In This Guide
- ISO 20000-1 certification follows a two-stage audit process: Stage 1 (documentation review) and Stage 2 (implementation verification), followed by a certification decision by an independent reviewer.
- The certificate is valid for 3 years, with mandatory annual surveillance audits in years 1 and 2, and a recertification audit before the certificate expires.
- Choosing an accredited certification body with ISO 20000-1 experience and ITSM sector expertise is essential for a credible, recognized certificate.
- Stage 2 focuses heavily on Clause 8 (operational processes) -- expect auditors to spend significant time on incident, change, problem, SLA, and configuration management.
- Major nonconformities must be resolved and verified before the certificate can be issued; minor nonconformities require accepted corrective action plans.
The Certification Journey
Achieving ISO 20000-1 certification is a structured journey that demonstrates your organization has implemented an IT Service Management System (SMS) meeting international requirements. The process is designed to provide independent, objective assurance that your service management practices are not just documented but effectively implemented and delivering results.
The certification lifecycle follows a three-year cycle:
- Year 0: Initial certification -- Stage 1 and Stage 2 audits, certification decision
- Year 1: Surveillance Audit 1 -- partial review of SMS processes
- Year 2: Surveillance Audit 2 -- remaining processes and overall effectiveness
- Year 3: Recertification audit -- comprehensive reassessment for a new 3-year cycle
This guide walks you through every stage of this journey, explaining what happens, what auditors focus on, how long each phase takes, and how to prepare effectively.
All new certifications are against ISO/IEC 20000-1:2018 (Third edition). This version follows the Annex SL high-level structure, enabling integration with ISO 27001 and other management system standards. Organizations certified against the 2011 edition should have already transitioned.
Choosing a Certification Body
Your choice of certification body (CB) is one of the most important decisions in the certification journey. It affects the credibility of your certificate, the quality of your audit experience, and the ongoing value you derive from the certification process.
Accreditation is Non-Negotiable
Always select a CB that holds accreditation from a recognized national accreditation body that is a signatory to the IAF Multilateral Recognition Arrangement (MLA). Accreditation ensures:
- Auditor Competence: Auditors are qualified, experienced, and assessed for technical competence in ISO 20000-1
- Process Consistency: The CB follows standardized audit and certification processes
- International Recognition: Your certificate is recognized globally through the IAF MLA network
- Impartiality: The CB operates with demonstrated independence and objectivity
Key accreditation bodies include:
- IAS (International Accreditation Service) -- United States
- UKAS (United Kingdom Accreditation Service) -- United Kingdom
- ANAB (ANSI National Accreditation Board) -- United States
- DAkkS (Deutsche Akkreditierungsstelle) -- Germany
- JAS-ANZ (Joint Accreditation System of Australia and New Zealand)
Selection Criteria
Beyond accreditation, consider the following when choosing your CB:
- ISO 20000-1 Experience: How many ISO 20000-1 certifications has the CB conducted? A CB with significant ISO 20000-1 experience will have auditors who understand ITSM practices deeply
- Sector Expertise: Does the CB have experience in your industry? MSPs, cloud providers, and shared services each have unique characteristics that experienced auditors understand
- Geographic Coverage: Can the CB audit all locations in your scope efficiently? Consider travel costs and logistics for multi-site scopes
- Audit Team Quality: Will auditors have relevant ITSM qualifications (e.g., ITIL, ISO 20000 Lead Auditor) and practical experience?
- Pricing Transparency: Are all costs clearly itemized -- audit day rates, travel expenses, certificate fees, surveillance costs, and any hidden charges?
- Integrated Audit Capability: If you hold or plan to achieve ISO 27001 or ISO 9001, can the CB conduct integrated audits to save time and cost?
Request proposals from at least three accredited certification bodies. Compare not just price but auditor experience, sector knowledge, and the value-add of the audit process. The best auditors provide constructive observations that help improve your SMS alongside verifying conformity.
Stage 1: Documentation Review
The Stage 1 audit is your first formal engagement with the certification body's audit team. Its purpose is to assess whether your organization is ready for the full certification audit (Stage 2).
