Multi-Standard Certification: Running ISO 20000 and ISO 27001 Together

Why Combined Certification

Most Indonesian IT service organizations pursuing ISO 20000 also hold or are pursuing ISO 27001 (information security). Running both certification programs from the same certification body and using the same audit team enables combined audits that are significantly more efficient than two separate audits. Instead of one audit team spending three days on ISO 20000 and another team spending four days on ISO 27001 (seven total days), a single combined audit team can audit both standards in five to six days. The efficiency gain comes from examining shared elements (governance, context, leadership, planning, support, performance evaluation, improvement) once rather than twice. A typical organization pursuing both certifications sees 24–29% reduction in total audit effort across the three-year certification cycle.

How Combined Audits Work

In a combined audit, a single audit team with lead auditors competent in both ISO 20000 and ISO 27001 conducts a combined Stage 1 (covering both standards) and a combined Stage 2 (covering both standards) simultaneously. The result is separate audit reports and separate certificates issued for each standard (ISO 20000 certificate and ISO 27001 certificate), but the auditing process is integrated. An integrated audit plan covers the clauses and controls of both standards, mapping where they overlap and where they require distinct audit activities.

The Combined Audit Plan

In a combined audit plan, auditors map audit sessions to the clauses/controls of both standards simultaneously. Shared elements are audited once:

- Organization context: understand the organization once, and answer the context questions for both standards.
- Leadership and commitment: one management interview answers the questions for both standards.
- Planning: one discussion of strategic planning addresses ISO 20000 planning and ISO 27001 planning.
- Organizational support: one conversation about competence, awareness, and communication covers both.
- Performance evaluation and improvement: one review of management review and internal audit outputs covers both standards.

Standard-specific elements require dedicated audit time. ISO 20000 Clause 8 practices (incident, problem, change, configuration, service level, availability, capacity, continuity, budgeting, supplier management) are specific to ISO 20000 and are audited in detail by the ISO 20000-competent auditor. ISO 27001 Annex A controls and ISMS-specific processes are specific to ISO 27001 and are audited in detail by the ISO 27001-competent auditor. The combined effect is that shared elements reduce total audit scope by 20–30%, while practice-specific and control-specific auditing remains thorough.

Auditor Competence Requirements

Combined audits require lead auditors who hold valid lead auditor qualifications for both ISO 20000 and ISO 27001. This is not a universal capability; not every lead auditor has dual qualifications. When selecting a CB for combined auditing, always verify that the proposed auditors are individually qualified as lead auditors for both standards. Ask the CB to provide the auditors' credentials and verify them. Some CBs use separate auditors for each standard working in tandem; this is acceptable but less efficient because coordination is required between the two audit teams.

Audit Efficiency in Practice

As a concrete example: a standalone ISO 20000 Stage 2 might require 3 man-days; a standalone ISO 27001 Stage 2 might require 4 man-days; together, if done separately, that is 7 man-days. A combined Stage 2 for both standards typically requires 5–6 man-days—a saving of 1–2 days. The saving increases at surveillance audits (where the scope is narrower) and at recertification. Across the full three-year certification cycle, the cumulative savings can be five to six man-days, which translates to meaningful cost savings and reduced disruption to the organization.

Adding ISO 22301 to the Combination

Organizations pursuing all three standards (ISO 20000, ISO 27001, and ISO 22301 Business Continuity) can achieve three-standard combined audits with even greater efficiency gains. The three standards share significant governance and support elements, and a combined audit plan can cover all three in even less total time than separate audits. This is the optimal integrated approach for Indonesian IT service organizations with comprehensive compliance programs.

Certificate Independence

Even in combined audits, each standard receives a separate audit report and a separate certificate. The ISO 20000 certificate and the ISO 27001 certificate are independent documents. If one standard fails (e.g., the organization does not resolve a major NC before the deadline), the other standard's certificate is not automatically affected. The organization can also maintain separate certification cycles; for example, if ISO 27001 was certified 18 months before ISO 20000, the two three-year renewal dates are different. However, it is more efficient to align the cycles if possible.

Synchronizing Certification Cycles

If ISO 20000 and ISO 27001 are on different renewal schedules (e.g., ISO 27001 certificate expires 18 months before ISO 20000), consider aligning them by requesting that the CB schedule Year 1 or Year 2 surveillance audits at times that bring the renewal dates into alignment. For example, if ISO 27001 renews in January and ISO 20000 renews in July, the CB might conduct the ISO 20000 Year 2 surveillance in June rather than its normal schedule, moving the renewal closer to January. This allows combined auditing at recertification instead of separate audits, creating efficiency.

