
ISO 20000-1:2011 internal audit checklist

4 4.1 Service management system / Management responsibility

| ISO 20000-1:2011 clause no | Checklist item no | Brief description | Questions (for initial-level system implemented < 1 year) | Audit methods and expected evidences |
|---|---|---|---|---|
| 4.1.1 | 101 | Management commitment: service policy, scope | Has the management established a service policy and objectives? | Look for the date of release of the policy, its authorisation, and evidence of wide publicity. |
| | 102 | Objectives for service management | Are objectives derived from the service policy? | Look for function/department-wise objectives. Check for a review confirming that objectives are current and address the various elements of the policy. |
| | 103 | Communicating the importance of fulfilling service requirements | How well has the communication on the service policy been done? | Take the channels of communication (web site, notice boards) and look for their impact. You may ask 3 persons, preferably those who have joined recently, and ascertain the reach of the communication. |
| | 104 | Communicating the importance of fulfilling statutory and legal requirements | What are the means of communicating the regulatory and legal requirements? | Same as above. |
| | 105 | Ensuring provision of resources | How does the top management provide adequate resources for the establishment of a service management system? | Check the annual budget and the allocations made for improvements related to service delivery and customer satisfaction. |
| | 106 | Conducting management reviews | Have the management reviews been conducted as required by the manual? | Check the minutes of meetings and the presence of top management among attendees. Check for actions. |
| | 107 | Ensuring risks are assessed and managed | How well has the process of risk assessment been deployed? | Is there a risk assessment system in place for each service? |
| 4.1.2 | 111 | Establishment of service policy as per a to e | Has the service policy been reviewed for adequacy? At what periodicity is it reviewed? | Check with people how well they understand the policy and how they have internalised it in their functions. |
| 4.1.3 | 121 | Defining authorities and responsibilities | Is the present organisation chart comprehensive enough to include all responsibilities as envisaged by the standard? | Select a few aspects of service management, like information security, and check whether the roles have been clearly defined. Look at all locations and check for overlaps and gaps. |
| | 122 | Documented procedure for communication | Is a documented procedure for internal communication available? | Check for instances in which the procedure has been deployed, like the appointment of the MR or the internal audit schedule. |
| 4.1.4 | 131 | Appointment of MR | Has the MR been appointed from the internal staff? | Look for the appointment letter and check whether the role reports to the top management. |
| | 132 | MR's work (see a to e) | Does the MR have the required mandate to carry out his/her responsibilities as defined in the standard? | Take two or three areas from the standard, like a) planning of internal audits, b) reports to top management on implementation of the standard, or c) the status of licences for software products used as part of service delivery. |
| 4.2 | 133 | Governance of processes operated by others (see a to d) | How is the governance process led by top management? Which internal groups and vendors are currently covered by the governance process? | Check that a) a service provider and vendor selection mechanism exists, b) vendors have defined the service delivery processes, c) accountability exists for processes. This has to overlap with clause 7.2 for external suppliers and 6.1 for internal groups. |
| 4.3.1 | 141 | Establishing and maintaining documents | Is there a master list of documents? Is the release of documents done after due approval? Is there a system for version control? | Check a few entries in the master list and verify them against the actual documents; then check a few documents and trace them to the master list for the correct version. |
| 4.3.2 | 151 | Control of documents: procedure | Is there a procedure for control of documents and is it followed? | Take some key documents, like service level agreements or service catalogues, and check all aspects of conformance to the document control procedure. |
| 4.3.3 | 161 | Control of records: procedure | Is there a procedure for control of records and is it followed? | Take some key records, like backup records or audit reports, and check all aspects of conformance to the procedure. |
| 4.4.1 | 171 | Determination and provision of resources | How timely are resources provided to enable the company to improve the service management system and customer satisfaction? | Take a few resource requests from associates, like a requirement for software, and check that they have been approved depending on priority. Note any case of customer dissatisfaction due to inadequate provision of resources. |
| 4.4.2 | 181 | Competency determination for personnel | Is there a process for determining the competency of existing people and providing the necessary training (or taking other actions) to improve them? | Check, for 10% (or 20, whichever is lesser) of the key resources across functions, that competencies are mapped and, if there are gaps, that actions are taken. |
| | 182 | Training for people | Is there a structured plan for training people and is it well deployed? | Take the training plan/calendar and check for the successful completion of programmes and nominations. |
| | 183 | Evaluation of effectiveness of training | How does the management evaluate the effectiveness of the training programmes (or other actions taken)? | Take a few training programmes conducted recently and check for the evaluation of effectiveness. If the HR or L&D department has any other actions, like mentoring or on-the-job training, intended to improve competencies, those are also to be checked for effectiveness. |
| | 184 | Ensuring awareness of service management | How does the management ensure that all the associates and service providers are aware of the service management objectives and contribute to them? | Check with a few associates about their awareness of the service policy and objectives and about their understanding of their role in the service management system. |
| | 185 | Maintaining records | What records are maintained to demonstrate the achievement of skills through training, education and other actions? | Check the training records and also the updating of other personnel records for the competencies they have gained recently. |
| 4.5.1 | 191 | Scope definition of SMS | The scope should cover the location of customers, the location from which the service is delivered and the technology used. | Check the scope for its comprehensiveness and for any change made recently. |
| 4.5.2 | 201 | Service management plan (see a to l) | In an organisation which is a captive IT department, the service quality manual will be adequate as a service management plan, but for IT organisations providing services to the world at large, a service management plan is required to exist. | For IT organisations providing services to the market at large, look for key customers who account for significant revenue and check whether the service management system has been customised (for example in incident management) to suit their priorities. |
| 4.5.3 | 211 | Operation of SMS as per a to f | For the captive IT organisation, this is audited as part of auditing the other requirements of the standard. For IT organisations providing services to the market at large, how well are these aspects a to f understood from customers and customised? | In the IT organisation providing services to the market at large, look for key customers and check at least two aspects from a to l (like limitations in meeting SLAs, risk management, technology in terms of customisation). |
| 4.5.4.2 | 221 | Internal audit | Are internal audits conducted as per plan? | Look for the internal audit schedules and check for competence of auditors, timely completion of audits and filing of reports. |
| 4.5.4.3 | 231 | Management review | Are management reviews conducted as per plan? | Look for action points in management reviews and check whether they are acted upon by attendees and others. Check whether the agenda is up to date. |
| 4.5.5.2 | 241 | Management of improvements | Is there a service improvement plan (or plans)? | Check that the service improvement plans are updated with the latest incidents or NCRs and other inputs for improving the service management system. |


