
ISO/IEC 20000-1 IT Service Management Risk Assessment

Identify IT service risks, evaluate impact on service delivery and SLAs, map to SMS processes and set improvement actions — ISO/IEC 20000-1:2018 compliant

ISO/IEC 20000-1:2018 · Auto-Save · SLA Impact Tracking · ITSM Process Mapping · CSV · TXT · JSON · PDF · ITIL Aligned


SLA Management — ISO/IEC 20000-1:2018 Clause 8.3.3

Clause 8.3.3 requires the organisation to define, agree, document and manage Service Level Agreements (SLAs) with customers. SLAs must be reviewed regularly and performance reported to appropriate parties. SLA risks must be identified and treated proactively.

SLA Content Requirements

ISO/IEC 20000-1 requires SLAs to cover: service description and scope, hours of service, availability targets, incident response and resolution times, service request fulfilment times, planned maintenance windows, reporting frequency and format, escalation procedures, and review schedule.

SLA Risk Indicators

Monitor these as early warning signals: availability trending below target, incident resolution times approaching SLA threshold, recurring incidents without permanent fix, capacity approaching limits, supplier performance degrading, change failure rate increasing, MTTR increasing over time.

Underpinning Contracts (UCs)

SLAs with customers must be underpinned by supplier contracts or Operational Level Agreements (OLAs) with internal teams. If a supplier cannot meet their contractual obligations, the service provider's SLA commitments are at risk. Map all SLA commitments to their underpinning agreements.

SLA Review Process

Review SLAs at least annually or when: service requirements change, repeated SLA breaches occur, new technology or suppliers are introduced, major incidents occur, customer feedback indicates dissatisfaction, or business priorities shift. Document outcomes and update agreements.

Common SLA Metrics for IT Services:

  • Availability % (target e.g. 99.9%)
  • MTTR (Mean Time to Restore)
  • P1 Response: <15min
  • P1 Resolution: <4hrs
  • P2 Response: <30min
  • Change Success Rate >95%
  • CSAT >85%
  • First-Call Resolution >70%

Supplier Management — ISO/IEC 20000-1:2018 Clause 8.3.4

Clause 8.3.4 requires the organisation to manage its suppliers to ensure they meet their commitments and contribute to the delivery of services meeting customer requirements. Supplier risks must be actively managed.

Supplier Risk Assessment

Assess each supplier for: financial stability, single-supplier dependency, geographic concentration, SLA performance history, security posture, contract terms and exit rights, regulatory compliance, capacity to scale.

Underpinning Contracts

All supplier contracts must contain: clear SLA obligations aligned to customer SLAs, audit rights, security requirements, change notification obligations, exit and transition assistance provisions, data protection requirements.

Performance Monitoring

Regular supplier performance reviews: monthly for critical suppliers, quarterly for standard suppliers. Track: SLA metrics, incident trends, change success rates, security incidents, contract compliance, innovation and roadmap alignment.

Exit Management

Plan for supplier exit before it becomes necessary. Ensure: data portability, knowledge transfer, exit timeframes are contractually defined, transition assistance obligations, alternative supplier options identified (avoid vendor lock-in).

ISO/IEC 20000-1:2018 — Key Risk-Related Clauses

6.1 – Risks & Opportunities

Determine risks that could affect the SMS's ability to achieve its objectives. Plan actions proportionate to the potential impact on service quality, availability and customer satisfaction.

8.2 – Service Portfolio

Manage the service portfolio: catalogue of services in scope, relationships between services, dependencies and impacts. Risks to services in design, transition and live phases must be assessed.

8.4 – Capacity & Demand

Manage capacity to meet current and future demand. Monitor capacity metrics, forecast demand, plan infrastructure investments and identify risks from undercapacity or demand spikes before they cause service degradation.

8.7 – Service Assurance

Availability management (targets, monitoring, improvement), service continuity management (ITSCM plans, testing), information security management (integrated with ISO 27001), and configuration management (CMDB accuracy).

8.5 – Change Management

All changes must be assessed for risk before approval. Emergency change procedures must be documented. Change failure rate, rollback procedures, and post-implementation review are key risk controls.

8.6 – Incident & Problem

Incident management must restore service within SLA timeframes. Problem management addresses root causes to prevent recurrence. Known errors must be documented. Recurring incidents indicate problem management risk.

Risk Scoring Guide (L × I):

  • 1–4: Low — routine monitoring
  • 5–9: Medium — action plan needed
  • 10–16: High — urgent action / P2
  • 17–25: Critical — P1 escalation

IT Service Management Risk Register

All ITSM risks, SLA threats and process gaps — filter, edit, export. Auto-saved in browser.

Register columns: Risk ID, Date, Type, Category, Service, Description, ITSM Process, L, I, Score, Risk Level, SLA Impact, Priority, Treatment, Status, Owner, Target, Actions


IT Service Risk Matrix

Likelihood × Impact — ISO/IEC 20000-1:2018 IT service risk significance matrix

5×5 IT Service Risk Matrix

Risk Score = Likelihood × Impact on service delivery. Risks scoring ≥ 10 (High/Critical) require immediate treatment and must be reported to service management.

Likelihood scale: L=1 Very Low, L=2 Low, L=3 Medium, L=4 High, L=5 Very High.

Bands: Low (1–4): Routine monitoring; Medium (5–9): Action plan / P3; High (10–16): Urgent / P2; Critical (17–25): P1 Escalation.

Low (1–4) — P4

Include in risk register, monitor at standard intervals. Ensure existing controls are effective. Review at monthly service review. No immediate action required. Consider for CSI pipeline. Document rationale.

Medium (5–9) — P3

Action plan required within 1 month. Assign risk owner, define treatment action and target date. Include in service review agenda. Monitor SLA metrics for deterioration. Consider whether ITSM process improvement is needed.

High (10–16) — P2

Urgent action required within 1 week. Service Manager ownership. SLA breach assessment mandatory. Immediate controls or workarounds if available. Report to management. Implement monitoring alert if not already active. Weekly progress review.

Critical (17–25) — P1

P1 level — immediate escalation to Service Director / CTO. Crisis management response if active. SLA breach notification to customers may be required. Emergency change may be needed. Post-incident review and root cause analysis mandatory. Board awareness if existential service risk.
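The scoring guide and matrix bands above, combined with the SLA risk indicators from the SLA Management section, as an added JavaScript example (not the page's own tool code): it scores a risk with the L × I bands and derives SLA early-warning flags from a constructed month of service metrics. The SLA targets, the sample month and the rule that each triggered indicator raises likelihood by one are assumptions for illustration.

```javascript
// Bands from the Risk Scoring Guide on this page: score = Likelihood x Impact (1..25).
function scoreRisk(likelihood, impact) {
  for (const v of [likelihood, impact]) {
    if (!Number.isInteger(v) || v < 1 || v > 5) throw new RangeError("L and I must be integers 1..5");
  }
  const score = likelihood * impact;
  if (score >= 17) return { score, level: "Critical", priority: "P1" };
  if (score >= 10) return { score, level: "High", priority: "P2" };
  if (score >= 5) return { score, level: "Medium", priority: "P3" };
  return { score, level: "Low", priority: "P4" };
}
// Assumed SLA targets, taken from the metric examples quoted on the page.
const SLA = { availabilityPct: 99.9, p1ResolutionMins: 240, changeSuccessPct: 95 };
// Check one month's service metrics against the page's SLA early-warning indicators.
// `m` is a constructed metrics record shaped like sampleMonth below.
function slaIndicators(m, sla = SLA) {
  const flags = [];
  const availability = 100 * (1 - m.downtimeMins / m.periodMins);
  if (availability < sla.availabilityPct) {
    flags.push(`availability ${availability.toFixed(3)}% below ${sla.availabilityPct}% target`);
  }
  const slowP1 = m.p1ResolutionMins.filter((t) => t > sla.p1ResolutionMins).length;
  if (slowP1 > 0) flags.push(`${slowP1} P1 incident(s) resolved outside ${sla.p1ResolutionMins} min`);
  const mttr = m.mttrMinsByMonth; // flag MTTR that rises strictly over three or more months
  if (mttr.length >= 3 && mttr.every((v, i) => i === 0 || v > mttr[i - 1])) {
    flags.push("MTTR increasing over time");
  }
  const changeSuccess = 100 * (1 - m.changesFailed / m.changesTotal);
  if (changeSuccess < sla.changeSuccessPct) {
    flags.push(`change success rate ${changeSuccess.toFixed(1)}% below ${sla.changeSuccessPct}% target`);
  }
  return flags;
}

// Constructed sample: 30-day month, 50 min downtime, three P1s, rising MTTR, 2 of 20 changes failed.
const sampleMonth = {
  downtimeMins: 50, periodMins: 30 * 24 * 60,
  p1ResolutionMins: [95, 250, 180],
  mttrMinsByMonth: [60, 75, 90],
  changesTotal: 20, changesFailed: 2,
};
// Build a register-style entry: each triggered indicator raises likelihood by one (capped
// at 5, an assumed rule); impact on service delivery remains the analyst's judgement.
function registerEntry(service, m, impact, owner) {
  const slaImpact = slaIndicators(m);
  const likelihood = Math.min(5, 1 + slaImpact.length);
  return { service, likelihood, impact, ...scoreRisk(likelihood, impact), slaImpact, owner };
}
console.log(registerEntry("Email", sampleMonth, 4, "Service Manager"));
```

For the sample month all four indicators trigger, so likelihood is capped at 5 and an impact of 4 gives a score of 20, a Critical / P1 entry.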

ISO/IEC 20000-1 ITSM Processes & Risk Areas

Clause 8 service management processes โ€” risk considerations and key controls for each

Incident Management (Cl. 8.6.1)

Restore normal service as quickly as possible, minimising business impact. Major incident process for P1/P2. Prioritisation based on impact and urgency.

Key Risks: SLA breach, escalation failure, incorrect prioritisation, insufficient capacity to handle volume
Key Controls: ITSM tooling, escalation matrix, on-call rota, major incident procedure, communication templates

Problem Management (Cl. 8.6.3)

Identify root causes of incidents and implement permanent fixes. Known Error Database (KEDB). Proactive problem identification to prevent incidents.

Key Risks: Recurring incidents, workarounds become permanent, KEDB not maintained, reactive-only approach
Key Controls: Problem review meetings, trend analysis, root cause analysis (5-Whys, Ishikawa), KEDB maintenance

Change Management (Cl. 8.5.1)

Control changes to minimise disruption. Change Advisory Board (CAB). Standard, normal and emergency change categories. Change schedule (FSC/CAB calendar).

Key Risks: Failed change causing outage, unauthorised changes, emergency change abuse, inadequate testing
Key Controls: RFC process, risk assessment template, CAB approval, PIR, rollback plan, change freeze periods

Configuration Management (Cl. 8.7.4)

Maintain accurate CMDB (Configuration Management Database) of all CIs (Configuration Items). Support change, incident and problem management with accurate data.

Key Risks: Inaccurate CMDB leading to wrong decisions, undocumented CIs, shadow IT, stale records
Key Controls: Auto-discovery tools, CMDB audit schedule, CI lifecycle process, change-linked CMDB updates

Availability Management (Cl. 8.7.1)

Ensure IT services achieve agreed availability targets. MTTR, MTBF, availability trending. Proactive improvement to meet future targets.

Key Risks: SLA availability breach, single point of failure, no redundancy, poor MTTR
Key Controls: Availability reporting, HA architecture, redundancy planning, maintenance windows, availability reviews

Service Continuity (Cl. 8.7.2)

Ensure IT services can be recovered to agreed levels following a major disruption. IT Service Continuity Plans (ITSCPs). DR testing and validation.

Key Risks: Untested DR plan, RTO/RPO objectives not achievable, DR site not ready, backup failure
Key Controls: ITSCM plan, annual DR test, backup verification, RTO/RPO validation, runbook maintenance

ISO/IEC 20000-1 vs ITIL: ISO/IEC 20000-1 is the certifiable standard for IT service management — it defines requirements that must be met. ITIL (IT Infrastructure Library) is a non-certifiable best practice framework providing detailed guidance on how to implement the processes. Most organisations use ITIL practices to implement the requirements of ISO/IEC 20000-1. The two are complementary — ISO/IEC 20000-1 tells you what you must do, ITIL guidance helps you decide how to do it. Certification to ISO/IEC 20000-1 requires third-party audit by an accredited certification body.

ISO Xpert

Contact ISO Xpert

Your ISO certification experts — London-based, globally trusted

Ready to achieve ISO/IEC 20000-1 Certification?

Our expert ITSM consultants help you implement the SMS, align ITSM processes and achieve certification.

ISO Xpert Ltd

71-75 Shelton Street, Covent Garden
London, WC2H 9JQ, United Kingdom

Common Questions

ISO/IEC 20000-1 IT Service Management โ€” Frequently Asked Questions

Quick answers about the ISO/IEC 20000-1 IT Service Management gap analysis tool, data privacy, audit preparation, and ISO Xpert consulting.

What is the ISO/IEC 20000-1 IT Service Management gap analysis tool and how does it work?
The ISO/IEC 20000-1 IT Service Management gap analysis tool is a free browser-based checklist that compares your current management system against the clauses of ISO/IEC 20000-1 IT Service Management. You answer clause-by-clause questions and rate each requirement as Compliant, Partial or Non-compliant. The tool calculates a live compliance score, highlights gaps on a heat-map, captures evidence and corrective-action notes, and exports the full assessment as JSON, CSV, TXT or print-ready PDF for management review and Stage 1 / Stage 2 audit preparation.
Is the ISO/IEC 20000-1 IT Service Management gap analysis tool really free to use?
Yes — the ISO/IEC 20000-1 IT Service Management tool is 100% free with no sign-up, no email capture, no credit card, no watermarks, and no usage limits. It runs entirely in your browser; nothing is transmitted to ISO Xpert servers. You can clear or export your data at any time.
Where is my ISO/IEC 20000-1 IT Service Management assessment data stored?
All ISO/IEC 20000-1 IT Service Management assessment data is stored locally in your browser’s storage. Nothing is uploaded to our servers. This makes the tool GDPR-friendly and suitable for confidential audit data classified up to Restricted. Export anytime as JSON (re-importable), CSV (Excel-pivotable), TXT (executive summary) or PDF (audit-trail evidence).
Can I use this tool to prepare for ISO/IEC 20000-1 IT Service Management certification or surveillance audits?
Yes. The ISO/IEC 20000-1 IT Service Management gap analysis is designed to support preparation for certification by UKAS-, IAS- or ANAB-accredited bodies. Use the exported report as evidence of internal audit, feed it into management review, and prioritise high-severity non-conformities ahead of Stage 1 / Stage 2 visits. ISO Xpert consultants can assist with documented information, internal audits and full implementation if required.
How long does an ISO/IEC 20000-1 IT Service Management gap analysis typically take?
Most users complete an initial ISO/IEC 20000-1 IT Service Management gap analysis in 60 to 120 minutes for a single site, depending on system maturity and clause depth. The tool auto-saves continuously, so you can pause, switch devices via JSON export/import, and resume at any time. Re-assessments after corrective action usually take 20 to 40 minutes.
Does ISO Xpert offer ISO/IEC 20000-1 IT Service Management consulting or training?
Yes. ISO Xpert Ltd (London, UK) provides ISO/IEC 20000-1 IT Service Management gap analysis consulting, internal audits, Stage 1 and Stage 2 certification preparation, lead auditor / internal auditor training, and full management-system implementation. Contact info@iso-xpert.com or WhatsApp +44 7853 109840.

More questions? Contact ISO Xpert or browse other iso-risk-analysis tools.