Scope Alignment

Both ISO 20000 and ISO 27001 define organizational scope. The ISO 20000 scope describes which services are managed by the SMS. The ISO 27001 scope describes which assets, processes, and locations are covered by the ISMS. These scopes may overlap (the ISMS covers the same services as the SMS) or may differ (the ISMS covers the whole organization, but the SMS covers only certain critical services). Auditors need to understand the scope relationship. Ideally, the ISO 20000 SMS scope is a subset of, or co-extensive with, the ISO 27001 ISMS scope. If the SMS covers more than the ISMS (which is unusual), that creates a mismatch that auditors will question.

Practical Considerations for Indonesian Organizations

For Indonesian organizations planning combined ISO 20000 + ISO 27001 certification:

(1) Certification body selection: Verify that the CB holds KAN accreditation for both ISO 20000 and ISO 27001, and that the proposed auditors are individually qualified for both standards.
(2) Auditor Indonesian market knowledge: Prioritize CBs with local presence or prior audit experience in Indonesia.
(3) Audit scheduling: Coordinate combined audit timing around critical business periods to minimize business disruption.
(4) Cost structure: Combined audits typically cost 20–25% less than the sum of two separate audits. Negotiate the combined pricing explicitly in the engagement agreement.

KEY CONCEPT: Combined audits do not reduce the rigor of either standard's audit. The same requirements must be demonstrated for both ISO 20000 and ISO 27001. The efficiency comes from examining shared elements (governance, support, performance evaluation) once rather than twice, and from auditor familiarity with the organization reducing setup and context-building time. Practice-specific and control-specific work is performed at full depth.

Disadvantages and Tradeoffs

The main disadvantage of combined auditing is reduced competitive pricing pressure. With a single CB providing both services, the organization has less leverage to negotiate lower rates. If you use different CBs for each standard, you can pit them against each other for pricing. The efficiency gains from combined auditing typically outweigh the pricing disadvantage, but organizations with tight budgets should compare the total cost of combined vs separate auditing. Alternatively, negotiate the combined pricing aggressively; most CBs are willing to discount combined audits to win the business.

IMPORTANT: Not all CBs have auditors competent in both ISO 20000 and ISO 27001. Confirm auditor qualifications for both standards before signing an engagement agreement. Request the auditors' lead auditor certificates as proof.

Combined vs Separate Audit Comparison

| Audit Stage | Separate Approach (days) | Combined Approach (days) | Effort Saving | Key Consideration |
|---|---|---|---|---|
| Stage 1 | ISO 20000: 1 day; ISO 27001: 1 day = 2 days | Combined: 1.5 days | 0.5 days | Combined Stage 1 audits shared governance; ISO 27001 documentation review takes less additional time |
| Stage 2 | ISO 20000: 3 days; ISO 27001: 4 days = 7 days | Combined: 5–6 days | 1–2 days | Shared governance, support, performance evaluation clauses reduce overall scope; practice/control-specific work done once |
| Year 1 Surveillance | ISO 20000: 1 day; ISO 27001: 1.5 days = 2.5 days | Combined: 2 days | 0.5 days | Rotating sample of practices and controls combined in a single audit plan |
| Year 2 Surveillance | ISO 20000: 1 day; ISO 27001: 1.5 days = 2.5 days | Combined: 2 days | 0.5 days | Further efficiency as auditors are familiar with the organization |
| Year 3 Recertification | ISO 20000: 3 days; ISO 27001: 4 days = 7 days | Combined: 5–6 days | 1–2 days | Full recertification scope; combined efficiencies maintained |
| Total 3-Year Effort | ISO 20000: 9 days; ISO 27001: 12 days = 21 man-days | Combined: 15–16 man-days | 5–6 man-days (24–29% reduction) | Significant effort and cost savings over the certification cycle |

BITLION INSIGHT: Bitlion GRC provides a multi-standard compliance platform with integrated ISO 20000 + ISO 27001 + ISO 22301 evidence management. The platform helps organizations organize evidence for combined audits, track progress across multiple standards on aligned timelines, and identify where evidence satisfies requirements from multiple standards simultaneously.