Title Page

  • Customer

  • Conducted on

  • Prepared by

4. Context of the Organization

4.1 Understanding the organization and its context

  • Has the organization determined the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its service management system?

  • Guidance - The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its SMS.

4.2 Understanding the needs and expectations of interested parties

  • Has the organization determined a) the interested parties relevant to the SMS and the services; b) the relevant requirements of these interested parties?

  • Guidance - The organization shall determine:
    a) the interested parties that are relevant to the service management system;
    b) the relevant requirements of these interested parties.

4.3 Determining the scope of the service management system

  • When establishing its scope, has the organization determined the boundaries and applicability of the SMS?

  • When determining this scope, has the organization considered a) the internal and external issues referred to in Clause 4.1; b) the requirements referred to in Clause 4.2; c) the services delivered by the organisation?

  • Does the definition of the scope of the SMS include the services in scope and the name of the organization managing and delivering the services?

  • Is the scope available as documented information and has it been made available to third parties?

4.4 Service Management System

  • Has the organization established, implemented, maintained and continually improved its SMS, including the processes needed and their interactions, in accordance with the requirements of ISO20000-1:2018?

  • Guidance - The organization shall establish, implement, maintain and continually improve an SMS, including the processes needed and their interactions, in accordance with the requirements of this document.

5. Leadership

5.1 Leadership and commitment

  • a) Are the organization's service management policy and service management objectives established and are they compatible with the strategic direction and the context of the organization?

  • b) Does top management ensure that the service management plan is created, implemented and maintained?

  • c) Does top management ensure that appropriate levels of authority are assigned for making decisions related to the SMS and the services?

  • d) Does top management ensure that what constitutes value for the organization and its customers is determined?

  • e) Does top management ensure that there is control of other parties involved in the service lifecycle?

  • f) Are the organization's SMS requirements integrated into the organization's business processes?

  • g) Are resources needed for the organisation's SMS and the services available?

  • h) Does top management communicate the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements?

  • i) Does top management ensure that the SMS achieves its intended outcome(s)?

  • j) Does top management effectively direct and support persons, allowing them to contribute to the effectiveness of the SMS and the services?

  • k) Does top management promote continual improvement of the SMS and the services?

  • l) Does top management support other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility?

  • Guidance - Ask to see the organisation's service management policy.

5.2 Policy

5.2.1 Establishing the service management policy

  • Is there an established service management policy that a) is appropriate to the purpose of the organization; b) provides a framework for setting service management objectives; c) includes a commitment to satisfy applicable requirements; and d) includes a commitment to continual improvement of the SMS and the services?

5.2.2 Communicating the service management policy

  • Is the service management policy a) available as documented information; b) communicated within the organisation and c) available to interested parties?

5.3 Organizational roles, responsibilities and authorities

  • Have top management ensured that the responsibilities and authorities for roles relevant to the SMS and the services are assigned and communicated within the organization?

  • Have top management assigned responsibility and authority for a) ensuring that the SMS conforms to the requirements of ISO20000-1:2018; and b) reporting on the performance of the SMS and the services to top management?

6. Planning

6.1 Actions to address risks and opportunities

6.1.1 General

  • Has the organisation, in its SMS planning, considered the external and internal issues referred to in Clause 4.1 and the requirements referred to in Clause 4.2?

  • Has the organisation determined the risks and opportunities that need to be addressed to a) give assurance that the SMS can achieve its intended outcome(s); b) prevent or reduce undesired effects; and c) achieve continual improvement of the SMS and the services?

  • Does the organisation maintain documented information on d) the risks and opportunities that need to be addressed; and e) its process(es) needed for Clause 6.1.1 to Clause 6.1.4?

6.1.2

  • Has the organization determined and documented a) the risks related to: 1) the organization; 2) not meeting the service requirements; 3) the involvement of other parties in the service lifecycle?

  • Has the organization determined and documented b) the impact on customers of risks and opportunities for the SMS and the services; c) the risk acceptance criteria; and d) the approach to be taken for the management of risks?

6.1.3

  • Has the organisation planned actions to address these risks and opportunities and their priorities?

