ISO Checklist Brief Description Questions- (for initial Audit methods and

20000- item no level system Expected evidences

1:2011 implemented <1 year)
Clause
no
4 4.1 Service Management
system/Management
Responsibility
4.1.1 101 Management Has the management Look for the date of
commitment -Service established a service release of policy,
Policy, scope policy and objectives? authorisation, evidences
of wide publicity
102 Objectives for service Are objectives derived Look for function/dept
management from the service policy? wise objectives. Check for
a review that objectives
are current and address
the various elements of
policy.
103 communicating the How well has the Take the channels of
importance of communication on service communication (web site,
fulfilling service policy been done? notice boards) and look
requirements for the impact. You may
ask 3 persons , preferably
those who have joined
recently and ascertain the
reach of the
communication
104 communicating the What are the means of same as above
importance of communicating the
fulfilling statutory regulatory and legal
and legal requirements ?
requirements
105 ensuring provision of How does the top Check annual budget and
resources management provide the allocations made for
adequate resources for improvements related to
the establishment of a service delivery and
service management customer satisfaction.
system ?
106 conducting Have the management check the Minutes of
management reviews reviews been conducted Meeting and the presence
as required by the of top management
manual? among attendees. check
for actions.
107 Ensuring risks are How well the process of Is there a risk assessment
assessed and risk assessment been system for each service in
managed deployed? place?
4.1.2 111 Establishment of Has the service policy Check with people how
service policy as per a been reviewed for well they understand the
to e adequacy? In what policy and how they have
periodicity is it reviewed? internalised it in their
functions.
ISO Checklist Brief Description Questions- (for initial
20000- item no level system
1:2011 implemented <1 year)
Clause
no
4.1.3 121 Defining authorities Is the present
and responsibilities organisation chart
comprehensive enough to
include all responsibilities
as envisaged by the
standard?
122 documented Is a documented
procedure for procedure for internal
communication communication available?
4.1.4 131 Appointment of MR Has the MR been
appointed from the
internal staff?
132 MR's work (see a to Does MR have the
e) required mandate to carry
out his/her
responsibilities as defined
in the standard?
4.2 133 Governance of How is the Governance
processes under process led by top
others ( see a to d) management? Which are
the internal groups and
vendors who are covered
by the Governance
process currently?
Audit methods and
Expected evidences
Select a few aspects of
service management like
Information security and
check whether the roles
have been clearly defined.
Look for all locations and
check for overlaps and
gaps.
Check for the instances in
which the procedure has
been deployed. Like
appointment of MR or
internal audit schedule.
Look for the appointment
letter and check whether
the role is reporting is to
the top management.
Take two or three areas
from standard like a)
planning of internal audits
b) reports to top
management on
implementation of
standard or c) the status
of licenses for software
products used as part of
service delivery
Check that the a) service
providers and vendor
selection mechanism
exists b) vendors have
defined the service
delivery processes c)
accountability exists for
processes. This has to
overlap with cl no 7.2for
external suppliers and 6.1
for internal groups.
ISO Checklist Brief Description Questions- (for initial
20000- item no level system
1:2011 implemented <1 year)
Clause
no
4.3.1 141 Establishing and is there a master list of
maintaining documents? Are the
documents release of documents
done after due approval?
Is there a system for
version control?
4.3.2 151 Control of Is there a procedure for
Documents- control of documents and
Procedure is it followed?
4.3.3 161 Control of Records- Is there a procedure for
procedure control of records and is it
followed?
4.4.1 171 Determination of How timely the resources
resources and are provided to enable
provision the company to improve
service management
system and customer
satisfaction?
4.4.2 181 Competency Is there a process for
determination for determining the
personnel competency of existing
people and providing the
necessary training (or
taking other actions) to
improve them?
182 Training for people is there a structured plan
for training people and is
it well deployed
Audit methods and
Expected evidences
Check a few entries in
master list verify with
actual documents , and
check a few documents
and trace it to the master
list for correct version.
Take some key documents
like Service level
agreements or service
catalogues and check for
all aspects of conformance
to documents control
procedure
Take some key records like
back up records or audit
reports and check for all
aspects of conformance to
procedure
Take a few resource
requests from associates
like requirement for
software and check that
they have been approved
depending on priority.
Note any case of customer
dissatisfaction due to
inadequacy in provision of
resources.
Check for 10% (20 which
ever is lesser) of the key
resources across functions
that competencies are
mapped and if there are
gaps, actions are taken.
Take the training
plan/calendar and check
for the successful
completion of
programmes, nominations
ISO Checklist Brief Description Questions-( for initial Audit methods and
20000- item no level system Expected evidences
1:2011 implemented< 1 year)
Clause
no

183 evaluation of How does the Take a few training

effectiveness of management evaluate the programmes conducted
training effectiveness of the recently and check for the
training programmes ( or evaluation of
other actions taken)? effectiveness. If the HR or
L&D dept has any other
actions like mentoring or
on the job training
intended to improve
competencies those also
are to be checked for
effectiveness.

