Download
1 / 12
130 likes | 234 Vues
Auditors are there to help, they are concerned with evidence of what you do, not what you say you do - so evidence is key.<br>
E N D
ISO/IEC 20000 Audit What should I expect? Dr Don Page Marval Software www.marval.co.uk
The Auditor will start off by confirming what the scope of the ISO certification is. This will be set out in the agenda that is supplied It is a `formal` audit Appearance – looking smart may not paper over cracks of a poorly prepared company, but may help with a borderline situation www.marval.co.uk
The auditor Auditors are there to help, they are concerned with evidence of what you do, not what you say you do (so evidence is key) They are ONLY concerned with the requirements of ISO/IEC 20000 www.marval.co.uk
Format Very structured Agenda pre-set several weeks prior to audit You can request a copy of audit from the Registered Certification Body (RCB) 6 weeks before the due date Day is broken up into manageable sessions (usually 45 minutes) Each session focuses on a different process (reference is made to clauses from part 1 of the standard) Focus areas are specified in agenda e.g. licence control www.marval.co.uk
Process Owners Overall owner for ISO/IEC 20000 should be present for whole day (acting as the ‘Guide Person’) Process owners should expect to attend only the session that is relevant to their process Have printed copies of all processes available, the auditor will want to take some away www.marval.co.uk
Facilities Reserve for the duration of the audit (e.g. 2 days) a meeting room that has power, projector, telephone Ensure the room is ready for the auditor. Audits can be stressful, the less you have to do on the day the better Where using an ITSM tool to provide evidence, ensure a well specificied PC is set up beforehand, connected to the projector Have someone who is familiar with the ITSM tool available for the whole day to present any evidence captured www.marval.co.uk
The Day itself The more ‘evidence’ that can be prepared beforehand, the easier the audit will be The auditor asks specific questions about how you ‘conform to a process’, so be specific in your answers Avoid waffle! If you don’t understand the question, don’t be afraid to ask for clarification www.marval.co.uk
Pre-prepared evidence Quarterly summary reports relating to individual processes Audit records - these must include outcomes and resolutions Reports that relate to processes e.g. Change Management will need to demonstrate that Changes have gone through the correct workflow as stated in your process Make sure training records are up to date, job descriptions, together with overall Management summaries for the year CMDB is up to date - make sure that any assets that are used in the audit are 100% accurate e.g. that server that has been under a desk for ages! www.marval.co.uk
Ensure ‘Management’ is present for the opening and closing meetings. This is imperative, since one of the founding principles of ISO/IEC 20000 is management buy in The auditor will, at some point, ask to speak to staff who use the processes (e.g. the service desk, change executor). Ensure they are well prepared and know the basics of what they do in relation to policies, processes and procedures (e.g. INC, CHG, PRB Management). www.marval.co.uk
What happens at the end of the audit? The auditor will debrief the ISO/IEC 20000 owner on findings of the audit www.marval.co.uk
What next? Action any non-conformances that were raised (you have 45 days for major and 90 for minor). The auditor may come back to check on a major non-conformance but won’t return to follow up any minor non- conformances. These will be checked at the next scheduled audit Internally you should debrief all those involved and start to prepare for the next audit Feedback to the business the result. Be honest in what you say to the business, this is part of the whole lifecycle approach e.g. ‘we passed’, ‘we made some mistakes’ and ‘this is how we are correcting them’ www.marval.co.uk
