Which questions will the ISO 20000 certification auditor ask?

Starting an ISO 20000 implementation, and the implementation itself, usually require a lot of effort and resources inside the company. I would add – a lot of hassle and stress, too. And, once you are finished, a new issue is in front of you – the certification audit.

Eyes wide open, questions coming from all sides: “What does the certification audit look like? Who is coming? What will they ask?…” Well, the certification audit process is pretty much the same for all (audited) companies, so there are no secrets; i.e., it’s easy to find out what to expect. But, when we get to the auditor… well, that’s a different story. The human factor plays a significant role here, but there are some common elements in auditors’ questions that repeat at every audit.

Read the article Infographic: The brain of an ISO auditor – What to expect at a certification audit to understand how auditors think.

Documentation and records

This is the “easiest” part of the certification audit. If you consider how much effort you needed to invest to prepare all required documentation and records (remember – ISO 20000-1, a set of requirements, has 256 “shalls,” many of which require a record or a document), maybe it doesn’t sound so easy. But at least it is pretty much straightforward. The standard requires mandatory documents (e.g., process descriptions for all processes, plans, etc.) and records (generated as a result of certain processes, i.e., activities), and there are no “pitfalls”; i.e., you know what needs to be implemented. OK, if you are using an ITSM (IT Service Management) tool, then particular care should be taken not to forget some of the requirements and not to duplicate records (e.g., you keep the record inside the tool, but you have a template for the same record as well).

So, the questions related to documents and records will tend to move toward checking that you fulfilled the standard’s requirements and didn’t exclude anything that is mandatory (these are the questions typically starting with “Do you have … procedure,” or “May I see the … process description?”). Besides the mandatory documents, the auditor will also ask for any other document that you developed in order to support the SMS (e.g., Incident Catalogue, or Major Incident Report, etc.).

Evidence

At this point, you are done with the “theoretical part” of your SMS – which documents and which records you have in place. Now you have to show that everything you define in your documents (e.g., processes like Change Management, Incident and Service Request Management, etc.) works in real life. For example, the auditor will ask you about approval of changes within the scope of your Change Management process (in the documentation check phase, he already confirmed that your Change Management process description fulfills the standard’s requirements); i.e., who approves changes, where the change record is for, e.g., the last change that was made, how it was approved, who did it… etc. In other words, the auditor would like to confirm that the process description is not just a document for the sake of having a document, with the (Change Management) process in reality working completely differently in your SMS.

Interview

Who will be interviewed? You (if you are the auditee), but your colleagues as well. The auditor will try to figure out whether everything he has found out so far (by checking documentation and evidence) works in real life. And this is OK, because implementing the standard without having it “work” in daily life is useless. I mean, you spend resources, time, money, management’s time and effort… and at the end, all you have is a bunch of documents, maybe some tools, and no real value behind any of it.

So, besides the person responsible for the SMS, process owners and people involved in process activities may be (usually will be) interviewed. Auditors will test their familiarity with process goals, activities, and details, in general. Questions that they could ask are:

  • Do you know what to do if there is a Major Incident?
  • How do you declare an incident to be a Major Incident?
  • Do you know which service targets supplier X needs to fulfill for service ABC?
  • Can you show me service reports for the last 30 days?

In addition to those people who are part of the SMS (e.g., a technician who is working on incident resolution) being interviewed, your users (e.g., in the case of internal users of IT services) may also be interviewed. For example, the auditor might ask them whether they know how to open an incident, what to do when they need something to be changed, or which security policies are in place.

Use it as best you can

To be sure, when it comes to documentation and evidence, an internal audit can be of great help. Basically, you should conduct internal audits at regular intervals (one of the standard’s requirements), and that will keep you on the “safe side.” Particularly if you have someone independent from the SMS (auditors should not audit their own work, anyway) – you will get a clear and objective picture. I would strongly recommend that you do that, even if you have to hire an external person to perform the internal audit.

And, there is one more thing (which I quite often see happening the opposite of how it should) – the certification audit should not necessarily be a bad or unpleasant experience. Namely, the certification audit will let you know how good you are and what your weak points are (so you can correct them), but the auditor also brings his own experience gathered from many companies, and that’s your excellent chance to learn and improve. It will benefit you, your company, and, most importantly – your customers. And they know how to appreciate that, believe me.

To learn more about the certification audit, check out this book: Preparing for ISO Certification Audit: A Plain English Guide.

Author
Branimir Valentic
Branimir is an expert in IT service management (consultancy, training and tools), IT governance (training and consulting), project management and consultancy in IT and telecommunication. He holds the following certificates: ITIL Expert, ISO 20000, ISMS Lead Auditor and PRINCE2.