How a Service Management System Becomes the Backbone of Governance
This article is part 3 of 4 in the "Service Management System Discovery" series. In Part 1 we covered the pain of ITSM without an SMS. In Part 2 we defined what an SMS is and how it relates to your operating model. In Part 4 we'll discuss how to avoid framework religion and build a living SMS that fits your context.
So far, we have deliberately focused on operating reality: tools, processes, teams and recurring pain. Now let us connect the dots to governance, risk and compliance.
Because this is where many CIOs are currently under real pressure.
NIS2, ISO and the governance gap
NIS2 does two important things:
It significantly expands the number of organisations that fall under the directive.
It puts explicit accountability on the management body to approve measures and oversee implementation.
At the same time, ISO/IEC 20000‑1 and ISO/IEC 27001 have become the de facto reference points for what "good management" looks like in service and security. Together, they create a new expectation:
IT will be governed through a management system, not just projects and tools.
If your organisation has ITSM but no explicit SMS, you will feel this as a constant tension. Every new regulation or audit creates another layer of spreadsheets, slide decks and side projects – because there is no central system to plug them into.
Governance and compliance without parallel universes
In many organisations, governance and compliance work runs in parallel to day‑to‑day IT:
The Problem: Parallel Universes
Risk management has its own templates and language.
Security runs its own incident, change and control processes.
Audit findings are handled via ad‑hoc remediation projects.
NIS2 is treated as a legal/infosec exercise, not as a service‑management and operating‑model question.
The Solution: One Coherent Story
A Service Management System allows you to collapse those parallel universes:
Policies and risk controls are tied to services, processes and roles defined in the SMS.
Evidence is generated naturally by the routines people already use.
Management reviews of the SMS double as governance checkpoints for NIS2, ISO 27001 and ISO 20000.
Instead of three different conversations – one about ITSM, one about security, one about compliance – you have one coherent story: "This is how we manage services and risks as a system."
Clear decision rights across teams and suppliers
Modern IT is a team sport: internal functions, product teams, cloud platforms, managed service partners and SaaS vendors all contribute to the same business service. Without an SMS, decision rights often end up in a grey zone:
Who can accept risk on a critical service?
Who approves high‑impact changes crossing multiple suppliers?
Who decides what "good enough" looks like for incident response or recovery time?
ISO 20000‑1 effectively forces you to tackle this: it expects management to define and communicate responsibilities and authorities for roles relevant to the SMS. When you apply that thinking, you get:
A named SMS owner with a clear mandate.
Service owners with recognised accountability for risk and performance.
Routine owners (e.g. major incident, change) with cross‑team authority.
Supplier managers who are part of the same governance cadence, not a separate silo.
In practice, that means fewer "Who decided this?" moments and much less finger‑pointing when things go wrong.
From transformation projects to continual improvement
The final governance benefit is perhaps the most underrated: predictable improvement.
Many organisations have been through repeated ITSM or operating‑model transformations: big programmes, new tools, major org changes. After a few years, behaviour starts drifting back. People say, "Well, that was the project; now we do real work."
An SMS, if you take it seriously, embeds continual improvement into the normal rhythm of IT:
1. Plan: Objectives and KPIs are defined at the SMS level.
2. Do: Regular reviews look at system performance, not just tickets.
3. Check: Corrective and improvement actions are tracked across services and teams.
4. Act: Audits and assessments feed into the same cycle instead of triggering separate projects.
This is exactly how ISO 20000 and ISO 27001 expect you to run things: plan, do, check, act – over and over. You do not need to become a certification fanatic to benefit from that mindset.
A pragmatic starting point for governance
If you are under pressure from NIS2, audit findings or board expectations, you can use the SMS idea very concretely:
1. Map existing governance activities (risk, security, audit, service reviews) against your implicit SMS – scope, roles, routines. Where are the gaps and overlaps?
2. Decide which SMS elements you want to make explicit in the next 3–6 months: scope statement, role model, 2–3 key routines, review cadence.
3. Use your first SMS management review as the anchor meeting where IT, security and risk talk to the board with one story instead of three.
Coming Next · Part 4 of 4
In Service Management System Discovery - 4, we will take a more opinionated look at frameworks and certifications.
We will explore why "implementing ITIL" can be the wrong opening move – and how to keep your SMS lean enough that people actually use it.