ISO/IEC 20000-1:2018
Service Management System
AUDIT CHECKLIST
Organization Name:
Audit Date(s):
Lead Auditor:
Audit Team Members:
Auditee Representative:
Scope of Audit:
Standard Version: ISO/IEC 20000-1:2018
Audit Type: ☐ Internal ☐ Stage 1 ☐ Stage 2 ☐ Surveillance ☐ Recertification
Previous Audit Ref:
Report Status: ☐ Draft ☐ Final
Checklist Legend
| Symbol | Meaning |
|---|---|
| Conform | The requirement is fully met. Evidence sighted and verified. |
| Minor NC | A single lapse or isolated failure to meet a requirement; risk is low. Corrective action required within agreed timeframe. |
| Major NC | Absence of or total breakdown of a requirement; significant risk to service delivery. Corrective action required before certification/surveillance can be confirmed. |
Audit Instructions & Notes
This checklist covers all clauses of ISO/IEC 20000-1:2018 relevant to an SMS audit. Each item should be assessed by reviewing documented information, interviewing responsible personnel, and observing operations where applicable.
Evidence Collection Approach:
• Document Review: Policies, procedures, plans, records, logs, and reports.
• Interviews: Question process owners, service managers, and technical staff.
• Observation: Witness processes in action and inspect toolsets (e.g., ITSM platform, CMDB).
• Sampling: Select a representative sample of incidents, changes, releases, and supplier reviews.
Grading: Mark the appropriate column (Conform / Minor NC / Major NC) for each checklist item. Record objective evidence, observations, and findings in a separate audit report.
Audit Summary (Complete at end of audit)
Total Conformances
Total Minor NCs
Total Major NCs
Overall Audit Conclusion: ☐ Recommend for Certification / Surveillance Confirmed ☐ Recommend with Minor NCs (closure required) ☐ Major NCs – Re-audit Required
Lead Auditor Signature: ___________________________________________ Date: ____________________
Auditee Representative Signature: ___________________________________ Date: ____________________
Audit Checklist — All Clauses
Instructions: For each item, tick one column: Conform (C), Minor Non-Conformance (MNC), or Major Non-Conformance (NC). Record evidence references in your audit notes.
Columns: Clause Ref, Audit Check Item, Audit Guidance / Evidence Required, Conform, Minor NC, Major NC.
4. Context of the Organization
| Clause Ref | Audit Check Item | Audit Guidance / Evidence Required | Conform | Minor NC | Major NC |
|---|---|---|---|---|---|
| 4.1 | Understanding the organization and its context — Has the organization determined external and internal issues relevant to its purpose that affect its ability to achieve intended outcomes of the SMS? | Review documented issues register or SWOT/PESTLE analysis | ☐ | ☐ | ☐ |
| 4.1 | Understanding the organization and its context — Are issues monitored and reviewed periodically? | Check review records / meeting minutes | ☐ | ☐ | ☐ |
| 4.2 | Understanding the needs and expectations of interested parties — Has the organization determined interested parties relevant to the SMS and their requirements? | Review stakeholder register | ☐ | ☐ | ☐ |
| 4.2 | Understanding the needs and expectations of interested parties — Are requirements of interested parties monitored and reviewed? | Confirm review frequency and records | ☐ | ☐ | ☐ |
| 4.3 | Determining the scope of the SMS — Is the scope of the SMS documented, maintained, and available? | Inspect scope statement document | ☐ | ☐ | ☐ |
| 4.3 | Determining the scope of the SMS — Does the scope include the services, service components, and organizational units covered? | Cross-check scope against service catalogue | ☐ | ☐ | ☐ |
| 4.3 | Determining the scope of the SMS — Are exclusions from the scope justified? | Review exclusion rationale in scope document | ☐ | ☐ | ☐ |
| 4.4 | Service management system (SMS) — Has the organization established, implemented, maintained, and continually improved an SMS? | Review SMS documentation framework | ☐ | ☐ | ☐ |
| 4.4 | Service management system (SMS) — Are processes and their interactions determined? | Check process map / RACI matrix | ☐ | ☐ | ☐ |
5. Leadership
| Clause Ref | Audit Check Item | Audit Guidance / Evidence Required | Conform | Minor NC | Major NC |
