Clause 8.2–8.3: Service Portfolio and Relationship Management

Overview: The Relationship Management Layer

Clauses 8.2 and 8.3 form the relationship management layer of the SMS. If Clause 8.1 establishes how the SMS operates internally, Clauses 8.2 and 8.3 establish how the SMS connects to the services it governs (service portfolio management) and to the people and organizations it serves and depends on (customers and suppliers). Without effective relationship management, the SMS becomes an internal function disconnected from business value and customer satisfaction.

 

Clause 8.2: Service Portfolio Management

What is the Service Portfolio?

The service portfolio is the complete set of services managed by the SMS. It is not limited to operational services only; it includes services in all lifecycle stages:

• Active services: services currently in production serving customers
• Services in development: new services or service changes being designed and tested
• Retired services: services that have been removed from operation and are no longer supported

The service portfolio is the authoritative record of what the organization manages and supports. For ISO 20000 certification scope, the portfolio defines the boundary of the SMS.

Required Content of the Service Portfolio

ISO 20000 does not prescribe the exact format of the portfolio, but it must include:

• Service name and description: clear, unambiguous identification of each service
• Service status: whether the service is active, in development, or retired
• Customer(s): which customer or customer group(s) the service serves
• Associated SLAs: the agreed service level targets for each service
• Service components and dependencies: what technology, people, or processes support each service
• Service owner: clear accountability for each service

In practice, the portfolio is often maintained in a spreadsheet, a service management tool, or a central repository. The medium is less important than the completeness and currency of the information.

Managing New Services

When a new service is introduced, it must be added to the portfolio. The process for adding new services connects Clause 8.2 to Clause 8.5 (service design, build, and transition). A new service typically moves through these stages:

• Design: customer requirements are captured, service components are designed, SLAs are negotiated
• Build and test: service components are built, procured, or configured; the service is tested
• Transition: the service is moved into production; transition plan is executed; post-transition review occurs
• Portfolio addition: once transitioned and accepted, the service is formally added to the portfolio with all required metadata

Many organizations skip formal portfolio addition. A service appears in the network, users begin relying on it, but it is never formally documented in the portfolio. From an ISO 20000 perspective, an undocumented service is not under SMS control.

Managing Existing Services

Active services must be continuously managed. This includes regular service reviews with customers, performance monitoring, SLA revision when circumstances change, and management of service improvements. Service reviews—discussed in detail in Clause 8.3.1—are a primary mechanism for managing active services. When customer needs change or service performance is inadequate, the review process surfaces these issues and drives improvement actions.

Retiring Services

When a service reaches end of life, it must be retired in a controlled manner. Retiring a service includes:

• Advance notification to customers
• Support for customer migration to alternative services
• Data handling and archive requirements
• Final operational support period with clear end date
• Removal from the portfolio only after all retirement steps are complete

Service retirement is often neglected in audit planning. Organizations may have many services with "retired" status that are years out of date. A clean, current portfolio is essential for demonstrating that the SMS is actively managing the services it supports.

The Service Catalogue vs. The Service Portfolio

A related but distinct concept is the service catalogue. The service portfolio is an internal governance and management record; it may contain sensitive information (cost, profitability, strategic intent). The service catalogue is the customer-facing subset of the portfolio—a list of available services, how to request them, and basic service information. Many organizations share the portfolio structure with customers, but the distinction between portfolio (what we manage) and catalogue (what we offer to customers) is conceptually important.

KEY CONCEPT: The service portfolio defines the scope of the SMS. Services not in the portfolio are not under SMS control. The service catalogue is what customers see; the portfolio is what the organization uses to manage all services across their complete lifecycle.

 

Clause 8.3: Relationship Management

Clause 8.3.1: Customer Relationship Management

Requirements Overview

ISO 20000 requires that the organization establish and maintain relationships with customers to understand their requirements, ensure SLAs are agreed and met, manage service reviews, and handle customer feedback and complaints. Customer relationship management is not a single process but a collection of activities:

• Requirement capture and understanding
• SLA negotiation and agreement
• Service review meetings
• SLA performance monitoring and reporting
• Customer satisfaction measurement
• Complaint handling
• Continuous improvement based on customer feedback

The Service Review Meeting

The service review meeting is the primary mechanism for managing the customer relationship throughout the service lifecycle. ISO 20000 requires that service reviews occur at defined intervals and produce documented outputs. In practice, service reviews typically occur quarterly or semi-annually, though the frequency may vary based on service criticality or customer agreement.

A typical service review meeting agenda includes:

• SLA achievement review (actual performance vs. agreed targets for the period)
• Incident and problem trend review (significant incidents, recurrent issues)
• Change activity summary (changes implemented, planned changes)
• Customer satisfaction feedback
• Capacity and performance outlook
• Service improvement items and progress
• New or modified requirements
• Calendar for next review period

ISO 20000 auditors look for documented evidence of these meetings: meeting minutes with attendees, discussion topics, action items, and follow-up tracking. Informal service reviews that occur but leave no paper trail do not satisfy ISO 20000 requirements.

Customer Satisfaction Measurement

Clause 8.3.1 requires the organization to measure customer satisfaction. Many organizations interpret this narrowly as conducting a survey. In practice, effective customer satisfaction measurement includes:

• Survey design: what aspects of service quality are being measured (availability, responsiveness, technical quality, communication)
• Survey frequency: how often surveys are distributed (annually, semi-annually, after major changes)
• Sample methodology: which customers are surveyed, whether all customers or a representative sample
• Analysis and trending: how results are analyzed to identify patterns and trends
• Action: how survey results are used to drive service improvements
• Documentation: records of surveys, results, analysis, and improvement actions

A common audit finding is the statement: "We measure customer satisfaction informally through ongoing conversations." ISO 20000 expects formal, documented measurement. The organization should be able to produce records showing historical satisfaction data and trending.