  • Does the organisation plan a) how to integrate and implement these actions into its SMS processes; and b) how to evaluate the effectiveness of these actions?

6.2 Service management objectives and planning to achieve them

6.2.1 Establish objectives

  • Are the organisation's service management objectives a) consistent with the service management policy; b) measurable; c) taking into account applicable requirements; d) monitored; e) communicated and f) updated as appropriate?

  • Does the organisation maintain documented information on the service management objectives?

6.2.2 Plan to achieve objectives

  • When planning how to achieve its service management objectives, does the organisation determine a) what will be done; b) what resources will be required; c) who will be responsible; d) when it will be completed and e) how the results will be evaluated?

6.3 Plan the service management system

  • Has the organization created, implemented and maintained a service management plan?

  • Has the organization, in its planning, taken into consideration the service management policy, service management objectives, risks and opportunities, service requirements and the requirements specified in ISO20000-1:2018?

  • Does the service management plan include or contain a reference to a) list of services; b) known limitations that can impact the SMS and the services?

  • Does the service management plan include or contain a reference to c) obligations such as relevant policies, standards, legal, regulatory and contractual requirements, and how these obligations apply to the SMS and the services?

  • Does the service management plan include or contain a reference to d) authorities and responsibilities for the SMS and the services?

  • Does the service management plan include or contain a reference to e) the human, technical, information and financial resources necessary to operate the SMS and the services?

  • Does the service management plan include or contain a reference to f) the approach to be taken for working with other parties involved in the service lifecycle?

  • Does the service management plan include or contain a reference to g) the technology used to support the SMS?

  • Does the service management plan include or contain a reference to h) how the effectiveness of the SMS and the services will be measured, audited, reported and improved?

7. Support

7.1 Resources

  • Has the organisation determined and provided the resources needed for the establishment, implementation, maintenance and continual improvement of the SMS?

  • Has the organisation determined and provided the resources needed for the operation of the services to meet service requirements and achieve the service management objectives?

  • Note to interviewer - Does the organisation have a list of resources needed for the SMS?

7.2 Competence

  • a) Has the organisation determined the necessary competence of person(s) doing work under its control that affects the performance and effectiveness of the SMS and the services?

  • b) Does the organisation ensure that these persons are competent on the basis of appropriate education, training or experience?

  • c) Where applicable, does the organisation take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken?

  • d) Does the organisation retain documented information as evidence of this competence?

  • Note to interviewer - Applicable actions can include, for example: the provision of training to, the mentoring of, or the reassignment of currently employed persons; or the hiring or contracting of competent persons.

7.3 Awareness

  • Do persons working under the organisation's control have awareness of a) the service management policy; b) the service management objectives; c) the services relevant to their work; d) their contribution to the effectiveness of the SMS, including the benefits of improved performance; e) the implications of not conforming with the SMS requirements?

7.4 Communication

  • Has the organisation determined the internal and external communications relevant to the SMS and the services?

  • With regards to the above, has the organisation determined a) what it will communicate; b) when to communicate; c) with whom to communicate; d) how to communicate; e) who will be responsible for the communication?

7.5 Documented information

7.5.1 General

  • Does the organisation's SMS include a) documented information required by ISO20000-1:2018; and b) documented information determined by the organisation as being necessary for the effectiveness of the SMS?

7.5.2 Creating and updating documented information

  • When creating and updating documented information, does the organisation ensure appropriate a) identification and description; b) format and media; and c) review and approval for suitability and adequacy?

  • Note to interviewer - review the SMS documentation. Is there an inventory or list of documentation? Is the documentation consistent, identifiable and accurate? Is it in an accessible format? Where is it stored? How often is it reviewed and approved to ensure it is still relevant, accurate and adequate for the requirements of the SMS? Is there a documentation control process/procedure in existence?

7.5.3 Control of documented information

7.5.3.1

  • With regard to documented information required by the SMS and by ISO20000-1:2018, does the organisation control this to ensure a) it is available and suitable for use, where and when it is needed; and b) it is adequately protected from loss of confidentiality, improper use or loss of integrity?