|---|---|---|---|---|---|
| 5.1 | Leadership and commitment — Does top management demonstrate commitment to the SMS by ensuring policies and objectives are established? | Interview top management; review signed policy | ☐ | ☐ | ☐ |
| 5.1 | Leadership and commitment — Does top management ensure integration of SMS requirements into business processes? | Review business plans and budgets | ☐ | ☐ | ☐ |
| 5.1 | Leadership and commitment — Does top management promote continual improvement? | Check improvement initiatives and records | ☐ | ☐ | ☐ |
| 5.2 | Policy — Is there a documented service management policy aligned with the strategic direction of the organization? | Review policy document for completeness | ☐ | ☐ | ☐ |
| 5.2 | Policy — Does the policy include a commitment to satisfy applicable requirements and to continual improvement? | Review policy content | ☐ | ☐ | ☐ |
| 5.2 | Policy — Is the policy communicated, understood, and applied within the organization? | Check training records and staff awareness | ☐ | ☐ | ☐ |
| 5.3 | Organizational roles, responsibilities, and authorities — Are roles, responsibilities, and authorities assigned and communicated? | Review org chart, job descriptions, RACI | ☐ | ☐ | ☐ |
| 5.3 | Organizational roles, responsibilities, and authorities — Is a service management representative appointed with appropriate authority? | Verify appointment and authority level | ☐ | ☐ | ☐ |
6. Planning
| Clause Ref | Audit Check Item | Audit Guidance / Evidence Required | Conform | Minor NC | Major NC |
|---|---|---|---|---|---|
| 6.1 | Actions to address risks and opportunities — Has the organization determined risks and opportunities that need to be addressed for the SMS? | Review risk register | ☐ | ☐ | ☐ |
| 6.1 | Actions to address risks and opportunities — Are actions planned to address risks and opportunities, and are they integrated into SMS processes? | Review risk treatment plans | ☐ | ☐ | ☐ |
| 6.1 | Actions to address risks and opportunities — Is the effectiveness of actions evaluated? | Check risk review meeting records | ☐ | ☐ | ☐ |
| 6.2 | Objectives and planning to achieve them — Are service management objectives established at relevant functions and levels? | Review objectives documentation | ☐ | ☐ | ☐ |
| 6.2 | Objectives and planning to achieve them — Are objectives measurable, monitored, communicated, and updated? | Check KPIs and measurement records | ☐ | ☐ | ☐ |
| 6.2 | Objectives and planning to achieve them — Is there a plan for how objectives will be achieved (who, what, resources, timeframe)? | Review objective plans/roadmaps | ☐ | ☐ | ☐ |
| 6.3 | Planning of changes — Are changes to the SMS planned in a controlled manner considering purpose, consequences, resources, and responsibilities? | Review change management records for SMS changes | ☐ | ☐ | ☐ |
7. Support
| Clause Ref | Audit Check Item | Audit Guidance / Evidence Required | Conform | Minor NC | Major NC |
|---|---|---|---|---|---|
| 7.1 | Resources — Does the organization determine and provide resources needed for the SMS? | Review resource allocation and budgets | ☐ | ☐ | ☐ |
| 7.2 | Competence — Are necessary competencies determined for staff affecting SMS performance? | Review competency framework | ☐ | ☐ | ☐ |
| 7.2 | Competence — Do staff have appropriate education, training, or experience? | Check CVs, training records, certifications | ☐ | ☐ | ☐ |
| 7.2 | Competence — Are actions taken to acquire necessary competence and is effectiveness evaluated? | Review training needs analysis and post-training assessments | ☐ | ☐ | ☐ |
| 7.3 | Awareness — Are persons performing work under the SMS aware of the policy, objectives, and their contribution? | Conduct staff interviews; check awareness training records | ☐ | ☐ | ☐ |
| 7.4 | Communication — Are internal and external communications relevant to the SMS determined (what, when, with whom, how)? | Review communication plan | ☐ | ☐ | ☐ |
| 7.5 | Documented information – General — Does the SMS include documented information required by the standard and determined as necessary by the organization? | Review document register against standard requirements | ☐ | ☐ | ☐ |
