ISO/IEC 20000-1:2018

ISO/IEC 20000-1:2018 overview

ISO/IEC 20000-1:2018 is an international standard for IT service management that defines requirements for the development, implementation, monitoring, maintenance, and improvement of an IT service management system. A related standard, ISO/IEC 20000-2:2019, provides guidance on the application of service management systems. In addition, ISO/IEC 27013:2015 provides guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1; it was released for organizations that plan to implement ISO/IEC 20000-1 when ISO/IEC 27001 is already implemented, or that plan to implement the two standards together. ISO/IEC 20000-1:2018 is the only standard in the ISO/IEC 20000 family that results in a formal certification.

The ISO/IEC 20000-1 certificate demonstrates that a cloud service provider has implemented the right IT service management procedures to deliver efficient and reliable IT services that are subject to regular monitoring, review, and improvement. It helps organizations provide assurance to customers that their service requirements will be fulfilled.

Applicability

  • Azure
  • Azure Government
  • Azure China (for more information, see Trust Center documentation)

Services in scope

Microsoft online services in scope are shown on the Azure ISO/IEC 20000-1 certificate:

  • Azure (for detailed insight, see Microsoft Azure Compliance Offerings or ISO/IEC 20000-1 certificate)
  • Dynamics 365 (for detailed insight, see ISO/IEC 20000-1 certificate)
  • Microsoft 365 Defender (formerly Microsoft Threat Protection, not in scope for Azure Government)
  • Microsoft Bing for Commerce (not in scope for Azure Government)
  • Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security, MCAS)
  • Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection)
  • Microsoft Graph
  • Microsoft Intune
  • Microsoft Managed Desktop (not in scope for Azure Government)
  • Microsoft Stream
  • Microsoft Threat Experts (not in scope for Azure Government)
  • Power Apps
  • Power Automate (formerly Microsoft Flow)
  • Power BI
  • Power BI Embedded
  • Power Virtual Agents (not in scope for Azure Government)
  • Universal Print (not in scope for Azure Government)

Audit reports and certificates

You can access Azure ISO/IEC 20000-1 audit documents via the Service Trust Portal (STP) Audit Reports - ISO Reports section. You must log in to access audit reports on the STP. For more information, see Get started with the Microsoft Service Trust Portal.

Frequently asked questions

Why is ISO/IEC 20000-1 certification important?
An independent third-party auditing firm performed a rigorous examination of Azure and several Microsoft online services for adherence to the requirements established in the ISO/IEC 20000-1 standard. The available ISO/IEC 20000-1 certificate demonstrates that Azure and covered Microsoft online services have implemented the right IT service management procedures to deliver efficient and reliable IT services that are subject to regular monitoring, review, and improvement.

Where can I get the Azure ISO/IEC 20000-1 audit documentation?
For links to audit documentation, see Audit reports and certificates. You must have an existing subscription or free trial account in Azure or Azure Government to log in. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.

Can I use the Azure ISO/IEC 20000-1 compliance assurances in my organization’s certification process?
Yes. If your business is seeking certification for an implementation deployed using in-scope services, you can use the relevant Azure certifications in your compliance assessment. However, you are responsible for engaging an assessor to evaluate your implementation for compliance and for the controls and processes within your own organization.

Resources