ISO/IEC 20000 audits
In ISO/IEC 20000-1 there are requirements for 3 types of audits. Most people recognize the need for internal audit but may forget that there are also requirements for information security audits and configuration audits.
Internal audit (clause 126.96.36.199/2 of ISO20000-1)
The internal audit requirements are common to all management system standards, e.g. ISO 9001 and ISO/IEC 27001. The audit is not just against the requirements of ISO20000-1 but also against the service requirements and the SMS, i.e. the organization’s SM policy, SM objectives and SM plan. There is a requirement to audit that all of these items are ‘effectively implemented and maintained’.
Internal audits need to be conducted in a way that ensures objectivity and impartiality. Auditors are not allowed to audit their own work. There are usually 3 options for resourcing auditors:
- an internal audit department within your organization
- staff within IT services auditing each other’s work
- external consultants conducting internal audits on your behalf.
A procedure is required to define the objectives of internal audits, the responsibilities involved and how results are reported. The internal audit programme needs to be planned, including the criteria, scope, frequency and methods for each audit. The audit may find nonconformities and can make recommendations for improvement.
After an audit, the audit results are written up and reported to the management responsible for the audited area, who are then responsible for ensuring that corrective actions are taken. The actions also need to be verified in order to close any nonconformities found.
ISO 19011 provides useful guidance on internal auditing.
Information security audit (clause 6.6.1 of ISO20000-1)
The information security process has a requirement for information security audits and for a review of the audit results to identify improvements. Unlike the internal audit, it is likely that this auditing will be done by information security specialists, who can be internal or external to the service provider. It is advisable to plan the information security audits in the same way as internal audits.
Although it is not specified, it is likely that this audit will support the requirements:
- to ensure conformance to the information security policy, clause 6.6.1
- to review the effectiveness of information security controls including those for external organizations, clause 6.6.2
- to analyse the types, volumes and impacts of information security incidents, clause 6.6.3.
Information security audits are likely to use a variety of techniques such as interview, review of documents and records, penetration testing and ethical hacking.
Configuration audit (clause 9.1 of ISO20000-1)
The configuration management process has a requirement for configuration audits to ‘check the records stored in the CMDB at planned intervals’. This audit needs to check that the contents of the CMDB are accurate. It is unlikely that this can be done for all records in one audit. Typical methods used are:
- audit the relevant CMDB records for callers to the service desk
- audit 10% of records each month
- use of discovery tools to check the accuracy of records
- use of discovery tools to check that no unauthorized software is present.
Unlike the internal audit, it is likely that this auditing will be done by configuration management specialists, who can be internal or external to the service provider. It is advisable to plan the configuration audits in the same way as internal audits.
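As an added illustration (not part of the article), the following script shows the kind of check the discovery-tool methods above perform: it reconciles a constructed CMDB extract against constructed discovery output and lists the nonconformities an auditor would raise. The CI names, attributes and the single global allow-list of authorised software are assumptions for the example.

```python
"""Added example: reconcile CMDB records against discovery-tool output,
as a configuration audit does when checking that the CMDB is accurate."""

# Constructed sample CMDB records, keyed by configuration item (CI) name.
CMDB = {
    "srv-01": {"os": "Ubuntu 22.04", "software": {"nginx", "openssh"}},
    "srv-02": {"os": "Windows Server 2019", "software": {"iis", "sqlserver"}},
    "srv-03": {"os": "Ubuntu 22.04", "software": {"postgresql"}},
    "srv-05": {"os": "Debian 12", "software": {"apache2"}},
}
# Constructed discovery-tool output for the same estate.
DISCOVERED = {
    "srv-01": {"os": "Ubuntu 22.04", "software": {"nginx", "openssh", "unapproved-agent"}},
    "srv-02": {"os": "Windows Server 2022", "software": {"iis", "sqlserver"}},
    "srv-04": {"os": "Debian 12", "software": {"apache2"}},
    "srv-05": {"os": "Debian 12", "software": {"apache2"}},
}
# Assumption: one global allow-list of authorised software (constructed).
AUTHORISED = {"nginx", "openssh", "iis", "sqlserver", "postgresql", "apache2"}


def audit_configuration(cmdb, discovered, authorised):
    """Return (ci, finding type, detail) tuples: CIs missing from either side,
    attribute mismatches, software drift, and unauthorised software present."""
    findings = []
    for name in sorted(set(cmdb) | set(discovered)):
        rec, seen = cmdb.get(name), discovered.get(name)
        if rec is None:
            findings.append((name, "not in CMDB", "discovered host has no CI record"))
            continue
        if seen is None:
            findings.append((name, "not discovered", "CI record has no live host"))
            continue
        if rec["os"] != seen["os"]:
            findings.append((name, "attribute mismatch", f"os: {rec['os']} vs {seen['os']}"))
        for pkg in sorted(seen["software"] - rec["software"]):
            findings.append((name, "software not in CMDB", pkg))
        for pkg in sorted(rec["software"] - seen["software"]):
            findings.append((name, "software not discovered", pkg))
        for pkg in sorted(seen["software"] - authorised):
            findings.append((name, "unauthorised software", pkg))
    return findings


def accuracy(cmdb, findings):
    """Share of CMDB records with no finding; a simple figure to report and trend."""
    flagged = {name for name, _, _ in findings if name in cmdb}
    return 1 - len(flagged) / len(cmdb)


if __name__ == "__main__":
    results = audit_configuration(CMDB, DISCOVERED, AUTHORISED)
    for name, kind, detail in results:
        print(f"{name}: {kind}: {detail}")
    print(f"CMDB accuracy: {accuracy(CMDB, results):.0%}")
```

Each finding maps to a corrective action (update the record, remove the software, or investigate the unknown host), and the accuracy figure gives the audit programme something to trend month on month.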
External certification audit
There is no requirement for certification or for the external auditing that goes with it. ISO/IEC 20000 can be used within a service provider without certification. If there is external certification, the audit will be done by an independent organization with appropriately qualified and competent auditors.
The requirements for internal audits are comprehensive. It is advisable to plan the information security and configuration audits in the same way as internal audits. Indeed, the same procedure could be used for all audits, with the audit programme incorporating all types of audit. In addition, the competencies required of auditors will need to be defined for each specialism. It will be useful to provide some auditor training based around ISO 19011 to ensure that the auditors are aware of auditing techniques and focus.
Lynda Cooper, an independent consultant and trainer, is one of the first people in the world to hold the ITIL Master qualification. Lynda chairs the BSI committee for IT service management (ITSM). Lynda sits on various ISO/IEC committees representing the UK and is the project editor for ISO/IEC 20000-1 and ISO/IEC 90006.