  • Guidance - understand where this information is stored. Is it available to staff? Is it easy to find? What technical controls (access control, backups, version history, integrity checks) are in place to protect its confidentiality, integrity and availability?

7.5.3.2

  • For the control of documented information, does the organisation address a) distribution, access, retrieval and use; b) storage and preservation, including the preservation of legibility; c) control of changes (e.g. version control); and d) retention and disposition?

  • Does the organisation identify and control documented information of external origin, determined to be necessary for the planning and operation of the SMS?

  • Note to interviewer: Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.

7.5.4 Service management system documented information

  • Does the documented information for the SMS include: a) Scope of the SMS; b) policy and objectives for service management; c) service management plan; d) change management policy, information security policy and service continuity plan; e) processes of the organisation’s SMS; f) service requirements?

  • Does it also include: g) service catalogues; h) SLAs; i) contracts with external suppliers; j) agreements with internal suppliers or customers acting as a supplier; k) procedures that are required by ISO20000-1:2018; l) records required to demonstrate evidence of conformity to the requirements of ISO20000-1:2018 and the organisation's SMS?

7.6 Knowledge

  • Does the organisation determine and maintain the knowledge necessary to support the operation of the SMS and the services?

  • Is the knowledge relevant, usable and available to appropriate persons?

  • Note to interviewer – Knowledge is specific to the organisation, its SMS, services and interested parties. Knowledge is used and shared to support the achievement of the intended outcome(s) and the operation of the SMS and the services.

8. Operation

8.1 Operation planning and control

  • Does the organisation plan, implement and control the processes needed to meet requirements and to implement the actions determined in Clause 6?

  • Does the organisation do the above by a) establishing performance criteria for the processes based on requirements; b) implementing control of the processes in accordance with the established performance criteria; c) keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned?

  • Does the organisation control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects?

  • Does the organisation ensure that outsourced processes are controlled?

8.2 Service portfolio

8.2.1 Service delivery

  • Does the organisation operate the SMS effectively to ensure co-ordination of the activities and the resources?

  • Does the organisation perform the activities required to deliver services?

  • Note to interviewer – A service portfolio is used to manage the entire lifecycle of all services including proposed services, those in development, live services defined in the service catalogue(s) and services that are to be removed. The management of the service portfolio ensures that the service provider has the right mix of services. Service portfolio activities in this document include planning the services, control of parties involved in the service lifecycle, service catalogue management, asset management and configuration management.

8.2.2 Plan the services

  • Does the organisation determine and document the service requirements for existing services, new services and changes to services?

  • Has the organisation determined the criticality of services based on the needs of the organisation, customers, users and other interested parties?

  • Does the organisation determine and manage dependencies and duplication between services?

  • Has the organisation proposed changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks?

  • Does the organisation prioritise requests for change and proposals for new or changed services to align with business needs and service management objectives, taking into consideration available resources?

8.2.3 Control of parties involved in the service lifecycle

8.2.3.1

  • Does the organisation retain accountability for the requirements specified in ISO20000-1:2018 and for the delivery of the services, regardless of which party is involved in performing activities to support the service lifecycle?

  • Does the organisation determine and apply criteria for the evaluation and selection of the parties involved in the service lifecycle?

  • Note to interviewer – Other parties can be an external supplier, an internal supplier or a customer acting as a supplier.

  • Has the organisation determined and documented: a) services that are provided or operated by other parties; b) service components that are provided or operated by other parties; c) processes, or parts of processes, in the organisation’s SMS that are operated by other parties?

  • Has the organisation integrated services, service components and processes in the SMS that are provided or operated by the organisation or other parties to meet the service requirements?

  • Does the organisation co-ordinate activities with other parties involved in the service lifecycle including the planning, design, delivery and improvement of services?

8.2.3.2

  • Has the organisation defined and applied relevant controls for other parties from the following: a) measurement and evaluation of process performance; b) measurement and evaluation of the effectiveness of services and service components in meeting the service requirements?

8.2.4 Service catalogue management

  • Has the organisation created, and does it maintain, one or more service catalogues?

