ISO 200001:2011 Clause no 4
4.1.1
Checklist Brief Description item no
Questions- (for initial level system implemented <1 year)
Audit methods and Expected evidences
4.1 Service Management system/Management Responsibility 101 Management commitment -Service Policy, scope
Has the management established a service policy and objectives?
102 Objectives for service management
Are objectives derived from the service policy?
103 communicating the importance of fulfilling service requirements
How well has the communication on service policy been done?
104 communicating the importance of fulfilling statutory and legal requirements 105 ensuring provision of resources
What are the means of communicating the regulatory and legal requirements ?
Look for the date of release of policy, authorisation, evidences of wide publicity Look for function/dept wise objectives. Check for a review that objectives are current and address the various elements of policy. Take the channels of communication (web site, notice boards) and look for the impact. You may ask 3 persons , preferably those who have joined recently and ascertain the reach of the communication same as above
106 conducting management reviews
4.1.2
107 Ensuring risks are assessed and managed 111 Establishment of service policy as per a to e
How does the top management provide adequate resources for the establishment of a service management system ? Have the management reviews been conducted as required by the manual? How well the process of risk assessment been deployed? Has the service policy been reviewed for adequacy? In what periodicity is it reviewed?
Check annual budget and the allocations made for improvements related to service delivery and customer satisfaction. check the Minutes of Meeting and the presence of top management among attendees. check for actions. Is there a risk assessment system for each service in place? Check with people how well they understand the policy and how they have internalised it in their functions.
ISO 200001:2011 Clause no 4.1.3
4.1.4
4.2
Checklist Brief Description item no
Questions- (for initial level system implemented <1 year)
Audit methods and Expected evidences
121 Defining authorities and responsibilities
Is the present organisation chart comprehensive enough to include all responsibilities as envisaged by the standard?
Select a few aspects of service management like Information security and check whether the roles have been clearly defined. Look for all locations and check for overlaps and gaps.
122 documented procedure for communication
Is a documented procedure for internal communication available?
Check for the instances in which the procedure has been deployed. Like appointment of MR or internal audit schedule.
131 Appointment of MR
Has the MR been appointed from the internal staff?
Look for the appointment letter and check whether the role is reporting is to the top management.
132 MR's work (see a to e)
Does MR have the required mandate to carry out his/her responsibilities as defined in the standard?
Take two or three areas from standard like a) planning of internal audits b) reports to top management on implementation of standard or c) the status of licenses for software products used as part of service delivery
133 Governance of processes under others ( see a to d)
How is the Governance process led by top management? Which are the internal groups and vendors who are covered by the Governance process currently?
Check that the a) service providers and vendor selection mechanism exists b) vendors have defined the service delivery processes c) accountability exists for processes. This has to overlap with cl no 7.2for external suppliers and 6.1 for internal groups.
ISO 200001:2011 Clause no 4.3.1
Checklist Brief Description item no
Questions- (for initial level system implemented <1 year)
Audit methods and Expected evidences
141 Establishing and maintaining documents
is there a master list of documents? Are the release of documents done after due approval? Is there a system for version control?
Check a few entries in master list verify with actual documents , and check a few documents and trace it to the master list for correct version.
4.3.2
151 Control of DocumentsProcedure
Is there a procedure for control of documents and is it followed?
Take some key documents like Service level agreements or service catalogues and check for all aspects of conformance to documents control procedure
4.3.3
161 Control of Recordsprocedure
Is there a procedure for control of records and is it followed?
Take some key records like back up records or audit reports and check for all aspects of conformance to procedure
4.4.1
171 Determination of resources and provision
How timely the resources are provided to enable the company to improve service management system and customer satisfaction?
Take a few resource requests from associates like requirement for software and check that they have been approved depending on priority. Note any case of customer dissatisfaction due to inadequacy in provision of resources.
4.4.2
181 Competency determination for personnel
Is there a process for determining the competency of existing people and providing the necessary training (or taking other actions) to improve them?
Check for 10% (20 which ever is lesser) of the key resources across functions that competencies are mapped and if there are gaps, actions are taken.