Stage 1 Objectives
- Review SMS documentation against ISO 20000-1 requirements
- Evaluate the scope and boundaries of the SMS, including services covered
- Assess the organization's understanding of ISO 20000-1 requirements
- Verify that internal audit and management review have been completed
- Identify potential areas of concern that need addressing before Stage 2
- Gather information to plan Stage 2 audit activities, including audit team allocation and schedule
What Auditors Review
During Stage 1, the auditor will examine the following documentation:
- SMS Scope Statement: Clear definition of services, organizational units, locations, and boundaries
- Service Management Policy: Commitment from top management, alignment with organizational purpose
- Service Management Plan: How the SMS is implemented and operated, process descriptions, resource plans
- Service Catalogue: Complete list of services with descriptions, levels, and dependencies
- Service Level Agreements: Documented agreements with measurable service level targets
- Risk Register: Risks to the SMS and their treatment plans
- Internal Audit Records: Evidence that internal audit covering ISO 20000-1 requirements has been conducted
- Management Review Minutes: Evidence that top management has reviewed SMS performance
- Process Documentation: Policies and procedures for key processes (incident, change, problem, etc.)
Duration and Format
Stage 1 typically takes 1-2 days depending on organization size and scope complexity. It can be conducted:
- On-site: Document review at your premises with a brief facility tour and initial discussions
- Remote: Via video conference with document sharing (particularly suitable for cloud-based organizations)
- Hybrid: Document review conducted remotely, followed by a brief on-site visit
Stage 1 Outcomes
After completing Stage 1, the auditor provides a written report indicating one of the following:
- Ready for Stage 2: Documentation is complete and the organization demonstrates readiness. Stage 2 can be scheduled (typically 2-8 weeks after Stage 1)
- Ready with Observations: Minor gaps identified that should be addressed but do not prevent Stage 2. The auditor may note areas for particular attention during Stage 2
- Not Ready -- Delay Stage 2: Significant documentation gaps or implementation deficiencies require remediation. Stage 2 should be postponed until issues are resolved
Do not schedule Stage 1 until your internal audit and management review have been completed. These are prerequisites that auditors will specifically check. Many organizations fail Stage 1 readiness simply because these activities were not yet done.
Stage 2: Certification Audit
Stage 2 is the main certification audit. This is where the auditor verifies that your SMS is not just documented but effectively implemented, operating, and delivering results. Stage 2 is more intensive than Stage 1 and involves the entire organization.
Stage 2 Objectives
- Confirm the SMS conforms to all ISO 20000-1 requirements (Clauses 4-10)
- Verify that policies, processes, and procedures are implemented and followed in practice
- Assess the effectiveness of service management processes in delivering agreed service levels
- Verify integration between processes (e.g., incident-problem-change linkage)
- Confirm awareness and competence of personnel performing service management roles
- Evaluate continual improvement mechanisms and evidence of improvement actions
Audit Methods
Auditors use multiple methods to gather evidence during Stage 2:
- Interviews: Discussions with service management staff, process owners, service desk agents, technical teams, management, and customers/users
- Document and Record Review: Examination of incident records, change records, problem records, SLA reports, capacity plans, continuity plans, internal audit reports, and management review minutes
- Observation: Watching service management activities in action -- service desk operations, change advisory board (CAB) meetings, deployment procedures
- Technical Verification: Reviewing ITSM tool configurations, CMDB accuracy, monitoring dashboards, and reporting capabilities
- Sampling: Selecting random samples of incident records, change records, and service requests to verify consistent process adherence across different services, time periods, and staff
What Auditors Focus On
While Stage 2 covers all clauses, auditors typically allocate the most time to Clause 8 (Operation) because it contains the core service management processes. Key focus areas include:
| Process Area | What Auditors Look For |
|---|---|
| Service Catalogue | Accuracy, completeness, accessibility. Does it reflect the actual services delivered? Is it kept current? |
| Service Level Management | SLAs with measurable targets, regular monitoring and reporting, evidence of action when targets are missed |
