift coverage. If high-risk services are in scope, more resources are needed for validation and testing of changes.
Common Resources Required
Organizations typically need to allocate resources for:
• People: Service desk staff, incident managers, change managers, problem managers, release managers, asset managers, and SMS coordinators. Most organizations need at least one dedicated SMS professional per 50-75 IT staff, with additional staff for specific roles.
• Tooling: A service desk or ITSM platform (Jira, ServiceNow, etc.), monitoring/alerting systems, a configuration management database (CMDB), change management tooling, and communication platforms. Most organizations budget 15-20% of IT annual operating budget for ITSM tools.
• Infrastructure: Environments for development and testing of changes, failover systems for business continuity, and adequate network capacity to support 24/7 service delivery.
• Budget: For training, certifications, tools, and improvement projects. An organization implementing ISO 20000 should budget 10-15% above normal operating costs for the first year, dropping to 5-10% thereafter.
• Vendor/Partner Services: If functions are outsourced (managed security, cloud hosting, helpdesk), the organization must maintain contracts that support SMS requirements and hold vendors accountable.
Resource Adequacy as an Ongoing Question
Resource determination is not a one-time exercise during initial SMS implementation. As the organization and its services evolve, resource needs must be reassessed. If new services are added to the SMS scope, resources must increase. If customer volumes grow, staffing must grow. If tools become obsolete or cease to support the organization, replacements must be procured. An organization where service demand has doubled but SMS staffing has remained static is under-resourced and audit risk is high.
Evidence of Resource Allocation
Auditors verify resource adequacy through:
• Budget allocation records showing resources assigned to service management
• Staffing plans and organization charts showing roles and headcount
• Tool procurement and licensing records
• Contracts with external providers
• Infrastructure capacity assessments
Clause 7.2: Competence
The organization must determine the competence required for all people who perform service management work, assess whether current staff meet those competence requirements, and take actions to acquire or develop missing competence. Competence goes beyond job title or years of experience; it is the demonstrated ability to perform specific functions to a defined standard.
What Competence Means in SMS Context
Competence includes:
• Knowledge: Understanding of service management concepts, processes, and tools. Measured through training completion, certifications (ITIL Foundation, ITIL Practitioner, ISO 20000 Lead Auditor), and assessments.
• Skills: Practical ability to perform specific tasks (e.g., categorizing incidents, approving changes, documenting problems, running reports).
• Attitudes and behaviors: Commitment to quality, collaborative problem-solving, attention to detail, continuous learning.
• Experience: Demonstrated track record of successful performance in similar roles or organizations.
Competence Assessment and Development
The organization should:
1. Define competence requirements for each service management role. For example, the Incident Manager must: have ITIL Foundation certification, have 3+ years of incident management experience, complete annual training on communication skills and escalation procedures, and pass a competency assessment demonstrating knowledge of incident categorization and prioritization.
2. Assess current staff against these requirements. Do they meet the baseline? Are there gaps?
3. Plan development actions to close gaps: training courses, on-the-job coaching, shadowing of experienced staff, external hiring if development cannot be achieved quickly.
4. Document and retain evidence of competence: training certificates, assessment scores, completion records, performance reviews.
5. Maintain a competence matrix showing which staff members have which competencies and at what level (trained, proficient, expert).
Special Consideration: Internal Auditor Competence
Clause 7.2 explicitly requires that those conducting internal SMS audits have appropriate competence. Internal auditors must: understand ISO 20000 requirements, be trained in audit techniques and protocols, be independent (not audit areas they directly manage), and maintain audit competence through ongoing training and practice. Many organizations make the mistake of assigning internal audit responsibilities to someone without audit training, resulting in audits that lack rigor and fail to identify non-conformities.
Clause 7.3: Awareness
All people whose work affects the SMS must be aware of three things: the service management policy, their contribution to SMS effectiveness, and the implications of not conforming to SMS requirements. Awareness is distinct from competence: a person can be aware that a policy exists and understand why it matters without being competent to execute the detailed procedures.
Awareness vs. Training vs. Competence
These three are related but distinct requirements:
• Awareness: Knowing that service management matters and understanding personal responsibility. All staff need awareness.
• Training: Structured instruction in how to perform service management functions. Only those directly executing SMS processes need training.
• Competence: Demonstrated ability to perform functions to defined standards. Only those in formal service management roles need competence assessment.
Building Awareness Systematically
Effective awareness programs include:
• Induction training: New employees receive SMS overview during onboarding, learn about service management policy, understand expectations for their role.
