Why Preparation Matters
Certification audits are not pass–fail events that tolerate immaturity. A poorly prepared Stage 1 or Stage 2 audit incurs real costs: failed audits delay certification by months, corrective action periods extend the timeline further, and certification bodies charge additional fees for follow-up visits. Organizations that begin their Stage 1 audit before readiness gates are passed often spend 40–60% more in total audit fees than organizations that prepare thoroughly before submitting to audit. More critically, an underprepared audit damages credibility with customers who are evaluating the organization’s SMS maturity and commitment. The certification process is not a test of luck; it is an opportunity to demonstrate that the SMS is genuinely operational and sustainable.
The Readiness Gate Model
Before booking a certification audit, the organization must pass three readiness gates. These gates are not theoretical; they represent the minimum conditions under which a Stage 1 auditor can conduct a productive audit and under which a Stage 2 auditor can find evidence of operational SMS practice.
Gate 1: Documentation Readiness
All mandatory documented information must be created, controlled, and current. This includes the scope statement, service management policy, service management plan, service portfolio with status definitions, SLAs for all in-scope customer relationships, practice procedures for all Clause 8 requirements (incident, problem, change, configuration, service level, availability, capacity, continuity, information security, budgeting and accounting, and supplier management), a CMDB or equivalent configuration data source, and supplier agreements for all in-scope suppliers. Additionally, a document version control system must be in place and the document register must be current. Gate 1 is passed when all these documents exist in controlled versions and are signed by the appropriate authority (the SMS coordinator may sign on behalf of top management if delegated). A checklist approach helps: list each mandatory documented information item, assign an owner, set a target completion date, and verify completion before declaring Gate 1 passed.
Gate 2: Operational Evidence Readiness
The SMS must have operated for at least three months to generate the evidence auditors will examine. This includes complete incident records (at least 50 incidents with all mandatory fields: ID, date, category, impact, urgency, SLA status, resolution), problem records with root cause analyses (at least 20 problems), change records with approvals and post-implementation reviews (at least 30 changes), CMDB records that have been verified for accuracy by testing a representative sample of configuration items in the live environment, monthly service reports covering at least three months, service review meeting minutes from the same period, documented customer satisfaction measurement results, and supplier performance review records. If the organization is starting the SMS from scratch, Gate 2 can only be passed by waiting until the 90-day evidence window is complete. Attempting to enter Stage 2 before three months of operational evidence exist is one of the most common preparation failures; auditors cannot assess operational maturity from sparse records.
Gate 3: Internal Governance Readiness
An internal audit covering all ISO 20000-1:2018 clauses must be completed. All nonconformities from the internal audit must have documented corrective actions, and either the nonconformities must be closed (with verification evidence) or a clear resolution plan must exist with committed dates. A management review must be conducted with documented minutes that show that all required inputs were reviewed (performance data, audit results, external environment changes, customer feedback, nonconformity status, objective performance) and that outputs and follow-up actions were decided. Service management objectives must be documented and baselines must be established; some progress toward the objectives should be measurable. Gate 3 is passed when the organization demonstrates that it has internal audit and management review processes in place and is managing SMS performance.
| KEY CONCEPT | The 90-day evidence rule: Most certification bodies expect to see a minimum of three months of operational evidence before Stage 2. If you start SMS operations on 1 January, you cannot realistically enter Stage 2 until 1 April at the earliest. Plan your certification timeline accordingly. |
Stage 1 Specific Preparation
Stage 1 is a documentation and readiness review. Auditors focus on the accuracy of the scope statement, the completeness of the service management plan, the existence of the mandatory documented information set, and an initial assessment of practice maturity. A typical Stage 1 audit lasts one day for most organizational scopes (larger, multi-division organizations may have a longer Stage 1). To prepare for Stage 1, assemble a submission package that includes the scope statement, the service management plan, the service management policy, the service portfolio, the complete set of practice procedures, evidence of document version control (the document register), evidence of top management commitment (e.g., a management review minute or approval email), and a brief organizational chart showing roles and SMS governance. Have the SMS coordinator available for the entire Stage 1 audit to answer questions about SMS scope, governance, and the planned Stage 2 timing.