| Incident Management | Consistent recording, classification, and prioritization. Resolution within SLA. Major incident procedures |
| Problem Management | Root cause analysis evidence. Proactive problem identification. Known error database. Links to incidents |
| Change Management | All changes going through the process. Risk assessment. CAB functioning. Post-implementation reviews |
| Configuration Management | CMDB accuracy. CI relationships. Verification audits. Links to change management |
| Service Continuity | Plans exist and have been tested. Test results documented. Plans updated after testing |
| Capacity Management | Capacity plan exists. Monitoring is in place. Proactive capacity management for planned changes |
Stage 2 Duration
Stage 2 duration is determined by several factors:
- Number of employees in scope (FTE count)
- Number of services in scope
- Complexity of the service portfolio and technology environment
- Number of sites and locations
- Outsourced or multi-supplier arrangements
Typical Stage 1 and Stage 2 audit durations by organization size:
| Organization Size | Stage 1 Days | Stage 2 Days | Total Initial Audit Days |
|---|---|---|---|
| 1-25 employees | 1 | 3-4 | 4-5 |
| 26-65 employees | 1-1.5 | 4-6 | 5-7.5 |
| 66-175 employees | 1.5-2 | 6-8 | 7.5-10 |
| 176-425 employees | 2 | 8-12 | 10-14 |
| 426+ employees | 2-3 | 12-15+ | 14-18+ |
Stage 2 Outcomes
At the close of Stage 2, the lead auditor presents findings and a recommendation:
- Recommend Certification: The SMS conforms to requirements; the auditor recommends certification (may include minor findings)
- Recommend Certification Subject to Corrective Action: Minor nonconformities exist but the overall SMS is effective; certification recommended once corrective actions are accepted
- Defer Certification Decision: Major nonconformities identified that must be resolved and verified before certification can be recommended
Certification Decision
The certification decision is not made by the audit team. It is made by an independent person or committee within the CB who was not involved in conducting the audit. This ensures impartiality and objectivity.
The Decision Process
- Audit Report Submission: The lead auditor submits a detailed report to the CB's certification decision-maker
- Independent Review: The decision-maker reviews the audit report, findings, evidence summaries, and the auditor's recommendation
- Nonconformity Verification: If major nonconformities were raised, the decision-maker verifies that corrective actions have been implemented and verified (may require a follow-up audit visit)
- Certificate Issuance: If all requirements are met, the ISO 20000-1 certificate is issued
Understanding Findings
- Major Nonconformity: Complete absence or fundamental breakdown of a required element; systemic failure affecting SMS effectiveness. Must be resolved and verified before certification. Resolution deadline: typically within 90 days
- Minor Nonconformity: Single instance of non-compliance that does not indicate systemic failure. Certificate can be issued once a corrective action plan is accepted. Verified at the next surveillance audit
- Observation / Opportunity for Improvement: Area that could be enhanced but is not a conformity issue. No formal action required, though organizations are encouraged to consider addressing these
Certificate Details
The ISO 20000-1 certificate includes:
- Organization name and registered address
- Scope of certification (services covered)
- Standard reference (ISO/IEC 20000-1:2018)
- Certificate number
- Date of initial certification
- Date of certificate expiry (3 years from certification decision)
- Accreditation body mark and CB details
Surveillance Audits
After initial certification, annual surveillance audits verify that the SMS continues to conform to ISO 20000-1 and is being maintained and improved.
Surveillance Schedule
Surveillance audits must occur at least annually. The first surveillance must be completed within 12 months of the Stage 2 completion date. Most CBs schedule surveillance audits approximately every 10-12 months.
Surveillance Scope
Each surveillance audit covers a subset of the full standard requirements. Over the two surveillance audits in the 3-year cycle, all requirements must be reviewed. Every surveillance must include:
- Internal audits and management review
- Status of actions from previous audit nonconformities
- Complaints and their handling
- SMS effectiveness in achieving service management objectives
- Continual improvement activities
- Use of the certification mark
- Changes to the SMS, scope, or organization
- Selected Clause 8 operational processes (rotated across the cycle)
Surveillance Duration
Surveillance audits typically require 30-40% of the initial certification audit duration per visit. For example, if the initial audit required 10 days total, each surveillance would typically be 3-4 days.
