5 Things ISO 20000-1 Reveals About Your Company's Services
Introduction: Taming the Chaos of "Service Sprawl"
Many organizations suffer from "service sprawl"—a situation where numerous services are delivered without clear ownership, formal approval, or a coherent strategy. This leads to undefined services, inconsistent quality, and a misalignment with business needs. The result is often chaos, wasted resources, and unmanaged risk.
While it may seem like a complex compliance standard, ISO 20000-1 is a powerful framework that brings surprising clarity to this chaos. It forces an organization to answer a fundamental question: Do we know exactly which services we provide, why they exist, and how they are controlled throughout their lifecycle?
This article distills five counter-intuitive but critical lessons from the standard's approach to Service Portfolio Management. These takeaways are crucial for any organization aiming to achieve true operational excellence.
Takeaway 1: Your 'List of Services' Is Dangerously Incomplete
A true Service Portfolio isn't just what's live—it includes the future and the past.
A complete service portfolio, as required by the standard, contains three distinct components: the Service Pipeline (services being planned or developed), the Live Service Catalog (currently available services), and a record of Retired Services (services formally withdrawn from operation).
This holistic view is critical for effective governance. Without visibility into the service pipeline, an organization cannot make strategic decisions or plan resources effectively. Without a formal record of retired services—which must be retained for knowledge, audit, or legal purposes—critical operational knowledge is lost, and lessons learned are forgotten.
Takeaway 2: Your Service Catalog and Service Portfolio Are Not the Same Thing
You're confusing the map for the territory.
It's a common mistake to use the terms "Service Catalog" and "Service Portfolio" interchangeably, but from a governance perspective, they serve very different functions. The Service Portfolio is the comprehensive, internal "master plan" that provides management with visibility and control over the entire service lifecycle. The Service Catalog, in contrast, is the customer-facing "menu" of currently available, live services.
This distinction is critical in an audit. A common failure is finding services being delivered to users that are completely missing from the official service catalog—a clear sign that operational reality and governance are disconnected.
Takeaway 3: "Legacy" Isn't an Excuse for a Lack of a Retirement Plan
Every service must have an end-of-life plan.
According to the ISO 20000-1 standard, all services must be managed through a full lifecycle, which includes a formal retirement stage. The standard mandates that no service can exist indefinitely without formal review and justification. Decisions to retire a service must be documented and communicated, and the associated risks and impacts must be managed.
One of the major "Red Flags" for an auditor is finding services that remain in operation "indefinitely with no review or justification." These so-called legacy services create significant risks: they consume valuable resources that could be used for innovation, they can become security vulnerabilities if not properly maintained, and they prevent the organization from modernizing its offerings.
Takeaway 4: Undocumented Services Are Unmanaged Risk
If it's not formally authorized, it shouldn't be running.
A core tenet of the standard is that no service is delivered without formal authorization. This is not a bureaucratic formality; it is a critical governance control. Authorization ensures that a service is aligned with business needs, its risks have been assessed, and the necessary resources have been planned and allocated. This process is typically handled by governance mechanisms like a service review board, an IT governance committee, or through formal business approvals.
The severity of this issue cannot be overstated. From an auditor's perspective, delivering an unauthorized service isn't a minor oversight; it is a fundamental failure of control. The principle is simple and absolute:
Unauthorized services represent unmanaged risk.
This formal requirement directly addresses the common operational problem of "informal" or "shadow IT" services. From a compliance standpoint, these services represent a significant governance failure and are a common source of audit nonconformities.
Takeaway 5: The Ultimate Failure Is Not Knowing What You Do
An auditor's first question might be the one you can't answer.
The most critical nonconformity an organization can receive in this area is when it "cannot clearly state which services are in scope and under control." An auditor's primary goal is to verify that the organization knows what it does and has control over it. An inability to provide a clear, complete list of services demonstrates a profound lack of control.
This failure goes far beyond a simple documentation issue. It signals a systemic failure that calls into question the integrity of the entire IT Service Management System (ITSMS), as it proves the organization cannot govern its core function: the delivery of services.
Conclusion: From Chaos to Control
Ultimately, these five takeaways point to a single core message: effective service management is about achieving total visibility, clear authorization, and disciplined lifecycle control. Moving from the chaos of "service sprawl" to a state of control requires a structured approach where every service is visible, authorized, and managed from its conception to its retirement.
This leaves one final, thought-provoking question for your organization to consider:
If an auditor walked in today and asked for a complete, authorized list of your services—planned, live, and retired—could you confidently provide one?