182 Training for people
is there a structured plan for training people and is it well deployed
Take the training plan/calendar and check for the successful completion of programmes, nominations
ISO 200001:2011 Clause no
4.5.1
Checklist Brief Description item no
Questions-( for initial level system implemented< 1 year)
Audit methods and Expected evidences
183 evaluation of effectiveness of training
How does the management evaluate the effectiveness of the training programmes ( or other actions taken)?
Take a few training programmes conducted recently and check for the evaluation of effectiveness. If the HR or L&D dept has any other actions like mentoring or on the job training intended to improve competencies those also are to be checked for effectiveness.
184 ensuring awareness of the service management
How does the management ensure that all the associates and service providers are aware of the Service management objectives and contribute to them?
Check with a few associates about their awareness of Service policy and objectives and about the understanding of their role in service management system.
185 Maintaining records
What are the records maintained to demonstrate the achievement of skills by training, education and other actions?
check the training records and also the updating of other personnel records for the competencies they had gained recently.
191 scope definition of SMS
Scope should cover location of customers , location wherefrom service is delivered and the technology used.
Check the scope for its comprehensiveness and for any change made recently.
ISO 200001:2011 Clause no 4.5.2
Checklist Brief Description item no
Questions- (for initial level system implemented <1 year)
Audit methods and Expected evidences
201
service management plan see a to l
In an organisation which is a captive IT dept their service Quality manual will be adequate as a service management plan but for IT organisations which are providing services to the world at large the service management plan is required to be existing.
4.5.3
211
Operation of SMS as per a to f
4.5.4.2
221
Internal audit
For the captive IT organisation, this is audited as a part of auditing other requirements of standard. For IT organisations which are providing services to market at large, how well these aspects a to f are understood from customers and customised? Are internal audits conducted as per plan?
For IT organisations which are providing services to market at large, look for key customers who account for significant revenue and check whether service management system has been customised (like in incident management) to suit their priorities. In the IT organisation which is providing services to market at large, look for key customers and check atleast two aspects from a to l (like limitations of meeting SLAs, risk management , technology in terms of customisation)
4.5.4.3
231
Management review
are management reviews conducted as per plan ?
4.5.5.2
241
Management of Improvements.
Is there a service improvement plan (or plans?)
Look for the internal audit schedules and check for competence of auditors, timely completion of audits and filing of reports. Look for action points in management reviews and check whether they are acted upon by attendees and others. Check whether the agenda is up to date. Check that the service improvement plans are updated with latest incidents or NCRs and other inputs for improving the service management system.
ISO 200001:2011 Clause no
Checklist Brief Description item no
Questions-( for initial level system implemented< 1 year)
Audit methods and Expected evidences
Take a service which is changed or a service which is new and check whether the planning activities are demonstrated. New means the service spec is different and change means that the scope is changed. Planning will be evident in a. timelines 2. Project plan. 3. Review meetings. 4. Team formation. 5. Finalising the requirements and validation criteria. Take any instance of removal of a service or transitioning to others and check whether the removal was done according to a plan.
5
Design and transition of new or changed services
5.2
301 Plan new services Introduction see a to j302 Plan for changed service introduction see a to j -make a demo plan
How the planning for introduction of a new service go on? how the planning has been done for changed service?
303 Plan for removal of service
How is the planning done for removal of service? Or incase of transitioning to other service providers?
ISO 200001:2011 Clause no 5.3
5.4
Checklist Brief Description item no
Questions-( for initial level system implemented< 1 year)
Audit methods and Expected evidences
311
Service specification apply a to k selectively
How is design and development of service carried out?
312
Service Delivery specification (apply a to k selectively)
313
Quality Control Specification
321
Transition of new/changed service
Design and development of service is seen as the preparation of service specs ie what customers can expect at their interfaces and service delivery specs ie what are the elements designed to be in place like the availability of server. Take any one new service and check how the service specs are developed . these include SLAs, response time for tickets , criticality of backups, BCP etc. Take the same two new services changed or new and check whether the service delivery specs which are consisting of those elements about which customer is not aware but at the same time are important for customer satisfaction. These could be people , IT infrastructure or communication link. Take any elements which are hardware or material which go to augment the service and check whether they are inspected . take any service and check whether the team verified the service with service spec and service delivery spec for a planned period and then released the service
How does the organisation verify the service before it is launched?
