Resources

ISO/IEC 20000-1 Clause 7.1 requires you to identify the resources your service management system (SMS) and service lifecycle need, then provide and sustain those resources. Operationalize it by documenting resource needs (people, tools, budget, information, facilities), assigning owners, funding and staffing plans, and retaining evidence that resourcing is reviewed, approved, and adjusted as services change. (ISO/IEC 20000-1:2018 Information technology — Service management)

Key takeaways:

• You must determine resource needs across the SMS and the full service lifecycle, not just IT operations.
• You must provide resources in a controlled, auditable way (ownership, approval, capacity, continuity).
• Auditors expect objective evidence: resourcing decisions, competence/coverage, tool access, and periodic review tied to service changes.

The “resources requirement” in ISO/IEC 20000-1 is easy to wave through and hard to prove under audit. Clause 7.1 is not asking for a generic statement that “management supports the SMS.” It’s asking for a repeatable way to decide what resources are needed to run and improve the SMS and to plan, design, transition, deliver, and improve services, then show that the organization actually provides those resources. (ISO/IEC 20000-1:2018 Information technology — Service management)

For a Compliance Officer, CCO, or GRC lead, this requirement becomes operational when you can answer three questions with evidence: (1) What resources do we need to meet service commitments and maintain the SMS? (2) Who approves and funds them, and how do we prioritize shortfalls? (3) How do we reassess resourcing when services, demand, tooling, third parties, or risks change?

This page gives you requirement-level implementation guidance: who it applies to, step-by-step execution, what artifacts to retain, common audit hangups, and a practical execution plan you can run without turning Clause 7.1 into an open-ended “do more” mandate.

Regulatory text

Requirement (quoted): “The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the service management system, and for the planning, design, transition, delivery and improvement of services.” (ISO/IEC 20000-1:2018 Information technology — Service management)

What the operator must do:
You must (1) decide what resources are necessary to run the SMS and manage services across their lifecycle, and (2) make those resources available and sustained. “Resources” should be interpreted broadly: people (capacity and competence), process ownership, tools and access, information and documentation, facilities and environments, and financial support. The requirement also implies resourcing for improvement work, not only steady-state delivery. (ISO/IEC 20000-1:2018 Information technology — Service management)

Plain-English interpretation (what Clause 7.1 means in practice)

If you can’t show how staffing, tooling, and operational capacity are planned and maintained, your SMS is not controllable. Clause 7.1 expects a documented, repeatable method to:

• identify resourcing needs for the SMS and each major service activity,
• address resourcing gaps through approval and prioritization,
• revisit resourcing after significant changes (new services, major releases, outsourcing, incident trends, demand growth),
• evidence that resourcing decisions are deliberate, owned, and reviewed.
  (ISO/IEC 20000-1:2018 Information technology — Service management)

Who it applies to

Entities: Any organization or service provider implementing an ISO/IEC 20000-1 service management system. (ISO/IEC 20000-1:2018 Information technology — Service management)

Operational context (where auditors look):

• Service desk and incident/request fulfillment
• Change enablement and release/transition activities
• Monitoring, capacity/availability continuity activities tied to service delivery
• Service reporting, service level management, and improvement planning
• Third-party delivered components that your services depend on (you still need internal resources to govern and manage them)
  (ISO/IEC 20000-1:2018 Information technology — Service management)

What you actually need to do (step-by-step)

Step 1: Define a “resource scope” that matches the service lifecycle

Create a simple checklist of resource categories you will always consider:

• People: roles, headcount/capacity coverage, on-call coverage, skills/competence needs
• Process ownership: accountable owners for SMS processes and key services
• Tools/technology: ITSM platform, monitoring, CMDB or asset records, collaboration tools, CI/CD or release tooling where relevant
• Information: service catalog, runbooks, knowledge articles, SLAs/OLAs, architecture diagrams
• Facilities/environments: office/site access, secure rooms, test environments, connectivity
• Financial resources: budget for licensing, training, external support, critical renewals
  Tie this list explicitly to “planning, design, transition, delivery, and improvement of services.” (ISO/IEC 20000-1:2018 Information technology — Service management)

Step 2: Inventory current resources and map them to services and SMS processes

Build a lightweight resourcing matrix:

• Rows: key services and SMS processes
• Columns: required roles/tools/environments/information
• Fields: current coverage, single points of failure, known gaps, owner

Keep it operational. A one-page matrix per critical service often audits better than a sprawling spreadsheet with no owner.

