Selecting a Certification Body for ISO 20000: A Practical Evaluation Guide

Why CB Selection Matters Beyond Price

The certification body is not a commodity service. The competence of the audit team, the reputation of the certification body with target clients and regulators, and the CB's ability to conduct multi-standard audits directly affect both the audit outcome and the value of the resulting certificate. A certification by a little-known CB with auditors who lack genuine ISO 20000 experience may result in a certificate that sophisticated clients and regulators will question. Conversely, a certification by a recognized CB with auditors experienced in IT service management environments establishes credibility with international customers and strengthens the SMS design through expert auditor insights. The CB selection decision should prioritize auditor competence and CB reputation ahead of price.

 

KAN Accreditation

KAN is Komite Akreditasi Nasional, Indonesia's national accreditation body. For certification to have regulatory recognition in Indonesia and to be accepted by government agencies and sophisticated enterprise clients, the certification body must hold KAN accreditation for ISO 20000 specifically. KAN accreditation means the CB has been assessed to meet stringent criteria for auditor competence, audit process discipline, and independence. A CB holding ISO 9001 and ISO 27001 accreditation may not hold ISO 20000 accreditation; verify this explicitly. The KAN directory of accredited CBs is publicly available online and lists all CBs accredited for each standard. Before engaging a CB, cross-reference its name on the KAN directory and confirm that its scope of accreditation includes "ISO 20000-1:2018 Service management system – Requirements".

 

IAF Multilateral Recognition

IAF is the International Accreditation Forum. The IAF MLA (Multilateral Recognition Arrangement) is a peer-to-peer recognition agreement among accreditation bodies from different countries. A certificate issued by a CB accredited under an IAF MLA member accreditation body has enhanced international recognition. For organizations with customers or partners outside Indonesia, IAF MLA recognition strengthens the credibility of the ISO 20000 certificate. Check the IAF directory to confirm that KAN (Indonesia's accreditation body) holds IAF MLA membership. This information is also typically stated on the accreditation body website.

 

Key CB Evaluation Criteria

Accreditation Scope

Verify that the CB is specifically accredited for ISO 20000-1:2018. A CB accredited only for ISO 9001 or ISO 27001 cannot legally issue ISO 20000 certificates. Request the CB's accreditation certificate or scope of accreditation document as proof. This is not negotiable.

Auditor Competence

Request the CVs of the auditors who will lead your Stage 1 and Stage 2 audits. Verify that each auditor holds a recognized lead auditor qualification for ISO 20000 (such as IRCA, Exemplar Global, or equivalent). Check their prior ISO 20000 audit experience; auditors with at least three prior ISO 20000 audits demonstrate genuine expertise. Ask about ITIL certification or equivalent IT service management training. An auditor who is ITIL-trained will understand the context of IT service management practices and ask more insightful questions than an auditor who is new to IT service management.

Multi-Standard Capability

If your organization is pursuing both ISO 20000 and ISO 27001 (or ISO 22301), ask whether the CB can conduct combined audits where a single audit team covers both standards. This requires that auditors are competent in both standards. Using the same CB for multi-standard audits significantly increases efficiency and reduces total audit days. If the CB cannot conduct combined audits, ask which other CB it typically partners with for multi-standard programs; lack of a clear answer is a red flag.

Indonesian Market Presence

CBs with local offices or regular Indonesian operations understand Indonesian business context, regulatory environment, and customer expectations. They can usually schedule audits faster and have lower travel costs. Ask whether the CB has conducted prior ISO 20000 audits in Indonesia and request references from Indonesian organizations it has certified.

Client References

Ask the CB for 2–3 client references from other Indonesian IT service organizations it has certified for ISO 20000. Contact these references and ask about their experience: Did the auditors ask insightful questions? Were the audit findings fair and reasonable? How long did it take from Stage 2 closure to certificate issuance? Is the CB responsive to questions between audits?

Audit Fee Structure

Obtain a detailed fee proposal that breaks down Stage 1 fees, Stage 2 fees, surveillance audit fees, and recertification fees. Ask for man-day rates, whether travel costs are included or charged separately, and how subsistence costs are handled. Clarify the cost structure for combined multi-standard audits. Be wary of CBs that quote an all-in flat fee without explaining what scope or hours are included.