• Periodic refreshers: Annual or biennial refresher training reinforces key concepts and communicates policy updates.
• Policy communications: Policy documents are made readily available; policy highlights are communicated in team meetings, newsletters, or intranet posts.
• Process communications: When service management processes change (change management, incident handling, etc.), affected staff are informed of changes and trained on new procedures.
• Leadership messaging: Executives reinforce the importance of service management and communicate examples of how it benefits the organization.
Measuring Awareness
Auditors assess awareness through:
• Training attendance records and completion reports
• Interviews with staff: Do they understand the service management policy? Can they explain their role in the SMS? Do they know how to report an incident or request a change?
• Awareness assessment surveys or quizzes
• Review of communication artifacts (memos, emails, intranet posts about service management)
Clause 7.4: Communication
The organization must plan and implement communication about the SMS: what to communicate, when to communicate, to whom, and through what channels. Communication serves multiple purposes: informing staff about policy changes, notifying customers about service updates, providing transparency to regulators about SMS effectiveness, and building organizational commitment to service management.
Internal Communication Topics
Internal communication typically addresses:
• Service management policy and changes to it
• New or updated service management processes
• Service performance and achievement of objectives
• Incident summaries and lessons learned
• Upcoming changes to services or infrastructure
• Training opportunities and competence expectations
• Recognition of service management excellence or improvements
External Communication
External communication is typically directed to:
• Customers: Service roadmaps, planned maintenance windows, SLA changes, incident notifications
• Regulators: Audit reports, compliance evidence, incident reports
• Suppliers: SLA requirements, performance expectations, contract terms
Communication Planning
A communication plan should define what information is communicated to which audiences, how frequently, and through which channels. For example:
• Monthly: Service performance dashboard published internally (email to IT leaders); monthly customer report published externally
• Quarterly: Lessons learned from significant incidents presented to IT staff
• Annually: Policy review and communication; training completion reporting
• As-needed: Incident notification, emergency maintenance announcements
Clause 7.5: Documented Information
Clause 7.5 is the most evidence-intensive requirement of the standard. It addresses the creation, maintenance, and control of the documented information (documents and records) that forms the evidence base of the SMS. Most auditor time during a Stage 2 assessment is spent reviewing documented information: Are required documents in place? Are they current and version-controlled? Are records complete and well-organized?
Documents vs. Records
ISO 20000 distinguishes between two types of documented information:
• Documents: Information that must be maintained (kept current). Examples: the service management policy, service management plan, service level agreements, documented procedures, work instructions, change schedules, service portfolio. Documents are updated as the SMS evolves and previous versions are retained as historical records.
• Records: Information that must be retained (kept as historical evidence). Examples: audit reports, incident tickets, change approval records, problem investigations, internal audit findings, management review minutes, competence assessments, communication evidence, incident response logs, corrective action records. Records are retained for defined periods (typically 3-7 years depending on regulatory requirement) and are not normally updated (except for closure or minor corrections with version tracking).
Documented Information Management Requirements
For all documented information (both documents and records), the organization must:
• Define what information needs to be created and maintained (document inventory)
• Define version control: how updates are tracked, previous versions archived, and current versions identified
• Define creation and update procedures: who can create or edit, what approvals are required before publication, how changes are authorized
• Define distribution: who has access, how it is communicated, how access is controlled (especially sensitive information)
• Define storage and preservation: where information is kept (physical or electronic), how it is protected from loss or corruption, redundancy/backup for critical information
• Define retention periods: how long records must be kept, when they can be disposed of, how disposal is authorized and documented
• Define retrieval: how information is found when needed, indexing or metadata tagging for searchability
Document Register and Control
Most organizations maintain a document register or control log that lists all required documented information: document name, document ID or version number, current version date, owner/author, approval status, location/access, and retention requirement. The document register itself must be controlled and reviewed regularly. It serves as the master inventory of what information should exist.
Required ISO 20000 Documented Information
ISO 20000 explicitly requires the following documented information to be created, maintained, and made available:
Strategic and Planning Documents (must be maintained)
• Scope statement (Clause 4)
• Service management policy (Clause 5)
• Service management plan (Clause 6)
• Service level agreements (Clause 8.1)
• Service portfolio (Clause 8.1)
• Risk register and treatment plan (Clause 6.1)
Process Documentation (must be maintained)
• Documented procedures for each service management practice (incident management, change management, problem management, etc.)