184 ensuring awareness How does the Check with a few

of the service management ensure that associates about their
management all the associates and awareness of Service
service providers are policy and objectives and
aware of the Service about the understanding
management objectives of their role in service
and contribute to them? management system.

185 Maintaining records What are the records check the training records
maintained to and also the updating of
demonstrate the other personnel records
achievement of skills by for the competencies they
training, education and had gained recently.
other actions?

4.5.1 191 scope definition of Scope should cover Check the scope for its
SMS location of customers , comprehensiveness and
location wherefrom for any change made
service is delivered and recently.
the technology used.
ISO Checklist Brief Description Questions- (for initial
20000- item no level system
1:2011 implemented <1 year)
Clause
no
4.5.2 201 service management In an organisation which is
plan see a to l a captive IT dept their
service Quality manual will
be adequate as a service
management plan but for
IT organisations which are
providing services to the
world at large the service
management plan is
required to be existing.
4.5.3 211 Operation of SMS as For the captive IT
per a to f organisation, this is
audited as a part of
auditing other
requirements of standard.
For IT organisations which
are providing services to
market at large, how well
these aspects a to f are
understood from
customers and
customised?
4.5.4.2 221 Internal audit Are internal audits
conducted as per plan?
4.5.4.3 231 Management review are management reviews
conducted as per plan ?
4.5.5.2 241 Management of Is there a service
Improvements. improvement plan (or
plans?)
Audit methods and
Expected evidences
For IT organisations which
are providing services to
market at large, look for
key customers who
account for significant
revenue and check
whether service
management system has
been customised (like in
incident management) to
suit their priorities.
In the IT organisation
which is providing services
to market at large, look
for key customers and
check atleast two aspects
from a to l (like limitations
of meeting SLAs, risk
management , technology
in terms of customisation)
Look for the internal audit
schedules and check for
competence of auditors,
timely completion of
audits and filing of
reports.
Look for action points in
management reviews and
check whether they are
acted upon by attendees
and others. Check
whether the agenda is
up to date.
Check that the service
improvement plans are
updated with latest
incidents or NCRs and
other inputs for
improving the service
management system.
ISO Checklist Brief Description Questions-( for initial level Audit methods and
20000- item no system implemented< 1 Expected evidences
1:2011 year)
Clause
no
5 Design and transition
of new or changed
services
5.2 301 Plan new services How the planning for Take a service which is
Introduction see a to introduction of a new changed or a service which
j- service go on? is new and check whether
302 Plan for changed how the planning has been the planning activities are
service introduction done for changed service? demonstrated. New means
see a to j -make a the service spec is different
demo plan and change means that the
scope is changed. Planning
will be evident in a.
timelines 2. Project plan. 3.
Review meetings. 4. Team
formation. 5. Finalising the
requirements and
validation criteria.
303 Plan for removal of How is the planning done Take any instance of
service for removal of service? Or removal of a service or
incase of transitioning to transitioning to others and
other service providers? check whether the removal
was done according to a
plan.
ISO Checklist Brief Description Questions-( for initial level Audit methods and
20000- item no system implemented< 1 Expected evidences
1:2011 year)
Clause
no
5.3 311 Service specification How is design and Design and development
apply a to k development of service of service is seen as the
selectively carried out? preparation of service
specs ie what customers
can expect at their
interfaces and service
delivery specs ie what are
the elements designed to
be in place like the
availability of server. Take
any one new service and
check how the service
specs are developed .
these include SLAs,
response time for tickets ,
criticality of backups, BCP
etc.
312 Service Delivery Take the same two new
specification (apply a services changed or new
to k selectively) and check whether the
service delivery specs
which are consisting of
those elements about
which customer is not
aware but at the same
time are important for
customer satisfaction.
These could be people , IT
infrastructure or
communication link.
313 Quality Control Take any elements which
Specification are hardware or material
which go to augment the
service and check whether
they are inspected .
5.4 321 Transition of How does the organisation take any service and check
new/changed service verify the service before it whether the team verified
is launched? the service with service
spec and service delivery
spec for a planned period
and then released the
service
ISO Checklist Brief Description Questions-( for initial Audit methods and
20000- item no level system Expected evidences
1:2011 implemented< 1 year)
Clause
no
6 Service level
management
6.1 401 Catalogue of Is the service catalogue Check whether the
services available? catalogue is updated with
the latest changes in
service specifications
402 SLAs for each service Are SLAS documented for
each service individually? Check the tracking of SLAs.
403 Reviews of SLAs with Are these SLAs being What is the frequency in
customer reviewed with customer? which SLAs are reported ?
Who in customer's side
participates in the reviews?
404 Trends of what are the trends ? are Take a few services and go
performances targets for the SLAs through last six months
against targets available? trends check whether the
trends have been analysed
for instability.
405 causal analyses of How instances of non Check whether in instances
non conformities conformities in meeting of failure to meet SLAs
SLAs are dealt with? causal analysis have been
carried out.
406 Review of other How are other groups' check whether the
groups' performances reviewed? performance of other
performances groups which contribute to
the service are monitored
regularly. In case of gaps,
do the findings trigger
some SIPs?
6.2 411 Service report for How does the IT report Select two services and
each service about the status of its two months and go
service to the customers? through to see whether the
report contained all
relevant information. Like
backlogs, incidents, risks
and workload changes. .
ISO Checklist Brief Description Questions-( for initial Audit methods and
20000- item no level system Expected evidences
1:2011 implemented< 1 year)
Clause
no
6.3 Service continuity
and availability
management

