Be Prepared to Answer Questions Like These During the ISO 20000 Certification Audit

22 September 2023

The ISO 20000 certification demonstrates to the business world that the information technology sector adheres to strict guidelines regarding service design, delivery, and ongoing development. We live in a digital age, so a company's information technology (IT) department needs to deliver top-notch services to please clients, strengthen partnerships with vendors, and boost revenue. IT service management (ITSM) operations can be improved with the help of the International Organization for Standardization (ISO) 20000 procedures.

ISO 20000 is an internationally recognized standard that describes the requirements for an IT service provider's planning, establishment, implementation, operation, monitoring, review, maintenance, and improvement of a service management system (SMS). This standard establishes a consistent high-level structure, terminology, and definitions for ITSMS certification. Starting an ISO 20000 implementation, as well as the implementation itself, normally necessitates a significant amount of time and resources inside the firm. I'd add a lot more difficulty and stress as well. When you're done, you'll face a new challenge: the certification audit preparations.

Keep your eyes wide open and be prepared for inquiries from all directions: the auditor can ask many questions. There are no secrets to the ISO 20000 certification audit process, so it's simple to learn what to anticipate. It's very much the same for all (audited) organizations. However, the situation changed when we contacted the auditor. Although the human element is quite important in this, there are several aspects of the auditors' queries that come up time and time again. So, these are some things that you should keep in mind when undergoing the certification audit.

Documentation and records: The "simplest" component of the certification audit. Perhaps it doesn't sound so simple when you consider the amount of work required to compile all necessary ISO 20000 documents and records. But at least it is essentially simple. Since the standard specifies what must be implemented, there are no "pitfalls": the mandated records and documents are required.

Therefore, the questions about documents and records will often progress toward ensuring that you met the requirements of the standard and did not omit anything necessary (these are the inquiries that typically begin with "Do you have ISO 20000 procedure" or "May I see the process description?"). The auditor will also request any other documentation that was created to back up the SMS in addition to the ones that are required.

Evidence: You have now finished the "theoretical part" of your SMS, which dealt with the records and documentation you have in place. You must now demonstrate that everything you specify in your documents works in practice. For instance, the auditor might ask about the approval of changes that fall under the scope of your change management process, including who is responsible, where the change record for, say, the most recent change is kept, how it was approved, who created it, etc. In other words, the auditor wants to make sure that the process description isn't just a document for the sake of having a document while your SMS's (Change Management) process operates entirely differently.

Interview: Who is going to be questioned? Not just you, but also your co-workers. The auditor will investigate whether everything he has discovered thus far holds in practice. And that's fine, because it's pointless to implement the standard if it doesn't "work" in real life. You invest resources, time, money, and management's time and effort, after all. Otherwise, in the end, all you have are a ton of documents, perhaps a few tools, and nothing of any actual worth.

Therefore, in addition to the person in charge of the SMS, process owners and those involved in process operations may be interviewed (and frequently are). The auditors will test the aims, activities, and specifics of the process. They might ask things like:

  • Are you aware of what to do in case of a major incident?
  • How is a situation deemed to be a Major Incident?
  • Do you understand the service objectives that supplier X must meet for service ABC?
  • Please provide me with the latest 30 days' worth of service reports.

Use it as best you can: An internal audit can undoubtedly be very useful when it comes to documentation and evidence. One requirement of the standard is that internal audits be conducted regularly; doing so will keep you "on the safe side." In particular, if you use a third party who is not affiliated with the SMS (auditors shouldn't audit their own work, anyway), you will obtain a clear and unbiased view. Even if you had to engage a third party to conduct the internal audit, I would highly advise that you do it.

The ISO 20000 certification audit shouldn't necessarily be a negative or unpleasant experience, although it has been known to go the other way. In particular, the certification audit will inform you of your strengths and weaknesses so that you can address them. The auditor also brings his expertise gained from working with other firms, giving you a fantastic opportunity to grow and learn. It will be advantageous to you, your business, and, most importantly, your clients. And trust me, they know how to appreciate that.