Step 3: Determine “minimum viable resourcing” and define triggers for reassessment

Set internal criteria for what “adequate” looks like. Avoid vague language. Examples you can define without inventing metrics:

• Named owner for each SMS process and critical service
• Documented backup/coverage for critical roles
• Tool access and license availability for operators who must perform SMS activities
• Training/competence expectations for roles that approve changes or handle major incidents
• Resourcing review triggered by major service change, sustained incident patterns, major onboarding of a third party, or new compliance obligations
  This is how you show you “determine” resources instead of guessing. (ISO/IEC 20000-1:2018 Information technology — Service management)

Step 4: Create a resourcing approval and prioritization workflow

Auditors will test whether the organization can act on identified needs. Put in place:

• A clear approver path (service owner → SMS owner → leadership/finance as required)
• A prioritization rule (risk to service commitments, customer impact, regulatory exposure)
• A tracking mechanism for gaps (backlog items with owner, target state, and status)

If you already run governance forums (CAB, service review meetings), add “resource gaps and risks” as a standing agenda item and retain minutes.

Step 5: Prove resources are “provided” and sustained

This is the evidence step. You should be able to show:

• hiring requests approved or external support engaged when needed,
• tool procurement and access provisioning completed,
• training assigned and completed for required roles,
• environments provisioned for transition and testing,
• updates to runbooks/knowledge/service documentation that enable delivery.
  (ISO/IEC 20000-1:2018 Information technology — Service management)

Step 6: Bake resource review into continual improvement

Clause 7.1 explicitly includes continual improvement. Operationalize that by:

• reviewing the resourcing matrix during improvement planning,
• linking improvement items to resource needs (time, skills, tools),
• recording decisions when improvement is deferred due to resource constraints.
  The last point matters: auditors accept constrained resources, but not unmanaged constraints. (ISO/IEC 20000-1:2018 Information technology — Service management)

Required evidence and artifacts to retain (audit-ready)

Use this as a retention checklist:

• Resource determination method: a documented procedure or governance note describing how you identify SMS/service lifecycle resource needs (ISO/IEC 20000-1:2018 Information technology — Service management)
• Resourcing matrix: services/SMS processes mapped to roles, tools, and key dependencies
• Role descriptions and ownership: named owners for SMS processes and critical services
• Capacity/coverage evidence: on-call rosters, coverage plans, escalation schedules (as applicable)
• Tooling evidence: license inventories, access control records, screenshots/export from ITSM or monitoring admin consoles (as appropriate)
• Budget/procurement records: approved purchase requests, renewal approvals for critical tools
• Training and competence records: training assignments/completions for key roles
• Governance minutes: service reviews/CAB notes showing resource gaps discussed and decisions made
• Improvement backlog: items that require resources, status, and rationale for prioritization (ISO/IEC 20000-1:2018 Information technology — Service management)

Tip: organize artifacts by service and by SMS process. Auditors sample; make sampling easy.

Common exam/audit questions and hangups

What auditors ask:

• “Show me how you determined the resources required for this service’s transition and ongoing delivery.” (ISO/IEC 20000-1:2018 Information technology — Service management)
• “Where is the evidence that resourcing is reviewed when services change?”
• “Who is accountable for ensuring the SMS has adequate tools and competent staff?”
• “How do you manage resource gaps? Where are decisions recorded?”
• “How do you ensure third-party-supported services still have internal governance capacity?”

Where teams get stuck:

• They can describe resources informally but cannot show a controlled process.
• They have budgets and headcount plans, but they are not connected to the SMS and service lifecycle activities.
• Improvement work is treated as “extra,” with no resourcing model or decision record.

Frequent implementation mistakes (and how to avoid them)

1. Mistake: Treating Clause 7.1 as an HR staffing statement.
   Fix: Include tools, access, environments, and information assets in the definition of “resources.” (ISO/IEC 20000-1:2018 Information technology — Service management)

2. Mistake: One-time resourcing assessment with no review trigger.
   Fix: Define specific events that force reassessment (major change, new service, outsourcing, recurring incidents, audit findings) and retain meeting minutes or tickets.

3. Mistake: No ownership for gaps.
   Fix: Every identified resource shortfall needs an owner and a tracked action, even if the action is “defer with rationale.”