• Work instructions and checklists
• Tool configuration and system documentation
• Communication plans
• Training curricula and training records
Records (must be retained)
• Incident records (incident tickets, investigation notes, resolution records)
• Problem records (problem descriptions, root cause analyses, solution implementations)
• Change records (change requests, approvals, implementation logs, post-implementation reviews)
• Configuration records (CMDB entries, asset registers, equipment logs)
• Internal audit reports and audit evidence
• Management review meeting minutes and performance data
• Nonconformity records, corrective action records, and closure evidence
• Competence assessment records and training completion certificates
• Communication and awareness evidence
• Improvement initiative records (improvement proposals, implementation status, completion evidence)
Common Clause 7 Findings
The most frequent Clause 7 audit findings are:
• Documents without version control: organization has a service management policy but does not track version numbers or dates, making it unclear which version is current
• Required documented information missing: records of incidents, changes, or problems are not being retained
• Competence requirements defined but not assessed: organization has job descriptions but no evidence that staff are assessed against competence standards
• Awareness programs not systematic: training may happen casually but is not tracked or scheduled regularly
• Inadequate resources: SMS team is under-staffed, tools are not adequately licensed, training budget is insufficient
• Communication plan not documented: organization communicates informally but has no documented plan for what, when, how, and to whom
• No document register: organization cannot explain what documented information should exist and where it is stored
Practical Guidance: Setting Up Document Control
To implement Clause 7.5 effectively:
1. Create a document inventory: list all documented information the SMS requires, categorize as "document" (maintained) or "record" (retained), assign owner, define retention period
2. Establish version control: all documents must have version numbers, dates, and owner; each change must be tracked
3. Create a document register: a master control log (spreadsheet or database) that lists all required documents, current version, location, owner, and retention periods
4. Define storage: centralized location (folder structure, document management system, or cloud storage) where all required documents are stored and protected
5. Define access: who can view, who can edit, who must approve before publication; implement access controls in your storage system
6. Define retention: for each record type, specify how long it must be kept (often driven by regulatory requirements like POJK, UU PDP); define disposal process
7. Schedule regular reviews: quarterly or annually, review the document register to ensure it is current and all required documents exist and are version-controlled
Required Documented Information Summary
| Document/Record | Type | Clause | Minimum Retention |
|---|---|---|---|
| Service Management Policy | Document | 5.2 | Maintained (current version); archive previous versions |
| Service Management Plan | Document | 6 | Maintained (annual review); archive previous versions |
| Scope Statement | Document | 4.3 | Maintained; review annually or on significant change |
| Service Level Agreements | Document | 8.1 | Maintained while service is active; archive when service ends |
| Incident Records | Record | 8.3 | 3-7 years (depends on service sensitivity and regulatory requirement) |
| Change Records | Record | 8.4 | 3-7 years |
| Problem Records | Record | 8.5 | 3-7 years |
| Internal Audit Reports | Record | Clause 9 | 7 years (required for management system records) |
| Management Review Minutes | Record | Clause 9 | 7 years |
| Competence Assessment Records | Record | 7.2 | 3 years minimum (recommended 5+ for regulatory audits) |
| KEY CONCEPT | The distinction between "documents" (maintained) and "records" (retained) is critical. Documents must be kept current; if a procedure changes, the document is updated and the old version archived. Records are historical evidence and must not be altered except to correct clerical errors; instead, corrections are made with clear tracking of what changed and when. Many organizations misunderstand this and fail to retain complete incident or change records, creating audit gaps. |
| IMPORTANT | Documented information is the primary audit evidence. Auditors spend most of their time reviewing it and asking questions about completeness and accuracy. Version-uncontrolled or missing documents are a systemic risk. If you cannot produce evidence that a process was followed, auditors will assume it was not followed, regardless of your claims about what happens in practice. |
| BITLION INSIGHT | Bitlion GRC provides document control and records management modules that automate version control, access management, and retention tracking. Use the document register feature to inventory all required documented information. The competence matrix template helps assess and track staff competence across service management roles. The communication planning module supports systematic awareness and communication as required by Clause 7.4. |
Conclusion
Clause 7 addresses the enabling infrastructure: the resources, competent people, organizational awareness, communication, and controlled documentation that make effective service management possible. It is the clause that auditors examine most closely because documentation and competence are verifiable, objective evidence. Organizations that invest in proper resource allocation, competence development, systematic communication, and controlled documented information create an environment in which the service management practices of Clause 8 can actually function. Those that under-resource the SMS, fail to assess competence, communicate casually, and keep poor documentation find that processes break down in practice and auditors discover systemic gaps. Audit success in Clause 7 requires foundational discipline: knowing what information you need, controlling it properly, ensuring people have skills, and proving it all through documentation.