  • Do they include information for the organisation, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services?

  • Does the organisation provide access to appropriate parts of the service catalogue to its customers, users and other interested parties?

8.2.5 Asset management

  • Does the organisation ensure that assets used to deliver services are managed to meet the service requirements and obligations in 6.3 (c) ?

  • Note to interviewer – ISO 55001 and ISO/IEC 19770-1 specify requirements to support the implementation and operation of asset and IT asset management.

  • Note to interviewer – In addition, see configuration management when an asset is also a configuration item (CI).

8.2.6 Configuration Management

  • Has the organisation defined the types of configuration items (CIs) and classified services as CIs?

  • Has the organisation recorded configuration information to a level of detail appropriate to the criticality and type of services and is access to the configuration information controlled?

  • Does the configuration information recorded for each CI include: a) unique identification; b) type of CI; c) description of the CI; d) relationships with other CIs; e) status?

  • Are the organisation's CIs controlled, are changes to CIs traceable and auditable so that the integrity of the configuration information is maintained, and is the configuration information updated following the deployment of changes to the CIs?

  • Does the organisation verify the accuracy of the configuration information at planned intervals, taking necessary actions where deficiencies are found?

  • Has the organisation made the configuration information available for other service management activities as appropriate?

8.3 Relationship and agreement

8.3.1 General

  • Does the organisation use suppliers to a) provide or operate services; b) provide or operate service components; c) operate processes, or parts of processes, that are in the organisation’s SMS?

  • Note to interviewer - Figure 2 in ISO20000-1:2018 illustrates the usage, agreements and relationships between business relationship management, service level management and supplier management.

  • Note to interviewer – ISO/IEC 20000-3 includes examples of supply chain relationships with their potential applicability and scope.

  • Note to interviewer – Supplier management in the document excludes the procurement of suppliers.

8.3.2 Business relationship management

  • Has the organisation identified and documented customers, users and other interested parties of the services?

  • Does the organisation have one or more designated individuals responsible for managing customer relationships and maintaining customer satisfaction?

  • Has the organisation established arrangements for communicating with its customers and other interested parties, and does this communication promote understanding of the evolving business environment in which the services operate allowing them to respond to new or changed service requirements?

  • Does the organisation review the performance trends and the outcomes of the services at planned intervals?

  • Does the organisation, at planned intervals, measure satisfaction with the services based on a representative sample of customers, and are these results analysed, reviewed to identify opportunities for improvement and reported?

  • Are service complaints recorded, managed to closure and reported? Where a complaint is not resolved through the normal channels, is there a method of escalation provided?

8.3.3 Service level management

  • Does the organisation agree the services to be delivered with the customer?

  • For each service delivered, does the organisation establish one or more SLAs based on the documented service requirements, and do these SLAs include service level targets, workload limits and exceptions?

  • Does the organisation, at planned intervals, monitor, review and report on: a) performance against service level targets; b) actual and periodic changes in workload compared to workload limits in the SLA(s)?

  • Does the organisation, where service level targets are not met, identify opportunities for improvement?

8.3.4 Supplier management

8.3.4.1 Management of external suppliers

  • Does the organisation have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers?

  • Does the organisation, for each external supplier, agree on a documented contract that includes or contains a reference to: a) scope of the services, service components, processes or parts of processes to be provided or operated by the external supplier; b) requirements to be met by the external supplier; c) service level targets or other contractual obligations; d) authority and responsibilities of the organisation and the external supplier?

  • Does the organisation assess the alignment of service level targets or other contractual obligations for the external supplier against SLAs with customers, and manage identified risks?

  • Does the organisation define and manage the interfaces with the external supplier?

  • Does the organisation, at planned intervals, monitor the performance of the external supplier, and where service level targets or other contractual obligations are not met, do they ensure that opportunities for improvement are identified?

  • Does the organisation, at planned intervals, review the contract against current service requirements?

  • Does the organisation ensure changes identified for the contract are assessed for the impact of the change on the SMS and the service(s) before the change is approved?

  • Does the organisation record and manage to closure all disputes between themselves and external suppliers?