| 7.5 | Documented information – Creating and updating — Is documented information identified (title, date, author), formatted, reviewed, and approved appropriately? | Sample check documents for metadata and approval | ☐ | ☐ | ☐ |
| 7.5 | Documented information – Control — Is documented information controlled (available, protected, distributed, stored, retained, disposed)? | Review document control procedure and evidence | ☐ | ☐ | ☐ |
8. Operation
| Clause Ref | Audit Check Item | Audit Guidance / Evidence Required | Conform | Minor NC | Major NC |
|---|---|---|---|---|---|
| 8.1 | Operational planning and control — Are processes planned, implemented, controlled, and maintained to meet requirements and achieve objectives? | Review process documentation and records | ☐ | ☐ | ☐ |
| 8.1 | Operational planning and control — Are planned changes controlled and unintended changes reviewed for impact? | Review change log | ☐ | ☐ | ☐ |
| 8.2 | Service portfolio — Is there a defined service portfolio covering services through the lifecycle? | Review service portfolio/catalogue documentation | ☐ | ☐ | ☐ |
| 8.2 | Service portfolio — Is the service portfolio reviewed and updated? | Check review records and version history | ☐ | ☐ | ☐ |
| 8.3 | Relationship and agreement – General — Are relationships and agreements managed across customers, suppliers, and internal teams? | Review relationship management policy | ☐ | ☐ | ☐ |
| 8.3.2 | Business relationship management — Are customer relationships established and maintained to understand requirements and satisfaction? | Review customer meeting minutes and satisfaction data | ☐ | ☐ | ☐ |
| 8.3.3 | Service level management — Are service level agreements (SLAs) documented, agreed, monitored, and reviewed? | Inspect current SLAs and performance reports | ☐ | ☐ | ☐ |
| 8.3.3 | Service level management — Are SLA breaches identified and addressed? | Review breach reports and corrective actions | ☐ | ☐ | ☐ |
| 8.3.4 | Supplier management — Are supplier requirements documented in underpinning contracts or agreements? | Inspect supplier contracts and OLAs | ☐ | ☐ | ☐ |
| 8.3.4 | Supplier management — Is supplier performance monitored against agreed requirements? | Review supplier review records and scorecards | ☐ | ☐ | ☐ |
| 8.4 | Supply and demand – Capacity and demand management — Is current and future demand for services forecasted? | Review capacity planning documents | ☐ | ☐ | ☐ |
| 8.4 | Supply and demand – Capacity and demand management — Are capacity plans in place to meet demand? | Check capacity plans vs actual utilization reports | ☐ | ☐ | ☐ |
| 8.4.2 | Budgeting and accounting for services — Are budgeting and accounting processes in place for services? | Review financial management process and reports | ☐ | ☐ | ☐ |
| 8.5 | Design, build, and transition – General — Are new or changed services designed, built, tested, and transitioned in a controlled manner? | Review project/release documentation | ☐ | ☐ | ☐ |
| 8.5.2 | Design and transition of new or changed services — Is there a formal process to plan and manage the introduction of new or changed services? | Review change/release management process | ☐ | ☐ | ☐ |
| 8.5.3 | Release management — Are releases planned, scheduled, tested, and authorized before deployment? | Review release records and CAB minutes | ☐ | ☐ | ☐ |
| 8.6 | Resolution and fulfilment – Incident management — Is there a documented incident management process covering identification, recording, classification, and resolution? | Review incident management process and records | ☐ | ☐ | ☐ |
| 8.6 | Resolution and fulfilment – Incident management — Are incidents prioritized and resolved within agreed timeframes? | Check incident data against SLA targets | ☐ | ☐ | ☐ |
| 8.6 | Resolution and fulfilment – Incident management — Are major incidents identified and managed separately? | Review major incident reports | ☐ | ☐ | ☐ |
| 8.6.2 | Service request management — Are service requests managed within a defined fulfillment process? | Review request catalogue and fulfillment data | ☐ | ☐ | ☐ |
| 8.6.3 | Problem management — Is there a problem management process covering identification, logging, investigation, and resolution? | Review problem records and root cause analyses | ☐ | ☐ | ☐ |
