ISO 20000 SIG MEETING: ‘Ask the Auditor’
Paul Breslin, DNV Certification Ltd
22 Oct 2007, Stockport ISO 20000 SIG
© Det Norske Veritas AS. All rights reserved. 23 October 2007

Q1. What does the auditor look for in the scoping statement?
A1: Scoping statements are agreed between the certification body and the organisation. The key elements are ‘who’ is certified for ‘what’ services and ‘where’ they are delivered from. See the itSMF document “itSMF ISO/IEC 20000 Certification Scheme – Scoping Guidelines” at www.isoiec20000certification.com

Q2. What does the auditor look for in the initial assessment?
Q3. What are the key elements an auditor looks for to assure them that the organisation is adhering to the standard, in addition to the ‘shalls’ and ‘shoulds’ it demands?
A1: Two key questions to answer:
- Does the organisation conform to the requirements of ISO 20000?
- Does the organisation adhere to its own ITSM policies, objectives and processes?
This is confirmed by interviewing staff, reviewing documentation and inspecting records. For the first aspect the auditor will confirm that the five main process areas are established and effective:
- Service Delivery
- Relationship
- Resolution
- Control
- Release
The auditor will also focus on the links between the IT Service Management policy; the objectives and targets that support its achievement; ITSM risk assessment and mitigations; the monitoring, measuring and reviewing done against the targets; the process review and management review evidence; and the continuous improvement programme.

Q4. Will the auditor have an IT background when they come to conduct an audit?
A1: Yes, all audits done by RCBs under the itSMF accredited scheme require IT-competent auditors. The scheme rules define criteria for education, work experience, training and audit experience. This may not be the case for unaccredited audits.

Q5. What does a surveillance audit constitute and how often are they conducted?
A1: The surveillance programme is to confirm that the ITSMS is still established, that any changes have been effectively implemented and that the organisation continues to meet the certification requirements. Normally we check the key system maintenance activities such as internal audit, management review and improvement actions (corrective and preventive). Any changed areas or processes should also be reviewed. Otherwise, selected processes and elements of the standard are checked based on a three-year sample plan. Surveillance frequency can be six-monthly, nine-monthly or annual, as appropriate to the size and complexity of the ITSMS.

Q6. How long does an audit take?
A1: Er... as long as is needed to determine compliance ☺ Well, the timescales for audits are highly conditioned by the size, scope and complexity of the organisation’s ITSMS. Once we have this information DNV will provide a quotation of the exact timescales needed for all stages of the certification process. We are talking here about a management system audit, so timescales will be comparable to other audits for quality, security or environment.

THE CERTIFICATION PROCESS
- Preliminary Assessment / Gap Analysis (optional): A mock audit, or trial run, allowing you to identify gaps in your current management system, discuss interpretations of the standard and evaluate your readiness for certification.
- Stage 1: Document Review: Review of your management system documentation to ensure compliance with the standard. At the end of this review a report of all findings will be issued.
- Stage 1: Initial Visit: During the Initial Visit the scope of the audit will be discussed and the audit plan put together. To ensure that we focus on your priorities right from the beginning, we will ask you to identify the issues or areas most critical to your business. The Initial Audit date will also be agreed, to enable you to ensure that key personnel are available.
- Stage 2: Initial Audit: Our audit/report will focus on areas and issues that you have identified as most critical to your operations. Risk Based Certification is aimed at assisting you to achieve these business goals by focusing on the relationship between strategic goals and operational processes, assessing risk areas and identifying improvement opportunities.
- Periodic Audits (Surveillance Visits): Monitoring the effectiveness/performance of your management system against the requirements of the certified standard and your business goals and objectives. Identifying trends and highlighting business improvement opportunities with regard to areas and issues that are key to your business.

Q7. What are major and minor non-conformities?
A1: A major non-conformity is defined as “The absence of, or the failure to implement and maintain, one or more required management system elements, or a situation which would, on the basis of objective evidence, raise significant doubt as to the capability of the SMS to achieve the policies and objectives of the organisation.” A major non-conformity will need to be corrected before certification can be recommended.
Minor non-conformities are lapses of either discipline or control during the implementation of system/procedural requirements, but which do not indicate a system breakdown. They do not normally stop certification proceeding, as they can be handled by the organisation’s own corrective action processes. Important note: minor non-conformities are NORMAL occurrences in operating an ITSMS.

Q8. On what does an auditor base their recommendation for Opportunities for Improvement?
A1: OFIs are raised for activities that meet the minimum requirement of the standard but which could be improved. OFIs may be system or performance related and are normally based on the auditor’s own experience, knowledge of industry best practice, or practices within another unit/department of the organisation.

Q9. Can we challenge the auditor’s findings if we don’t agree? How is this achieved?
A1: Happily, this situation does not occur often in modern management systems auditing. All RCBs operate a formal complaints and appeals process, but it is generally best to have a discussion with the lead auditor at the time of the audit. DNV operates a ‘no surprises’ policy where we provide feedback on findings and their grading throughout the audit. This is done verbally with the interviewees, through wash-up reviews with those responsible for ITSM, and by tabling a written table of findings for review and comment before the closing meeting.

Paul Breslin, DNV Certification, tel +44 207 716 6694, E-mail: [email protected]
NOTE: The views expressed here are the author’s and are not necessarily those of the DNV Group.