Stage 1 Audit: What Happens, What Auditors Look For, and How to Prepare

What Stage 1 Is

Stage 1 is a documentation and readiness review, not an implementation audit. The auditor is assessing whether the SMS is sufficiently designed and documented to warrant proceeding to a full Stage 2 implementation audit. Stage 1 is typically conducted on-site or remotely and lasts approximately one day for most organizational scopes. The auditor will not examine operational evidence (incident records, change records, etc.) at Stage 1; that examination occurs at Stage 2. Instead, the Stage 1 auditor focuses on the SMS design—is it sound? Is it complete? Is it appropriate for the organization's scope and customer base? The output of Stage 1 is a Stage 1 report that identifies any significant gaps in documented information or SMS design that must be remediated before Stage 2 can proceed.

 

Stage 1 Objectives

The Stage 1 audit has five explicit objectives:

(1) Confirm that the SMS scope is accurately defined and consistent with the organization's service portfolio.
(2) Verify that all mandatory documented information exists and is controlled.
(3) Assess the maturity of SMS design against ISO 20000-1:2018 requirements, clause by clause.
(4) Identify any significant gaps that would prevent Stage 2 from being productive or that might result in major findings at Stage 2.
(5) Confirm the Stage 2 audit plan, timing, and focus areas based on Stage 1 findings.

A successful Stage 1 leaves no ambiguity about scope or documented information and sets clear expectations for Stage 2.

 

What Auditors Review at Stage 1

Scope Statement

The auditor will examine the scope statement (the document that defines what is included in and excluded from the SMS) for clarity and accuracy. The auditor may ask staff members to verbally describe the SMS scope and will compare that verbal description to the written scope. If discrepancies emerge (e.g., "the scope statement says we manage three services, but staff describe managing five"), the auditor will raise this as a potential nonconformity. The scope statement must be current; if the organization has added new services since the scope was written, the scope statement must be updated.

Service Management Plan

The SMP is the strategic document that describes how the SMS will operate and how it will achieve its objectives. The auditor will examine whether the SMP covers all required elements from ISO 20000-1:2018 Clause 6.2: general description of the SMS, scope, objectives, processes and their relationships, top management responsibilities, resources, and controls. The auditor will verify that the SMP is current (not more than a year or two old) and has been formally approved by top management.

Service Management Policy

The service management policy is a brief, signed statement of top management's commitment to the SMS and its alignment with organizational strategy. The auditor will verify that the policy is signed by the chief executive or equivalent, is publicly accessible to SMS staff, and is actually communicated (not just filed away).

Service Portfolio

The service portfolio is the list of all services the organization manages under the SMS. For each service, the auditor will verify that a status is defined (e.g., "operational," "development," "retired"), that the service is described (what customers does it serve? what does it do?), and that SLA references are clear (which customer SLAs apply to this service?).

SLAs

The auditor will verify that service level agreements exist for all customer relationships within the SMS scope. Each SLA should specify the services covered, the service levels (availability, response time, etc.), the measurement method, and penalties or credits for breach. SLAs must be signed by both the organization and the customer and must have current effective dates.

Practice Procedures for All Clause 8 Requirements

ISO 20000 Clause 8 covers 11 practices: incident management, problem management, change management, configuration management, service level management, availability management, capacity management, continuity management, information security management, budgeting and accounting, and supplier management. For each practice, the auditor will verify that a procedure document exists, that it is complete (it describes the process from initiation to closure), and that it is version-controlled (document number, version, date, owner).

Risk and Opportunity Assessment

ISO 20000 Clause 6.1 requires that the organization conduct a risk and opportunity assessment and document the results. The auditor will look for a documented assessment that identifies risks to the SMS (e.g., key person dependency, technology obsolescence, compliance risk) and opportunities to enhance the SMS (e.g., automation, process improvement). The assessment should show which risks have been accepted as residual risk and which have mitigating actions.

Internal Audit Program

The auditor will verify that an internal audit plan or program exists that covers all ISO 20000-1:2018 clauses (not just Clause 8 practices). The plan should show which clauses will be audited when and by whom. Ideally, the internal audit has been conducted before Stage 1, but if not, it should be scheduled before Stage 2.

Management Review

ISO 20000 Clause 9.3 requires periodic management review of the SMS. The auditor will look for documented minutes of a management review meeting that took place since the SMS was established. The minutes should show that required inputs were reviewed (performance data, audit results, external changes, feedback, nonconformities, objective achievement) and that outputs and follow-up actions were decided.

Competence and Training

The auditor will verify that SMS staff have been trained on the SMS and that training records exist. This need not be formal classroom training; it can be on-the-job training, provided it is recorded and documented.