Stage 2 Specific Preparation
Stage 2 is the implementation audit. Prepare the management team by briefing them on what to expect, what auditors will ask, and how their answers contribute to the audit outcome. Brief staff who will be interviewed on the practice areas (service desk, change manager, problem manager, CMDB administrator, etc.) by preparing practice questions that auditors are likely to ask: "Walk me through a recent incident you handled. Show me the record and explain how you classified it and what SLA applied." Have staff review their records so they can speak to them confidently. Organize all documented information and operational evidence in a way that auditors can retrieve items quickly; do not overwhelm them with thousands of documents. Prepare a dedicated audit room with tables, internet access, and a secure way for auditors to view confidential records. Ensure top management is available during the Stage 2 opening meeting and closing meeting to discuss SMS governance, objectives, and strategic intent.
Mock Audit Approach
In the 4–6 weeks before Stage 2, conduct a final internal "mock Stage 2" audit. Assign internal audit resources or engage an external consultant to play the auditor role. Have the mock auditor sample records from each practice area (e.g., 5 incidents, 3 problems, 5 changes, 3 service reviews) and review them as a Stage 2 auditor would. Have the mock auditor interview practice owners using realistic questions. Identify any gaps in records, inconsistencies in classification, or missing evidence. Fix these issues before the real Stage 2. A mock audit often reveals small inconsistencies that, if left unaddressed, could be rated as minor nonconformities or observations in the real audit. Addressing them beforehand demonstrates professionalism and confidence.
| IMPORTANT | Stage 1 findings prevent Stage 2. If the Stage 1 audit identifies significant documentation gaps or scope inconsistencies, the certification body will not schedule Stage 2 until those gaps are remediated. Plan 4–8 weeks between Stage 1 and Stage 2 for remediation if findings are identified. |
The "Not Yet" Decision
There are legitimate conditions under which it is better to postpone certification than to proceed underprepared. If the internal audit is not yet complete, postpone. If operational evidence is less than 60 days, postpone. If a significant portion of the management team has changed and understands the SMS plan inadequately, postpone. If the CMDB has never been verified against the live environment, postpone and conduct verification first. The cost-benefit of a two-month delay that ensures a smooth audit is far better than the cost-benefit of a rushed, failed audit. Most certification bodies will accommodate scheduling changes if requested before the audit date; cancellation fees are typically waived if sufficient notice is given.
| BITLION INSIGHT | Bitlion GRC provides a certification readiness dashboard that automatically tracks progress against the three readiness gates, showing real-time status of documentation completion, evidence accumulation, and governance activities. This visibility helps organizations make confident "ready to audit" decisions. |
Readiness Checklist
| Area | Readiness Criterion | Evidence Required | Status Check |
|---|---|---|---|
| Documentation | Scope statement current and accurate | Signed document, version control | ☐ Ready |
| Documentation | Service management plan complete | All required sections present, top management approval | ☐ Ready |
| Documentation | SLAs signed with all in-scope customers | Customer signatures, effective date | ☐ Ready |
| Documentation | Practice procedures for all Clause 8 requirements | Complete procedure set, version control | ☐ Ready |
| Documentation | Risk and opportunity assessment conducted | Risk register, residual risk acceptance | ☐ Ready |
| Operational Evidence | Incident records – 3 months complete | At least 50 incidents with full fields | ☐ Ready |
| Operational Evidence | Problem records and RCA documented | At least 20 problems with root cause analysis | ☐ Ready |
| Operational Evidence | Change records with approvals and PIR | At least 30 changes with CAB approvals | ☐ Ready |
| Operational Evidence | CMDB verified and current | Sample verification of 20+ CIs | ☐ Ready |
| Operational Evidence | SLA performance metrics reported | 3 months of monthly service reports | ☐ Ready |
| Governance | Internal audit completed and documented | Audit report covering all clauses | ☐ Ready |
| Governance | All internal audit NCs have closure plans | Documented corrective actions with verification | ☐ Ready |
| Governance | Management review conducted | Signed minutes with outputs and follow-up | ☐ Ready |
| Governance | SMS objectives defined and being measured | Documented objectives with baselines | ☐ Ready |
Stage 1 vs Stage 2 Preparation
| Preparation Area | Stage 1 Focus | Stage 2 Focus |
|---|---|---|
| Scope Statement | Review accuracy and completeness | Verify actual services match scope |
| Documentation Package | Ensure all mandatory documents exist | Verify documents are actually being used |
| Service Management Plan | Verify all required sections present | Verify it is being followed operationally |
| Practice Procedures | All procedures documented for all requirements | Staff follow procedures; records exist |
| Evidence Timeline | None required at Stage 1 | Minimum 3 months of operational records |
| Staff Preparation | Minimal; SMS coordinator available | All practice owners prepared for interviews |
| Management Availability | Top management may be briefly present | Management review and objectives discussed |
| Audit Duration | Typically 1 day | Typically 2–4 days depending on scope |