
ISO 20000-1:2011 internal audit checklist

Columns: ISO 20000-1:2011 clause no; checklist item no; brief description; questions (for an initial-level system, implemented less than one year); audit methods and expected evidence.

Clause 4.1 Service management system / Management responsibility

Clause 4.1.1
101 Management commitment: service policy, scope
102 Objectives for service management
  Question: Has management established a service policy and objectives? Are the objectives derived from the service policy?
  Audit method: Look for the date of release of the policy, its authorisation and evidence of wide publicity. Look for function/department-wise objectives. Check for a review that the objectives are current and address the various elements of the policy.
103 Communicating the importance of fulfilling service requirements
  Question: How well has the service policy been communicated?
  Audit method: Take the channels of communication (web site, notice boards) and look for their impact. You may ask three persons, preferably recent joiners, to ascertain the reach of the communication.
104 Communicating the importance of fulfilling statutory and legal requirements
  Question: What are the means of communicating regulatory and legal requirements?
  Audit method: Same as above.
105 Ensuring provision of resources
  Question: How does top management provide adequate resources for establishing the service management system?
  Audit method: Check the annual budget and the allocations made for improvements related to service delivery and customer satisfaction.
106 Conducting management reviews
  Question: Have management reviews been conducted as required by the manual?
  Audit method: Check the minutes of meetings and the presence of top management among the attendees. Check for actions.
107 Ensuring risks are assessed and managed
  Question: How well has the risk assessment process been deployed?
  Audit method: Is a risk assessment system in place for each service?

Clause 4.1.2
111 Establishment of service policy as per a) to e)
  Question: Has the service policy been reviewed for adequacy? At what periodicity is it reviewed?
  Audit method: Check with people how well they understand the policy and how they have internalised it in their functions.

Clause 4.1.3
121 Defining authorities and responsibilities
  Question: Is the present organisation chart comprehensive enough to include all responsibilities envisaged by the standard?
  Audit method: Select a few aspects of service management, such as information security, and check whether the roles have been clearly defined. Look across all locations and check for overlaps and gaps.
122 Documented procedure for communication
  Question: Is a documented procedure for internal communication available?
  Audit method: Check the instances in which the procedure has been deployed, such as the appointment of the MR or the internal audit schedule.

Clause 4.1.4
131 Appointment of MR
  Question: Has the MR been appointed from the internal staff? Does the MR have the mandate required to carry out the responsibilities defined in the standard?
  Audit method: Look for the appointment letter and check whether the role reports to top management.
132 MR's work (see a) to e))
  Audit method: Take two or three areas from the standard, such as a) planning of internal audits, b) reports to top management on implementation of the standard, or c) the status of licences for software products used as part of service delivery.

Clause 4.2
133 Governance of processes operated by other parties (see a) to d))
  Question: How is the governance process led by top management? Which internal groups and vendors are currently covered by the governance process?
  Audit method: Check that a) a service provider and vendor selection mechanism exists, b) vendors have defined the service delivery processes, and c) accountability exists for the processes. This overlaps with clause 7.2 for external suppliers and clause 6.1 for internal groups.

Clause 4.3.1
141 Establishing and maintaining documents
  Question: Is there a master list of documents? Are documents released only after due approval? Is there a system for version control?
  Audit method: Check a few entries in the master list against the actual documents, and check a few documents and trace them back to the master list for the correct version.

Clause 4.3.2
151 Control of documents procedure
  Question: Is there a procedure for control of documents, and is it followed?
  Audit method: Take some key documents, such as service level agreements or service catalogues, and check all aspects of conformance to the document control procedure.

Clause 4.3.3
161 Control of records procedure
  Question: Is there a procedure for control of records, and is it followed?
  Audit method: Take some key records, such as backup records or audit reports, and check all aspects of conformance to the procedure.

Clause 4.4.1
171 Determination and provision of resources
  Question: How timely are resources provided to enable the company to improve the service management system and customer satisfaction?
  Audit method: Take a few resource requests from associates, such as a requirement for software, and check that they have been approved according to priority. Note any case of customer dissatisfaction due to inadequate provision of resources.

Clause 4.4.2
181 Competency determination for personnel
  Question: Is there a process for determining the competency of existing people and providing the necessary training (or taking other actions) to improve it?
  Audit method: For 10% of the key resources across functions (or 20, whichever is less), check that competencies are mapped and that, where there are gaps, actions are taken.
182 Training for people
  Question: Is there a structured plan for training people, and is it well deployed?
  Audit method: Take the training plan/calendar and check for nominations and successful completion of programmes.

183 Evaluation of effectiveness of training
  Question: How does management evaluate the effectiveness of the training programmes (or other actions taken)?
  Audit method: Take a few training programmes conducted recently and check for the evaluation of effectiveness. If the HR or L&D department takes other actions intended to improve competencies, such as mentoring or on-the-job training, check those for effectiveness too.
184 Ensuring awareness of service management
  Question: How does management ensure that all associates and service providers are aware of the service management objectives and contribute to them?
  Audit method: Check with a few associates about their awareness of the service policy and objectives and their understanding of their role in the service management system.
185 Maintaining records
  Question: What records are maintained to demonstrate the achievement of skills by training, education and other actions?
  Audit method: Check the training records and also whether other personnel records have been updated with recently gained competencies.

Clause 4.5.1
191 Scope definition of the SMS
  Question: The scope should cover the location of customers, the locations from which service is delivered and the technology used.
  Audit method: Check the scope for comprehensiveness and for any change made recently.

Clause 4.5.2
201 Service management plan (see a) to l))
  Question: In an organisation that is a captive IT department, the service quality manual will be adequate as a service management plan; for IT organisations providing services to the market at large, a service management plan is required to exist.
  Audit method: For a captive IT organisation, this is audited as part of auditing the other requirements of the standard. For IT organisations providing services to the market at large, look for key customers who account for significant revenue and check whether the service management system has been customised (for example in incident management) to suit their priorities.

Clause 4.5.3
211 Operation of the SMS as per a) to f)
  Question: For IT organisations providing services to the market at large, how well are these aspects a) to f) understood from customers and customised?
  Audit method: In an IT organisation providing services to the market at large, look for key customers and check at least two aspects from a) to l) (for example limitations on meeting SLAs, risk management, or technology in terms of customisation).

Clause 4.5.4.2
221 Internal audit
  Question: Are internal audits conducted as per plan?
  Audit method: Look for the internal audit schedules and check the competence of auditors, timely completion of audits and filing of reports.

Clause 4.5.4.3
231 Management review
  Question: Are management reviews conducted as per plan?
  Audit method: Look for action points in management reviews and check whether they are acted upon by attendees and others. Check whether the agenda is up to date.

Clause 4.5.5.2
241 Management of improvements
  Question: Is there a service improvement plan (or plans)?
  Audit method: Check that the service improvement plans are updated with the latest incidents, NCRs and other inputs for improving the service management system.

Clause 5 Design and transition of new or changed services

Clause 5.2
301 Plan new service introduction (see a) to j))
302 Plan changed service introduction (see a) to j); make a demo plan)
  Question: How does the planning for introduction of a new service proceed? How has the planning been done for a changed service?
  Audit method: Take a service that is changed or new and check whether the planning activities are demonstrated. "New" means the service specification is different; "changed" means the scope is changed. Planning will be evident in 1. timelines, 2. the project plan, 3. review meetings, 4. team formation, and 5. finalising the requirements and validation criteria.
303 Plan for removal of service
  Question: How is the planning done for removal of a service, or in case of transitioning to other service providers?
  Audit method: Take any instance of removal of a service or transitioning to others and check whether the removal was done according to a plan.

Clause 5.3
311 Service specification (apply a) to k) selectively)
  Question: How is design and development of the service carried out?
  Audit method: Design and development of a service is seen as the preparation of service specifications, i.e. what customers can expect at their interfaces, and service delivery specifications, i.e. the elements designed to be in place, such as the availability of a server. Take any one new service and check how the service specifications are developed. These include SLAs, response time for tickets, criticality of backups, BCP etc.
312 Service delivery specification (apply a) to k) selectively)
  Audit method: Take the same new or changed services and check whether the service delivery specifications are in place. These consist of the elements of which the customer is not aware but which are important for customer satisfaction: people, IT infrastructure or communication links.
313 Quality control specification
  Audit method: Take any hardware or material elements that augment the service and check whether they are inspected.

Clause 5.4
321 Transition of new/changed service
  Question: How does the organisation verify the service before it is launched?
  Audit method: Take any service and check whether the team verified the service against the service specification and service delivery specification for a planned period and then released the service.

Clause 6

Clause 6.1 Service level management
401 Catalogue of services
  Question: Is the service catalogue available?
  Audit method: Check whether the catalogue is updated with the latest changes in service specifications.
402 SLAs for each service
403 Reviews of SLAs with customer
  Question: Are SLAs documented for each service individually? Are these SLAs being reviewed with the customer?
  Audit method: Check the tracking of SLAs. At what frequency are SLAs reported? Who on the customer's side participates in the reviews?
404 Trends of performance against targets
  Question: What are the trends? Are targets for the SLAs available?
  Audit method: Take a few services, go through the last six months' trends and check whether the trends have been analysed for instability.
405 Causal analysis of non-conformities
  Question: How are instances of non-conformity in meeting SLAs dealt with?
  Audit method: Check whether causal analysis has been carried out in instances of failure to meet SLAs.
406 Review of other groups' performance
  Question: How is the performance of other groups reviewed?
  Audit method: Check whether the performance of other groups that contribute to the service is monitored regularly. In case of gaps, do the findings trigger SIPs?

Clause 6.2
411 Service report for each service
  Question: How does IT report the status of its service to the customers?
  Audit method: Select two services and two months and go through the reports to see whether they contained all relevant information, such as backlogs, incidents, risks and workload changes.

Clause 6.3 Service continuity and availability management

Clause 6.3.1
421 Service continuity requirements
  Question: How has the IT team collected the requirements for service continuity?
  Audit method: For mission-critical services, check how service continuity requirements have been collected. These include helpdesks, ticket resolution teams etc.
422 Service availability requirements
  Question: How has the IT team collected the requirements for service availability?
  Audit method: For mission-critical and other projects, check how availability requirements for service components such as data communication or mail servers are collected.

Clause 6.3.2
431 Service continuity plan
  Question: What is the plan for service continuity and availability?
  Audit method: Check whether a BCP (business continuity plan) is available which states the strategy in case of failures.
432 Service availability plan
  Audit method: Check the BCP and check whether availability of links etc. is ensured by providing redundancy.

Clause 6.3.3
441 Service continuity testing and monitoring
  Question: How are the continuity plans tested?
  Audit method: Check the BCP drill schedule and how the drills were carried out in the last two months. Check whether reviews are held after drills and whether the reports trigger SIPs.
442 Service availability testing and monitoring
  Question: How are availability plans tested?
  Audit method: Check whether redundancy has been tested where 100% availability requirements are to be achieved.

Clause 6.4
451 Procedures for budgeting and accounting
  Question: What are the procedures for cost accounting and monitoring budgets?
  Audit method: Check whether the budget includes key aspects of the service, such as renewal of licences and payments to external service providers.

Clause 6.5
461 Capacity management
  Question: How is capacity planned in advance?
  Audit method: Look for the capacity plan for the current year, take two aspects (e.g. expected impact of revised SLAs and forecasted demand for services) and check whether the capacity plan addresses them.

Clause 6.6.1
471 Information security policy
  Question: Is there an information security policy?
  Audit method: Does the security policy address the concerns of stakeholders and define a methodical approach? Has it been communicated to all?
472 Risk management
  Question: Is the approach to security risk management defined?
  Audit method: Look for risk registers for IT assets.

Clause 6.6.2
473 Physical security controls on premises
  Question: What are the physical security controls?
  Audit method: Take two areas, such as the data centre, and check whether the physical security controls are complied with.
474 Security objectives
  Question: Are there objectives for IT security?
  Audit method: Check whether the IT security objectives are understood. Are they being communicated?
475 Controls on external organisations
  Question: Are controls defined for external organisations involved in service delivery?
  Audit method: Choose one or two external organisations and look for agreements and implementation of IT security controls.

Clause 6.6.3
476 Change request analysis
  Question: How are security risks analysed for proposed changes?
  Audit method: Go through some change requests to check whether the changes have been evaluated from a security point of view.
477 Incident register
  Question: Is there a system for registering security incidents?
  Audit method: Check the incident register for security incidents and their resolution.

Clause 7 Relationship processes

Clause 7.1
501 Account manager allocation list
  Question: Are designated account managers available for key customers?
  Audit method: For key customers, check whether an individual has been designated to ensure customer satisfaction.
502 Review of performance with customers
  Question: What is the system for performance review with customers?
  Audit method: Is a periodicity for reviews defined? Are the reviews taking place at the defined periodicity?
503 Complaint management process
  Question: How does the organisation manage its complaints? Is there a documented procedure? Is there an agreement with the customer on what constitutes a complaint?
  Audit method: Check whether complaints are recorded, investigated and acted upon. For two complaints, check the entire process up to closure. Check whether the complaints have triggered a SIP.

Clause 7.2
511 List of account managers (supplier-wise)
  Question: Are designated account managers for key suppliers available?
  Audit method: Check whether the organisation has designated individuals responsible for managing the relationship and contract with key suppliers.
512 Contract of service
  Question: Does the organisation have a documented contract with each supplier?
  Audit method: Take two contracts and check whether the important aspects (out of 7.2 a) to l)), such as workload, SLAs and reporting, are defined.
513 Relationship of lead to subcontracted suppliers
  Question: Is the relationship between the lead supplier and the sub-supplier documented?
  Audit method: Check whether the lead suppliers have subcontracts and, if so, check whether the relationship is clearly defined, e.g. back-to-back SLAs.
514 Monitoring of the performance of suppliers
  Question: How does the organisation monitor the performance of suppliers? Is there a documented procedure for resolving disputes?
  Audit method: Check whether the performance of suppliers is reviewed regularly. Check whether the results of reviews are recorded for SIPs.

Clause 8 Resolution processes

Clause 8.1 Incident and service request management
601 Procedure for dealing with service incidents
  Question: Is there a documented procedure for incident management? Does it define major and minor service incidents?
  Audit method: Take a few service incidents and track them against requirements a) to g). Check whether customers are kept informed about the status of incident resolution. Are major incidents reviewed and taken up for improvement through SIPs?
602 Procedure for dealing with service requests
  Question: Is there a documented procedure for dealing with service requests?
  Audit method: Track two service requests to see whether they have been dealt with as per the procedure.

Clause 8.2
611 Procedure for problem management
  Question: Is there a documented procedure for problem management?
  Audit method: Problems are the causes of major incidents or of repeated minor incidents/chronic service requests. Check two of these and look for a problem-solving process in place to prevent recurrence. Look for effectiveness by tracking the incidents after resolution. Look for the KEDB (known error database).

Clause 9 Control processes

Clause 9.1 Configuration management
701 Configuration management
  Question: Is there a documented procedure for configuration management?
  Audit method: Check the list of CIs: is each CI uniquely identified and recorded in a CMDB? Check whether the organisation audits the CMDB regularly.
702 Configuration management: CMDB
  Question: How are changes to CIs handled?
  Audit method: Check the traceability of CIs. Are master copies of CIs recorded in the CMDB stored in a secure physical environment?

Clause 9.2
711 Change management: change requests
  Question: Is there a documented procedure for change management?
  Audit method: Are change requests handled according to the procedure?
712 Emergency changes
  Question: How does the organisation handle emergency changes?
  Audit method: Check whether the organisation has agreed with the customer what constitutes an emergency change.
713 Change management: deploying the changes
  Audit method: Check whether the deployment of changes takes place as per the procedure. Check whether the approved changes are developed and tested. Is a schedule of changes available with dates for deployment? Are unsuccessful changes investigated? Do such investigations lead to SIPs?

Clause 9.3
721 Release and deployment policy
  Question: Has the organisation formulated a release policy? Is there a documented procedure?
  Audit method: Check whether the plans for new releases are made with the agreement of the customer.
722 Definition of emergency release
  Question: Is an emergency release defined?
  Audit method: Check what constitutes an emergency release and whether such releases are handled according to the procedure.
723 Monitoring success and failure of releases
  Question: How does the organisation monitor the success or failure of its releases?
  Audit method: Check whether the lessons learnt from failures are documented and taken up for service improvement.
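The CMDB checks for items 701 and 702 (every CI uniquely identified, the CMDB audited regularly, changes to CIs traceable) and the master-list trace in item 141 are the same reconciliation exercise: compare what the register says against what actually exists, in both directions. The script below is an added example to show what that audit looks like when done over exported data; it is not part of the original checklist and not any organisation's tooling. The CMDB export and the discovery result are constructed inline, and the field names (ci_id, name, type, version, owner) are assumptions for the illustration.

```python
"""Reconcile a CMDB export against a discovered inventory (added example).

All records and field names below are constructed for the illustration; a
real audit would load the CMDB export and the scanner/agent inventory from
files instead of the literals used here.
"""
from collections import Counter

# Constructed CMDB export: what the register claims is in service.
CMDB = [
    {"ci_id": "SRV-001", "name": "mail-01", "type": "server", "version": "2.3", "owner": "ops"},
    {"ci_id": "SRV-002", "name": "web-01", "type": "server", "version": "1.0", "owner": "ops"},
    # Same ci_id reused for a second record: breaks unique identification (item 701).
    {"ci_id": "SRV-002", "name": "web-01-dup", "type": "server", "version": "1.0", "owner": ""},
    {"ci_id": "SRV-003", "name": "db-01", "type": "server", "version": "5.7", "owner": "dba"},
    {"ci_id": "NET-010", "name": "core-sw", "type": "switch", "version": "9.1", "owner": "net"},
]

# Constructed discovery result: what a scanner or agent inventory actually found.
DISCOVERED = [
    {"name": "mail-01", "version": "2.3"},
    {"name": "web-01", "version": "1.1"},   # running version differs from the register
    {"name": "db-01", "version": "5.7"},
    {"name": "jump-07", "version": "1.0"},  # present on the network, absent from the CMDB
]


def audit_cmdb(cmdb, discovered):
    """Compare register and reality in both directions and return the findings.

    duplicate_ids : ci_id values used by more than one record (item 701)
    unrecorded    : discovered assets with no CMDB record (unmanaged CIs)
    stale         : CMDB records for which nothing was discovered
    drift         : CIs whose recorded version differs from the observed one
                    (an untracked change to a CI, item 702 / clause 9.2)
    missing_owner : records with no accountable owner
    """
    id_counts = Counter(r["ci_id"] for r in cmdb)
    duplicate_ids = sorted(i for i, n in id_counts.items() if n > 1)

    recorded = {r["name"]: r for r in cmdb}
    observed = {d["name"]: d for d in discovered}

    unrecorded = sorted(n for n in observed if n not in recorded)
    stale = sorted(n for n in recorded if n not in observed)
    drift = sorted(
        n for n in observed
        if n in recorded and recorded[n]["version"] != observed[n]["version"]
    )
    missing_owner = sorted(r["ci_id"] for r in cmdb if not r["owner"].strip())

    return {
        "duplicate_ids": duplicate_ids,
        "unrecorded": unrecorded,
        "stale": stale,
        "drift": drift,
        "missing_owner": missing_owner,
    }


def nonconformity_count(findings):
    """Total number of individual findings; zero means register and reality agree."""
    return sum(len(v) for v in findings.values())


if __name__ == "__main__":
    result = audit_cmdb(CMDB, DISCOVERED)
    for category, items in result.items():
        print(f"{category:14s} {', '.join(items) if items else '-'}")
    print("total findings:", nonconformity_count(result))
```

On the constructed data the script reports one duplicate identifier, one unrecorded host, two stale records, one version drift and one record without an owner. Each list is a sampling frame for the auditor: "unrecorded" and "stale" entries go to item 701, "drift" entries to item 702 and to the change request trail under clause 9.2, and records without an owner to the accountability check in item 121.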

Abbreviations used in checklist:

1. CMDB - Configuration management database
2. CI - Configuration item
3. ISO - International Organization for Standardization
4. MR - Management representative
5. SIP - Service improvement plan
6. SLA - Service level agreement
7. SMS - Service management system
8. For all other terms used, definitions are as per clause 3 of the ISO 20000-1:2011 standard.

Notes:

For information on the conduct of internal audits, please refer to ISO 19011. The above checklist is intended only for organisations at the start of their implementation journey. Hence the auditors need to spend more time even on questions related to the documentation part of the system. As organisations mature, such questions are not essential and the auditor can instead spend more time checking effectiveness. Time allocation is not given in the checklist; auditors are expected to customise the checklist in terms of the time allocated to individual areas.

Author profile: C P Chandrasekaran is a practising quality management consultant and an empanelled third-party auditor for IT organisations. He has about 15 years' experience in quality system consulting and auditing. He lives in Pune, India, and his email address is cpchandrasekaran@gmail.com.
