2. www.marval.co.uk
The Auditor will start off by confirming what the scope of the ISO certification is. This will be set out in the agenda that is supplied
It is a ‘formal’ audit
Appearance – looking smart may not paper over cracks of a poorly prepared company, but may help with a borderline situation
The auditor
Auditors are there to help; they are concerned with evidence of what you do, not what you say you do (so evidence is key)
They are ONLY concerned with the requirements of ISO/IEC 20000
Format
Very structured
Agenda pre-set several weeks prior to audit
You can request a copy of audit from the Registered Certification Body (RCB) 6 weeks before the due date
Day is broken up into manageable sessions (usually 45 minutes)
Each session focuses on a different process (reference is made to clauses from part 1 of the standard)
Focus areas are specified in agenda e.g. licence control
Process Owners
Overall owner for ISO/IEC 20000 should be present for whole day (acting as the ‘Guide Person’)
Process owners should expect to attend only the session that is relevant to their process
Have printed copies of all processes available; the auditor will want to take some away
Facilities
Reserve for the duration of the audit (e.g. 2 days) a meeting room that has power, projector, telephone
Ensure the room is ready for the auditor. Audits can be stressful; the less you have to do on the day the better
Where using an ITSM tool to provide evidence, ensure a well specified PC is set up beforehand, connected to the projector
Have someone who is familiar with the ITSM tool available for the whole day to present any evidence captured
The Day itself
The more ‘evidence’ that can be prepared beforehand, the easier the audit will be
The auditor asks specific questions about how you ‘conform to a process’, so be specific in your answers
Avoid waffle!
If you don’t understand the question, don’t be afraid to ask for clarification
Pre-prepared evidence
Quarterly summary reports relating to individual processes
Audit records - these must include outcomes and resolutions
Reports that relate to processes e.g. Change Management will need to demonstrate that Changes have gone through the correct workflow as stated in your process
Make sure training records and job descriptions are up to date, together with overall Management summaries for the year
CMDB is up to date - make sure that any assets that are used in the audit are 100% accurate e.g. that server that has been under a desk for ages!
Ensure ‘Management’ is present for the opening and closing meetings. This is imperative, since one of the founding principles of ISO/IEC 20000 is management buy-in
The auditor will, at some point, ask to speak to staff who use the processes (e.g. the service desk, change executor). Ensure they are well prepared and know the basics of what they do in relation to policies, processes and procedures (e.g. INC, CHG, PRB Management).
What happens at the end of the audit?
The auditor will debrief the ISO/IEC 20000 owner on findings of the audit
What next?
Action any non-conformances that were raised (you have 45 days for major and 90 for minor). The auditor may come back to check on a major non-conformance but won’t return to follow up any minor non-conformances. These will be checked at the next scheduled audit
Internally you should debrief all those involved and start to prepare for the next audit
Feed back the result to the business. Be honest in what you say to the business; this is part of the whole lifecycle approach e.g. ‘we passed’, ‘we made some mistakes’ and ‘this is how we are correcting them’