ISO Survival Kit is your very own practical guide to ISO standards, ISO audits, and operational excellence. Specifically in this edition, we look at ISO/IEC 20000, the international standard for establishing an IT Service Management System (SMS).
One of the most prominent problems organizations face in ISO 20000 certification and internal alignment with the standard is getting a good feel for where the deficiencies exist before they surface during the audit.
Professionals taking the ISO 20000 Lead Auditor training also need to understand how audits fail in practice in order to evaluate and implement the standard effectively.
This article explains in detail the 100 common and significant ISO 20000 non-conformities noticed during audits, the real reasons they exist, how they impact your service delivery, and how you can handle them before they grow.
ISO 20000:2018 creates a structured way to deliver reliable IT services based on value, whether they are provided internally or outsourced.
The standard assists in aligning IT service delivery according to business needs, reducing risk, and promoting continual improvement.
However, good intentions on paper will not suffice; auditors and customers will want to see how well embedded ITSM really is in practice.
The most common reasons for not satisfying ISO 20000 expectations are poorly defined processes, insufficient documentation, and a lack of good governance.
📌 Clause: 4.3 – Determining the Scope of the SMS
What’s going wrong:
Organizations often define the SMS scope too narrowly or inconsistently, omitting key services, third-party dependencies, or cross-functional processes. Sometimes, the scope is not formally documented at all.
Why it matters during an ISO 20000 audit:
An incomplete or unclear scope can lead to significant gaps in the audit trail. Auditors need to confirm that all relevant services, people, and technologies are included under the SMS.
How to fix it:
✔ Document the SMS scope in detail, including physical locations, service boundaries, technologies, and external service providers
✔ Align the scope with your service catalog
✔ Ensure all stakeholders understand what’s in and out of scope
✔ Review the scope regularly, especially after organizational or service changes
Real-world result:
A clearly defined and maintained SMS scope helps auditors trace compliance more effectively, strengthens internal controls, and ensures all critical services are actively managed.
📌 Clause: 5.3 – Organizational Roles, Responsibilities, and Authorities
What’s going wrong:
Key ITSM responsibilities are not formally assigned or documented. Staff are unclear on who owns service components, who authorizes changes, or who monitors compliance.
Why it matters during an audit:
Auditors assess whether the organization has clearly defined responsibilities for service delivery, governance, and process ownership. Ambiguity can lead to critical failures in accountability.
How to fix it:
✔ Define and document roles in the SMS (e.g., Change Manager, Incident Owner, Service Owner)
✔ Use a RACI matrix to clarify who is Responsible, Accountable, Consulted, and Informed
✔ Communicate roles to stakeholders and include them in onboarding and process documentation
✔ Revalidate roles annually or when responsibilities shift
Real-world result:
Formalized roles lead to improved decision-making, accountability, and audit outcomes by ensuring everyone knows what’s expected of them.
📌 Clause: 5.2 – Service Management Policy
What’s going wrong:
The organization may have a service management policy, but it’s outdated, generic, or poorly communicated. Many employees are unaware of its existence or purpose.
Why it matters during an audit:
The policy is a foundational document that sets direction and commitment for the SMS. If it's irrelevant or unknown, auditors may conclude that management engagement is lacking.
How to fix it:
✔ Review and update the policy at least annually or following major service or organizational changes
✔ Align it with corporate goals, customer needs, and ITSM objectives
✔ Make it accessible to all employees and reinforce it during training sessions
✔ Ensure that leadership visibly supports and promotes the policy
Real-world result:
A relevant, well-communicated policy drives alignment across teams and demonstrates clear management commitment during the audit.
📌 Clause: 8.2 – Change Management
What’s going wrong:
Changes to systems and services are made without proper approval, impact assessment, or rollback planning. Emergency changes are often undocumented or bypass formal processes.
Why it matters during an audit:
Uncontrolled changes are a major risk area. Auditors assess whether changes are managed to prevent unintended service disruptions or security breaches.
How to fix it:
✔ Implement a formal change evaluation and authorization process, including risk and impact assessments
✔ Define criteria for normal, standard, and emergency changes
✔ Track change success/failure metrics
✔ Conduct post-implementation reviews to capture lessons learned
Real-world result:
A structured change process reduces outages and audit findings while improving service stability and accountability.
📌 Clause: 6.1 – Actions to Address Risks and Opportunities
What’s going wrong:
Organizations focus on incidents and SLAs but neglect to assess risks associated with service delivery, business continuity, or third-party dependencies.
Why it matters during an audit:
Risk-based thinking is central to ISO standards. Without a defined risk process, auditors may report non-conformities for failing to proactively manage threats.
