ISO/IEC 20000 audit day overview

www.marval.co.uk ISO/IEC 20000 Audit What should I expect? Dr Don Page Marval Software

Transcript of ISO/IEC 20000 audit day overview

Page 1: ISO/IEC 20000 audit day overview

ISO/IEC 20000 Audit

What should I expect?

Dr Don Page

Marval Software

Page 2: ISO/IEC 20000 audit day overview

The Auditor will start off by confirming what the scope of the ISO certification is. This will be set out in the agenda that is supplied

It is a ‘formal’ audit

Appearance – looking smart may not paper over cracks of a poorly prepared company, but may help with a borderline situation

Page 3: ISO/IEC 20000 audit day overview

The auditor

Auditors are there to help; they are concerned with evidence of what you do, not what you say you do (so evidence is key)

They are ONLY concerned with the requirements of ISO/IEC 20000

Page 4: ISO/IEC 20000 audit day overview

Format

Very structured

Agenda pre-set several weeks prior to audit

You can request a copy of audit from the Registered Certification Body (RCB) 6 weeks before the due date

Day is broken up into manageable sessions (usually 45 minutes)

Each session focuses on a different process (reference is made to clauses from part 1 of the standard)

Focus areas are specified in agenda e.g. licence control

Page 5: ISO/IEC 20000 audit day overview

Process Owners

Overall owner for ISO/IEC 20000 should be present for whole day (acting as the ‘Guide Person’)

Process owners should expect to attend only the session that is relevant to their process

Have printed copies of all processes available; the auditor will want to take some away

Page 6: ISO/IEC 20000 audit day overview

Facilities

Reserve for the duration of the audit (e.g. 2 days) a meeting room that has power, projector, telephone

Ensure the room is ready for the auditor. Audits can be stressful; the less you have to do on the day the better

Where using an ITSM tool to provide evidence, ensure a well-specified PC is set up beforehand, connected to the projector

Have someone who is familiar with the ITSM tool available for the whole day to present any evidence captured

Page 7: ISO/IEC 20000 audit day overview

The Day itself

The more ‘evidence’ that can be prepared beforehand, the easier the audit will be

The auditor asks specific questions about how you ‘conform to a process’, so be specific in your answers

Avoid waffle!

If you don’t understand the question, don’t be afraid to ask for clarification

Page 8: ISO/IEC 20000 audit day overview

Pre-prepared evidence

Quarterly summary reports relating to individual processes

Audit records - these must include outcomes and resolutions

Reports that relate to processes e.g. Change Management will need to demonstrate that Changes have gone through the correct workflow as stated in your process

Make sure training records and job descriptions are up to date, together with overall Management summaries for the year

CMDB is up to date - make sure that any assets that are used in the audit are 100% accurate e.g. that server that has been under a desk for ages!

Page 9: ISO/IEC 20000 audit day overview

Ensure ‘Management’ is present for the opening and closing meetings. This is imperative, since one of the founding principles of ISO/IEC 20000 is management buy-in

The auditor will, at some point, ask to speak to staff who use the processes (e.g. the service desk, change executor). Ensure they are well prepared and know the basics of what they do in relation to policies, processes and procedures (e.g. INC, CHG, PRB Management).

Page 10: ISO/IEC 20000 audit day overview

What happens at the end of the audit?

The auditor will debrief the ISO/IEC 20000 owner on findings of the audit

Page 11: ISO/IEC 20000 audit day overview

What next?

Action any non-conformances that were raised (you have 45 days for major and 90 for minor). The auditor may come back to check on a major non-conformance but won’t return to follow up any minor non-conformances. These will be checked at the next scheduled audit

Internally you should debrief all those involved and start to prepare for the next audit

Feed back the result to the business. Be honest in what you say to the business; this is part of the whole lifecycle approach e.g. ‘we passed’, ‘we made some mistakes’ and ‘this is how we are correcting them’

Page 12: ISO/IEC 20000 audit day overview