ISO 20000-1:2011 audit checklist

Description:

I have uploaded a checklist for organisations beginning to implement the service management system standard ISO 20000-1:2011.

Transcript of ISO 20000-1:2011 audit checklist

Columns of the original checklist table: ISO 20000-1:2011 clause no; checklist item no; brief description; questions (for an initial-level system, implemented for less than 1 year); audit methods and expected evidences.

4 / 4.1: Service management system / management responsibility

4.1.1 / 101: Management commitment - service policy, scope
Question: Has the management established a service policy and objectives?
Audit method: Look for the date of release of the policy, its authorisation and evidence of wide publicity.

102: Objectives for service management
Question: Are objectives derived from the service policy?
Audit method: Look for function/department-wise objectives. Check for a review confirming that the objectives are current and address the various elements of the policy.

103: Communicating the importance of fulfilling service requirements
Question: How well has the communication on the service policy been done?
Audit method: Take the channels of communication (web site, notice boards) and look for their impact. You may ask 3 persons, preferably those who have joined recently, to ascertain the reach of the communication.

104: Communicating the importance of fulfilling statutory and legal requirements
Question: What are the means of communicating the regulatory and legal requirements?
Audit method: Same as above.

105: Ensuring provision of resources
Question: How does top management provide adequate resources for the establishment of a service management system?
Audit method: Check the annual budget and the allocations made for improvements related to service delivery and customer satisfaction.

106: Conducting management reviews
Question: Have management reviews been conducted as required by the manual?
Audit method: Check the minutes of meetings and the presence of top management among the attendees. Check for actions.

107: Ensuring risks are assessed and managed
Question: How well has the process of risk assessment been deployed?
Audit method: Is there a risk assessment system in place for each service?

4.1.2 / 111: Establishment of service policy as per a) to e)
Question: Has the service policy been reviewed for adequacy? At what periodicity is it reviewed?
Audit method: Check with people how well they understand the policy and how they have internalised it in their functions.

4.1.3 / 121: Defining authorities and responsibilities
Question: Is the present organisation chart comprehensive enough to include all responsibilities envisaged by the standard?
Audit method: Select a few aspects of service management, such as information security, and check whether the roles have been clearly defined. Look at all locations and check for overlaps and gaps.

122: Documented procedure for communication
Question: Is a documented procedure for internal communication available?
Audit method: Check for instances in which the procedure has been deployed, such as the appointment of the MR or the internal audit schedule.

4.1.4 / 131: Appointment of MR
Question: Has the MR been appointed from the internal staff?
Audit method: Look for the appointment letter and check whether the role reports to top management.

132: MR's work (see a) to e))
Question: Does the MR have the required mandate to carry out his/her responsibilities as defined in the standard?
Audit method: Take two or three areas from the standard, such as a) planning of internal audits, b) reports to top management on implementation of the standard, or c) the status of licences for software products used as part of service delivery.

4.2 / 133: Governance of processes operated by others (see a) to d))
Question: How is the governance process led by top management? Which internal groups and vendors are currently covered by the governance process?
Audit method: Check that a) a service provider and vendor selection mechanism exists, b) vendors have defined the service delivery processes, and c) accountability exists for the processes. This overlaps with clause 7.2 for external suppliers and clause 6.1 for internal groups.

4.3.1 / 141: Establishing and maintaining documents
Question: Is there a master list of documents? Are documents released only after due approval? Is there a system for version control?
Audit method: Check a few entries in the master list against the actual documents, and take a few documents and trace them back to the master list for the correct version.

4.3.2 / 151: Control of documents - procedure
Question: Is there a procedure for control of documents, and is it followed?
Audit method: Take some key documents, such as service level agreements or service catalogues, and check for all aspects of conformance to the document control procedure.

4.3.3 / 161: Control of records - procedure
Question: Is there a procedure for control of records, and is it followed?
Audit method: Take some key records, such as backup records or audit reports, and check for all aspects of conformance to the procedure.

4.4.1 / 171: Determination and provision of resources
Question: How timely are resources provided to enable the company to improve the service management system and customer satisfaction?
Audit method: Take a few resource requests from associates, such as a requirement for software, and check that they have been approved according to priority. Note any case of customer dissatisfaction due to inadequate provision of resources.

4.4.2 / 181: Competency determination for personnel
Question: Is there a process for determining the competency of existing people and providing the necessary training (or taking other actions) to improve them?
Audit method: Check for 10% of the key resources across functions (or 20, whichever is lesser) that competencies are mapped and, where there are gaps, actions are taken.

