Key Takeaways
  • The most common ISO 20000-1 findings relate to the service catalogue, SLAs, supplier management, and continual improvement evidence
  • Many findings result from treating certification as a documentation exercise rather than implementing genuine service management practices
  • Process linkages — connecting incidents to problems, changes to releases, and services to configuration items — are frequently weak
  • Internal audit and management review findings are among the easiest to prevent yet remain persistently common
  • A thorough internal audit 4-6 weeks before the certification audit is your strongest prevention measure

How Audit Findings Work

During an ISO 20000-1 certification audit, auditors assess your service management system against the standard's requirements. When they identify a gap between what the standard requires and what your organisation demonstrates, they raise a finding.

Findings are classified into three levels of severity:

  • Major nonconformity: A systematic failure or complete absence of a required element. The certificate cannot be issued until this is resolved and verified. Major nonconformities typically require a follow-up audit.
  • Minor nonconformity: An isolated lapse or partial implementation that does not represent a systemic failure. The certificate can be issued with an accepted corrective action plan and a defined timeline for resolution.
  • Observation / Opportunity for Improvement (OFI): An area that could be enhanced but is not a conformity issue. No corrective action is required, but consideration is recommended.

Auditor Perspective

Auditors look for evidence that your SMS is genuinely implemented and producing results — not just that documentation exists. They interview staff, observe processes in action, review records, and verify that what you say you do matches what actually happens. The strongest evidence is operational records generated during day-to-day service delivery.

Finding 1: Incomplete or Inaccurate Service Catalogue

Clause: 8.2.4 (Service catalogue management)

What auditors find: The service catalogue is incomplete, outdated, or missing key attributes. Services may be listed by name only without descriptions, service levels, dependencies, or customer mappings. Some services delivered to customers are not in the catalogue at all. In other cases, the catalogue includes retired services that are no longer offered.

Why it occurs: The service catalogue is often created as a one-time exercise during implementation and not maintained as services evolve. IT teams add new services without updating the catalogue, or changes to service scope are not reflected.

How to prevent:

  • Treat the service catalogue as a living document with a designated owner
  • Include all required attributes: service description, service hours, SLA references, support contacts, dependencies, and customer/user groups
  • Link changes to the catalogue to your change management process — when a service changes, the catalogue must be updated
  • Review the catalogue quarterly and validate accuracy with service owners
  • Ensure the catalogue covers all services within the SMS scope — no exceptions

Finding 2: SLA Gaps and Misalignment

Clause: 8.3.3 (Service level management)

What auditors find: Service level agreements don't exist for all services, or the SLAs that exist don't cover all required elements. Common gaps include: missing escalation procedures, no reporting schedule, service levels that aren't measurable, targets that don't align with what is actually monitored, or SLAs that haven't been reviewed and agreed with customers in the current period.

Why it occurs: SLAs are often created at contract inception and never updated. Service delivery evolves, new metrics become available, and customer expectations change — but the SLA remains static. In other cases, organisations have informal arrangements that have never been formalised into written agreements.

How to prevent:

  • Ensure every service in the catalogue has a corresponding SLA (or OLA for internal services)
  • Include all required elements: service scope, performance targets, measurement methods, reporting schedule, escalation procedures, review frequency, and responsibilities
  • Ensure service level targets are specific and measurable, and state the measurement period and service hours they apply to (e.g., "99.5% availability during agreed service hours, measured monthly" not "high availability")
  • Conduct regular service reviews with customers — at least annually — and document outcomes
  • Verify that what you monitor and report actually matches SLA targets
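The last two points are where most SLA findings are actually raised: the SLA says "99.5% availability" but the monitoring report measures something else (typically 24x7 uptime rather than the agreed service hours). The following is an added example, not code from the page, that evaluates a month of constructed outage records against a constructed SLA definition both ways and flags when the two figures disagree on whether the target was met. The service name, service hours, outage records and reporting period are all assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Added example, not from the page. Everything below (service name, hours,
# outages, period) is constructed test data.
SLA = {
    "service": "Payroll Portal",          # hypothetical service
    "target_pct": 99.5,                   # the page's "99.5% availability"
    "service_hours": (8, 18),             # 08:00-18:00 local time
    "service_days": {0, 1, 2, 3, 4},      # Monday-Friday (datetime.weekday())
}

# Constructed outage records (start, end) as a monitoring tool might export them.
OUTAGES = [
    (datetime(2024, 3, 4, 9, 0),    datetime(2024, 3, 4, 9, 45)),    # weekday, in hours
    (datetime(2024, 3, 9, 2, 0),    datetime(2024, 3, 9, 3, 30)),    # Saturday, out of hours
    (datetime(2024, 3, 20, 17, 30), datetime(2024, 3, 20, 18, 30)),  # straddles close of service
]

# Constructed reporting period: March 2024.
PERIOD = (datetime(2024, 3, 1), datetime(2024, 4, 1))


def in_window(t, sla):
    """True if instant t lies inside the SLA's agreed service hours."""
    open_h, close_h = sla["service_hours"]
    return t.weekday() in sla["service_days"] and open_h <= t.hour < close_h


def minutes(start, end, sla=None):
    """Minutes in [start, end); restricted to service hours when an SLA is given."""
    count, t = 0, start
    while t < end:
        if sla is None or in_window(t, sla):
            count += 1
        t += timedelta(minutes=1)
    return count


def lost_minutes(outages, start, end, sla=None):
    """Outage minutes inside the reporting period (and inside service hours if sla given)."""
    lost = 0
    for o_start, o_end in outages:
        s, e = max(o_start, start), min(o_end, end)
        if s < e:
            lost += minutes(s, e, sla)
    return lost


def availability(outages, start, end, sla=None):
    """Availability percentage for the period, rounded to 3 decimals."""
    scheduled = minutes(start, end, sla)
    return round(100.0 * (scheduled - lost_minutes(outages, start, end, sla)) / scheduled, 3)


def sla_check(outages, start, end, sla):
    """Measure the way the SLA defines it, and also the naive 24x7 way; flag disagreement."""
    agreed = availability(outages, start, end, sla)
    naive = availability(outages, start, end)
    return {
        "service": sla["service"],
        "target_pct": sla["target_pct"],
        "availability_service_hours_pct": agreed,
        "availability_24x7_pct": naive,
        "met": agreed >= sla["target_pct"],
        # True when the report you publish would tell a different story from the SLA
        "misaligned_report": (naive >= sla["target_pct"]) != (agreed >= sla["target_pct"]),
    }


if __name__ == "__main__":
    for key, value in sla_check(OUTAGES, *PERIOD, SLA).items():
        print(f"{key:32} {value}")
```

With the constructed data the 24x7 figure (99.563%) clears the target while the service-hours figure (99.405%) misses it: a report built on the first number would show green for a service whose SLA was breached, which is exactly the misalignment an auditor will pick up when comparing the SLA text with the monitoring output.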

Finding 3: Weak Supplier Management

Clause: 8.3.4 (Supplier management)

What auditors find: Suppliers involved in service delivery are not formally managed. Common issues include: no inventory of service-affecting suppliers, contracts without service requirements or performance targets, no monitoring of supplier performance, and no regular supplier reviews.

Why it occurs: Supplier management is often seen as a procurement function rather than a service management function. IT teams rely on suppliers daily but don't formally assess their contribution to service delivery or hold them accountable to defined performance levels.

How to prevent:

  • Maintain a register of all suppliers involved in service delivery (hosting providers, software vendors, outsourced support, network providers, etc.)
  • Ensure contracts include service performance requirements, security obligations, and right-to-audit clauses
  • Define underpinning agreements (UAs) that align supplier commitments to your SLAs
  • Monitor supplier performance against agreed targets and document the results
  • Conduct regular supplier reviews — at least annually for critical suppliers — and record outcomes and actions

Finding 4: Missing or Inadequate Capacity Planning

Clause: 8.4.3 (Capacity management)

What auditors find: No documented capacity plan exists, or the plan is generic and doesn't reflect actual service demand. Organisations may monitor current utilisation but have no forward-looking plan that addresses demand trends, growth projections, and planned capacity adjustments.

Why it occurs: Capacity management is often reactive — resources are added when performance degrades rather than proactively planned. Organisations monitor infrastructure metrics but don't connect this data to service demand forecasting or business growth plans.

How to prevent:

  • Create a documented capacity plan that covers current capacity, demand trends, growth forecasts, and planned adjustments
  • Include capacity data for all critical service components — compute, storage, network, licensing, and human resources
  • Link capacity planning to demand management — understand what drives demand and plan accordingly
  • Review and update the capacity plan at least quarterly or when significant changes in demand occur
  • Include capacity considerations in change management — assess capacity impact for significant changes

Finding 5: Poor Change Management Records

Clause: 8.5.1 (Change management)

What auditors find: Change records are incomplete, inconsistent, or missing key elements. Common issues include: changes without documented risk assessments, no evidence of testing or approval before implementation, no post-implementation review (PIR) for significant changes, and emergency changes that bypass the process without subsequent retrospective authorisation.

Why it occurs: Change management processes exist on paper, but in practice, teams take shortcuts — particularly for "routine" or "urgent" changes. The ITSM tool may have workflow fields for risk assessment and approval, but they're left blank or filled with placeholder text.

How to prevent:

  • Enforce complete change records — make mandatory fields truly mandatory in your ITSM tool
  • Require documented risk assessment for every change, proportionate to the change type and risk level
  • Ensure testing and approval are evidenced before implementation begins
  • Conduct and document post-implementation reviews for all significant changes
  • Define a clear emergency change process that includes retrospective review and authorisation within a specified timeframe
  • Audit a sample of recent changes during internal audit to verify record completeness
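The sampling check in the last point, and the "fields filled with placeholder text" problem described above, can be automated against an export from the ITSM tool. The following is an added example, not code from the page or from any particular ITSM product: it draws a reproducible sample of change records and reports, per record, which of the evidence an auditor asks for is missing (risk assessment, approval before implementation, test evidence, PIR for high-risk changes, timely retrospective authorisation for emergency changes). Field names, the two-day retrospective authorisation deadline, the placeholder list and the three records are assumptions made for the illustration.

```python
import random
from datetime import datetime, timedelta

# Added example, not from the page. Field names, deadlines and records are
# assumptions; adapt them to your own ITSM export.
PLACEHOLDERS = {"", "-", "n/a", "na", "none", "tbd", "tbc", "see ticket", "as above"}
RETRO_AUTH_DEADLINE = timedelta(days=2)   # assumed policy for emergency changes

# Constructed change records.
CHANGES = [
    {"id": "CHG-1001", "type": "normal", "risk": "high",
     "risk_assessment": "DB failover tested in staging; rollback = restore snapshot",
     "test_evidence": "TEST-448 passed 2024-03-10", "approved_by": "CAB",
     "approved_at": datetime(2024, 3, 11, 10, 0),
     "implemented_at": datetime(2024, 3, 12, 22, 0),
     "pir": "PIR-77 completed 2024-03-15, no issues"},
    {"id": "CHG-1002", "type": "normal", "risk": "medium",
     "risk_assessment": "Config change to mail relay", "test_evidence": "N/A",
     "approved_by": "j.smith", "approved_at": datetime(2024, 3, 14, 9, 0),
     "implemented_at": datetime(2024, 3, 13, 18, 0), "pir": None},
    {"id": "CHG-1003", "type": "emergency", "risk": "high",
     "risk_assessment": "TBD", "test_evidence": None, "approved_by": "CAB",
     "approved_at": datetime(2024, 3, 20, 9, 0),
     "implemented_at": datetime(2024, 3, 15, 2, 0), "pir": None},
]


def is_blank(value):
    """Treat empty fields and the usual placeholder text as missing evidence."""
    return value is None or str(value).strip().lower() in PLACEHOLDERS


def audit_change(rec):
    """Return the list of record-completeness issues for one change record."""
    issues = []
    implemented, approved = rec.get("implemented_at"), rec.get("approved_at")
    if is_blank(rec.get("risk_assessment")):
        issues.append("no documented risk assessment")
    if rec["type"] == "emergency":
        # Emergency changes may be implemented first, but must be authorised afterwards
        if approved is None:
            issues.append("emergency change without retrospective authorisation")
        elif implemented and approved - implemented > RETRO_AUTH_DEADLINE:
            issues.append("retrospective authorisation outside the agreed timeframe")
    else:
        if is_blank(rec.get("approved_by")) or approved is None:
            issues.append("no approval recorded")
        elif implemented and approved > implemented:
            issues.append("approved after implementation")
        if is_blank(rec.get("test_evidence")):
            issues.append("no test evidence")
    if rec.get("risk") == "high" and is_blank(rec.get("pir")):
        issues.append("no post-implementation review for a high-risk change")
    return issues


def audit_changes(records):
    """Map change id -> list of issues (empty list means the record is complete)."""
    return {r["id"]: audit_change(r) for r in records}


def sample_for_audit(records, size, seed=20000):
    """Reproducible random sample, so the sample can be re-drawn and cannot be cherry-picked."""
    return random.Random(seed).sample(records, min(size, len(records)))


if __name__ == "__main__":
    for change_id, issues in audit_changes(sample_for_audit(CHANGES, 3)).items():
        print(change_id, "OK" if not issues else "; ".join(issues))
```

Keeping the seed in the audit working papers lets the certification auditor re-draw the same sample, which is the kind of "evidence of what was sampled" Finding 9 below asks for.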

Finding 6: Inadequate Incident-Problem Linking

Clause: 8.6.1 and 8.6.3 (Incident management and Problem management)

What auditors find: Incidents are resolved but never analysed for patterns or linked to problem investigations. Problem management is either non-existent or purely reactive, with no evidence of proactive trend analysis. Known errors are not maintained or communicated to the service desk. Root cause analysis is superficial or absent.

Why it occurs: Organisations focus on restoring service quickly (incident management) but fail to invest in understanding why incidents occur (problem management). Problem management requires analytical effort and time, which is deprioritised in favour of firefighting.

How to prevent:

  • Implement a formal link between incident management and problem management — recurring incidents should trigger problem investigations
  • Conduct regular trend analysis of incident data to identify patterns (e.g., monthly review of top 10 recurring incidents)
  • Maintain a known error database (KEDB) and ensure the service desk has access to it for faster resolution
  • Require root cause analysis for all major incidents and high-frequency recurring incidents
  • Track problem management metrics: problems raised, problems resolved, known errors, and mean time to resolve problems
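The trend analysis in the second point, and the incident-to-problem link in the first, are straightforward to run over an incident export. The following is an added example, not code from the page: it groups constructed incident records by configuration item and category over a rolling window, keeps the groups that reach a recurrence threshold, and says for each whether a problem record needs raising, whether unlinked incidents should be attached to an existing problem, or whether the recurrence is already covered. The incident records, the 30-day window and the threshold of three are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Added example, not from the page. Records, window and threshold are constructed.
INCIDENTS = [
    {"id": "INC-2001", "opened": date(2024, 3, 1),  "ci": "mail-relay-01", "category": "email",       "problem": None},
    {"id": "INC-2002", "opened": date(2024, 3, 3),  "ci": "mail-relay-01", "category": "email",       "problem": None},
    {"id": "INC-2003", "opened": date(2024, 3, 9),  "ci": "mail-relay-01", "category": "email",       "problem": None},
    {"id": "INC-2004", "opened": date(2024, 3, 5),  "ci": "vpn-gw-02",     "category": "network",     "problem": "PRB-31"},
    {"id": "INC-2005", "opened": date(2024, 3, 12), "ci": "vpn-gw-02",     "category": "network",     "problem": "PRB-31"},
    {"id": "INC-2006", "opened": date(2024, 3, 15), "ci": "payroll-app",   "category": "application", "problem": None},
    {"id": "INC-2007", "opened": date(2024, 3, 20), "ci": "vpn-gw-02",     "category": "network",     "problem": None},
]
WINDOW_END = date(2024, 3, 31)   # constructed end of the monthly review period
RECURRENCE_THRESHOLD = 3         # assumed: 3+ incidents on one CI/category is "recurring"


def recurring_incidents(incidents, window_end, window_days=30, threshold=RECURRENCE_THRESHOLD):
    """Group incidents in the window by (CI, category) and report the recurring ones.

    Returns a list sorted by count (desc) then CI name; slice [:10] for a top-10 review.
    """
    window_start = window_end - timedelta(days=window_days)
    groups = defaultdict(list)
    for inc in incidents:
        if window_start <= inc["opened"] <= window_end:
            groups[(inc["ci"], inc["category"])].append(inc)

    report = []
    for (ci, category), items in groups.items():
        if len(items) < threshold:
            continue
        problems = sorted({i["problem"] for i in items if i["problem"]})
        unlinked = [i["id"] for i in items if not i["problem"]]
        if not problems:
            action = "raise problem record"                      # recurring, nothing investigating it
        elif unlinked:
            action = f"link {', '.join(unlinked)} to {', '.join(problems)}"  # problem exists, link is missing
        else:
            action = "covered by existing problem record"
        report.append({
            "ci": ci, "category": category, "count": len(items),
            "incidents": [i["id"] for i in items],
            "problems": problems, "unlinked": unlinked, "action": action,
        })
    report.sort(key=lambda g: (-g["count"], g["ci"]))
    return report


if __name__ == "__main__":
    for group in recurring_incidents(INCIDENTS, WINDOW_END)[:10]:
        print(f'{group["ci"]}/{group["category"]}: {group["count"]} incidents -> {group["action"]}')
```

Running this monthly and filing the output, together with the problem records it caused to be raised, gives the auditor a traceable chain from incident trend to problem investigation, which is the evidence this finding is usually raised for lack of.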

Finding 7: Unclear Continual Improvement Evidence

Clause: 10.2 (Continual improvement)

What auditors find: The organisation claims to be continuously improving but cannot provide evidence. There is no improvement register, no documented improvement initiatives, or no evidence of outcomes from improvement activities. Improvements happen informally but are not tracked or measured.

Why it occurs: Continual improvement is treated as a concept rather than a process. Teams make improvements but don't record them. There's no structured approach to identifying, prioritising, implementing, and measuring improvement opportunities.

How to prevent:

  • Maintain an improvement register that captures all identified improvement opportunities from audits, incidents, management reviews, customer feedback, and staff suggestions
  • Prioritise improvements and assign owners, target dates, and expected outcomes
  • Track implementation status and measure actual results against expected outcomes
  • Report on improvement activities at management review — this demonstrates the PDCA cycle in action
  • Ensure improvements cover both the SMS itself (governance, processes) and the services (quality, performance)

Finding 8: Service Continuity Not Tested

Clause: 8.7.2 (Service continuity management)

What auditors find: A service continuity plan exists on paper, but it has never been tested — or the last test was years ago. When plans have been tested, the test results are not documented, or identified gaps from the test have not been addressed.

Why it occurs: Continuity testing is disruptive and requires significant coordination. Organisations postpone testing indefinitely, especially when no actual disruptions have occurred. The plan is written, filed, and forgotten.

How to prevent:

  • Test service continuity plans at least annually — this is a clear expectation in audits
  • Tests can range from desktop exercises (walkthroughs) to full failover tests, depending on risk and practicality
  • Document test objectives, scenarios, participants, results, and lessons learned
  • Address gaps identified during testing with documented corrective actions
  • Update the continuity plan based on test findings and changes to services or infrastructure

Finding 9: Internal Audit Gaps

Clause: 9.2 (Internal audit)

What auditors find: The internal audit programme doesn't cover all clauses of ISO 20000-1 within the audit cycle. Internal auditors lack competence or independence. Audit reports are superficial — listing "no issues found" for every area without evidence of thorough examination. Internal audit findings are not followed up with corrective actions.

Why it occurs: Internal audits are treated as a formality rather than a genuine assurance mechanism. Organisations may lack trained internal auditors, or auditors are assigned to audit their own processes. Time pressure leads to superficial audits.

How to prevent:

  • Develop an audit programme that covers all ISO 20000-1 clauses within each audit cycle (typically annually)
  • Ensure auditor competence — train internal auditors in ISO 20000-1 auditing (ISO 20000-1 Lead Auditor training is ideal)
  • Ensure auditor independence — auditors must not audit their own work
  • Require detailed audit reports with evidence of what was sampled, what was found, and conclusions
  • Track corrective actions from internal audit findings to closure with evidence of effectiveness

Finding 10: Incomplete Management Review

Clause: 9.3 (Management review)

What auditors find: Management reviews don't cover all required inputs specified by the standard, or outputs don't include decisions and actions with assigned owners. Reviews may be perfunctory — a quick sign-off rather than genuine top management oversight. In some cases, management review has not been conducted within the required timeframe.

Why it occurs: Top management views the management review as an administrative burden rather than a governance mechanism. Reviews are rushed, agenda items are skipped, and action items are not tracked.

How to prevent:

  • Use a standard agenda template that covers all required inputs: status of previous actions, changes to internal/external issues, service performance, audit results, nonconformities, risk status, and improvement opportunities
  • Schedule management reviews at planned intervals (at least annually; semi-annual is recommended)
  • Document minutes that capture discussion points, decisions made, and actions assigned (with owners and deadlines)
  • Track action items from management review to completion
  • Ensure genuine top management participation — not just delegation to middle management

Prevention Checklist

Use this checklist before your ISO 20000-1 certification audit to verify readiness across all common finding areas:

  • Service catalogue: Does the catalogue include all services in scope with complete attributes?
  • SLAs: Does every service have an agreed SLA with measurable targets?
  • Supplier management: Are all service-affecting suppliers identified, contracted, and reviewed?
  • Capacity planning: Is there a documented, current capacity plan with forward projections?
  • Change management: Do change records include risk assessment, approval, testing, and PIR evidence?
  • Incident-problem link: Are recurring incidents triggering problem investigations with root cause analysis?
  • Continual improvement: Is there an improvement register with tracked initiatives and measured outcomes?
  • Service continuity: Have continuity plans been tested within the last 12 months with documented results?
  • Internal audit: Does the audit programme cover all clauses, with competent, independent auditors?
  • Management review: Does the review cover all required inputs, with documented decisions and tracked actions?

The best audit preparation is a well-functioning SMS that operates throughout the year — not a last-minute scramble before the auditor arrives. If your service management system is genuinely implemented and producing results, the audit becomes a validation exercise rather than a stressful event.

Frequently Asked Questions

What is the most common ISO 20000-1 audit finding?

The most common finding is an incomplete or inadequate service catalogue. Many organisations list services but fail to include all required attributes such as service descriptions, dependencies, SLA references, and relationships to configuration items. Auditors expect the catalogue to be a living document that accurately reflects the current service portfolio.

How many findings are typical in an ISO 20000-1 certification audit?

For a well-prepared organisation, 2-5 minor nonconformities is typical in an initial certification audit. Zero major nonconformities is expected. Some observations or opportunities for improvement (OFIs) are normal and show the auditor engaged with your SMS thoughtfully.

Can we still get certified if we have audit findings?

Yes, provided there are no unresolved major nonconformities. Minor nonconformities can be addressed through an accepted corrective action plan with a defined timeline. Major nonconformities must be resolved and verified by the auditor before the certificate can be issued, which typically requires a follow-up audit.

What is the difference between a major and minor nonconformity in ISO 20000-1?

A major nonconformity indicates a systematic failure, complete absence of a required process, or a situation that renders the SMS unable to achieve its intended outcomes. A minor nonconformity is an isolated instance of non-compliance that does not represent a systemic failure and does not prevent the SMS from functioning effectively.

How should we prepare for an ISO 20000-1 audit?

Conduct a thorough internal audit covering all clauses at least 4-6 weeks before the certification audit. Perform a management review with all required inputs. Verify all documentation is current and approved. Ensure staff can explain their roles in the SMS. Organise evidence so it is quickly accessible during the audit.