ISO/IEC 20000 audit day overview
www.marval.co.uk
ISO/IEC 20000 Audit
What should I expect?
Dr Don Page
Marval Software
The Auditor will start off by confirming what the scope of the ISO certification is. This will be set out in the agenda that is supplied
It is a ‘formal’ audit
Appearance – looking smart may not paper over cracks of a poorly prepared company, but may help with a borderline situation
The auditor
Auditors are there to help; they are concerned with evidence of what you do, not what you say you do (so evidence is key)
They are ONLY concerned with the requirements of ISO/IEC 20000
Format
Very structured
Agenda pre-set several weeks prior to audit
You can request a copy of audit from the Registered Certification Body (RCB) 6 weeks before the due date
Day is broken up into manageable sessions (usually 45 minutes)
Each session focuses on a different process (reference is made to clauses from part 1 of the standard)
Focus areas are specified in agenda e.g. licence control
Process Owners
Overall owner for ISO/IEC 20000 should be present for whole day (acting as the ‘Guide Person’)
Process owners should expect to attend only the session that is relevant to their process
Have printed copies of all processes available; the auditor will want to take some away
Facilities
Reserve for the duration of the audit (e.g. 2 days) a meeting room that has power, projector, telephone
Ensure the room is ready for the auditor. Audits can be stressful; the less you have to do on the day the better
Where using an ITSM tool to provide evidence, ensure a well-specified PC is set up beforehand, connected to the projector
Have someone who is familiar with the ITSM tool available for the whole day to present any evidence captured
The Day itself
The more ‘evidence’ that can be prepared beforehand, the easier the audit will be
The auditor asks specific questions about how you ‘conform to a process’, so be specific in your answers
Avoid waffle!
If you don’t understand the question, don’t be afraid to ask for clarification
Pre-prepared evidence
Quarterly summary reports relating to individual processes
Audit records - these must include outcomes and resolutions
Reports that relate to processes e.g. Change Management will need to demonstrate that Changes have gone through the correct workflow as stated in your process
Make sure training records and job descriptions are up to date, together with overall Management summaries for the year
CMDB is up to date - make sure that any assets that are used in the audit are 100% accurate e.g. that server that has been under a desk for ages!
Ensure ‘Management’ is present for the opening and closing meetings. This is imperative, since one of the founding principles of ISO/IEC 20000 is management buy-in
The auditor will, at some point, ask to speak to staff who use the processes (e.g. the service desk, change executor). Ensure they are well prepared and know the basics of what they do in relation to policies, processes and procedures (e.g. INC, CHG, PRB Management).
What happens at the end of the audit?
The auditor will debrief the ISO/IEC 20000 owner on findings of the audit
What next?
Action any non-conformances that were raised (you have 45 days for major and 90 for minor). The auditor may come back to check on a major non-conformance but won’t return to follow up any minor non-conformances. These will be checked at the next scheduled audit
Internally you should debrief all those involved and start to prepare for the next audit
Feed back the result to the business. Be honest in what you say to the business; this is part of the whole lifecycle approach e.g. ‘we passed’, ‘we made some mistakes’ and ‘this is how we are correcting them’