5 Design and transition of new or changed services

| ISO 20000-1:2011 clause no | Checklist item no | Brief description | Questions (for initial-level system implemented < 1 year) | Audit methods and expected evidences |
|---|---|---|---|---|
| 5.2 | 301 | Plan new service introduction (see a to j) | How does the planning for the introduction of a new service go on? | Take a service which is changed or a service which is new and check whether the planning activities are demonstrated. New means the service spec is different; change means that the scope is changed. Planning will be evident in 1. timelines, 2. project plan, 3. review meetings, 4. team formation, 5. finalising the requirements and validation criteria. |
| | 302 | Plan for changed service introduction (see a to j); make a demo plan | How has the planning been done for the changed service? | |
| | 303 | Plan for removal of service | How is the planning done for the removal of a service, or in case of transitioning to other service providers? | Take any instance of removal of a service or transitioning to others and check whether the removal was done according to a plan. |
| 5.3 | 311 | Service specification (apply a to k selectively) | How is the design and development of the service carried out? | Design and development of a service is seen as the preparation of service specs, i.e. what customers can expect at their interfaces, and service delivery specs, i.e. what elements are designed to be in place, like the availability of a server. Take any one new service and check how the service specs are developed. These include SLAs, response time for tickets, criticality of backups, BCP, etc. |
| | 312 | Service delivery specification (apply a to k selectively) | | Take the same two services (changed or new) and check the service delivery specs, which consist of those elements of which the customer is not aware but which at the same time are important for customer satisfaction. These could be people, IT infrastructure or communication links. |
| | 313 | Quality control specification | | Take any elements which are hardware or material that go to augment the service and check whether they are inspected. |
| 5.4 | 321 | Transition of new/changed service | How does the organisation verify the service before it is launched? | Take any service and check whether the team verified the service against the service spec and the service delivery spec for a planned period and then released the service. |