6.3.1 421 service continuity how has the IT team Check for mission critical
requirements collected the services how service
requirements for service continuity requirements
continuity? have been collected.
These include helpdesks,
ticket resolution teams etc
422 service availability How has the IT team Check for mission critical
requirements collected the and other projects how
requirements for service availability requirements
availability?? for service components
like data communication
or mail servers are
collected
6.3.2 431 service continuity what is the plan for service Check whether a BCP
plan continuity and availability (business continuity plan )
? is available which states
the strategy in case of
failures
432 service availability Check for BCP plan and
plan check whether availability
of link etc is available by
providing redundancy.
6.3.3 441 service continuity How are the continuity Check BCP drill schedule
testing and plans getting tested? and how are they carried
monitoring out in the last two
months. Check whether
reviews are taken after
drills and whether the
reports trigger SIPs
442 service availability How are availability plans Check whether
testing and getting tested? redundancy has been
monitoring tested in case of achieving
100% availability
requirements.
6.4 451 Procedures for what are the procedures Check whether budget
budgeting and for cost accounting and includes key aspects of
accounting monitoring budgets? service like renewal of
license, payments to
external service providers
ISO Checklist Brief Description Questions-( for initial Audit methods and
20000- item no level system Expected evidences
1:2011 implemented< 1 year)
Clause
no
6.5 461 Capacity How is the capacity being Look for capacity plan for
management planned in advance? the current year and take
two aspects eg expected
impact of revised SLAs and
forecasted demand for
services and check
whether capacity plan
addresses the same.
6.6.1 471 Information security Is there an information Does the security policy
policy security policy? address the concern of
stakeholders and define a
methodical approach? Has
it been communicated to
all?
472 Risk Management Is the approach to Look for risk registers for
security risk management IT assets.
defined ?

6.6.2 473 Physical security What are the physical Take two areas like data
controls on premises security controls? centre and check whether
physical security controls
are complied with.
474 Security Objectives Are these objectives for IT Check whether IT security
security? objectives are understood
. Are they being
communicated?
475 controls on external Are controls defined for Choose one or two
organisations external organisations external organisations and
who are involved in look for agreements and
service delivery? implementation of IT
security controls.
6.6.3 476 change request How are security risks Go through some change
analysis analysed for changes requests to check whether
proposed? these changes have been
evaluated from security
point of view
477 Incidents register Is there a system for Check the incident register
registering security for security incidents and
incidents? their resolution.
ISO Checklist Brief Description Questions-( for initial Audit methods and
20000- item no level system Expected evidences
1:2011 implemented< 1 year)
Clause
7 Relationship
processes
7.1 501 Account manager Are designated account For key customers check
allocation list managers available for whether an individual has
key customers? been designated to
ensure customer
satisfaction.
502 Review of what is the system for Is periodicity for reviews
performance with performance review with defined? Are the reviews
customers customers? taking place as per the
defined periodicity?
503 complaint How does the Check whether the
management organisation manage its complaints are recorded,
process complaints? Is there a investigated and acted
documented procedure? upon. Check for two
Is there an agreement complaints the entire
with customer on what is process up to closure.
a complaint? Check whether the
complaints have
triggered a SIP.
7.2 511 List of account Are designated account Check whether the
managers (supplier managers for key organisation as
wise) suppliers available? designated individuals
who are responsible for
managing relationship
and contract with key
suppliers..
512 contract of service Does organisation have a Take two contracts and
documented contract check whether important
with each supplier? aspects (out of 7.2.a to l)
like workload, SLAs,
reporting etc are defined.
513 relationship of lead are the relationship Check whether the lead
to subcontracted between lead supplier suppliers have sub
suppliers and the sub supplier contracts and in that case
documented? check whether the
relationship is clearly
defined like back to back
SLAs.
514 monitoring of the How does the check whether the
performance of organisation monitor the performance of suppliers
suppliers performance of is reviewed regularly.
suppliers? Is here a Check whether the
documented procedure results of reviews are
for resolving disputes? getting recorded for SIPs
ISO Checklist Brief Description Questions-( for initial Audit methods and
20000- item no level system Expected evidences
1:2011 implemented< 1 year)
Clause
8 Resolution
processes