Maintaining Your Certification
Certification can be suspended or withdrawn if:
- Surveillance audits are not completed on schedule
- Major nonconformities found during surveillance are not resolved within agreed timeframes
- Significant SMS failures are identified
- The organization misuses the certification mark
- Certification fees are not paid
- The organization undergoes changes that significantly affect the SMS without informing the CB
Recertification
Before the 3-year certificate expires, a recertification audit must be completed to start a new certification cycle.
Recertification Scope
The recertification audit is similar to an initial certification but considers the SMS's performance and maturity over the entire 3-year cycle:
- Overall effectiveness of the SMS as a whole
- Performance against service management objectives over the cycle
- Changes to the SMS, scope, services, or organizational context since initial certification
- Previous audit findings, corrective actions, and their effectiveness
- Evidence of continual improvement and SMS maturity development
- Ongoing conformity with all ISO 20000-1 requirements
Timing and Planning
Plan recertification 3-4 months before certificate expiry. This provides adequate time to schedule the audit, address any findings, and complete the certification decision before the certificate lapses. If the certificate expires before recertification is complete, the organization temporarily loses its certification status and must undergo a new initial certification.
Recertification Duration
Recertification audit duration is typically equivalent to the initial certification audit (Stage 1 + Stage 2), though it may be reduced if the SMS has been consistently effective and well-maintained throughout the 3-year cycle.
Typical Certification Timeline
The following table provides a realistic timeline from the decision to pursue certification through to the first full certification cycle:
| Phase | Typical Duration | Key Activities |
|---|---|---|
| CB Selection | 2-4 weeks | RFP distribution, proposal evaluation, contract negotiation and signing |
| Pre-Audit Preparation | 2-6 weeks | Documentation finalization, internal audit completion, management review, staff briefings |
| Stage 1 Audit | 1-3 days | Documentation review, scope verification, readiness assessment, Stage 2 planning |
| Gap Closure | 2-8 weeks | Address Stage 1 findings, finalize any outstanding implementation items |
| Stage 2 Audit | 3-15 days | On-site implementation verification, interviews, evidence sampling, ITSM tool review |
| Corrective Actions | 2-12 weeks | Root cause analysis, implement corrective actions, gather verification evidence |
| Certification Decision | 1-3 weeks | Independent review, certificate issuance |
| Surveillance 1 | Month 10-12 | Partial SMS review, selected processes, improvement verification |
| Surveillance 2 | Month 22-24 | Remaining processes, overall effectiveness assessment |
| Recertification | Month 32-35 | Comprehensive SMS reassessment for new 3-year cycle |
Total Time from Stage 1 to Certificate: Typically 8-20 weeks depending on findings, organization responsiveness, and CB scheduling.
How to Prepare for Your ISO 20000-1 Audit
Effective preparation significantly increases the likelihood of a successful audit outcome. Here are proven strategies for each stage:
Before Stage 1
- Complete your internal audit: Ensure a comprehensive internal audit covering all ISO 20000-1 requirements has been conducted. Address significant findings before Stage 1
- Conduct management review: Hold a formal management review that addresses all required inputs (SMS performance, audit results, objectives, risks, improvements)
- Finalize the service catalogue: Verify it accurately reflects all services in scope, with correct descriptions, service levels, and dependencies
- Review SLAs: Ensure SLAs exist for all services, contain measurable targets, and have been agreed with customers
- Organize documentation: Make all SMS documentation accessible and easy to navigate. Auditors appreciate well-organized document management
Between Stage 1 and Stage 2
- Address all Stage 1 findings: Systematically close each observation and concern raised in the Stage 1 report
- Brief your team: Ensure all staff who may be interviewed understand the SMS, their roles, and can articulate how their processes work
- Verify ITSM tool data: Review your ITSM tool to ensure incident, change, problem, and configuration records are complete, accurate, and demonstrate process adherence
- Check process integration: Verify that links between processes work (e.g., recurring incidents trigger problem records, changes update the CMDB, problems generate changes)
- Prepare evidence packs: For each Clause 8 process, prepare sample records demonstrating the process working end to end
During Stage 2
- Be transparent: Answer questions honestly and directly. Auditors respect openness far more than perfection
- Provide evidence proactively: When asked about a process, offer specific records, reports, and examples
