Get 4 FREE months of Conformio to implement ISO 27001

What’s needed for successful ISO 20000 certification of your company?

Once you decide to implement ISO 20000, the focus is on the certification date (which is, most probably, the most critical moment in the ISO 20000 implementation lifecycle). For that milestone your SMS (Service Management System) has to be up and running and ready for “inspection.”

Easier said than done. Imagine you are responsible for having the SMS ready for the certification audit. It’s a huge responsibility, and you would be careful to say: “We are ready!” And, that’s the correct approach. There are many steps that you must take, and many things you have to finish before the certification. Let’s see the most important ones.

Getting ready

Gaining your management’s support, budget, and other resources are certainly important. I would say – these are prerequisites to start the project. Here are items that are crucial before you face the certification body:

Implementation – ISO 20000-1 are requirements for the SMS, and they all need to be implemented. That includes setting up the SMS, implementing processes and measurement, as well as defining roles and responsibilities. The standard itself does not provide any details about implementation of the requirements (use this ISO 20000 Implementation Project Checklist to include all necessary steps during the implementation project). ISO 20000-2 (code of practice) can be used to clarify details of the requirements, but it won’t give you necessary details for the implementation. ITIL can be used for this purpose and provide you with needed know-how. But, be careful and take only what is necessary to fulfill the standard’s requirements and make the SMS useful. Find out more about the benefits of the ISO 20000 implementation in the article 5 key benefits of ISO 20000 implementationTraining – The SMS is quite a complex system. It goes deep into daily activities and encompasses, more or less, all of your workforce. Therefore, if processes are based on improvisation (for example, what I often find with my customers is that everyone involved in, e.g., incident or change management has their own view of how the process and related activities should be set), there will be chaos in the IT department in a few weeks’ time. Users, internal or external – doesn’t matter – will soon notice that. And, you can guess their reaction. Read more about ITIL/ISO 20000 training in the article ITIL training – Why would a company invest money into it? Train everyone involved in the SMS because in such way you’ll put them all on the same level of knowledge, i.e., understanding of the SMS, its functionalities, and the benefits it provides.



Internal audit – This is one of the items people in IT often see from the wrong angle. Namely, your organization must ensure that your implementation fulfills the requirements of the standard. The internal audit is not mentioned as a check of someone’s quality of work. The same is valid for management – it’s not a tool to judge the quality of the work of their employees. If used that way, it will create unnecessary pressure and a defensive culture (people involved in SMS setup and management will try to prove that everything they did is correct). Quite the contrary, the internal audit should show weak points of the SMS before the certification body shows up.

Management review – That’s how you will actively involve your management. It’s crucial to have their sponsorship as well as to have them present in the most important decisions. In such way your (SMS-related) activities will “gain more weight.” Management review is the place where important decisions for the SMS are made and the SMS Manager’s credibility is confirmed. But, on the other side, it’s a meeting where the SMS Manager’s work is assessed. Read more about communication with the management in the article How to translate ITIL/ISO 20000 language into business language understandable by your management.

Corrective measure – Management review and internal audit are mandatory by the ISO 20000 standard. Corrective measure is as well, but not necessarily before your first audit. However, after performing the internal audit, defining a corrective measure is the logical step. And, that will be an excellent test to check whether the SMS is functional.

The certification body will visit you before the certification audit. First, the auditor will perform the Stage 1 audit where documentation, scope, objectives, and the internal audit procedure will be checked (eventually, some other mandatory documents as well). Afterwards, the Stage 2 audit follows, which is your main audit. See on this infographic how the auditor thinks: The brain of an ISO auditor – What to expect at a certification audit.

And, what’s next?

You invested a lot of effort (meaning human and financial resources) to implement the SMS (and, believe me, there is no quick-and-dirty method). So, you would like to get the most out of it. That’s an excellent view and you just have to use what you prepared for the certification: internal audit, management review, measurement in place, and trained people inside your organization.

Who gains the benefit of an efficient SMS? Well, I would say – not only you, but your customers as well. And they know how to appreciate that – in both ways, positive as well as negative.

Use this free  ISO 20000 implementation diagram to plan and manage all necessary steps of the implementation.

To learn more about certification audit, check out this book: Preparing for ISO Certification Audit: A Plain English Guide.

Advisera Branimir Valentic
Author
Branimir Valentic
Branimir is an expert in IT service management (consultancy, training and tools), IT governance (training and consulting), project management and consultancy in IT and telecommunication. He holds the following certificates: ITIL Expert, ISO 20000, ISMS Lead Auditor and PRINCE2.