8.3.4.2 Management of internal suppliers and customers acting as a supplier

  • Has the organisation, for each internal supplier or customer acting as a supplier, developed, agreed and maintained a documented agreement to define service level targets, other commitments, activities and interfaces between the parties?

  • Does the organisation, at planned intervals, monitor the performance of the internal supplier or customer acting as a supplier, and when service level targets or other agreed commitments are not met, ensure that opportunities for improvement are identified?

8.4 Supply and demand

8.4.1 Budgeting and accounting for services

  • Does the organisation budget and account for services or groups of services in accordance with its financial management policies and processes?

  • Are costs budgeted to enable effective financial control and decision-making for services?

  • Does the organisation, at planned intervals, monitor and report on actual costs against the budget, review the financial forecasts and manage costs?

  • Note to interviewer – Many, but not all, organisations charge for their services. Budgeting and accounting for services in ISO 20000 excludes charging, to ensure applicability to all organisations.

8.4.2 Demand management

  • Does the organisation, at planned intervals: a) determine current demand and forecast future demand for services; b) monitor and report on demand and consumption of services?

  • Note to interviewer - Demand management is responsible for understanding current and future customer demand for services. Capacity management works with demand management to plan and provide sufficient capacity to meet the demand.

8.4.3 Capacity management

  • Has the organisation determined, documented and maintained the capacity requirements for human, technical and financial resources, taking into consideration the service and performance requirements?

  • Does the organisation plan capacity to include: a) current and forecast capacity based on demand for services; b) expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; c) timescales and thresholds for changes to service capacity?

  • Does the organisation provide sufficient capacity to meet agreed capacity and performance requirements?

  • Does the organisation monitor capacity usage, analyse capacity and performance data and identify opportunities to improve performance?

8.5 Service design, build and transition

8.5.1 Change management

8.5.1.1

  • Does the organisation have an established and documented change management policy defining: a) service components and other items that are under the control of change management; b) categories of change, including emergency change, and how they are managed; c) criteria to determine changes with the potential to have a major impact on customers or services?

8.5.1.2 Change management initiation

  • Does the organisation record and classify requests for change, including proposals to add, remove or transfer services?

  • Does the organisation use service design and transition (in 8.5.2) for: a) new services with the potential to have a major impact on customers or other services as determined by the change management policy; b) changes to services with the potential to have a major impact on customers or other services as determined by the change management policy; c) categories of change that are to be managed by service design and transition according to the change management policy?

  • Does the organisation also use service design and transition for: d) removal of a service; e) transfer of an existing service from the organisation to a customer or other party; f) transfer of an existing service from a customer or other party to the organisation?

  • Is the assessing, approving, scheduling and reviewing of new or changed services in the scope of 8.5.2 (service design and transition) managed through the change management activities in 8.5.1.3?

  • Are requests for change that are not managed through 8.5.2 (service design and transition) managed through the change management activities in 8.5.1.3?

8.5.1.3 Change management activities

  • Do the organisation and interested parties make decisions on the approval and priority of requests for change, with decision-making taking into consideration the risks, business benefits, feasibility and financial impact?

  • Does decision-making consider the potential impacts of the change on: a) existing services; b) customers, users and other interested parties; c) policies and plans required by ISO 20000; d) capacity, service availability, service continuity and information security; e) other requests for change, releases and plans for deployment?

  • Are approved changes prepared, verified and, where possible, tested?

  • Does the organisation communicate to interested parties all proposed deployment dates and other deployment details for approved changes?

  • Does the organisation have plans for activities to reverse or remedy an unsuccessful change, and are these plans tested where possible?

  • Are unsuccessful changes investigated and agreed actions taken?

  • Does the organisation review changes for effectiveness and take actions agreed with interested parties?

  • Does the organisation, at planned intervals, analyse request for change records to detect trends, and record and review the results and conclusions drawn from the analysis to identify opportunities for improvement?

