ISO/IEC 20000 and ITIL The Difference Explained by Jenny Dugmore and Alison Holt

This article describes differences between ITIL and ISO/IEC 20000. The two have much in common, both cover service management, are used internationally and can be studied through formal training. ITIL provides good practice guidelines, advice and options that can be selectively adopted and adapted. ISO/IEC 20000 is a standard in two parts. Part 1, ISO/IEC 20000-1 is the distillation of the "must do" practices of service management. Part 2, ISO/IEC 20000-2 is a code of practice giving advice.

ITIL is usually the starting point and in practice is often used by organisations wanting to address a particular "point of pain", such as a process that is obviously failing. Once one process has been implemented successfully it soon becomes obvious that the related processes would also be worth implementing...and a service improvement journey begins.

Achieving ISO/IEC 20000 is undertaken when organizations want to test and prove they have adopted ITIL advice effectively. It is used to develop consistent, integrated processes across organisational and national boundaries. Customer organisations also use it to compare providers.

Origins of ISO/IEC 20000 and ITIL

ISO/IEC 20000 replaced BS 15000 in December 2005. Both ITIL and BS 15000 (and therefore ISO/IEC 20000) date back to the 1980s. In the mid 1990s and following the publication of the first service management code of practice and ITIL Version 1 a concordat between the British Standards Institution (BSI), itSMF and BMP, formed the basis for co-operation and positioning of publications so that they form part of the same logical structure. The logical relationship still applies, as shown in Figure 1.

Figure 1

Key differences

Despite the close link ISO/IEC 20000 and ITIL are not fully aligned. This is partly due to the fundamental difference between a standard and a framework. Also, there are variations due to the differing development and publication timetables. The key differences are described below.

Organisational structure and size

ISO/IEC 20000 requirements are completely independent of organisational structure or size. A service provider must use the structure that is most appropriate. ITIL includes advice and options for some aspects of organizational structure. Specialist advice is available for small organisations.

Management system requirements

Management responsibilities, including the Plan-Do- Check-Act cycle of continual improvement requirements are fundamental to ISO/IEC 20000. This aligns the standard with other management systems standards, such as the '9000' series. Much of the ITIL advice is targeted at individual processes, to help organisations on the journey to best practices.

Process comparisons

  • ISO/IEC 20000 includes business relationship management and supplier management processes, which are not covered by the Service Support and Service Delivery books. However, aspects of business relationship and supplier management are covered by BMP publications.
  • In ISO/IEC 20000 service reporting is a separate process and is a key component of service management, the Plan-Do- Check-Act cycle process integration. ITIL makes reference to service reports but as part of a process (e.g. service level management) and service reporting is not treated as a separate process.
  • Service continuity and availability management have been combined in ISO/IEC 20000 as the requirements are closely related and treating them separately results in duplication. In ITIL, service continuity and availability management are separate processes.
  • ISO/IEC 20000-1 includes requirements for budgeting and accounting. Charging is not applicable for some organisations so cannot be included in a specification, where all requirements are compulsory. ITIL includes advice on charging.
  • ISO/IEC 20000-1 includes requirements for information security management with a note referring to a code of practice for security requirements ISO/IEC 17799. Notes do not change the requirements nor do they affect the scope of an audit. ITIL includes a Security Management Guide, although there is limited alignment between this publication and ISO/IEC 17799 or ISO/IEC 27001.
  • In ISO/IEC 20000 capacity management covers all capacity, drawing no distinction between different types. ITIL draws a distinction between resource, service and business capacity management.
  • Asset management is covered by clauses on configuration management, in ISO/IEC 20000, aligning with the ITIL Service Support and Service Delivery books. ITIL includes software asset management in a separate publication.

The future for ISO/IEC 20000 and ITIL

Long-term improvements to ISO/IEC 20000 have already been discussed at ISO level. Plans include a new Part 3 to cover scoping and applicability of ISO/IEC 20000 as well as providing advice for auditors. Although ISO/IEC 20000 was only recently published there are already training courses and certification schemes, based on conversions of the BS 15000 equivalents. ITIL is undergoing a "refresh programme" to improve the content of the publications and qualifications and the usefulness and applicability of ITIL. It is envisaged that ITIL and ISO/IEC 20000 will continue to be adopted by organisations with a wide range of goals.