Certification of companies

In order to get an ISO/IEC 20000 certification, a company has to engage the services of a Certification Body. What is a Certification Body? It is a company that is responsible for providing certificates to companies that request its services and comply with the requirements of the standard against which they want to become certified. Examples of Certification Bodies are: Bureau Veritas, BSI, SGS, etc.

Certification Bodies need to comply with the rules and requirements of another ISO standard, ISO 17021, and must also be audited and licensed by local entities known as Accreditation Bodies. Every country has an Accreditation Body that is responsible for auditing Certification Bodies to ensure they meet the requirements of the reference standard.


Following are the necessary steps in the process of ISO/IEC 20000 certification:

  • Request: The applicant company requests a proposal (for example, from the Certification Body BSI). The request must state information about the company: number of people involved in the scope, business line, scope, etc. Based on this information, the Certification Body calculates the number of days required and, depending on the number of days, sets the price of the proposal. Finally, the Certification Body sends the proposal to the company.
  • Certification Audit: If the company approves the ISO/IEC 20000 certification proposal, the certification audit is then carried out. This audit is basically composed of two phases:

Phase 1: The audit team prepares an Audit Plan, which must contain all issues to be reviewed at this phase. It will also identify the persons who will be interviewed, and the date and time of all activities to be undertaken during the audit. The activities carried out in this phase are basically the review of documentation generated by the company, i.e. mainly procedures, technical instructions, etc., and everything related to the Management System (PDCA). Also, the company will plan the dates and activities that will take place in the next stage.

Phase 2: As in phase 1, the audit team will prepare an Audit Plan for this phase, which will contain all the things to do and all the people involved. In this second phase the audit team will review everything that has been left pending from the management system and PDCA, plus the operational implementation of all ISO/IEC 20000 processes. As a result of this phase, an Audit Report is generated. This will contain all deviations from phase 2, plus the deviations that have not been treated in phase 1. Therefore, we can say that this report will be the final report of the certification audit. So, the purpose of the phase 2 audit, also called the Main Audit, is to check whether the activities and processes in a company are compliant with the standard and with the documentation. In other words, to check whether the SMS works.

These two phases are needed only in the first certification audit, and therefore are not present in the surveillance audits and recertification audits.

  • Obtaining the Certificate: If the company addresses all deviations in the report presented by the audit team and presents the necessary evidence to the Certification Body, the Certification Body then releases a Decision Evaluation Report, and finally approves the granting of the certificate to the company. Normally the certificate is granted, but sometimes it may be rejected due to the immaturity of the system.
  • Surveillance Visits: An ISO certificate is valid for 3 years, during which time surveillance visits are conducted. That is, after the first certification audit, in the next 2 years the company will have to face further audits.
  • Recertification Audit: Finally, after 3 years, when the certificate expires, the company will have to face a recertification audit to maintain the certificate.