8.5.2 Service design and transition

8.5.2.1 Plan new or changed services

  • Does the organisation's planning use the service requirements for the new or changed services determined in 8.2.2 (Plan the services) and include or contain a reference to: a) authorities and responsibilities for design, build and transition activities; b) activities to be performed by the organisation or other parties with the timescales; c) human, technical, information and financial resources; d) dependencies on other services?

  • Does it also include or contain a reference to: e) testing needed for the new or changed services; f) service acceptance criteria; g) intended outcomes from delivering the new or changed services, expressed in measurable terms; h) impact on the SMS, other services, planned changes, customers, users or other interested parties?

  • For services about to be removed, does the planning additionally include the date(s) for the transfer of the services and the activities for the transfer of data, documented information, knowledge and service components?

  • Are CIs affected by new or changed services managed through configuration management?

8.5.2.2 Design

  • Does the organisation ensure new or changed services are designed and documented to meet the service requirements determined in 8.2.2 (Plan the services)?

  • Does the design include relevant items from the following: a) authorities and responsibilities of the parties involved in the delivery of the new or changed services; b) requirements for changes to human, technical, information and financial resources; c) requirements for appropriate education, training and experience?

  • Does it also include relevant items from: d) new or changed SLAs, contracts and other documented agreements that support the services; e) changes to the SMS including new or changed policies, plans, processes, procedures, measures and knowledge; f) impact on other services; g) updates to the service catalogue(s)?

8.5.2.3 Build or transition

  • Does the organisation ensure that new or changed services are built and tested to verify that they meet the service requirements, conform to the documented design and meet the agreed service acceptance criteria?

  • If the service acceptance criteria are not met, do the organisation and interested parties decide on necessary actions and deployment?

  • Does the organisation deploy new or changed services into the live environment using release and deployment management?

  • Following the completion of the transition activities, does the organisation report to interested parties on the achievements against the intended outcomes?

8.5.3 Release and deployment management

  • Does the organisation define the types of release, including emergency release, their frequency and how they are to be managed?

  • Does the organisation plan the deployment of new and changed services and service components into the live environment?

  • Is the planning co-ordinated with change management, and does it include references to the related requests for change, known errors or problems which are being closed through the release, dates for deployment of each release, deliverables and methods of deployment?

  • Does the organisation verify the release against documented acceptance criteria and approve it before deployment, and when the acceptance criteria are not met, do the organisation and interested parties decide on necessary actions and deployment?

  • Does the organisation take a baseline of affected CIs before deployment of a release into the live environment?

  • Is the release then deployed into the live environment so that the integrity of the services and service components is maintained?

  • Does the organisation monitor and analyse the success or failure of releases, including measurements such as incidents related to a release in the period following deployment of the release?

  • Does the organisation record and review the results and conclusions drawn from the analysis to identify opportunities for improvement?

  • Has the organisation made information about the success or failure of releases and future release dates available for other service management activities as appropriate?

8.6 Resolution and fulfilment

8.6.1 Incident management

  • Does the organisation ensure that incidents are: a) recorded and classified; b) prioritised taking into consideration impact and urgency; c) escalated if needed; d) resolved; e) closed?

  • Are records of incidents updated with all actions taken?

  • Has the organisation determined criteria to identify a major incident and are major incidents classified and managed according to a documented procedure?

  • Does the organisation keep top management informed of all major incidents and assign responsibility for managing each major incident?

  • After a major incident has been resolved, does the organisation report and review to identify opportunities for improvement?

8.6.2 Service request management

  • Does the organisation ensure service requests are: a) recorded and classified; b) prioritised; c) fulfilled; d) closed?

  • Are records of service requests updated with all actions taken?

  • Does the organisation ensure that instructions for the fulfilment of service requests are made available to persons involved in service request fulfilment?

8.6.3 Problem management

  • Does the organisation analyse data and trends on incidents to identify problems, undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents?

  • Does the organisation ensure that problems are: a) recorded and classified; b) prioritised; c) escalated if needed; d) resolved if possible; e) closed?

  • Are records of problems updated with all actions taken, and are changes needed for problem resolution managed according to the change management policy?

  • Does the organisation, in the case of problems that have not been permanently resolved but have a root cause identified, determine actions to reduce or eliminate the impact of the problem on the services?

