ISO/IEC 20000-1: IT Service Management
ISO 20000
International standard for IT service management based on ITIL best practices.
Overview
The ISO/IEC 20000-1 standard represents a critical milestone in standardizing IT service management practices globally. Originally published in 2005 and significantly revised in 2018, the standard emerged from the growing need to transform IT service delivery from ad-hoc approaches to systematic, measurable processes.
At its core, ISO 20000-1 provides a comprehensive framework for designing, implementing, and maintaining an effective service management system (SMS). Unlike previous guidance-based models, this standard offers auditable and certifiable requirements that align closely with best practices from the Information Technology Infrastructure Library (ITIL).
For data centers, ISO 20000-1 is particularly significant because it addresses the complete lifecycle of IT services from strategic planning through service retirement. The standard mandates rigorous processes for service delivery, relationship management, and continuous improvement. By establishing clear requirements for governance, documentation, and performance measurement, it helps organizations reduce operational risks and enhance service predictability.
The 2018 revision further strengthened the standard's relevance by incorporating more flexible implementation guidelines and emphasizing the importance of integrated service management approaches. Unlike security-focused (ISO 27001) or quality-focused (ISO 9001) standards, ISO 20000-1 provides a holistic view of how IT services should be designed, transitioned, operated, and continuously enhanced.
Key Requirements
Service Management System (SMS) Establishment and Governance
Data centers must establish a formal service management system with documented policies, objectives, and scope that aligns with organizational strategy and customer requirements.
This requires defined governance structures including service management roles (service owner, incident manager, change manager, problem manager), authority hierarchies, and decision-making frameworks.
The SMS must include a management review process occurring at least annually to assess effectiveness, identify improvement opportunities, and ensure continual resource allocation.
Service Portfolio and Service Catalog Management
Data centers must maintain documented service portfolios describing all IT services offered, including service descriptions, business outcomes, pricing models, and target customer segments.
The service catalog must define service components, service levels, dependencies, and support hours with sufficient detail that customers understand exactly what they are purchasing.
Both portfolio and catalog must be kept current through change management processes and reviewed during management reviews.
Service Level Management and SLA Definition
Data centers must establish, document, and maintain service level agreements (SLAs) for each service containing specific, measurable service level targets such as availability percentages, response times, throughput rates, and maintenance windows.
SLAs must include defined scope, service hours, performance metrics with targets, escalation procedures, and consequences for non-compliance.
Data centers must continuously monitor performance against SLA targets, report results to customers, and demonstrate achievement or justify deviations through formal reporting mechanisms.
Incident Management Process with Defined Workflows
Data centers must establish documented incident management procedures that define severity classifications, initial response timeframes, escalation paths based on impact and urgency, and resolution targets tied to service levels.
The process must include incident logging systems that capture incident details, assignment to support personnel, status tracking, and closure verification.
Data centers must maintain incident records as evidence of process compliance and use incident data to identify recurring issues for problem management activities.
Problem Management and Root Cause Analysis
Data centers must implement systematic problem management processes distinct from incident management that identify underlying causes of incidents, develop permanent solutions, and prevent recurrence.
This requires documented procedures for problem investigation, root cause analysis methodologies (such as 5-why or fishbone analysis), solution development, and known error database maintenance.
The standard requires data centers to prioritize problems based on impact and urgency, with documented evidence of investigation activities and implemented solutions.
Change Management Control and Coordination
Data centers must establish formal change management procedures that govern all infrastructure, software, and configuration modifications to prevent service disruption and maintain stability.
Changes must be evaluated for risk, impact assessment, rollback plans, and scheduling coordination through change advisory boards (CABs) or equivalent governance bodies.
The standard requires documented change requests, impact analyses, testing protocols, and post-implementation reviews to verify that changes achieved intended outcomes without introducing new issues.
Release and Deployment Management
Data centers must define and document release policies that govern how software updates, patches, hardware refreshes, and infrastructure changes are packaged, tested, and deployed into production environments.
Release management must coordinate with change management, include testing protocols, define deployment windows, and establish rollback procedures.
The standard requires release documentation including version control, deployment checklists, known issues registers, and deployment success metrics.
Configuration Management and Asset Control
Data centers must maintain a Configuration Management Database (CMDB) or equivalent system that documents all IT infrastructure components (servers, network devices, applications, virtualization platforms) including configurations, relationships, ownership, and status.
The CMDB must be accurate, current, and integrated with incident and change management processes.
Data centers must perform regular configuration verification through physical and system audits to maintain data integrity and prevent configuration drift.
Supplier and Vendor Management
Data centers must establish processes to manage relationships with external service providers, hardware vendors, and third-party infrastructure suppliers through documented agreements, performance metrics, and regular review meetings.
Vendor management must include contract review, service level agreement alignment, performance monitoring, and escalation procedures for service failures.
The standard requires data centers to maintain visibility into external dependencies and ensure vendor services meet organizational requirements.
Continuous Service Improvement and Metrics Program
Data centers must establish a continuous improvement program that regularly evaluates service management effectiveness through defined metrics including availability, incident volumes, resolution times, customer satisfaction scores, and process efficiency measures.
Improvement activities must be documented with objectives, implementation plans, responsible parties, and completion timelines.
The standard requires quarterly or more frequent review of improvement initiatives and their effectiveness in achieving organizational targets.
Who Uses & Why
ISO/IEC 20000-1 certification is most critical for data centers and infrastructure service providers operating in regulated industries or serving enterprise customers with complex service requirements. Government sectors, financial services, healthcare, and telecommunications frequently mandate this certification as a contractual requirement.
Mandatory certification scenarios typically include:
- Providers delivering managed services or cloud infrastructure
- Organizations bidding on government or high-security contracts
- Multi-tenant data centers with complex service portfolios
- Providers operating across multiple service lines
Optional but beneficial scenarios include:
- Mid-sized data centers transitioning to managed service models
- Colocation providers seeking competitive differentiation
- Organizations wanting to demonstrate operational maturity
Geographic considerations vary, with North American and European markets showing higher compliance expectations compared to emerging technology markets. The certification's complexity and implementation costs range from moderate to significant, typically requiring 12-36 months depending on existing operational processes and organizational readiness.