ISO20000 Implementation Guide v10
If you find that your objectives are not being met, then an improvement may be required to bring the situation back into line; such improvements should be recorded and tracked through to completion.
2.10.2 Internal audit
The standard requires that there be an internal auditing programme in place which audits all aspects of the SMS within a reasonable period of time. If you embrace the idea of internal auditing as a useful early warning of any issues at external audit, then you will not go far wrong. Internal audits should ensure that there are no surprises during the annual certification/surveillance audit, which should allow everyone a higher degree of confidence in the SMS. In terms of where to start auditing, the standard suggests that you consider the importance of the processes concerned, problem areas identified in previous audits and those parts of the SMS where significant risks have been identified. Beyond that, there is no particular order in which internal audits need to happen.
Auditors need to be suitably qualified, either through experience or training (or both), and must be impartial, i.e. they are not involved in the setting up or running of the SMS. The Toolkit has a number of documents to help with the internal auditing process, including a schedule, plan, procedure and post-audit action plan. In general, all aspects of internal auditing need to be documented, and an external auditor will almost always want to see the most recent internal audit report and track through any actions arising from it.
2.10.3 Management review
Management review is another key part of the SMS which, if you get it right, will hold together everything else and make audits (internal and external) a relatively straightforward experience. The ISO20000 standard is pretty specific about what these reviews should cover, but it is less forthcoming about how often they should take place. This is one of those areas where you will need to try it and see what works for your organization; too often and it becomes an unacceptable administrative overhead; too infrequently and you risk losing control of your SMS. The generally accepted minimum frequency is probably once a year and, in this case, it would need to be a full review covering everything required by the standard. A more common approach is to split the management review into two parts: perhaps a quarterly review of the main areas with a more complete review on an annual basis. You may even decide that in the early days of the SMS a monthly review is appropriate. There is no wrong answer; there is just a decision about how much control you feel you need to exercise at management level.
In all cases, every management review must be captured as minutes and the resulting actions tracked through to completion. The Toolkit has a procedure and a sample agenda for a management review.
www.certikit.com