  • Are known errors recorded, and is up-to-date information on known errors and problem resolutions made available for other service management activities as appropriate?

8.7 Service management

8.7.1 Service availability management

  • Does the organisation, at planned intervals, assess and document the risks to service availability?

  • Does the organisation determine the service availability requirements and targets, with agreed requirements taking into consideration relevant business requirements, service requirements, SLAs and risks?

  • Has the organisation documented and maintained service availability requirements?

  • Does the organisation monitor service availability, record the results and compare them against the target, and is any unplanned non-availability investigated and any necessary action taken?

  • Note to interviewer – Risks identified in 6.1 can provide input to the risks for service availability, service continuity and information security

8.7.2 Service continuity management

  • Does the organisation, at planned intervals, assess and document the risks to service continuity?

  • Does the organisation determine the service continuity requirements, with agreed requirements taking into consideration relevant business requirements, service requirements, SLAs and risks?

  • Has the organisation created, implemented and maintained one or more service continuity plans?

  • Do the continuity plan(s) include or contain a reference to: a) criteria and responsibilities for invoking service continuity; b) procedures to be implemented in the event of a major loss of services; c) targets for service availability when the service continuity plan is invoked; d) service recovery requirements; e) procedures for returning to normal working conditions?

  • Has the organisation made sure that the service continuity plan(s) and list of contacts are accessible when access to the normal service location is prevented?

  • Does the organisation test the service continuity plan(s) against the service continuity requirements, at planned intervals and after major changes to the service environment, with results being recorded?

  • Does the organisation conduct reviews after each test and after the service continuity plan(s) have been invoked, and where deficiencies are found, are necessary actions taken?

  • Does the report on when the service continuity plan(s) have been invoked include cause, impact and recovery?

8.7.3 Information security management

8.7.3.1 Information security policy

  • Has the organisation's management, with appropriate authority, approved an information security policy relevant to the organisation that is documented and takes into consideration the service requirements and the obligations in 6.3 c)?

  • Has the information security policy been made available as appropriate?

  • Does the organisation communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: a) the organisation; b) customers and users; c) external suppliers, internal suppliers and other interested parties?

8.7.3.3 Information security incidents

  • Does the organisation ensure information security incidents are: a) recorded and classified; b) prioritised taking into consideration the information security risk; c) escalated if needed; d) resolved; e) closed?

  • Does the organisation analyse the information security incidents by type, volume and impact on the SMS, services and interested parties?

  • Are information security incidents reported and reviewed to identify opportunities for improvement?

  • Note to interviewer – The ISO/IEC 27000 series specifies requirements and provides guidance to support the implementation and operation of an information security management system. ISO/IEC 27013 provides guidance on the integration of ISO/IEC 27001 and ISO/IEC 20000-1.

9. Performance Evaluation

9.1 Monitoring, measurement, analysis and evaluation

  • Has the organisation determined a) what needs to be monitored and measured for the SMS and the services; b) the methods for monitoring, measurement, analysis and evaluation, as applicable to ensure valid results; c) when the monitoring and measuring shall be performed; and d) when the results from monitoring and measurement shall be analysed and evaluated?

  • Does the organisation retain appropriate documented information as evidence of the results?

  • Does the organisation evaluate the SMS performance against the service management objectives and evaluate the effectiveness of the SMS?

  • Does the organisation evaluate the effectiveness of the services against the service requirements?

9.2 Internal audit

9.2.1

  • Does the organisation conduct internal audits at planned intervals to provide information on whether the SMS a) conforms to 1) the organisation's own requirements for its SMS; and 2) the requirements of ISO20000-1:2018; and b) is effectively implemented and maintained?

9.2.2

  • Does the organisation a) establish, implement and maintain an internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits?

  • When establishing the internal audit programme, does the organisation take into consideration 1) the importance of the processes concerned, 2) changes affecting the organisation and 3) the result of previous audits?

  • Does the organisation b) define the audit criteria and scope for each audit; c) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process; d) ensure that the results of the audits are reported to relevant management?

