ISO/IEC 20000 Certification, Three Steps To Certification, Step 2 – Assessment

An article by Mark Sykes, Principal Consultant at Fox IT. ‘ISO/IEC 20000 Certification, Three Steps To Certification, Step 2 – Assessment’ explaining the mechanics of obtaining ISO/IEC 20000 certification. This is the second part of a trilogy of articles explaining the mechanics of obtaining ISO/IEC 20000 certification.



Welcome to this second in a trilogy of articles explaining the mechanics of obtaining ISO/IEC 20000 certification.

This specific article deals with the following aspects:

  • Assessing the current state of the IT Organisation.
  • Developing a roadmap and project plan through to final certification.

Download this Article on ISO 20000 certification process

Part 1 of the trilogy provided an explanation of what ISO/IEC 20000 is, why organisations would seek to obtain certification and what’s involved in achieving it. Additionally, the paper discussed the typical length of time it takes to obtain certification and where an IT Organisation (ITO) should start when the decision has been made to attain the Standard.

Why do an ISO/IEC 20000 Assessment

Before starting on any programme of service management improvement, implementation or transformation, it is vital to understand the current state of the ITO’s service management system. Doing an assessment at this stage will provide a baseline measurement of the existing ITO operation and will also provide a mechanism from which to measure future progress.

The key point of doing an initial assessment is to identify where the ITO is currently failing to meet the requirements of the Standard. These are identified as ‘non-conformities’, along with where the requirements are already being met, known as ‘conformities’.

This gap analysis enables an accurate roadmap and project plan to be developed that supports the organisation’s required timeframe for certification; but importantly, it is also something that needs to remain realistic based on the number of non-conformities that have been identified.

Assessment of the ISO/IEC 20000 Service Management System

One of the aspects covered in the first paper of this trilogy was defining the scope of certification and this is the foundation upon which an assessment needs to be based. There are many options for setting the certification scope, so it is important that there is a clear understanding of this as it will define the boundaries for assessing the current state of the ITO.

Once the scope has been agreed then the next step is to identify the key stakeholders that will need to participate. These will include process owners, process managers and process practitioners (i.e. those doing the process on a day-to-day basis). When Fox IT perform an assessment for a client we always try to engage with the practitioners of a process as they sometimes provide a different point of view from that given by a manager!

Also, if some of these roles don’t exist then we at least try and get to speak to someone that is involved in the process or activities that form part of that process. For example, an organisation may not do anything formally for capacity management (nor have any defined process), but they no doubt have someone who does capacity-related activities. If that’s the case, we want to speak to them!

In all respects it is vital that we have a clear and accurate picture of what is and isn’t being done, so that we can provide suitable advice as necessary – and it also helps us to minimise the risk of any subsequent issues arising as a client works their way towards certification.

Do you remember the contents of the service management system (SMS)?

ISO 20000 management system

The assessment must cover all aspects of the SMS, so it is likely that representatives from a number of different areas will need to be involved in the assessment activities. Once all parties have been identified, then scheduling can commence.

When organising an assessment, Fox IT recommend scheduling a number of interview sessions and/or workshops based on the availability of the stakeholders who will be participating. The schedule needs to cover all processes of the SMS and more specifically the 403 detailed requirements contained within the Standard. Even where some processes may not yet exist within the ITO, it is important to understand what related activities are actually done in relation to the scope of certification, so sessions still need to be held for these areas.

The interviews/workshops should be supplemented with some observations of processes in operation (for example, a visit to the Service Desk or attendance at a change advisory board meeting), as well as a review of some of the supporting documentation. This is critical to ensure that the right types of evidence are being generated to support the requirements of the Standard and importantly, the auditor!