ISO 200001:2011 Clause no
Checklist Brief Description item no
Questions-( for initial level system implemented< 1 year)
Audit methods and Expected evidences
Check whether the catalogue is updated with the latest changes in service specifications
6
Service level management
6.1
401 Catalogue of services
Is the service catalogue available?
402 SLAs for each service 403 Reviews of SLAs with customer
Are SLAS documented for each service individually? Are these SLAs being reviewed with customer?
404 Trends of performances against targets
what are the trends ? are targets for the SLAs available?
405 causal analyses of non conformities
How instances of non conformities in meeting SLAs are dealt with?
406 Review of other groups' performances
How are other groups' performances reviewed?
411 Service report for each service
How does the IT report about the status of its service to the customers?
6.2
Check the tracking of SLAs. What is the frequency in which SLAs are reported ? Who in customer's side participates in the reviews? Take a few services and go through last six months trends check whether the trends have been analysed for instability. Check whether in instances of failure to meet SLAs causal analysis have been carried out. check whether the performance of other groups which contribute to the service are monitored regularly. In case of gaps, do the findings trigger some SIPs? Select two services and two months and go through to see whether the report contained all relevant information. Like backlogs, incidents, risks and workload changes. .
ISO 200001:2011 Clause no 6.3
Checklist Brief Description item no
6.3.1
421
6.3.2
6.3.3
6.4
Questions-( for initial level system implemented< 1 year)
Audit methods and Expected evidences
service continuity requirements
how has the IT team collected the requirements for service continuity?
422
service availability requirements
How has the IT team collected the requirements for service availability??
431
service continuity plan
what is the plan for service continuity and availability ?
432
service availability plan
Check for mission critical services how service continuity requirements have been collected. These include helpdesks, ticket resolution teams etc Check for mission critical and other projects how availability requirements for service components like data communication or mail servers are collected Check whether a BCP (business continuity plan ) is available which states the strategy in case of failures Check for BCP plan and check whether availability of link etc is available by providing redundancy.
441
service continuity testing and monitoring
How are the continuity plans getting tested?
442
service availability testing and monitoring
How are availability plans getting tested?
451
Procedures for budgeting and accounting
what are the procedures for cost accounting and monitoring budgets?
Service continuity and availability management
Check BCP drill schedule and how are they carried out in the last two months. Check whether reviews are taken after drills and whether the reports trigger SIPs Check whether redundancy has been tested in case of achieving 100% availability requirements. Check whether budget includes key aspects of service like renewal of license, payments to external service providers
ISO 200001:2011 Clause no 6.5
Checklist Brief Description item no
Questions-( for initial level system implemented< 1 year)
Audit methods and Expected evidences
461
Capacity management
How is the capacity being planned in advance?
6.6.1
471
Information security policy
Is there an information security policy?
472
Risk Management
Is the approach to security risk management defined ?
Look for capacity plan for the current year and take two aspects eg expected impact of revised SLAs and forecasted demand for services and check whether capacity plan addresses the same. Does the security policy address the concern of stakeholders and define a methodical approach? Has it been communicated to all? Look for risk registers for IT assets.
473
Physical security controls on premises
What are the physical security controls?
Take two areas like data centre and check whether physical security controls are complied with.
474
Security Objectives
Are these objectives for IT security?
Check whether IT security objectives are understood . Are they being communicated?
475
controls on external organisations
Are controls defined for external organisations who are involved in service delivery?
476
change request analysis
How are security risks analysed for changes proposed?
477
Incidents register
Is there a system for registering security incidents?
Choose one or two external organisations and look for agreements and implementation of IT security controls. Go through some change requests to check whether these changes have been evaluated from security point of view Check the incident register for security incidents and their resolution.
6.6.2
6.6.3
ISO Checklist Brief Description 20000- item no 1:2011 Clause 7 Relationship processes 7.1
7.2
Questions-( for initial level system implemented< 1 year)
Audit methods and Expected evidences
501 Account manager allocation list
Are designated account managers available for key customers?
502 Review of performance with customers
what is the system for performance review with customers?
503 complaint management process
How does the organisation manage its complaints? Is there a documented procedure? Is there an agreement with customer on what is a complaint?
511 List of account managers (supplier wise)
Are designated account managers for key suppliers available?
512 contract of service
Does organisation have a documented contract with each supplier?