8.1 Incident and service

request
management

8.1 601 procedure for Is there a documented Take a few service

dealing with service procedure for dealing incidents and track as per
incidents with incident the requirements a to g.
management ? Does it check whether customers
define major and minor kept informed about the
service incidents? status of resolution of
incident are major
incidents reviewed and
taken up for
improvement through
SIPs?
602 Procedure for Is there a documented Track two service
dealing with service procedure for dealing requests whether they
requests with service request ? have been dealt with as
per the procedure
8.2 611 Procedure for is there a documented Problems are causes for
problem procedure for resolution major incidents or
management management? repeated minor
incidents/chronic service
requests. Check two of
the above and look for a
problem solving process
in place to prevent their
recurrence. Look for
effectiveness by tracking
the incidents post
resolution. Look for
KEDB. (Known error data
base)
ISO Checklist Brief Description Questions-( for initial Audit methods and
20000- item no level system Expected evidences
1:2011 implemented< 1 year)
Clause
no
9 Control processes
9.1 701 Configuration Is there a documented Check for list of CIs .
management procedure for Whether each CI is
configuration uniquely identified and
management? recorded in a CMDB.
Check whether the
organisation is auditing
the CMDB regularly.
702 Configuration How are changes to CIs check traceability of CIs.
management-CMDB handled? Are master copies of CIs
recorded in CMDB stored
in secure physical
environment?
9.2 711 Change is there a documented Are change requests
Management- procedure for change handled according to
change requests management? procedure?
712 Emergency changes How does the Check whether the
organisation handle organisation has agreed
emergency changes? about what is an
emergency change with
customer.
713 Change management Check whether the Check whether the
- Deploying the deployment of changes is approved changes are
changes taking place as per the developed and tested. Is
procedure. schedule of changes
available with dates for
deployment? Are
unsuccessful changes
investigated? Do such
investigations lead to
SIPs?
9.3 721 Release and Has the organisation check whether the plan
Deployment Policy formulated a release for new releases are done
policy? with agreement of
customer.
722 definition of Is emergency release Check what constitutes an
emergency release defined? Is there a emergency release and
documented procedure? whether they are handled
according to the
procedure.
723 monitoring success How does the Check whether the
and failure of release organisation monitor lessons learnt from
success or failure of its failures are documented
releases? and are taken up for
service improvement .
Abbreviations used in checklist:

1. CMDB Configuration management data base

2. CI- Configuration item
3. ISO – International organisation for standardisation
4. MR- Management Representative
5. SIP- Service Improvement plan.
6. SLA- Service level agreement.
7. SMS- Service Management system
8. For all terms used, definitions are as per clause no 3 of the ISO 20000-1:2011 standard.

Notes:

For information on conduct of Internal audits, Please refer to ISO 19011. The above checklist is
intended only for organisations which are at the start of the journey of implementation. Hence, the
auditors need to spend more time even in questions related to the documentation part of the
system. As the organisations mature, such questions are not essential and instead auditor can spend
more time in checking effectiveness.

In checklist, time allocation is not given and it is expected that the auditors customise the checklist in
terms of the time allocation for individual areas.

Author Profile:

C P Chandrasekaran is a practising Quality management consultant and an empanelled third party

auditor for IT organisations. He has about 15 years experience in Quality system consulting and
auditing. He lives in Pune, India and his email address is cpchandrasekaran@gmail.com