Turnaround Time

Ask how quickly the CB can schedule Stage 1 and Stage 2 audits. A typical timeline is 2–4 weeks for Stage 1 scheduling after engagement, and Stage 2 scheduled 6–12 weeks after Stage 1. Ask how long the certification decision takes after Stage 2 closes; most CBs issue decisions within 2–3 weeks. CBs with months-long scheduling delays are often overbooked and may not provide responsive service.

KEY CONCEPT: KAN accreditation verifies that the CB meets competence and independence standards set by Indonesia's accreditation authority. An uncertified CB or a CB without KAN accreditation for ISO 20000 cannot issue certificates that will be recognized by Indonesian regulators or by sophisticated international clients. Always verify KAN accreditation before engaging.

 

The RFQ Process

Prepare a Request for Quote (RFQ) that includes: your organization's scope (the services in scope for ISO 20000 and the customer segments you serve), the number of locations your SMS covers, the estimated size of your SMS team, whether you are pursuing multi-standard certifications and which standards, the planned audit timeline, and your organization's size (number of IT staff, annual IT budget, or equivalent metric). Send the RFQ to 3–4 qualified CBs. Evaluate proposals not just on price but on the experience of the proposed audit team, the CB's understanding of your organization's context shown in the proposal, the quality of the service level agreement offered by the CB, and responsiveness to clarifying questions. Fee negotiation is appropriate; however, never negotiate so aggressively that you reduce the CB's profit margin to unsustainable levels, as this typically results in reduced service quality.

 

Same CB for Multi-Standard

Use the same CB for ISO 20000 and ISO 27001 unless there is a compelling specific reason otherwise. Advantages include combined audit planning, integrated audit team, single relationship manager, and significant reductions in total audit days. The only disadvantage is that you have less competitive pricing pressure from multiple CBs; however, the efficiency gains typically outweigh this disadvantage. If you use different CBs for each standard, coordinate audit timings to ensure that one audit does not disrupt the business during the other audit.

 

Switching CBs

If you need to switch CBs during a certification cycle (for example, if the current CB is not responsive or raises findings you believe are unreasonable), you can transition to a new CB. The new CB will conduct a full Stage 2 audit and may accept some evidence from the previous CB's Stage 2, but do not assume continuity. Plan for a full Stage 2 with the new CB. The previous CB's certificate and audit reports remain valid until expiry; a certificate is evidence of your certified status regardless of whether you continue with the same CB for surveillance.

IMPORTANT: Never select a CB based on price alone. A cheap audit by an auditor without genuine ISO 20000 competence may produce a certificate that sophisticated clients and regulators will question. Prioritize auditor competence and CB reputation.

 

CB Evaluation Criteria Scorecard

| Criterion | Weight | How to Assess | Red Flags |
|---|---|---|---|
| KAN Accreditation for ISO 20000 | Critical | Verify on KAN directory; CB must have specific ISO 20000 accreditation | No KAN accreditation; only ISO 9001 accredited |
| IAF MLA Recognition | High | Verify accreditation body is IAF MLA member; check CB website for statement | Accreditation body not listed as IAF MLA member |
| Auditor Competence – ISO 20000 | Critical | Request auditor CVs; check lead auditor qualifications; ask about ITIL training | Auditors newly qualified; no prior ISO 20000 audit experience |
| IT Service Management Background | High | Ask if auditors have ITIL or equivalent; prior experience in IT environments | Auditors from manufacturing or general auditing backgrounds only |
| Multi-Standard Capability | High | Ask if CB can conduct combined ISO 20000 + ISO 27001 audits; check auditor qualifications | CB can only do ISO 20000; separate auditors required for ISO 27001 |
| Indonesian Market Presence | Medium | Ask if CB has local office; prior audit experience in Indonesia; regulatory familiarity | Foreign CB with no Indonesian experience; long turnaround times |
| Client References | Medium | Request 2–3 references from Indonesian IT service organizations certified by this CB | Cannot provide Indonesian references; all references are foreign |
| Audit Fee Structure | Medium | Get detailed fee schedule for Stage 1, Stage 2, surveillance; man-day rates; travel costs | Vague pricing; all-in fees that hide true scope; high travel cost burden |
| Turnaround Time | Medium | Ask how quickly they can schedule; how quickly certification decision is made | Months-long scheduling delays; certification decision takes weeks after audit |

BITLION INSIGHT: Bitlion maintains a curated list of KAN-accredited ISO 20000 certification bodies with verified Indonesian market presence and multi-standard audit capability. This list is updated quarterly and includes contact information and auditor profiles for major CBs.