513 relationship of lead to subcontracted suppliers
are the relationship between lead supplier and the sub supplier documented?
514 monitoring of the performance of suppliers
How does the organisation monitor the performance of suppliers? Is here a documented procedure for resolving disputes?
For key customers check whether an individual has been designated to ensure customer satisfaction. Is periodicity for reviews defined? Are the reviews taking place as per the defined periodicity? Check whether the complaints are recorded, investigated and acted upon. Check for two complaints the entire process up to closure. Check whether the complaints have triggered a SIP. Check whether the organisation as designated individuals who are responsible for managing relationship and contract with key suppliers. Take two contracts and check whether important aspects (out of 7.2.a to l) like workload, SLAs, reporting etc are defined. Check whether the lead suppliers have sub contracts and in that case check whether the relationship is clearly defined like back to back SLAs. check whether the performance of suppliers is reviewed regularly. Check whether the results of reviews are getting recorded for SIPs
ISO 200001:2011 Clause 8
Checklist Brief Description item no
8.2
Audit methods and Expected evidences
Take a few service incidents and track as per the requirements a to g. check whether customers kept informed about the status of resolution of incident are major incidents reviewed and taken up for improvement through SIPs? Track two service requests whether they have been dealt with as per the procedure Problems are causes for major incidents or repeated minor incidents/chronic service requests. Check two of the above and look for a problem solving process in place to prevent their recurrence. Look for effectiveness by tracking the incidents post resolution. Look for KEDB. (Known error data base)
Resolution processes
8.1
8.1
Questions-( for initial level system implemented< 1 year)
Incident and service request management 601
procedure for dealing with service incidents
Is there a documented procedure for dealing with incident management ? Does it define major and minor service incidents?
602
Procedure for dealing with service requests
Is there a documented procedure for dealing with service request ?
611
Procedure for problem management
is there a documented procedure for resolution management?
ISO Checklist Brief Description 20000- item no 1:2011 Clause no 9 9.1
9.2
Control processes 701 Configuration management
Questions-( for initial level system implemented< 1 year)
Audit methods and Expected evidences
Is there a documented procedure for configuration management?
Check for list of CIs . Whether each CI is uniquely identified and recorded in a CMDB. Check whether the organisation is auditing the CMDB regularly. check traceability of CIs. Are master copies of CIs recorded in CMDB stored in secure physical environment? Are change requests handled according to procedure? Check whether the organisation has agreed about what is an emergency change with customer. Check whether the approved changes are developed and tested. Is schedule of changes available with dates for deployment? Are unsuccessful changes investigated? Do such investigations lead to SIPs? check whether the plan for new releases are done with agreement of customer. Check what constitutes an emergency release and whether they are handled according to the procedure. Check whether the lessons learnt from failures are documented and are taken up for service improvement .
702 Configuration management-CMDB
How are changes to CIs handled?
711 Change Managementchange requests 712 Emergency changes
is there a documented procedure for change management? How does the organisation handle emergency changes?
713 Change management Check whether the - Deploying the deployment of changes is changes taking place as per the procedure.
9.3
721 Release and Deployment Policy
Has the organisation formulated a release policy?
722 definition of emergency release
Is emergency release defined? Is there a documented procedure?
723 monitoring success and failure of release
How does the organisation monitor success or failure of its releases?
Abbreviations used in checklist:
1. 2. 3. 4. 5. 6. 7. 8.
CMDB Configuration management data base CI- Configuration item ISO – International organisation for standardisation MR- Management Representative SIP- Service Improvement plan. SLA- Service level agreement. SMS- Service Management system For all terms used, definitions are as per clause no 3 of the ISO 20000-1:2011 standard.
Notes: For information on conduct of Internal audits, Please refer to ISO 19011. The above checklist is intended only for organisations which are at the start of the journey of implementation. Hence, the auditors need to spend more time even in questions related to the documentation part of the system. As the organisations mature, such questions are not essential and instead auditor can spend more time in checking effectiveness. In checklist, time allocation is not given and it is expected that the auditors customise the checklist in terms of the time allocation for individual areas. Author Profile: C P Chandrasekaran is a practising Quality management consultant and an empanelled third party auditor for IT organisations. He has about 15 years experience in Quality system consulting and auditing. He lives in Pune, India and his email address is [email protected]