How to fix it:
✔ Develop a risk register that includes IT service delivery risks
✔ Assign risk owners and establish review frequencies
✔ Integrate risk identification into change, capacity, and supplier management processes
✔ Use risk findings to guide improvement efforts
Real-world result:
Proactive risk management enhances service reliability and gives auditors confidence that the organization is prepared for uncertainty.
📌 Clause: 8.1 – Service Management System Planning & 8.4 – Service Delivery
What’s going wrong:
Services are missing from the catalog, or the information is outdated and lacks ownership, SLAs, or contact points.
Why it matters during an audit:
The service catalog is a key reference point for scope, delivery, and stakeholder communication. A weak or incomplete catalog can undermine the entire SMS.
How to fix it:
✔ Maintain a centralized and current service catalog
✔ Include descriptions, availability, SLAs, support hours, escalation paths, and service owners
✔ Review and update the catalog quarterly
✔ Make the catalog accessible to end users and internal teams
Real-world result:
A comprehensive service catalog streamlines service delivery, clarifies expectations, and demonstrates operational maturity to auditors.
📌 Clause: 8.7 – Incident Management & 8.8 – Problem Management
What’s going wrong:
Incidents are handled individually, but no effort is made to analyze recurring patterns, underlying causes, or service-specific trends.
Why it matters during an audit:
Auditors look for evidence of continual improvement. A failure to analyze and act on trends suggests the organization is reactive, not proactive.
How to fix it:
✔ Capture and categorize incidents consistently
✔ Perform trend analysis monthly or quarterly
✔ Identify high-frequency issues and escalate them to problem management
✔ Use findings to improve systems, training, or support processes
Real-world result:
Effective trend analysis reduces repeat incidents, supports root cause elimination, and enhances audit performance.
📌 Clause: 10.2 – Continual Improvement
What’s going wrong:
Improvements are made informally or in response to issues, but they’re not tracked, measured, or aligned with strategic objectives.
Why it matters during an audit:
Auditors expect continual improvement to be visible, documented, and results-driven — not incidental.
How to fix it:
✔ Establish a formal continual improvement log
✔ Tie improvement actions to audit results, feedback, and KPI trends
✔ Assign owners and deadlines for each action
✔ Review progress during management review meetings
Real-world result:
Structured improvement planning demonstrates a mature, evolving SMS and reduces audit risk.
📌 Clause: 8.5 – Relationship Management & 8.6 – Supplier Management
What’s going wrong:
Third-party vendors are not assessed for risk, monitored for performance, or included in the SMS lifecycle.
Why it matters during an audit:
Service disruptions often originate with external suppliers. Auditors need assurance that vendors are under formal oversight.
How to fix it:
✔ Maintain a supplier register with defined SLAs and contact details
✔ Regularly review vendor performance against expectations
✔ Include suppliers in change management, risk reviews, and improvement efforts
✔ Conduct periodic supplier audits or evaluations
Real-world result:
Integrated supplier management enhances service quality and demonstrates end-to-end control of your service ecosystem.
📌 Clause: 9.1 – Monitoring, Measurement, Analysis and Evaluation
What’s going wrong:
Metrics are collected (if at all) but are not used to evaluate performance, inform decisions, or drive improvement.
Why it matters during an audit:
Auditors assess how well your metrics support service objectives. Without meaningful analysis, the SMS lacks direction and accountability.
How to fix it:
✔ Define relevant KPIs linked to service goals and stakeholder needs
✔ Track and review metrics regularly with IT and business leaders
✔ Use data to identify underperformance, prioritize actions, and communicate progress
✔ Document metric reviews in management reports
Real-world result:
Performance metrics become a powerful management tool — helping you reduce risk, improve reliability, and satisfy audit criteria.
This toolkit draws on expert opinion matched with actual audit findings and the best practices of ISO 20000:2018, helping you identify and address the gaps most frequently observed in audits.
✔ Conduct gap assessments across all core ITSM processes
✔ Verify compliance with ISO 20000 clauses and control points
✔ Align your SMS with service delivery, policy, and governance requirements
✔ Prepare with confidence for internal audits and ISO 20000 certification reviews
This toolkit includes:
Use this toolkit to drive service excellence, reduce audit findings, and build a resilient, standards-aligned ITSM framework.
ISO/IEC 20000 certification is more than an audit; it is about providing consistent, value-driven IT services that support business success.
Addressing these types of audit failures will strengthen your service management credibility, reduce operational risk, and improve customer satisfaction.
These checklists will improve your SMS while driving continuous improvement throughout your IT service area, whether you intend to use them for certification planning, internal auditing, or study toward the ISO 20000 Lead Auditor qualification.