Customer Complaint Handling

Beyond incident management (which addresses operational service failures), Clause 8.3.1 addresses complaint handling—complaints about service quality, responsiveness, billing, or how issues are handled. The complaint handling process should:

• Provide a clear channel for customers to lodge complaints
• Log complaints with sufficient detail for investigation
• Investigate and determine the cause
• Provide a response to the customer explaining findings and remediation
• Track complaints to closure
• Analyze complaint trends for service improvement

Complaints are often distinct from incidents. An incident is a service failure; a complaint is customer dissatisfaction with how the service or the organization responded to a failure or how the service is being delivered.

Clause 8.3.2: Supplier and Partner Relationship Management

Requirements Overview

Just as customer relationship management is critical on the customer-facing side, supplier relationship management is critical on the supply side. The organization must establish and maintain relationships with suppliers and partners providing services or components that support the SMS. Supplier relationship management includes:

• Establishing supplier agreements that clearly define service scope and performance requirements
• Monitoring supplier performance against agreed requirements
• Managing supplier risks and contingencies
• Escalating and remediating when suppliers do not meet requirements
• Periodically assessing or auditing suppliers

Supplier Agreements

A supplier agreement (contract, SLA, service agreement, master service agreement) must cover:

• Service scope: what services or components the supplier provides
• Performance requirements: availability, response times, quality standards
• Security and compliance requirements: what data protection and information security standards the supplier must meet
• Audit rights: whether the organization can audit the supplier's delivery
• Termination and transition: how the relationship ends and how the organization transitions if the supplier exits
• Escalation paths: who to contact at the supplier when issues arise
• Reporting requirements: what performance data the supplier must provide

The relationship between Clause 8.3.2 (supplier relationship management) and Clause 8.4 (supply chain management) should be noted. Clause 8.3.2 focuses on direct supplier relationships; Clause 8.4 addresses the broader governance of how services flow through multiple tiers of suppliers.

Supplier Performance Monitoring

Supplier agreements must be accompanied by monitoring. This includes:

• Regular collection of supplier performance data (availability, response times, quality metrics)
• Comparison of actual performance to agreed targets
• Escalation procedures when suppliers miss targets
• Scorecards or performance dashboards showing supplier status over time
• Periodic supplier review meetings (similar in structure to customer service review meetings)

In practice, this means maintaining supplier scorecards or dashboards showing current performance status and trend.

Managing Supplier Risk and Contingency

When a supplier provides critical services or components (such as a managed IT service provider, a cloud infrastructure provider, or a critical application vendor), supplier risk becomes operational risk. The organization must consider:

• Criticality assessment: how critical is this supplier to service delivery?
• Concentration risk: how many critical services rely on a single supplier?
• Contingency planning: if this supplier fails or exits, how would the organization maintain service delivery?
• Redundancy: for critical suppliers, is there a backup or alternative arrangement?
• Contractual protections: does the contract include transition support, advance notice, and data return provisions if the relationship ends?

The "fail" scenario is not theoretical. Data center providers go out of business, application vendors cease support, outsourcing partners experience major incidents. Organizations without contingency plans for critical supplier failures face extended service outages.

IMPORTANT: Every service in the portfolio must have a documented SLA agreed with the customer. This is not optional guidance; it is an explicit ISO 20000 requirement. "We have an informal understanding" does not satisfy the requirement.

BITLION INSIGHT: Bitlion GRC service portfolio management capabilities provide centralized governance of services across their complete lifecycle—from design intake through operation to retirement. Integrated supplier and customer relationship registers enable tracking of all stakeholder agreements and performance.

 

Integration Between Clauses 8.2 and 8.3

Service portfolio management (Clause 8.2) and relationship management (Clause 8.3) are tightly integrated. The portfolio defines what is managed; relationship management ensures that the customer and supplier relationships supporting those services are actively maintained. When new services are added to the portfolio, customer and supplier relationships for that service must be established. When services are retired, those relationships must be formally closed.

 

Common Audit Findings

• Service portfolio exists but lacks complete information (missing SLAs, unclear customers, no documented owner)
• Service portfolio not maintained; services added years ago are still listed as active despite no operational support
• No documented evidence that service review meetings occur; reviews happen informally without minutes or action tracking
• No formal customer satisfaction measurement; satisfaction "managed" through general feedback
• Supplier agreements missing or outdated; no performance monitoring records
• Outsourced services not included in portfolio; audit scope does not clearly delineate what the SMS covers

 

Service Portfolio Register Template

Service Name | Status | Customer | SLA Reference | Key Components | Owner
Finance System Support | Active | Finance Department | SLA-2024-FIN-001 | Oracle EBS, Database Server, Network | James Liu
Email and Collaboration | Active | All Staff | SLA-2024-EMAIL-001 | Exchange, SharePoint, Mobile Client | Maria Garcia
Development Environment | In Development | Engineering | TBD | CI/CD Pipeline, Test Servers | Alex Chen
Legacy HR System | Retired | HR Department (historical) | N/A | N/A | N/A

 

Supplier Management Register

Supplier | Services Provided | Contract Reference | Performance Metric | Review Frequency | Risk Level
Acme Cloud Services | Infrastructure as a Service | MSA-2024-001 | 99.95% availability | Monthly | High
Tech Support Global | Help Desk Services | MSA-2024-005 | P1 response < 1 hr | Quarterly | Medium
DataGuard Security | Security Monitoring Services | SLA-2024-SEC-001 | 24/7 monitoring | Quarterly | High
Office Supplies Co | Hardware Procurement | PO Agreement 2024 | On-time delivery 95% | Semi-annual | Low