Why Phasing Matters
ISO 20000 implementation done right is a 12-18 month organizational program, not a documentation sprint. Organizations that attempt to compress implementation into 3-4 months consistently produce SMS infrastructure that is documented but not genuinely operational--a problem that auditors detect quickly during Stage 1 and Stage 2 audits. The phased approach ensures that management system governance is established before service management practices begin operations, that practices run for a sufficient period to generate evidence, and that internal audit can verify effectiveness before certification audits commence.
Overview of the Four Implementation Phases
ISO 20000 implementation follows four distinct phases that must occur in sequence:
Phase 1 (Foundation) establishes the organizational foundation: gap assessment, scope definition, and leadership commitment. Phase 2 (Design) builds the management system infrastructure and process design. Phase 3 (Implementation) transitions practices into live operation and generates evidence. Phase 4 (Certification) executes the staged certification audits. Each phase has specific outputs and go/no-go criteria that must be met before proceeding.
| KEY CONCEPT | The phased approach is not optional. Stage 2 auditors will assess whether the SMS shows evidence of planned, deliberate development, not rushed documentation. Organizations that attempt all work simultaneously typically create work products that are internally inconsistent and lack sufficient operational evidence. |
Phase 1: Foundation (Months 1-2)
The Foundation phase establishes the organizational conditions necessary for successful SMS design and implementation.
Conduct an initial gap assessment against all ISO 20000-1:2018 clauses, covering both management system governance (Clauses 4-7, 9-10) and service management practice gaps (Clause 8). This assessment produces a heat map of current state versus required state, identifying where the most significant remediation effort will be required.
Establish SMS project governance with clear roles: an executive sponsor with budget authority, an SMS coordinator responsible for day-to-day program management, an implementation team with representatives from each in-scope service area, and a steering committee that meets regularly to review progress and remove obstacles.
Define the SMS scope precisely: which services, customers, organizational units, and geographic locations are included. The scope statement becomes a certified document that auditors will examine. Exclusions must be justified--auditors will test that in-scope services are genuinely managed within the SMS and excluded services are not.
Develop the implementation project plan with defined milestones, resource allocation, budget, dependencies, and a risk register specifically for the implementation program. This differs from the service management plan (which describes how the SMS will operate); the project plan describes how the organization will build the SMS.
Obtain formal leadership commitment: board or executive sign-off on the implementation program, its resource requirements, and the timeline. Without visible executive sponsorship, implementation efforts typically stall when competing operational priorities emerge.
Phase 2: Design (Months 2-5)
The Design phase produces all required management system and service management practice design documents.
Establish management system governance infrastructure: develop and approve the service management policy that describes the organization's commitment to managing services per ISO 20000; establish a document control system; conduct risk and opportunity assessments relevant to service management objectives; and set measurable service management objectives for the current planning period.
Produce the service management plan required by Clause 6: a comprehensive governing document that describes the objectives, roles, resources, timeline, and governance arrangements for the SMS. The SMP is the primary document that auditors will use to assess SMS design maturity.
Design all Clause 8 service management practices: incident management, problem management, service request management, change management, release management, configuration management, service portfolio management, relationship management, service continuity management, availability management, capacity management, and information security as it relates to service management. Each practice must have a documented procedure and assigned ownership.
Establish the service portfolio and SLAs: document all in-scope services, agree SLAs with customers, and establish the baseline set of metrics that the SMS will monitor and report. SLAs must be realistic and achievable with current resources.
Set up the Configuration Management Database (CMDB): define the scope of configuration items, populate the initial CMDB with the current environment, and establish a verification process to ensure CMDB accuracy before transition to live operation.
Design the internal audit program: establish an audit schedule covering all ISO 20000-1:2018 requirements, plan auditor competence development, and establish the audit procedure that will be used for the pre-certification internal audit.
| IMPORTANT | Phase 2 must be completed before Phase 3 begins. Starting practice operations before design is finalized is a primary cause of implementation delays and rework. Design decisions made under time pressure during the operation phase are typically more costly to correct than decisions made deliberately during design. |
Phase 3: Implementation (Months 5-10)
The Implementation phase transitions practices into live operation and generates the evidence that auditors will examine.
Operate all Clause 8 practices in their designed form for a minimum of 3 months before Stage 2 certification. Stage 2 auditors require evidence that practices have been operating consistently. Records created the week before audit are not evidence of sustained operation.
Conduct training and awareness for all SMS staff: ensure service management practitioners understand their roles, the documented procedures, and the tools they will use to record and manage the service management activities.
Verify CMDB accuracy against the actual IT environment: conduct a reconciliation between what the CMDB records and what is actually deployed. Address any discrepancies before Stage 2; auditors will test CMDB accuracy.
Conduct the first management review: assess SMS performance against objectives, review metrics and KPIs, evaluate the effectiveness of practices, and adjust objectives or the service management plan as needed based on operational experience.
