If an ISO/IEC 20000-1:2018 audit goes wrong, it usually goes wrong in Clause 8. Clauses 4–7 (context, leadership, planning, support) and 9–10 (performance and improvement) are the familiar Annex SL management-system scaffolding. Clause 8 — Operation of the SMS — is where the standard becomes specific to service management, and where most IT teams and MSPs lose marks.
What Clause 8 actually contains
Clause 8 is broad. It covers the service portfolio (8.2 — including service catalogue, asset and configuration management), relationship and agreement (8.3 — business relationship, service level, supplier management), supply and demand (8.4 — budgeting, demand, capacity), service design, build and transition (8.5 — change, design/transition, release and deployment), resolution and fulfilment (8.6 — incident, service request, problem), and service assurance (8.7 — availability, continuity, information security). That is a lot of operating model to evidence.
The five failure points
1. Service levels that are stated but not measured (8.3.2). An SLA that names a target but has no measurement method, no report, and no review with the customer does not satisfy the clause. Auditors ask to see the target, the measurement, the report, and the review — all four.
2. Supplier-run processes excluded from scope (8.2.3). You can outsource the operation of a process; you cannot outsource accountability for governing it. Excluding a supplier-run process from the SMS scope is a frequent major nonconformity. Clause 8.2.3 requires you to demonstrate control of the parties involved in the service lifecycle.
3. Change and release without an authorization trail (8.5.1 / 8.5.3). The auditor samples changes and releases and tests for evidence: who authorized it, the risk and rollback assessment, the deployment record, and the post-implementation review. A change policy with no records behind it fails.
4. “Human error” as a problem root cause (8.6.3). Problem management exists to prevent recurrence. “The technician made a mistake” is a description of what happened, not a root cause. The clause expects you to identify the system or control deficiency that allowed the error.
5. Continuity plans that are documented but untested (8.7.2). A service continuity plan that has never been exercised is not evidence of continuity capability. Plan, document, and test at planned intervals.
How to structure around them
Each failure point is a structure problem, not an effort problem. Measured SLAs need an SLA register with a measurement method and review cadence. Supplier governance needs a supplier register that maps in-scope processes to documented agreements and targets. Change and release need records that carry the authorization and rollback evidence by design. Problem management needs a root-cause discipline that rejects “human error.” Continuity needs a tested plan with a scheduled exercise. Get the registers and procedures right and Clause 8 becomes the easiest part of the audit to defend.
Build it, don’t just read about it
SGRII ISO/IEC 20000-1:2018 ITSMS Framework — launching shortly
A complete Service Management System: SMS Manual, 14 clause-referenced procedures (incident, change, problem, service level, supplier and more), and an Excel pack with the SLA register, CMDB, change/incident/problem logs and supplier register that make Clause 8 audit-defensible. Pair it with the Risk & Opportunity Engine for Clause 6.1.
See SGRII frameworks → Risk & Opportunity Engine ($69)Coverage is not compliance. SGRII frameworks provide structured coverage, templates and guidance. They are designed for audit defensibility and structured for certification readiness; they do not certify you, do not guarantee a successful audit, and are not legal advice. The official ISO/IEC 20000-1 standard remains the only authoritative source of requirements.
Related reading: Which ISO standard does your business need?