182: Training for people
Question: Is there a structured plan for training people, and is it well deployed?
Audit method: Take the training plan/calendar and check for nominations and the successful completion of programmes.

183: Evaluation of effectiveness of training
Question: How does the management evaluate the effectiveness of the training programmes (or other actions taken)?
Audit method: Take a few training programmes conducted recently and check for the evaluation of their effectiveness. If the HR or L&D department has any other actions, such as mentoring or on-the-job training, intended to improve competencies, those are also to be checked for effectiveness.

184: Ensuring awareness of service management
Question: How does the management ensure that all associates and service providers are aware of the service management objectives and contribute to them?
Audit method: Check with a few associates about their awareness of the service policy and objectives and their understanding of their role in the service management system.

185: Maintaining records
Question: What records are maintained to demonstrate the achievement of skills through training, education and other actions?
Audit method: Check the training records and also the updating of other personnel records for competencies gained recently.

4.5.1 / 191: Scope definition of the SMS
Note: The scope should cover the location of customers, the locations from which the service is delivered, and the technology used.
Audit method: Check the scope for comprehensiveness and for any change made recently.

4.5.2 / 201: Service management plan (see a) to l))
Note: In an organisation that is a captive IT department, the service quality manual will be adequate as a service management plan, but for IT organisations providing services to the market at large a service management plan is required to exist.
Audit method: For IT organisations providing services to the market at large, look for key customers who account for significant revenue and check whether the service management system has been customised (for example in incident management) to suit their priorities.

4.5.3 / 211: Operation of the SMS as per a) to f)
Question: For a captive IT organisation, this is audited as part of auditing the other requirements of the standard. For IT organisations providing services to the market at large, how well are the aspects a) to f) understood from customers and customised?
Audit method: In an IT organisation providing services to the market at large, look for key customers and check at least two aspects from a) to l) (such as limitations in meeting SLAs, risk management, or technology in terms of customisation).

4.5.4.2 / 221: Internal audit
Question: Are internal audits conducted as per plan?
Audit method: Look for the internal audit schedules and check for competence of auditors, timely completion of audits and filing of reports.

4.5.4.3 / 231: Management review
Question: Are management reviews conducted as per plan?
Audit method: Look for action points in the management reviews and check whether they are acted upon by attendees and others. Check whether the agenda is up to date.

4.5.5.2 / 241: Management of improvements
Question: Is there a service improvement plan (or plans)?
Audit method: Check that the service improvement plans are updated with the latest incidents, NCRs and other inputs for improving the service management system.

5: Design and transition of new or changed services

5.2 / 301: Plan for introduction of new services (see a) to j))
Question: How does the planning for introduction of a new service proceed?
Audit method: Take a service which is changed or a service which is new and check whether the planning activities are demonstrated. "New" means the service specification is different; "changed" means the scope is changed. Planning will be evident in 1. timelines, 2. project plan, 3. review meetings, 4. team formation, 5. finalising the requirements and validation criteria.

302: Plan for changed service introduction (see a) to j)); make a demo plan
Question: How has the planning been done for the changed service?

303: Plan for removal of a service
Question: How is the planning done for removal of a service, or in case of transitioning to other service providers?
Audit method: Take any instance of removal of a service or transitioning to others and check whether the removal was done according to a plan.

5.3 / 311: Service specification (apply a) to k) selectively)
Question: How is design and development of the service carried out?
Audit method: Design and development of a service is seen as the preparation of service specs (what customers can expect at their interfaces) and service delivery specs (what elements are designed to be in place, such as the availability of a server). Take any one new service and check how the service specs are developed. These include SLAs, response time for tickets, criticality of backups, BCP etc.

312: Service delivery specification (apply a) to k) selectively)
Audit method: Take the same two services (changed or new) and check the service delivery specs, which consist of those elements the customer is not aware of but which are nonetheless important for customer satisfaction. These could be people, IT infrastructure or communication links.

313: Quality control specification
Audit method: Take any elements, hardware or material, which go to augment the service and check whether they are inspected.

5.4 / 321: Transition of new/changed service
Question: How does the organisation verify the service before it is launched?
Audit method: Take any service and check whether the team verified the service against the service spec and service delivery spec for a planned period and then released the service.

