ISO stands for the International Organization for Standardization. ISO is a non-governmental organization. ISO gives higher credibility to your organisation. ISO in Greek means “Equal”. ISO has a network of institutes in 157 countries. Its Central Secretariat is in Geneva (Switzerland). It is the world's largest developer of International Standards. ISO has published 22306 International Standards and related documents. They cover almost every industry, from technology to food safety, to agriculture and healthcare. ISO certification is proof from a third party that your organisation works to international standards. Certification Bodies are also part of this process. The Certification Bodies need to comply with the rules and requirements of another ISO standard, ISO 17021, and must also be audited and licensed by local entities known as Accreditation Bodies. Every country has an Accreditation Body that is responsible for auditing Certification Bodies to ensure they meet the requirements of the reference standard.


The following are the necessary steps in the process of ISO/IEC 20000 certification:

  1. Requesting a proposal: The applicant organization requests a proposal (for example, from the Certification Body BSI). The request must state information about the company: number of people involved in the scope, business line, scope, etc. Based on this information, the Certification Body calculates the number of days required and, depending on the number of days, sets the price of the proposal. Finally, the Certification Body sends the proposal to the company.
  2. Audit: If the organization approves the ISO/IEC 20000 certification proposal, the certification audit is then carried out. This audit is basically composed of two phases:

Phase 1: The audit team prepares an Audit Plan, which must contain all issues to be reviewed at this phase. It will also identify the persons who will be interviewed, and the date and time of all activities to be undertaken during the audit. The activities carried out in this phase are basically the review of documentation generated by the company, i.e. mainly procedures, technical instructions, etc., and everything related to the Management System (PDCA). Also, the company will plan the dates and activities that will take place in the next stage, phase 2. As a result of phase 1, the audit team will develop and deliver an audit report to the company, which reflects all the detected deviations. So, the purpose of the phase 1 audit, also called the Documentation Review, is to check whether the documentation is compliant with ISO/IEC 20000.

Phase 2: As in phase 1, the audit team will prepare an Audit Plan for this phase, which will contain all the things to do and all the people involved. In this second phase the audit team will review everything that is still pending for the management system and PDCA, plus the operational implementation of all ISO/IEC 20000 processes. As a result of this phase, an Audit Report is generated. This will contain all deviations from phase 2, plus the deviations that have not been treated in phase 1. Therefore, we can say that this report will be the final report of the certification audit. So, the purpose of the phase 2 audit, also called the Main Audit, is to check whether the activities and processes in a company are compliant with the standard and with the documentation. In other words, to check whether the SMS works.

These two phases are needed only in the first certification audit, and therefore are not present in the surveillance audits and recertification audits.

  3. Granting Certificate: If the company addresses all deviations in the report presented by the audit team and presents the necessary evidence to the Certification Body, the Certification Body then releases a Decision Evaluation Report, and finally approves the granting of the certificate to the company. Normally the certificate is granted, but it may sometimes be rejected because of the immaturity of the system.
  4. Surveillance Visits: An ISO certificate is valid for 3 years, during which time surveillance visits are conducted. That is, after the first certification audit, in the next 2 years the company will have to face further audits.
  5. Recertification: Lastly, after 3 years, when the certificate expires, the company will have to face a recertification audit to maintain the certificate.