6 Service level management

| ISO 20000-1:2011 clause no | Checklist item no | Brief description | Questions (for initial-level system implemented < 1 year) | Audit methods and expected evidences |
|---|---|---|---|---|
| 6.1 | 401 | Catalogue of services | Is the service catalogue available? | Check whether the catalogue is updated with the latest changes in service specifications. |
| | 402 | SLAs for each service | Are SLAs documented for each service individually? | Check the tracking of SLAs. |
| | 403 | Reviews of SLAs with customer | Are these SLAs being reviewed with the customer? | What is the frequency at which SLAs are reported? Who on the customer's side participates in the reviews? |
| | 404 | Trends of performance against targets | What are the trends? Are targets for the SLAs available? | Take a few services and go through the last six months' trends; check whether the trends have been analysed for instability. |
| | 405 | Causal analyses of non-conformities | How are instances of non-conformity in meeting SLAs dealt with? | Check whether, in instances of failure to meet SLAs, causal analysis has been carried out. |
| | 406 | Review of other groups' performance | How is other groups' performance reviewed? | Check whether the performance of other groups which contribute to the service is monitored regularly. In case of gaps, do the findings trigger SIPs? |
| 6.2 | 411 | Service report for each service | How does IT report the status of its service to the customers? | Select two services and two months and go through the reports to see whether they contained all relevant information, like backlogs, incidents, risks and workload changes. |
| 6.3 | | Service continuity and availability management | | |
| 6.3.1 | 421 | Service continuity requirements | How has the IT team collected the requirements for service continuity? | Check, for mission-critical services, how service continuity requirements have been collected. These include helpdesks, ticket resolution teams, etc. |
| | 422 | Service availability requirements | How has the IT team collected the requirements for service availability? | Check, for mission-critical and other projects, how availability requirements for service components like data communication or mail servers are collected. |
| 6.3.2 | 431 | Service continuity plan | What is the plan for service continuity and availability? | Check whether a BCP (business continuity plan) is available which states the strategy in case of failures. |
| | 432 | Service availability plan | | Check the BCP and check whether availability of links etc. is ensured by providing redundancy. |
| 6.3.3 | 441 | Service continuity testing and monitoring | How are the continuity plans getting tested? | Check the BCP drill schedule and how the drills were carried out in the last two months. Check whether reviews are taken after drills and whether the reports trigger SIPs. |
| | 442 | Service availability testing and monitoring | How are availability plans getting tested? | Check whether redundancy has been tested in the case of 100% availability requirements. |
| 6.4 | 451 | Procedures for budgeting and accounting | What are the procedures for cost accounting and monitoring budgets? | Check whether the budget includes key aspects of service like renewal of licences and payments to external service providers. |
| 6.5 | 461 | Capacity management | How is capacity being planned in advance? | Look for the capacity plan for the current year, take two aspects, e.g. the expected impact of revised SLAs and the forecasted demand for services, and check whether the capacity plan addresses them. |
| 6.6.1 | 471 | Information security policy | Is there an information security policy? | Does the security policy address the concerns of stakeholders and define a methodical approach? Has it been communicated to all? |
| | 472 | Risk management | Is the approach to security risk management defined? | Look for risk registers for IT assets. |
| 6.6.2 | 473 | Physical security controls on premises | What are the physical security controls? | Take two areas, like the data centre, and check whether physical security controls are complied with. |
| | 474 | Security objectives | Are there objectives for IT security? | Check whether IT security objectives are understood. Are they being communicated? |
| | 475 | Controls on external organisations | Are controls defined for external organisations which are involved in service delivery? | Choose one or two external organisations and look for agreements and the implementation of IT security controls. |
| 6.6.3 | 476 | Change request analysis | How are security risks analysed for proposed changes? | Go through some change requests to check whether these changes have been evaluated from a security point of view. |
| | 477 | Incidents register | Is there a system for registering security incidents? | Check the incident register for security incidents and their resolution. |

7 Relationship processes

| ISO 20000-1:2011 clause no | Checklist item no | Brief description | Questions (for initial-level system implemented < 1 year) | Audit methods and expected evidences |
|---|---|---|---|---|
| 7.1 | 501 | Account manager allocation list | Are designated account managers available for key customers? | For key customers, check whether an individual has been designated to ensure customer satisfaction. |
| | 502 | Review of performance with customers | What is the system for performance review with customers? | Is the periodicity for reviews defined? Are the reviews taking place as per the defined periodicity? |
| | 503 | Complaint management process | How does the organisation manage its complaints? Is there a documented procedure? Is there an agreement with the customer on what constitutes a complaint? | Check whether the complaints are recorded, investigated and acted upon. For two complaints, check the entire process up to closure. Check whether the complaints have triggered a SIP. |
| 7.2 | 511 | List of account managers (supplier-wise) | Are designated account managers for key suppliers available? | Check whether the organisation has designated individuals who are responsible for managing the relationship and contract with key suppliers. |
| | 512 | Contract of service | Does the organisation have a documented contract with each supplier? | Take two contracts and check whether important aspects (out of 7.2 a to l) like workload, SLAs, reporting etc. are defined. |
| | 513 | Relationship of lead to subcontracted suppliers | Is the relationship between the lead supplier and the sub-supplier documented? | Check whether the lead suppliers have subcontracts and, in that case, check whether the relationship is clearly defined, like back-to-back SLAs. |
| | 514 | Monitoring of the performance of suppliers | How does the organisation monitor the performance of suppliers? Is there a documented procedure for resolving disputes? | Check whether the performance of suppliers is reviewed regularly. Check whether the results of reviews are recorded for SIPs. |
8 Resolution processes