Conduct a full-scope internal audit covering all ISO 20000-1:2018 requirements: the internal audit must be performed by competent auditors and must produce a detailed report identifying any nonconformities or observations. Implementation of corrective actions for identified nonconformities must be verified as effective before proceeding to Stage 2.
Phase 4: Certification (Months 10-12)
The Certification phase executes the two-stage certification audit process.
Select an accredited certification body (KAN-accredited in Indonesia) with demonstrated ISO 20000 audit competence. The same CB must conduct both Stage 1 and Stage 2; switching CBs requires starting the certification process over.
Submit the Stage 1 application: provide the scope statement, service management plan, key documented information, and evidence of SMS design completion. Stage 1 is a documentation review; the CB assesses whether the documented design appears likely to meet ISO 20000 requirements.
Conduct Stage 1 audit: the CB reviews documentation, may request clarifications or additional documentation, and issues a Stage 1 audit report. Any findings from Stage 1 must be remediated before Stage 2 can be scheduled.
Conduct Stage 2 audit: the CB performs an on-site audit, examining SMS operation in practice. Stage 2 auditors will review records, observe processes, and interview personnel. Any nonconformities raised during Stage 2 require a formal corrective action plan and evidence of remediation.
Certification decision: if no major nonconformities exist, or if identified major nonconformities have been remediated and verified, the organization receives the ISO 20000 certificate. If major nonconformities remain after remediation attempts, the CB may decline certification.
Ongoing compliance: organizations with ISO 20000 certification are subject to surveillance audits in the first and second years following certification, and must undergo recertification at the three-year mark.
Key Sequencing Rules
Certain sequencing constraints must be observed:
Internal audit must be completed and corrective actions verified before Stage 2. Auditors expect the organization to have already conducted self-assessment via internal audit.
Management review must be completed before Stage 2, demonstrating that top management has reviewed SMS performance and made any needed decisions about objectives or approach.
SLA records must show at least 3 months of consistent operation before Stage 2. Auditors will examine SLA achievement trends.
The CMDB must be verified for accuracy before transition to live operation. Unverified CMDBs frequently become a Stage 2 audit finding.
| BITLION INSIGHT | Bitlion GRC implementation accelerator includes pre-built templates for the service management plan, policy frameworks, practice procedures, and internal audit programs. Organizations using these templates report reducing Phase 2 design time by up to 40% while maintaining consistency with ISO 20000 requirements. |
Resource Requirements
Typical organizations require between 400-800 internal implementation effort days across the 12-month program, distributed unevenly across phases. Phase 1 is relatively light (80-120 days); Phase 2 is heavy (250-350 days); Phase 3 is moderate (100-150 days); Phase 4 is light (60-100 days). Most organizations supplement internal effort with external SMS consultants for Phase 2 design work. Typical external support ranges from 60-120 consulting days, concentrated in Phases 2 and 3. Key roles include SMS coordinator (full-time), practice owners (part-time), and auditor competence leads (part-time).
Common Reasons Implementations Fail or Stall
No executive sponsor with real authority and budget control. When the SMS coordinator lacks direct access to senior management decision-making, implementation priorities are easily displaced by operational pressures.
Scope too broad for available resources. Organizations that include too many services or customers exhaust implementation resources before design is complete.
Design phase not completed before implementation. Starting practice operations before procedures are finalized creates rework and reduces organization confidence in the SMS.
Internal audit conducted too late to allow corrective action. When internal audit occurs within 2-3 weeks of Stage 2, there is insufficient time to implement corrective actions and verify effectiveness.
| Phase | Months | Key Activities | Go/No-Go Criteria |
|---|---|---|---|
| Foundation | 1-2 | Gap assessment, scope definition, leadership commitment, project plan | Scope approved, gap assessment complete, sponsor committed, plan endorsed |
| Design | 2-5 | SMP design, practice procedure design, CMDB setup, IA program design | SMP approved, procedures documented, roles assigned, objectives set |
| Implementation | 5-10 | Practice operation (3+ months), management review, internal audit | Practices operational, SLA records showing 3+ months operation, IA complete with corrective actions verified |
| Certification | 10-12 | Stage 1 audit, Stage 2 audit, remediation | Stage 1 findings resolved, Stage 2 conducted, certificate issued |
| Phase | Internal Effort (days) | Typical External Support (days) | Key Roles |
|---|---|---|---|
| Foundation | 80-120 | 10-20 | Executive sponsor, SMS coordinator, practice owners |
| Design | 250-350 | 60-100 | SMS coordinator, practice owners, technical leads, SMP lead |
| Implementation | 100-150 | 20-40 | SMS coordinator, practice teams, internal auditors |
| Certification | 60-100 | 0-10 | SMS coordinator, audit representative, corrective action leads |