| 8.6.3 | Problem management — Are known errors documented and workarounds communicated? | Check known error database | ☐ | ☐ | ☐ |
| 8.7 | Service assurance – Service availability management — Are availability requirements documented and monitored? | Review availability plans and reports | ☐ | ☐ | ☐ |
| 8.7 | Service assurance – Service availability management — Are availability targets agreed in SLAs and tracked? | Cross-reference SLA vs availability reports | ☐ | ☐ | ☐ |
| 8.7.2 | Service continuity management — Are service continuity plans documented, tested, and maintained? | Review continuity plans and test reports | ☐ | ☐ | ☐ |
| 8.7.2 | Service continuity management — Is business impact analysis (BIA) performed and recovery objectives defined? | Review BIA documentation | ☐ | ☐ | ☐ |
| 8.7.3 | Information security management — Are information security policies established and implemented within the SMS? | Review security policies aligned to SMS | ☐ | ☐ | ☐ |
| 8.7.3 | Information security management — Are information security incidents managed? | Check security incident log | ☐ | ☐ | ☐ |
| 8.7.4 | Configuration management — Is there a configuration management process with a defined configuration management database (CMDB)? | Review CMDB / CMS and process documentation | ☐ | ☐ | ☐ |
| 8.7.4 | Configuration management — Are CIs identified, recorded, and controlled? | Sample CMDB records for accuracy | ☐ | ☐ | ☐ |
| 8.7.4 | Configuration management — Are CMDB records verified and audited? | Review CMDB audit/verification records | ☐ | ☐ | ☐ |
9. Performance Evaluation
| Clause Ref | Audit Check Item | Audit Guidance / Evidence Required | Conform | Minor NC | Major NC |
|---|---|---|---|---|---|
| 9.1 | Monitoring, measurement, analysis, and evaluation — Has the organization determined what needs to be monitored and measured, methods, and when analysis will occur? | Review measurement framework and KPIs | ☐ | ☐ | ☐ |
| 9.1 | Monitoring, measurement, analysis, and evaluation — Are the results of monitoring evaluated and acted upon? | Check performance review meeting minutes | ☐ | ☐ | ☐ |
| 9.2 | Internal audit — Are internal audits conducted at planned intervals against the standard requirements? | Review audit programme and completed audit reports | ☐ | ☐ | ☐ |
| 9.2 | Internal audit — Are auditors selected to ensure objectivity and impartiality? | Review auditor selection criteria and independence | ☐ | ☐ | ☐ |
| 9.2 | Internal audit — Are audit findings documented and corrective actions taken? | Review non-conformity reports and CAPA records | ☐ | ☐ | ☐ |
| 9.3 | Management review — Does top management conduct management reviews at planned intervals? | Review management review minutes and agenda | ☐ | ☐ | ☐ |
| 9.3 | Management review — Do management review inputs include audit results, service performance, risks, and improvement opportunities? | Inspect management review agenda and inputs | ☐ | ☐ | ☐ |
| 9.3 | Management review — Are outputs from management review documented with decisions and actions? | Review action logs from management reviews | ☐ | ☐ | ☐ |
10. Improvement
| Clause Ref | Audit Check Item | Audit Guidance / Evidence Required | Conform | Minor NC | Major NC |
|---|---|---|---|---|---|
| 10.1 | Continual improvement — Does the organization continually improve the suitability, adequacy, and effectiveness of the SMS? | Review improvement register/log | ☐ | ☐ | ☐ |
| 10.1 | Continual improvement — Are improvement objectives established and tracked? | Check improvement plan vs outcomes | ☐ | ☐ | ☐ |
| 10.2 | Nonconformity and corrective action — Are nonconformities identified, documented, and controlled? | Review nonconformity/corrective action records | ☐ | ☐ | ☐ |
| 10.2 | Nonconformity and corrective action — Is root cause analysis performed and corrective actions implemented? | Verify RCA in CAPA records | ☐ | ☐ | ☐ |
| 10.2 | Nonconformity and corrective action — Is the effectiveness of corrective actions reviewed? | Check effectiveness review records | ☐ | ☐ | ☐ |
| 10.2 | Nonconformity and corrective action — Is documented information retained as evidence of nonconformities and corrective actions? | Sample CAPA files for completeness | ☐ | ☐ | ☐ |
— END OF CHECKLIST —
