ISO/IEC 20000, the international standard for service management, has been with us since 2005. The success rate has been high with many organisations around the world achieving certification to part 1 of the standard. The new edition of part 1, Service Management System Requirements, was published in April 2011. Aligned to this, the new editions of part 2 and 3 were published in 2012. An updated part 5 is expected to be published in 2013 along with a new part, Part 10 Concepts and terminology.

What is part 3?

ISO/IEC 20000-3 has the title ‘Guidance on scope definition and applicability of ISO/IEC 20000-1’. It supplements the guidance provided in part 2 and covers specific areas in more detail. Part 3 provides guidance and examples to support service providers preparing for certification to ISO/IEC 20000-1. It will also be useful to consultants and auditors.

ISO/IEC 20000-3:2012 will assist in establishing if ISO/IEC 20000-1 is applicable to a service provider’s circumstances. It illustrates how the scope of an SMS can be defined, irrespective of whether the reader has experience of defining the scope of other management systems.

What has changed in the 2012 edition of part 3?

The 2012 edition of part 3 is aligned to 3 very important new clauses in ISO/IEC 20000-1:2011. These items were all covered in some way in the previous edition of part 3 but were purely guidance as there were no related requirements in part 1. The clauses in part 1 that are explained in part 3 are:

1.2 Application
4.2 Governance of processes operated by other parties
4.5.1 Define scope.
The clause on applicability explains that the service provider should retain full accountability and responsibility for the service management system (SMS) general requirements in clause 4 of part 1. Other parties can be used to work on behalf of the service provider e.g. to produce the service management plan. For clauses 5 – 9 in part 1, the service provider can outsource some of the processes or parts of processes to other parties. The other parties can be external suppliers, internal groups (within the service provider but using the incident and service request management process. If the service provider has outsourced the majority of requirements in clauses 5 – 9, then it is unlikely that they can meet all of the requirements of part 1 and be applicable for certification to ISO/IEC 20000-1. If they have outsourced a minority of requirements in clauses 5 – 9 and can demonstrate governance of processes operated by other parties, then they can be applicable for certification.

The clause on governance of processes operated by other parties provides guidance and examples for the 4 items to be demonstrated:

accountability and adherence
control of process definitions and interfaces
knowledge of process performance and compliance
control of process improvements.
Governance of processes operated by other parties does not apply to other parties who are not operating a process or part of a process e.g. a software or hardware supplier.

There is a lot of guidance on defining scope of an SMS. The requirements in clause 4.5.1 of part 1 are explained. A typical scope statement contains the mandatory parameters of the service provider and the services to be provided and can include the optional parameters of location of customer, location of service provider and technology. Guidance is given on changing the scope, service catalogue in a scope statement, supply chains and defining scope for integrated management systems.

Reference is also made to the management of other parties either through the supplier management process (clause 7.2 in part 1) for external suppliers or the service level management process (clause 6.1 in part 1) for internal groups and customers acting as suppliers. The requirement to manage internal groups and customers acting as suppliers is a new requirement in the 2011 edition of part 1. The control of external organizations accessing information or services through the information security management process (clause 6.6.2 in part 1) is also referenced.

Annex A is checklist is provided on scope, applicability and conformity.

The examples in Annex B have been updated and clarified to align with the new requirements for defining scope in part 1. These cover scope definition and applicability for 11 scenarios ranging from simple internal service provider with no outsourcing to complex supply chains.

Annex C describes the different types of conformity assessments.

Using part 3 with other guidance

Part 3 is not the only guidance on the application of part 1. Other guidance documents which can be used to support part 1 are:

– Part 2 Guidance on the application of service management systems

– Part 5 Exemplar implementation plan for ISO/IEC 20000-1

– Certification scheme rules.

Part 3 in APMG certification and qualification schemes

Part 3 is a normative reference in the APMG certification scheme rules. Part 3 is the only guidance referenced in the APMG certification scheme.

For organizations that have previously used the ITSMF certification scheme, this referred to management control for any outsourced activities. The term management control has now been replaced by governance of processes operated by other parties. It is not referenced in the certification scheme rules since it is mandatory because governance of processes operated by other parties is a requirement of part 1.

Part 3 is in the syllabus of the foundation, practitioner and auditor qualifications. For foundation, the knowledge required is of some of the guidance. For practitioner and auditor levels, more detailed knowledge is required to demonstrate an understanding of how to define scope for various scenarios.


Part 3 is essential reading for those who are reviewing if their organization is applicable for certification to ISO/IEC 20000-1, especially where there is a complex supply chain. If applicability is established, then it is invaluable to support the definition of scope. The updated edition is vital to support three new and important clauses in part 1.

Further information

ISO/IEC 20000 part 3 can be obtained from the ISO web site or your country standards organisation e.g. BSI in the UK.