4. Mistake: Improvement plans without time allocation.
   Fix: For each improvement item, document the resource type required (engineering hours, tool purchase, training) and who approves it. (ISO/IEC 20000-1:2018 Information technology — Service management)

5. Mistake: Third parties cover operations, so internal resourcing is ignored.
   Fix: Document internal roles for supplier management, service governance, and escalation. External delivery does not remove internal accountability under the SMS.

Enforcement context and risk implications

No public enforcement cases were provided for this standard in the source catalog. Practically, the risk shows up as certification nonconformities and operational failures: missed SLAs, high incident volume, stalled changes, poor transitions, and weak improvement throughput. Clause 7.1 is often a “root cause” requirement because under-resourcing cascades into failures across incident management, change, and service reporting. (ISO/IEC 20000-1:2018 Information technology — Service management)

Practical 30/60/90-day execution plan

Use this as an operator’s rollout plan; adjust to your change calendar and audit date.

First 30 days (Immediate stabilization)

• Name an executive owner for resourcing decisions tied to the SMS.
• Define your resource categories and the method for determining needs (short procedure).
• Build the first resourcing matrix for your highest-impact services and core SMS processes.
• Identify top gaps and open tracked actions with owners and due dates.
• Add “resource gaps/constraints” to an existing governance forum agenda and start retaining minutes.
  (ISO/IEC 20000-1:2018 Information technology — Service management)

By 60 days (Operational integration)

• Extend the resourcing matrix to remaining in-scope services.
• Connect resourcing triggers to your change/transition workflow (e.g., a checklist step in major change or new service onboarding).
• Establish evidence collection: tool access exports, training records, procurement approvals stored in a central audit folder.
• Tie improvement backlog items to resource needs and approval decisions. (ISO/IEC 20000-1:2018 Information technology — Service management)

By 90 days (Audit readiness and continual improvement)

• Run a management review or equivalent leadership review focused on resourcing outcomes: what was approved, what remains constrained, and why.
• Validate coverage for critical roles (primary/backup) and document exceptions with risk acceptance.
• Perform a sample-based self-audit: pick a recent transition/change and show end-to-end evidence of resource determination and provisioning.
• Automate reminders and evidence capture where feasible; platforms like Daydream can help centralize the control narrative, map artifacts to Clause 7.1, and keep resourcing actions from getting lost across tickets, procurement, and HR systems. (ISO/IEC 20000-1:2018 Information technology — Service management)

Frequently Asked Questions

What counts as “resources” under ISO 20000-1 Clause 7.1?

Resources include people (capacity and competence), tools and access, information (documentation and knowledge), environments/facilities, and financial support needed for the SMS and service lifecycle activities. The standard requires you to determine and provide what’s needed, not just list what you have. (ISO/IEC 20000-1:2018 Information technology — Service management)

Do we need a separate “Resource Management” policy?

Not necessarily. You need documented evidence of how resource needs are determined and approved, plus records showing resources were provided and reviewed. Many organizations meet this through existing governance procedures, planning artifacts, and meeting minutes mapped to Clause 7.1. (ISO/IEC 20000-1:2018 Information technology — Service management)

How do we prove we “determined” resources instead of guessing?

Maintain a resourcing matrix tied to services and SMS processes, define review triggers, and retain decision records (minutes, tickets, approvals) showing how gaps were prioritized and handled. Auditors look for repeatability and ownership. (ISO/IEC 20000-1:2018 Information technology — Service management)

What if leadership won’t fund the gaps we identify?

Document the gap, the risk/impact to service commitments, and the decision to defer, including the approver. Clause 7.1 is about controlled determination and provision of resources; documented acceptance of constraints is better than untracked under-resourcing. (ISO/IEC 20000-1:2018 Information technology — Service management)

How does Clause 7.1 relate to third-party supported services?

Even if a third party operates parts of the service, you still need internal resources to govern, manage escalations, control changes, and maintain the SMS. Show internal ownership, supplier oversight capacity, and access to the information/tools needed to manage the service. (ISO/IEC 20000-1:2018 Information technology — Service management)

What’s the minimum evidence set for an ISO 20000-1 audit?

Keep your resource determination method, a current resourcing matrix, ownership assignments, examples of approvals/procurement/training/access provisioning, and governance records showing periodic review and action on gaps. Provide samples across planning/transition and steady-state delivery. (ISO/IEC 20000-1:2018 Information technology — Service management)