KEY CONCEPT: Stage 1 determines the focus areas for Stage 2. Auditors use Stage 1 findings and identified gaps to plan where to spend their Stage 2 time. A strong Stage 1 with clear documentation and no major findings means a more efficient and productive Stage 2.

 

Stage 1 Findings

Stage 1 may result in three types of findings: major findings (prevent Stage 2 progression until resolved; typically indicate missing mandatory documented information or fundamental scope inconsistencies), minor findings (can typically be addressed before or during Stage 2; indicate incomplete or out-of-date documentation), and observations (areas noted for attention; no corrective action required). A common major finding is "Scope statement does not match actual service portfolio—scope must be clarified and approved before Stage 2." A common minor finding is "Service management plan missing section on risk and opportunity management." An observation might be "Documentation could be more explicit on escalation procedures for critical incidents."

 

Most Common Stage 1 Nonconformities

Organizations preparing for Stage 1 should be especially mindful of these gaps, which frequently trigger Stage 1 nonconformities:

(1) Scope statement inconsistent with actual service portfolio—services described in scope do not match the services staff say they manage.
(2) Service management plan missing or incomplete—critical sections are absent or outdated.
(3) SLAs not signed or significantly out of date—customer sign-off is missing or the document is years old.
(4) No documented risk assessment—the organization has not formally assessed risks to the SMS.
(5) Internal audit not yet conducted—no evidence of internal audit activity.
(6) Management review not yet conducted—no evidence of periodic management review of the SMS.
(7) Practice procedures missing for key Clause 8 requirements—one or more practices lack documented procedures.
(8) No document control system—documents do not have version numbers, dates, or approval records.

 

After Stage 1

Within 2–3 weeks of Stage 1, the CB will issue the Stage 1 report. Review the findings and major nonconformities carefully. If major findings are present, develop a corrective action plan that shows exactly how you will remediate each gap and by what date. Plan 4–8 weeks for remediation if significant findings were raised. Once remediation is complete, submit evidence of closure to the CB. Once the CB accepts closure of all major findings, Stage 2 can be scheduled. The interval from Stage 1 to Stage 2 is typically 4–12 weeks, allowing time for remediation if needed.

 

Remote vs On-Site Stage 1

Stage 1 can typically be conducted remotely via video conferencing if the organization and CB agree. For a remote Stage 1, prepare a document sharing platform (shared folder or secure online portal) where the auditor can access all documented information. In the week before the remote Stage 1, provide the auditor advance access to all documents so they can ask clarifying questions before the video session. The video session will then focus on scope validation, governance structure, and next steps. Remote Stage 1 audits save travel costs and are increasingly accepted; however, if the auditor identifies the need for on-site review (e.g., to physically verify the CMDB or meet with staff), an on-site visit may be requested.

IMPORTANT: Do not submit to Stage 1 before all mandatory documented information exists. Stage 1 findings for missing documents will delay Stage 2 by weeks and incur additional audit fees for follow-up review. Ensure all mandatory documented information is complete, controlled, and current before scheduling Stage 1.

 

Stage 1 Document Review Checklist

| Document | Clause Reference | What Auditors Check | Common Finding |
|---|---|---|---|
| Scope Statement | 4.3 | Is it clear, unambiguous, and consistent with verbal description? | Scope too broad or vague; inconsistent with actual services |
| Service Management Policy | 5.2 | Is it signed by top management? Is it communicated? Is it accessible? | Policy missing or unsigned; not demonstrated to staff |
| Service Management Plan | 6.2 | Does it cover all required elements? Is it complete? Is it current? | Plan missing critical sections; significantly outdated |
| Service Portfolio | 5.1 | Are all in-scope services listed? Are statuses defined? Are SLA links clear? | Missing services; unclear which services are in SMS scope |
| SLAs | 7.5 | Do signed agreements exist with all in-scope customers? Are they current? | Missing signed agreements; SLAs expired or not customer-signed |
| Practice Procedures – All Clause 8 | 8 | Do procedures exist for all 11 requirements? Are they complete and controlled? | Missing procedures; procedures incomplete or not version-controlled |
| Risk and Opportunity Assessment | 6.1 | Has a formal assessment been conducted? Is residual risk documented? | No documented risk assessment; risk register absent |
| Internal Audit Program | 9.2 | Has the internal audit been conducted or scheduled? Does it cover all clauses? | No internal audit planned; only certain clauses to be audited |
| Management Review | 9.3 | Has management review been conducted? Are documented minutes available? | Management review not yet conducted; no written record |
| Competence and Training | 7.2 | Is there evidence that SMS staff have been trained on the SMS? Records kept? | No training records; staff competence not demonstrated |

BITLION INSIGHT: Bitlion GRC provides a Stage 1 preparation checklist and document readiness tracker that helps organizations verify readiness against all Stage 1 auditor focus areas before engaging the certification body. This reduces the risk of Stage 1 findings that delay certification.