FAQ: ISO 20000 Certification

 

This page offers answers to a number of common questions related to ISO 20000 certifications.

 

 

What are the merits of an ISO 20000 certification?

An ISO 20000 certificate is proof that your IT organization is

As such, the certificate and the corresponding logo are increasingly a competitive advantage in the market. Many clients even demand ISO 20000 compliance as a condition for awarding contracts to IT service providers. Of course, working along ISO 20000 (and ITIL) principles also offers internal benefits for the IT organization, because the standard is all about supporting the business side with adequate IT services, while providing those services as efficiently as possible.

The decision to go for an ISO 20000 certificate sets a specific target for your IT organization and helps to concentrate minds. It is, in other words, a good way to kick-start the adoption of IT Best Practice and to make sure motivation stays high.


What exactly do we have to achieve to become ISO 20000 compliant?

The most important thing at the start of a big project - like an ISO 20000 initiative - is to know what exactly must be achieved ("where do we want to be?").

Unfortunately, the standard itself only sets out a number of requirements which must be fulfilled. ISO 20000 tells you to design and implement a set of processes which meet certain requirements, but it does not describe how this should be done. So there is no short answer to the question "what exactly must be achieved?".

As a result, there is often a problem at the start of an ISO 20000 initiative: It is not clear what the working habits of your IT organization should be like in order to be ISO 20000 compliant, making it hard to determine what you should aim for and how much change is needed.

However, since ITIL and ISO 20000 are aligned, it is possible to turn to ITIL for advice.

ITIL knowledge is available in the form of books, but the ITIL Process Map together with the ITIL - ISO 20000 Bridge provides you with a better alternative: Our ITIL process model contains a complete set of ISO 20000 compliant process diagrams and checklists. Starting from a list of the standard’s 173 single requirements, you can jump right into process diagrams and document templates to see specific suggestions on how those requirements can be fulfilled - the ideal way to quickly understand what exactly it means for your IT organization to become ISO 20000 compliant.

We do not mean to say, however, that you must implement all processes contained in the ITIL Process Map to the letter. Our processes should be seen as one possible approach to implementing ISO 20000, and it is acceptable to use the original processes as a starting point and adapt them to your own organization's needs - as long as you stay in line with the ISO 20000 requirements.


How does an auditor verify that our IT organization is ISO 20000 compliant?

The aim of the certification audit is to check if your organization fulfils the ISO 20000 requirements. This is done primarily by

  • examining the process documentation
  • conducting interviews with IT staff
  • looking at evidence in the form of documents and records (if the processes are executed correctly, there are traces in the form of documents and records; e.g. the Incident Management process is producing Incident Records if executed correctly)

What are the typical project steps leading to certification?

Create awareness:

Communicate the goals and benefits of the ISO 20000 certification and the approach for achieving ISO 20000 compliance; this step should include giving everyone in your IT organization at least a basic understanding of ITIL.

Determine the certification scope:

Decide what parts of the organization, what services and/or what locations shall be covered by the certificate.

Conduct an initial assessment:

Determine gaps between today’s situation and the standard's requirements; this can be done by an external advisor, but there is also an IT Service Management Self Assessment Workbook published by BSI.

The result of this step is a detailed list of the ISO 20000 requirements where conformant and non-conformant areas are identified. For non-conformant areas the list includes the findings on what exactly the shortcomings are and how they can be addressed.

Set up the project:

Establish a project board; choose a project manager and project staff. Determine the necessary resources, prepare a project plan and assign tasks. Choose a certifier and an experienced external advisor.

Prepare for the certification audit:

Close the gaps identified during the initial assessment – usually the most time-consuming part of an ISO 20000 initiative, because (depending on the level of compliance found during the initial assessment) a considerable number of processes may need to be modified or introduced.

During preparation for the audit, an inventory of requirements, documents and records helps to keep track of what requirements are already fulfilled and what related evidence (documents and records) is in place.

To help you with this task, the ITIL - ISO 20000 Bridge contains a pre-configured inventory which you can use to monitor your progress towards ISO 20000 compliance.

Conduct the certification audit:

Perform the actual certification audit (to be carried out by an external certifier).

Retain certification:

After the initial certification, a renewal of the certificate is due every three years, with intermittent assessments every 6 to 12 months. Make sure that you continue to adhere to the standard and put a strong emphasis on continual service and process improvement.


What are the typical pitfalls?

No management support:

Management must understand and communicate why the service provider is seeking certification, and visibly endorse the initiative.

No support for the initiative among IT staff:

The advantages of Best Practice should be made clear to everyone in your IT organization, and it should be explained to IT staff where their places will be after the reorganization.

Insufficient resources:

Management commitment must be backed up by the provision of sufficient resources for the certification program. This includes making sure that staff assigned to the project are freed from some of their day-to-day tasks.


Should we seek external support?

External support will be necessary at least for the certification audit, as the audit can only be performed by a Registered Certification Body.

In most cases it is also advisable to seek the help of an experienced consultant, who will know what typically attracts the attention of auditors. So while we would not recommend attempting an ISO 20000 certification without external expertise, the point here is to keep consulting expenditures as low as possible.

The ITIL Process Map was designed with this in mind, as it enables you to acquire a large amount of ITIL and ISO 20000 knowledge before deciding where external help is needed.


How much does an ISO 20000 certification cost?

Unfortunately, this question is hard to answer.

The formal ISO 20000 audit itself is usually a very small proportion of the total cost that your organization will incur. In most cases, closing the gaps to become ISO 20000 compliant is by far the biggest part of a certification project.

As a result, the total cost heavily depends on

Once the certificate is awarded it will be valid for an initial period of three years. This means that regular re-certification audits and intermittent assessments are required, so there are also ongoing costs to be considered.