6: Service level management

6.1 / 401: Catalogue of services
Question: Is the service catalogue available?
Audit method: Check whether the catalogue is updated with the latest changes in service specifications.

402: SLAs for each service
Question: Are SLAs documented for each service individually?
Audit method: Check the tracking of SLAs.

403: Reviews of SLAs with the customer
Question: Are these SLAs being reviewed with the customer?
Audit method: At what frequency are SLAs reported? Who on the customer's side participates in the reviews?

404: Trends of performance against targets
Question: What are the trends? Are targets for the SLAs available?
Audit method: Take a few services and go through the last six months' trends; check whether the trends have been analysed for instability.

405: Causal analysis of non-conformities
Question: How are instances of non-conformity in meeting SLAs dealt with?
Audit method: Check whether, in instances of failure to meet SLAs, causal analysis has been carried out.

406: Review of other groups' performance
Question: How is the performance of other groups reviewed?
Audit method: Check whether the performance of other groups which contribute to the service is monitored regularly. In case of gaps, do the findings trigger SIPs?

6.2 / 411: Service report for each service
Question: How does IT report the status of its services to the customers?
Audit method: Select two services and two months and go through the reports to see whether they contained all relevant information, such as backlogs, incidents, risks and workload changes.

6.3: Service continuity and availability management

6.3.1 / 421: Service continuity requirements
Question: How has the IT team collected the requirements for service continuity?
Audit method: For mission-critical services, check how service continuity requirements have been collected. These include helpdesks, ticket resolution teams etc.

422: Service availability requirements
Question: How has the IT team collected the requirements for service availability?
Audit method: For mission-critical and other projects, check how availability requirements for service components such as data communication or mail servers are collected.

6.3.2 / 431: Service continuity plan
Question: What is the plan for service continuity and availability?
Audit method: Check whether a BCP (business continuity plan) is available which states the strategy in case of failures.

432: Service availability plan
Audit method: Check the BCP and check whether availability of links etc. is ensured by providing redundancy.

6.3.3 / 441: Service continuity testing and monitoring
Question: How are the continuity plans being tested?
Audit method: Check the BCP drill schedule and how the drills were carried out in the last two months. Check whether reviews are held after drills and whether the reports trigger SIPs.

442: Service availability testing and monitoring
Question: How are availability plans being tested?
Audit method: Check whether redundancy has been tested in the case of 100% availability requirements.

6.4 / 451: Procedures for budgeting and accounting
Question: What are the procedures for cost accounting and monitoring budgets?
Audit method: Check whether the budget includes key aspects of the service such as renewal of licences and payments to external service providers.

6.5 / 461: Capacity management
Question: How is capacity being planned in advance?
Audit method: Look for the capacity plan for the current year, take two aspects (e.g. the expected impact of revised SLAs and the forecast demand for services) and check whether the capacity plan addresses them.

6.6.1 / 471: Information security policy
Question: Is there an information security policy?
Audit method: Does the security policy address the concerns of stakeholders and define a methodical approach? Has it been communicated to all?

472: Risk management
Question: Is the approach to security risk management defined?
Audit method: Look for risk registers for IT assets.

6.6.2 / 473: Physical security controls on premises
Question: What are the physical security controls?
Audit method: Take two areas, such as the data centre, and check whether the physical security controls are complied with.

474: Security objectives
Question: Are there objectives for IT security?
Audit method: Check whether the IT security objectives are understood. Are they being communicated?

475: Controls on external organisations
Question: Are controls defined for external organisations involved in service delivery?
Audit method: Choose one or two external organisations and look for agreements and the implementation of IT security controls.

6.6.3 / 476: Change request analysis
Question: How are security risks analysed for proposed changes?
Audit method: Go through some change requests to check whether the changes have been evaluated from a security point of view.

477: Incidents register
Question: Is there a system for registering security incidents?
Audit method: Check the incident register for security incidents and their resolution.

7: Relationship processes

7.1 / 501: Account manager allocation list
Question: Are designated account managers available for key customers?
Audit method: For key customers, check whether an individual has been designated to ensure customer satisfaction.

502: Review of performance with customers
Question: What is the system for performance review with customers?
Audit method: Is the periodicity of reviews defined? Are the reviews taking place as per the defined periodicity?

503: Complaint management process
Question: How does the organisation manage its complaints? Is there a documented procedure? Is there an agreement with the customer on what constitutes a complaint?
Audit method: Check whether complaints are recorded, investigated and acted upon. For two complaints, check the entire process up to closure. Check whether the complaints have triggered a SIP.