| ISO 20000-1:2011 clause no | Checklist item no | Brief description | Questions (for initial-level system implemented < 1 year) | Audit methods and expected evidences |
|---|---|---|---|---|
| 8.1 | | Incident and service request management | | |
| 8.1 | 601 | Procedure for dealing with service incidents | Is there a documented procedure for incident management? Does it define major and minor service incidents? | Take a few service incidents and track them as per the requirements a to g. Check whether customers are kept informed about the status of resolution of the incident. Are major incidents reviewed and taken up for improvement through SIPs? |
| | 602 | Procedure for dealing with service requests | Is there a documented procedure for dealing with service requests? | Track two service requests to see whether they have been dealt with as per the procedure. |
| 8.2 | 611 | Procedure for problem management | Is there a documented procedure for problem management? | Problems are the causes of major incidents or of repeated minor incidents/chronic service requests. Check two of the above and look for a problem-solving process in place to prevent their recurrence. Look for effectiveness by tracking the incidents post resolution. Look for the KEDB (known error database). |





9 Control processes

| ISO 20000-1:2011 clause no | Checklist item no | Brief description | Questions (for initial-level system implemented < 1 year) | Audit methods and expected evidences |
|---|---|---|---|---|
| 9.1 | 701 | Configuration management | Is there a documented procedure for configuration management? | Check for the list of CIs, and whether each CI is uniquely identified and recorded in a CMDB. Check whether the organisation is auditing the CMDB regularly. |
| | 702 | Configuration management: CMDB | How are changes to CIs handled? | Check the traceability of CIs. Are master copies of the CIs recorded in the CMDB stored in a secure physical environment? |
| 9.2 | 711 | Change management: change requests | Is there a documented procedure for change management? | Are change requests handled according to the procedure? |
| | 712 | Emergency changes | How does the organisation handle emergency changes? | Check whether the organisation has agreed with the customer about what constitutes an emergency change. |
| | 713 | Change management: deploying the changes | Check whether the deployment of changes is taking place as per the procedure. | Check whether the approved changes are developed and tested. Is a schedule of changes available with dates for deployment? Are unsuccessful changes investigated? Do such investigations lead to SIPs? |
| 9.3 | 721 | Release and deployment policy | Has the organisation formulated a release policy? | Check whether the plans for new releases are made with the agreement of the customer. |
| | 722 | Definition of emergency release | Is emergency release defined? Is there a documented procedure? | Check what constitutes an emergency release and whether such releases are handled according to the procedure. |
| | 723 | Monitoring success and failure of releases | How does the organisation monitor the success or failure of its releases? | Check whether the lessons learnt from failures are documented and taken up for service improvement. |
Abbreviations used in the checklist:

1. CMDB - Configuration management database
2. CI - Configuration item
3. ISO - International Organisation for Standardisation
4. MR - Management representative
5. SIP - Service improvement plan
6. SLA - Service level agreement
7. SMS - Service management system
8. For all terms used, definitions are as per clause 3 of the ISO 20000-1:2011 standard.
Notes:
For information on the conduct of internal audits, please refer to ISO 19011. The above checklist is
intended only for organisations which are at the start of the implementation journey. Hence, the
auditors need to spend more time even on questions related to the documentation part of the
system. As organisations mature, such questions are not essential and the auditor can instead spend
more time checking effectiveness.
In the checklist, time allocation is not given; it is expected that auditors customise the checklist in
terms of the time allocation for individual areas.
Author profile:
C P Chandrasekaran is a practising quality management consultant and an empanelled third-party
auditor for IT organisations. He has about 15 years' experience in quality system consulting and
auditing. He lives in Pune, India, and his email address is cpchandrasekaran@gmail.com