In Fox IT’s experience all of this adds up to a pretty intense week of activities for the people performing the assessment, although sometimes it can take a little longer than 5 days depending on the size of scope and number of participants. On this note, there is nothing to stop an ITO having their own internal staff undertake the assessment, but Fox IT would only recommend this route if the ITO has some level of independence, for example an internal audit team with experience of ISO/IEC 20000 and a suitable qualification. If these requirements aren’t available, then we would always recommend that an ITO sources external consultancy to perform the assessment. It is a fairly specialised subject matter and the ITO would gain tremendously from engaging with experienced consultants.

Once the above assessment activities have taken place then the next steps can commence. This involves a detailed analysis of the results of the interviews and workshops, along with the observation and documentation review that was performed. It’s then necessary to create a detailed report that provides the ITO with a comprehensive view of the current state. The value of this report is that it will provide an accurate view of what needs to be done to bring the SMS up to the right level of maturity before certification can be achieved.

When Fox IT perform an assessment these are the contents of the report that is produced:

  • Management Summary
  • Overall scores: % Conformance / No. of Non-Conformities
  • Comparison with other organisations
  • Process by process breakdown:
      • Individual % Conformance / No. of Non-Conformities
      • Findings
      • Recommendations

Importantly, for each of the individual non-conformities that have been identified, we would also include a recommendation for how to remediate that non-conformity.

Roadmap and Project Plan

If you remember, I mentioned in part 1 of this trilogy – Planning, that depending upon the maturity of the ITO it can typically take somewhere between 12 and 18 months before an organisation is ready for the final audit to be undertaken by the Registered Certification Body (RCB).

Once the assessment has been carried out, you will have an accurate view of the current state of the ITO in respect of the certification scope. The next step will be to develop a high- level roadmap; this should be designed so that it provides a realistic outlook on the timeframe of activities that will be required to put the ITO in a position to be audited for certification. It is important not to be too over-ambitious in your target timeline for reaching certification; the details of the assessment report will provide you with relevant information for setting a realistic target based on the resources available and the amount of work necessary.

The assessment results can be utilised to help ensure that areas requiring most focus are prioritised appropriately. Also, it should not be forgotten that the RCB will be looking for 3 months’ worth of evidence, so this needs to be built into the roadmap and any accompanying project plan.

Once the roadmap has been signed-off a comprehensive project plan needs to be developed. A key input to this will be the detailed assessment report that was written. The contents of the report will provide the level of detail required to build the specific tasks that need to be undertaken. Fox IT would always recommend that a reference be included to each of the individual non-conformities that have been identified. This then provides an extra level of assurance that nothing will get forgotten about further down the line!

Having a project plan, and of course a project manager, in place will be extremely beneficial when the implementation activities commence. Being able to track the execution and completion of individual activities, along with any relevant inter-dependencies, will help to provide a level of confidence that target milestones are being met – and enable issues to be readily identified.

What’s next?

Once both the roadmap and project plan have been signed-off then it’s just a case of implementing them! Yes I know, easier said than done, but I’ll be looking at this in more detail in part 3 of this trilogy – Implementation. This will focus on implementing the roadmap and project plan that will take the ITO on a journey of implementing and/or improving processes and practices that the Standard mandates must be met, through generating the required evidence, and on to the final certification audit and beyond.

How can Fox IT help you?

Fox IT has many years proven experience of ISO/IEC 20000 as well as its previous incarnation, BS15000, producing a demonstrable track record of assisting organisations in attaining certification.

Our proven route map for guiding clients on their journey enables us to support you whatever your requirements – from the initial scoping activities and putting together a business case, then onto the detailed assessment (as discussed in this paper), through to developing and implementing a mature service management system that enables clients to meet the certification requirements. These practical elements are further supported by a comprehensive training portfolio, including ISO/IEC 20000 Foundation, Practitioner and Auditor courses.

All of this enables Fox IT to accelerate the timeframes for certification, whilst our substantial experience helps to de-risk any issues arising when the RCB performs the final audit.

Link to Step 1: ISO/IEC 20000 Certification, Three Steps to Certification, Step 1 – Planning

Want to speak to a Fox IT consultant today? Contact us now →