7.2 / 511: List of account managers (supplier-wise)
Question: Are designated account managers for key suppliers available?
Audit method: Check whether the organisation has designated individuals who are responsible for managing the relationship and contract with key suppliers.

512: Contract of service
Question: Does the organisation have a documented contract with each supplier?
Audit method: Take two contracts and check whether important aspects (out of 7.2 a) to l)), such as workload, SLAs and reporting, are defined.

513: Relationship of lead supplier to subcontracted suppliers
Question: Is the relationship between the lead supplier and the sub-suppliers documented?
Audit method: Check whether the lead suppliers have subcontracts and, in that case, check whether the relationship is clearly defined, e.g. through back-to-back SLAs.

514: Monitoring of the performance of suppliers
Question: How does the organisation monitor the performance of suppliers? Is there a documented procedure for resolving disputes?
Audit method: Check whether the performance of suppliers is reviewed regularly. Check whether the results of reviews are recorded as inputs for SIPs.

8: Resolution processes

8.1: Incident and service request management

8.1 / 601: Procedure for dealing with service incidents
Question: Is there a documented procedure for incident management? Does it define major and minor service incidents?
Audit method: Take a few service incidents and track them as per requirements a) to g). Check whether customers are kept informed about the status of resolution of the incident. Are major incidents reviewed and taken up for improvement through SIPs?

602: Procedure for dealing with service requests
Question: Is there a documented procedure for dealing with service requests?
Audit method: Track two service requests to check whether they have been dealt with as per the procedure.

8.2 / 611: Procedure for problem management
Question: Is there a documented procedure for problem management?
Audit method: Problems are the causes of major incidents or of repeated minor incidents / chronic service requests. Check two of the above and look for a problem-solving process in place to prevent their recurrence. Look for effectiveness by tracking incidents after resolution. Look for a KEDB (known error database).

9: Control processes

9.1 / 701: Configuration management
Question: Is there a documented procedure for configuration management?
Audit method: Check for the list of CIs. Check whether each CI is uniquely identified and recorded in a CMDB. Check whether the organisation is auditing the CMDB regularly.

702: Configuration management - CMDB
Question: How are changes to CIs handled?
Audit method: Check the traceability of CIs. Are master copies of CIs recorded in the CMDB stored in a secure physical environment?

9.2 / 711: Change management - change requests
Question: Is there a documented procedure for change management?
Audit method: Are change requests handled according to the procedure?

712: Emergency changes
Question: How does the organisation handle emergency changes?
Audit method: Check whether the organisation has agreed with the customer on what constitutes an emergency change.

713: Change management - deploying the changes
Question: Is the deployment of changes taking place as per the procedure?
Audit method: Check whether the approved changes are developed and tested. Is a schedule of changes available with dates for deployment? Are unsuccessful changes investigated? Do such investigations lead to SIPs?

9.3 / 721: Release and deployment policy
Question: Has the organisation formulated a release policy?
Audit method: Check whether the plans for new releases are made in agreement with the customer.

722: Definition of emergency release
Question: Is an emergency release defined? Is there a documented procedure?
Audit method: Check what constitutes an emergency release and whether such releases are handled according to the procedure.

723: Monitoring success and failure of releases
Question: How does the organisation monitor the success or failure of its releases?
Audit method: Check whether the lessons learnt from failures are documented and taken up for service improvement.

Abbreviations used in checklist:

1. CMDB - Configuration management database
2. CI - Configuration item
3. ISO - International Organization for Standardization
4. MR - Management representative
5. SIP - Service improvement plan
6. SLA - Service level agreement
7. SMS - Service management system
8. For all other terms used, definitions are as per clause 3 of the ISO 20000-1:2011 standard.

Notes:

For information on the conduct of internal audits, please refer to ISO 19011. The above checklist is intended only for organisations which are at the start of the implementation journey. Hence, the auditors need to spend more time even on questions related to the documentation part of the system. As organisations mature, such questions are no longer essential and the auditor can instead spend more time checking effectiveness.

In the checklist, time allocation is not given; it is expected that auditors customise the checklist in terms of the time allocation for individual areas.

Author Profile:

C P Chandrasekaran is a practising quality management consultant and an empanelled third-party auditor for IT organisations. He has about 15 years' experience in quality system consulting and auditing. He lives in Pune, India, and his email address is [email protected]