ISO/IEC 20000-1:2011 Information Technology Service Management

ISO/IEC 20000-1:2011 overview

The International Organization for Standardization (ISO) is an independent nongovernmental organization and the world’s largest developer of voluntary international standards. The International Electrotechnical Commission (IEC) is the world’s leading organization for the preparation and publication of international standards for electrical, electronic, and related technologies.

Published under the joint ISO/IEC subcommittee in 2005 and revised in 2011, ISO 20000-1:2011 is an international standard for the establishment, implementation, operation, monitoring, and review of an Information Technology Service Management System (SMS). It is the only standard in the ISO 20000 family that results in a formal certification. The standard is based on requirements for designing, transitioning, delivering, and improving services to fulfill agreed service requirements and to provide value to both customers and service providers. ISO 20000-1 helps organizations provide assurance to customers that their service requirements will be fulfilled.

Microsoft and ISO/IEC 20000-1:2011

Obtaining the ISO 20000-1:2011 certification is a logical step for Microsoft Azure. We lead the industry with the most comprehensive compliance coverage, enabling customers to meet a wide range of regulatory obligations. The ISO 20000-1 certification complements our current catalog of ISO certifications including ISO 27001:2013 and ISO 9001:2015, which validate that a process of continual improvement is in place helping Microsoft Azure deliver a secure and reliable cloud service platform for our customers.

An independent third-party auditing firm performed a rigorous examination of Microsoft Azure and several Microsoft online services for adherence to the requirements established in the ISO 20000-1:2011 standard. The available ISO 20000-1 certificate demonstrates that Azure and covered Microsoft online services have implemented the right IT service management procedures to deliver efficient and reliable IT services that are subject to regular monitoring, review, and improvement.

Microsoft in-scope cloud services

  • Azure, Azure Government, and Azure Germany
  • Microsoft Cloud App Security
  • Microsoft Defender Advanced Threat Protection
  • Microsoft Graph
  • Microsoft Healthcare Bot
  • Intune
  • Microsoft Managed Desktop
  • Office 365 Operated by 21Vianet
  • Microsoft PowerApps
  • Power Automate (formerly Microsoft Flow)
  • Power BI
  • Power BI Embedded

Audits, reports, and certificates

ISO 20000-1 documentation as follows:

Frequently asked questions

Where can I get the ISO 20000-1:2011 audit reports and scope statements for Microsoft services?

The Service Trust Portal provides independently audited compliance reports. You can use the portal to request reports so that your auditors can compare Microsoft's cloud services results with your own legal and regulatory requirements. The FY17 Microsoft Azure ISO 20000-1 Assessment Report and the FY17 Microsoft Azure ISO 20000-1 Certificate are both available.

Does Microsoft run annual tests for infrastructure failures?

Yes. The ISO 20000-1:2011 annual assessment includes the underlying physical infrastructure datacenter. Review the certificate for the coverage details.

Where can I view Microsoft’s compliance information for ISO 20000-1:2011?

You can download the ISO 20000-1:2011 certificate for Azure and additional services that are in scope of this assessment.

Can I use the compliance of Microsoft services to ISO 20000-1:2011 in my organization’s certification process?

Yes. If your business is seeking certification for implementations deployed on in-scope services, you can use the relevant Microsoft certifications in your compliance assessment. However, you are responsible for engaging an assessor to evaluate your implementation for compliance, and for the controls and processes within your own organization.

Resources