  • Does the organisation e) retain documented information as evidence of the implementation of the audit programme(s) and the audit results?

  • Note to interviewer – ISO 19011 provides guidelines on auditing management systems.

9.3 Management review

  • Does top management review the organisation's SMS and the services at planned intervals to ensure their continuing suitability, adequacy and effectiveness?

  • Does the management review include consideration of: a) the status of actions from previous management reviews; b) changes in the external and internal issues that are relevant to the SMS; c) the needs and expectations of interested parties; d) information on the organisation's environmental performance, including trends in 1) nonconformities and corrective actions; 2) monitoring and measurement results; 3) audit results?

  • Does the management review include consideration of: d) opportunities for continual improvement; e) feedback from customers and other interested parties?

  • Does the review include consideration of: f) adherence to and suitability of the service management policy and other policies required by ISO20000-1:2018; g) achievement of service management objectives; h) performance of the services; i) performance of other parties involved in the delivery of the services?

  • Does the management review also include consideration of: j) current and forecast human, technical, information and financial resource levels, and human and technical resource capabilities; k) results of risk assessment and the effectiveness of actions taken to address risks and opportunities; l) changes that can affect the SMS and the services?

  • Do the outputs of the management review include decisions related to continual improvement opportunities and any need for changes to the SMS and the services?

  • Does the organisation retain documented information as evidence of the results of management reviews?

9.4 Service reporting

  • Has the organisation determined reporting requirements and their purpose?

  • Does the organisation produce reports on the performance and effectiveness of the SMS and the services using information from the SMS activities and delivery of the services, with service reporting including trends?

  • Does the organisation make decisions and take actions based on the findings in the service reports, with agreed actions being communicated to interested parties?

  • Note to interviewer – The reports that are required are specified in the relevant clauses of ISO20000-1:2018. Additional reports can also be produced.

10. Improvement

10.1 Nonconformity and corrective action

  • When a nonconformity occurs, does the organisation a) react to the nonconformity and, as applicable, 1) take action to control and correct it; and 2) deal with the consequences?

  • Does the organisation b) evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by 1) reviewing the nonconformity; 2) determining the causes of the nonconformity; and 3) determining if similar nonconformities exist, or could potentially occur?

  • Does the organisation c) implement any action needed?

  • Does the organisation d) review the effectiveness of any corrective action taken?

  • Does the organisation e) make changes to the SMS if necessary?

  • Does the organisation ensure that corrective actions taken are appropriate to the effects of the nonconformities encountered?

  • Does the organisation retain documented information as evidence of a) the nature of the nonconformities and any subsequent actions taken; and b) the results of any corrective action?

10.2 Continual improvement

  • Does the organisation continually improve the suitability, adequacy and effectiveness of the SMS and the services?

  • Does the organisation determine the evaluation criteria to be applied to the opportunities for improvement when making decisions on their approval? Do the evaluation criteria include alignment of the improvement with the service management objectives?

  • Are all opportunities for improvement well documented?

  • Does the organisation manage approved improvement activities that include a) setting one or more targets for improvement in areas such as quality, value, capability, cost, productivity, resource utilisation and risk reduction?

  • Does the organisation manage approved improvement activities that include b) ensuring that improvements are prioritised, planned and implemented; c) making changes to the SMS, if necessary?

  • Does the organisation manage approved improvement activities that include d) measuring implemented improvements against the target(s) set and, where target(s) are not achieved, taking necessary actions?

  • Does the organisation manage approved improvement activities that include e) reporting on implemented improvements?

  • Guidance - Improvements can include reactive and pro-active actions such as correction, corrective action, preventive action, enhancements, innovation and re-organisation.

Completion

Comments/Recommendations
Name and Signature

  • Add signature

Approval

  • Date and time of approval

  • Approver's signature

The templates available in our Public Library have been created by our customers and employees to help get you started using SafetyCulture's solutions. The templates are intended to be used as hypothetical examples only and should not be used as a substitute for professional advice. You should seek your own professional advice to determine if the use of a template is permissible in your workplace or jurisdiction. You should independently determine whether the template is suitable for your circumstances.