- Avoid over-explaining: Answer what is asked; don't volunteer unrelated information that could open new audit trails
- Designate a guide: Appoint an SMS manager or coordinator to escort auditors, facilitate interviews, and provide requested documentation
- Take notes: Record what auditors discuss and any provisional findings -- this helps with corrective action planning
Common Stage 2 Findings
Based on audit experience across hundreds of ISO 20000-1 certifications, the following are the most frequently raised findings:
Service Catalogue and Configuration Management
- Service catalogue is incomplete or does not match actual services delivered
- CMDB accuracy has not been verified through configuration audits
- Configuration items do not reflect actual infrastructure or have missing relationships
- Service catalogue is not accessible to relevant stakeholders
Service Level Management
- SLAs exist but do not contain specific, measurable service level targets
- No evidence of regular service level performance reporting to customers
- SLA breaches are not systematically tracked or investigated
- Service reviews with customers are not conducted or not documented
Incident and Problem Management
- Incidents not classified consistently using impact and urgency criteria
- Major incident procedures exist but have never been invoked or tested
- Problem management is purely reactive -- no proactive trend analysis
- Root cause analysis is superficial ("user error" rather than systematic investigation)
- Known error database does not exist or is not used by the service desk
Change Management
- Not all changes go through the change management process (especially emergency changes)
- Change risk assessment is not documented or is inconsistent
- Post-implementation reviews are not conducted for failed or major changes
- CAB terms of reference or membership are undefined
Service Continuity and Capacity Management
- Service continuity plans exist but have not been tested
- Test results are not documented or used to improve plans
- No formal capacity plan -- capacity management is reactive only
- Availability targets are stated but monitoring does not cover all components
Performance Evaluation and Improvement
- Service reports are produced but lack trend analysis or performance commentary
- Internal audit does not cover all ISO 20000-1 requirements
- Continual improvement register does not exist or is not actively maintained
- Improvement actions are identified but not tracked through to completion
The most successful organizations view the certification audit as a learning opportunity, not just a compliance exercise. Auditors bring cross-industry insights that can genuinely improve your service management practices.
Frequently Asked Questions
What happens during an ISO 20000-1 Stage 1 audit?
Stage 1 is a documentation and readiness review. The auditor examines your SMS documentation, scope statement, service management plan, service catalogue, SLAs, risk register, internal audit records, and management review minutes. The goal is to determine whether you are ready for the Stage 2 certification audit. It typically takes 1-2 days and can be conducted on-site or remotely.
How many audit days does ISO 20000-1 certification require?
Audit duration depends on organization size, number of services in scope, and complexity. Typical initial certification (Stage 1 + Stage 2) ranges from 5-20 audit days. Small organizations (under 50 staff) may need 5-8 days, medium organizations (50-250) around 8-12 days, and large organizations (250+) may require 12-20+ days. Multi-site scopes add additional audit days.
How long is an ISO 20000-1 certificate valid?
An ISO 20000-1 certificate is valid for 3 years from the date of the certification decision. During this period, annual surveillance audits must be completed to maintain certification. Before the certificate expires, a recertification audit is required to begin a new 3-year cycle. If the certificate expires before recertification is complete, the organization must undergo a new initial certification.
What are common Stage 2 findings for ISO 20000-1?
Common Stage 2 findings include: service catalogue that is incomplete or inaccurate, SLAs without measurable targets or not monitored, problem management lacking root cause analysis, change management not covering all change types, capacity plans missing or not maintained, service continuity plans not tested, service reports not delivered to stakeholders, and weak integration between incident, problem, and change processes.
Can ISO 20000-1 and ISO 27001 be audited together?
Yes. Many certification bodies offer integrated audits covering both ISO 20000-1 and ISO 27001 simultaneously. Since both standards share the Annex SL high-level structure, shared elements (management review, internal audit, document control, risk management, continual improvement) are audited once, reducing total audit days and cost. This approach also reduces disruption to the organization.