Why This Matters
Understanding the 12 most common nonconformity types enables organizations to address them proactively during SMS implementation rather than discovering them during audit. Each of these 12 categories has been raised at ISO 20000 audits dozens of times across organizations of all sizes and industries. Forewarned is forearmed. Implement preventive controls for each, and your audit will likely proceed without major surprises.
Finding 1: Scope Statement Inconsistency
The scope document describes certain services as being managed under the SMS, but the actual service portfolio includes additional services, or differs significantly from what is documented. An auditor reviewing the scope statement and then interviewing staff may find that staff describe managing five services, but the scope statement lists three. Prevention: Before Stage 1, validate the scope statement against the actual service portfolio. If your organization manages any service at all, it must either be in the SMS scope or be explicitly listed as "out of scope." If services have changed since the scope was written, update the scope statement and have it re-approved.
Finding 2: Service Management Plan Not Current
The SMP was produced during SMS implementation and never updated. It describes resources, timelines, or organizational structures that have since changed. Prevention: Build SMP review into the annual management review cycle. Assign the SMS coordinator the responsibility to propose SMP updates annually, review them for accuracy, and have top management re-approve if changes have been made. Maintain version control.
Finding 3: Service Management Objectives Not Measurable
Objectives are stated in purely qualitative terms: "improve incident response," "reduce problems," "increase customer satisfaction." There are no numerical targets, baselines, or measurement methods. Prevention: Apply SMART criteria to all SMS objectives. Instead of "improve incident response," use "achieve 95% of critical incident resolutions within 4-hour SLA by 31 December 2026, measured by monthly incident records." Each objective should have a baseline (current state), a target (desired state), a measurement frequency, and an owner.
Finding 4: Risk Assessment Not Updated
An initial risk assessment was conducted during SMS implementation but has never been reviewed. The SMS context has changed (new services added, new regulations, new threats, key personnel turned over), but the risk register is unchanged. Prevention: Schedule an annual risk assessment review as part of the management review calendar. Additionally, run trigger-based reviews whenever a significant context change occurs, and update the risk register as part of each review.
Finding 5: Incident Management Records Incomplete
Incidents are logged, but many records are missing critical fields: classification is incomplete, escalation status is not documented, SLA status is blank, closure verification is missing. Prevention: In your ITSM tool, enforce mandatory fields so that incidents cannot be marked as "closed" until all required fields are completed. Sample 10–20 incident records monthly and review for completeness. Assign the incident manager ownership of data quality.
Finding 6: Problem Management Stale
Problem records are opened but never progressed through analysis. A problem may be open for six months with no RCA work. The known error database is empty or rarely updated. Prevention: Hold a weekly or bi-weekly problem review meeting attended by the problem manager, incident manager, and change manager. Assign specific RCA timelines (e.g., P1 problems get RCA within one week, P2 within two weeks). Track mean time to RCA as a KPI.
Finding 7: Change Records Missing Approval or PIR
Changes are implemented without evidence of documented approval. Post-implementation reviews are not consistently completed. Prevention: Make CAB minutes a mandatory attachment to the change record; the minutes serve as approval evidence. Make PIR a mandatory field in your ITSM tool; changes cannot be marked "completed" without PIR completion. Sample changes monthly for completeness.
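Findings 5 and 7 both come down to the same control: closed records must carry every mandatory field, and a monthly sample is reviewed for completeness. The script below is an added example, not code from the original article or from any ITSM product. It applies a per-record-type list of mandatory fields (field names are assumed; map them to your tool's schema), skips records that are still open, reports the gaps per record, and draws a reproducible monthly sample for manual review. The incident and change records are constructed for illustration.

```python
"""Mandatory-field completeness check for ITSM incident and change records.

Added example (not from the original article or any ITSM product). Field names
and the sample records below are constructed; adapt them to your tool's schema.
"""
import random
from typing import Dict, List

# Mandatory fields per record type (assumed names). Incidents follow Finding 5,
# changes follow Finding 7 (CAB approval evidence and PIR).
MANDATORY_FIELDS = {
    "incident": ["classification", "priority", "escalation_status",
                 "sla_status", "closure_verified_by"],
    "change": ["cab_minutes_ref", "approved_by", "pir_completed", "pir_summary"],
}

# A record in one of these states must be fully populated; open records may
# legitimately still have blanks while work is in progress.
CLOSED_STATES = {"incident": {"closed"}, "change": {"completed"}}


def missing_fields(record: Dict, record_type: str) -> List[str]:
    """Return the mandatory fields that are absent, empty or unset in a record."""
    required = MANDATORY_FIELDS[record_type]
    # None, "" and False all count as "not completed" (a PIR flag left at False fails).
    return [f for f in required if record.get(f) in (None, "", False)]


def check_records(records: List[Dict], record_type: str) -> Dict:
    """Check every closed record and report the ones that fail the mandatory-field rule."""
    closed = [r for r in records if r.get("state") in CLOSED_STATES[record_type]]
    failures = {r["id"]: missing_fields(r, record_type) for r in closed}
    failures = {rid: gaps for rid, gaps in failures.items() if gaps}
    checked = len(closed)
    completeness = round(100.0 * (checked - len(failures)) / checked, 1) if checked else None
    return {
        "checked": checked,
        "failed": len(failures),
        "completeness_pct": completeness,
        "failures": failures,
    }


def monthly_sample(records: List[Dict], sample_size: int, seed: str) -> List[str]:
    """Draw a reproducible random sample of record ids for the monthly manual review.

    Seeding with the reporting period (e.g. "2026-03") lets an auditor regenerate
    exactly the sample that was reviewed, from the same export.
    """
    rng = random.Random(seed)
    ids = sorted(r["id"] for r in records)
    return sorted(rng.sample(ids, min(sample_size, len(ids))))


# Constructed sample records (not real data).
INCIDENTS = [
    {"id": "INC-1001", "state": "closed", "classification": "hardware", "priority": "P1",
     "escalation_status": "escalated", "sla_status": "met", "closure_verified_by": "j.doe"},
    {"id": "INC-1002", "state": "closed", "classification": "", "priority": "P3",
     "escalation_status": "none", "sla_status": "", "closure_verified_by": "j.doe"},
    {"id": "INC-1003", "state": "open", "classification": "", "priority": "P2"},
]
CHANGES = [
    {"id": "CHG-2001", "state": "completed", "cab_minutes_ref": "CAB-2026-03",
     "approved_by": "cab", "pir_completed": True, "pir_summary": "no issues"},
    {"id": "CHG-2002", "state": "completed", "cab_minutes_ref": "", "approved_by": "",
     "pir_completed": False, "pir_summary": ""},
]

if __name__ == "__main__":
    for name, recs, rtype in (("incidents", INCIDENTS, "incident"), ("changes", CHANGES, "change")):
        result = check_records(recs, rtype)
        print(f"{name}: {result['checked']} checked, {result['failed']} incomplete "
              f"({result['completeness_pct']}% complete)")
        for rid, gaps in result["failures"].items():
            print(f"  {rid}: missing {', '.join(gaps)}")
    print("review sample:", monthly_sample(INCIDENTS, 2, "2026-03"))
```

Run it monthly against an export from the ITSM tool and keep the printed report and the sample ids with the month's data-quality evidence; the `completeness_pct` figure is the number the incident manager owns as a data-quality KPI.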
Finding 8: CMDB Inaccuracy
The CMDB data does not match the actual environment. Configuration items are listed with outdated versions, relationships are wrong, or data has never been verified. Prevention: Establish a quarterly CMDB verification cycle. Select a representative sample of 10–20 CIs and physically verify their attributes against the actual environment. Track CMDB accuracy as a KPI. Assign an accountable CMDB administrator with sufficient time allocation.
Finding 9: SLA Performance Not Evidenced
SLA commitments exist in writing, but no systematic performance monitoring occurs. No monthly service reports are produced. There is no visibility into whether SLA targets are being met. Prevention: Implement availability and performance monitoring from the day SMS operations begin. Establish a monthly service reporting cycle as a mandatory SMS activity. Use monitoring tools to automatically measure SLA metrics and populate monthly reports.
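Finding 3 gives the shape of a measurable objective ("95% of critical incident resolutions within the 4-hour SLA, measured monthly from incident records") and Finding 9 asks for that figure to appear in a monthly service report. The script below is an added example, not code from the original article or from any monitoring tool: it groups critical incidents by the month they were opened, computes attainment against the resolution commitment, and flags whether the monthly target was met. Unresolved incidents are reported separately so a month cannot look compliant simply because tickets have not been closed. The record layout and the sample incidents are constructed.

```python
"""Monthly SLA attainment from incident records.

Added example (not from the original article or any monitoring product).
The objective values come from Finding 3 in the article; the record layout
and the sample incidents are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SLA_TARGET_PCT = 95.0                 # objective target from Finding 3
SLA_RESOLUTION = timedelta(hours=4)   # per-incident commitment for critical incidents
CRITICAL_PRIORITY = "P1"              # assumed label for "critical"


def resolution_time(incident: Dict) -> Optional[timedelta]:
    """Elapsed time from opening to resolution, or None if still unresolved."""
    if not incident.get("resolved"):
        return None
    opened = datetime.fromisoformat(incident["opened"])
    resolved = datetime.fromisoformat(incident["resolved"])
    return resolved - opened


def within_sla(incident: Dict) -> bool:
    """True when the incident was resolved inside the committed window."""
    elapsed = resolution_time(incident)
    return elapsed is not None and elapsed <= SLA_RESOLUTION


def monthly_attainment(incidents: List[Dict]) -> Dict[str, Dict]:
    """Compute per-month SLA attainment for critical incidents.

    Incidents are bucketed by the month they were opened (the first seven
    characters of the ISO timestamp, e.g. "2026-01"). Only resolved incidents
    enter the attainment calculation; unresolved ones are counted so the
    report shows how much of the month's workload is still outstanding.
    """
    by_month = defaultdict(lambda: {"resolved": 0, "within_sla": 0, "unresolved": 0})
    for inc in incidents:
        if inc.get("priority") != CRITICAL_PRIORITY:
            continue
        bucket = by_month[inc["opened"][:7]]
        if not inc.get("resolved"):
            bucket["unresolved"] += 1
            continue
        bucket["resolved"] += 1
        if within_sla(inc):
            bucket["within_sla"] += 1

    report = {}
    for month, b in sorted(by_month.items()):
        pct = round(100.0 * b["within_sla"] / b["resolved"], 1) if b["resolved"] else None
        report[month] = {**b, "attainment_pct": pct,
                         "target_met": pct is not None and pct >= SLA_TARGET_PCT}
    return report


# Constructed sample incidents (not real data). Timestamps are ISO 8601.
INCIDENTS = [
    {"id": "INC-3001", "priority": "P1", "opened": "2026-01-05T09:00", "resolved": "2026-01-05T11:30"},
    {"id": "INC-3002", "priority": "P1", "opened": "2026-01-12T14:00", "resolved": "2026-01-12T19:15"},
    {"id": "INC-3003", "priority": "P2", "opened": "2026-01-13T10:00", "resolved": "2026-01-14T10:00"},
    {"id": "INC-3004", "priority": "P1", "opened": "2026-02-02T08:00", "resolved": "2026-02-02T12:00"},
    {"id": "INC-3005", "priority": "P1", "opened": "2026-02-20T22:00", "resolved": "2026-02-21T01:00"},
    {"id": "INC-3006", "priority": "P1", "opened": "2026-02-25T10:00", "resolved": None},
]

if __name__ == "__main__":
    for month, row in monthly_attainment(INCIDENTS).items():
        status = "MET" if row["target_met"] else "MISSED"
        print(f"{month}: {row['within_sla']}/{row['resolved']} within SLA "
              f"({row['attainment_pct']}%), {row['unresolved']} unresolved, target {status}")
```

Feeding the output into the monthly service report gives the auditor exactly what Finding 9 asks for: a dated attainment figure per month, traceable to the incident records it was computed from. Note that an incident resolved at exactly four hours counts as within SLA; if your agreement treats the boundary differently, change the comparison in `within_sla`.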
Finding 10: Internal Audit Not Covering All Clauses
An internal audit is conducted, but it covers only Clause 8 practices (incident, problem, etc.). Clauses 4–7 (context, leadership, planning, support) and Clause 9 (performance evaluation) are not audited. Prevention: Develop an annual internal audit program that explicitly maps audit sessions to all ISO 20000-1:2018 clauses. Rotate topics across the year. Ensure auditors are competent in management system requirements, not just operational practices.
Finding 11: Management Review Incomplete or Missing Inputs
A management review is held, but documented minutes are sparse or absent. Required inputs (customer feedback, audit results, nonconformity status, objective performance, external environment changes) are not all addressed. Prevention: Create a standardized management review agenda template that explicitly lists all required inputs from Clause 9.3. Create a minutes template that shows what was reviewed and what decisions/follow-up actions were made. Hold management review at least annually; quarterly is better.
Finding 12: Supplier Agreements Absent or Outdated
Key suppliers delivering into the SMS have no formal written agreement, or agreements have expired. Prevention: Maintain a supplier register with agreement status and expiry dates. As part of the annual management review, review all supplier agreements. Establish a reminder system (calendar alerts, register review) to ensure agreements are renewed before expiry.
| KEY CONCEPT | Major vs minor nonconformity: major NCs prevent certificate issuance and must be resolved before the certificate is granted; minor NCs allow certification with agreed corrective action plans. The most common major NCs are scope inconsistencies, systemic incident/problem/change record gaps, missing SLA performance data, and CMDB inaccuracy. The difference is whether the gap affects fundamental SMS operation. |
The Pattern Behind the Findings
Most nonconformities fall into three categories: (1) Governance infrastructure not genuinely operational — the SMS was set up but governance processes (management review, internal audit, objective measurement) are not running consistently. (2) Records not maintained consistently — processes are running, but the data is incomplete or inconsistent, suggesting the ITSM tool is not enforcing discipline or that quality review is absent. (3) Data management not disciplined — records exist but have never been verified; the CMDB was populated years ago and never updated; SLA targets exist but are not being measured.
Recurring Nonconformities at Surveillance Audits
If the same NC is raised at Stage 2 and again at a Year 1 surveillance audit, it signals systemic SMS failure. For example, if incident records are incomplete at Stage 2 and are still incomplete at Year 1 surveillance, the root cause was not addressed; the organization fixed the symptoms for the audit but did not fix the underlying discipline. Address root causes, not symptoms. If the problem is that staff are not filling in classification fields, the root cause is likely that the ITSM tool does not enforce the field as mandatory or that the incident manager is not reviewing data quality. Fix the tool enforcement or the data quality review process.
| IMPORTANT | Recurring nonconformities at surveillance audits can escalate from minor to major and may result in certificate suspension if the organization demonstrates it cannot sustain SMS discipline. Prevent this by addressing root causes rigorously. |
12 Common Audit Findings Summary
| Finding | Clause | Severity Risk | Prevention | Evidence Required |
|---|---|---|---|---|
| Scope statement inconsistency | 4.3 | Major | Validate scope against actual service portfolio before Stage 1; update as services change | Current scope document; service portfolio alignment verified |
| Service management plan not current | 6.2 | Minor | Build SMP review into annual management review cycle; update version control | Dated SMP; version history; approval records; annual review evidence |
| Service management objectives not measurable | 6.3, 9.1 | Minor | Apply SMART criteria; assign baseline and target values; establish measurement frequency | Documented objectives with baseline, target, measurement method |
| Risk assessment not updated | 6.1 | Minor | Schedule annual risk assessment review; trigger-based review when context changes | Initial risk assessment; annual review evidence; updated risk register |
| Incident management records incomplete | 8.1 | Major | Enforce mandatory fields in ITSM tool; monthly sampling and review; quality checks | Sample of 20 incident records with all mandatory fields completed |
| Problem management stale | 8.2 | Major | Weekly problem review with management; assign RCA timelines; KPI on mean time to RCA | Open problem list with RCA status; known error database active and current |
| Change records missing approval or PIR | 8.3 | Major | Enforce CAB minutes; PIR mandatory field in ITSM tool; monthly quality checks | Sample of 20 change records with CAB approval and PIR evidence |
| CMDB inaccuracy | 8.4 | Major | Quarterly CMDB verification cycle; CMDB accuracy as KPI; assign CMDB owner accountability | Quarterly verification records; sample CI accuracy checks; relationship mapping |
| SLA performance not evidenced | 8.5 | Major | Monthly service reporting; availability monitoring from day one; SLA dashboard implementation | Monthly service reports (3+ months); performance metrics; SLA status tracking |
| Internal audit not covering all clauses | 9.2 | Minor | Audit program mapping all clauses; rotation schedule; auditor competence in management system | Annual audit schedule; audit reports; evidence of all clauses covered |
| Management review incomplete or missing inputs | 9.3 | Minor | Standardized agenda and template; checklist of required inputs; documented outputs | Management review minutes; evidence of all inputs reviewed; documented follow-up |
| Supplier agreements absent or outdated | 8.11 | Minor | Supplier register with agreement expiry dates; annual supplier agreement review; reminder system | List of suppliers with agreement status; current signed agreements; review records |
| BITLION INSIGHT | Bitlion GRC provides a pre-audit self-assessment covering all 12 common finding categories. Organizations can run this self-assessment 4–6 weeks before Stage 2 to identify and remediate gaps proactively. |