ISO 20000 Checklist


ISO 20000:2018 checklist

Use this checklist to assess your ISO 20000:2018 audit readiness and implementation status.


| Control ID | Control Name | Control Description | Implementation Status |
| --- | --- | --- | --- |
| 4.1 | Understanding The Organization and Its Context | The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its SMS. NOTE The word “issue” in this context can be factors which have a positive or negative impact. These are important factors for the organization in the context of its ability to deliver services of an agreed quality to its customers. | Not Implemented |
| 4.2.a | Understanding The Needs and Expectations of Interested Parties - Management System | The organization shall determine the interested parties that are relevant to the service management system and the services. | Not Implemented |
| 4.2.b | Understanding The Needs and Expectations of Interested Parties - Service Management | The organization shall determine the requirements of these interested parties relevant to service management. NOTE: The requirements of interested parties may include legal and regulatory requirements and contractual obligations related to SMS services. | Not Implemented |
| 4.3 | Service Management System Scope Determination | The organization shall determine the boundaries and applicability of the SMS to establish its scope. The definition of the scope of the SMS shall include the services in scope and the name of the organization managing and delivering the services. This scope shall be available as documented information. | Not Implemented |
| 4.3.a | Service Management Scope Determination - External and Internal Issues | When determining the scope of the service management system, the organization shall consider the external and internal issues referred to in Requirement 4.1 (Understanding the organization and its context). | Not Implemented |
| 4.3.b | Service Management Scope Determination - Requirements of 4.2 | When determining the scope of the service management system, the organization shall consider the requirements referred to in Requirement 4.2 (Understanding the needs and expectations of interested parties). | Not Implemented |

1 cyberarrow.io
| 4.3.c | Service Management Scope Determination - Services | When determining the scope of the service management system, the organization shall consider the services delivered by the organization. | Not Implemented |
| 4.4 | Service Management System | The organization shall establish, implement, maintain and continually improve an SMS, including the processes needed and their interactions, in accordance with the requirements of the ISO 20000-1 standard. | Not Implemented |
| 5.1.a | Leadership and Commitment - Establish Policy | Top management shall demonstrate leadership and commitment with respect to the service management system by ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization. | Not Implemented |
| 5.1.b | Leadership and Commitment - SMS Plan | Top management shall demonstrate leadership and commitment with respect to the service management system by ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements. | Not Implemented |
| 5.1.c | Leadership and Commitment - Authority | Top management shall demonstrate leadership and commitment with respect to the service management system by ensuring that appropriate levels of authority are assigned for making decisions related to the SMS and the services. | Not Implemented |
| 5.1.d | Leadership and Commitment - Value | Top management shall demonstrate leadership and commitment with respect to the service management system by ensuring that what constitutes value for the organization and its customers is determined. | Not Implemented |
| 5.1.e | Leadership and Commitment - Service Lifecycle | Top management shall demonstrate leadership and commitment with respect to the service management system by ensuring there is control of other parties involved in the service lifecycle. | Not Implemented |
| 5.1.f | Leadership and Commitment - Integration | Top management shall demonstrate leadership and commitment with respect to the service management system by ensuring the integration of the SMS requirements into the organization’s business processes. | Not Implemented |

| 5.1.g | Leadership and Commitment - Resources | Top management shall demonstrate leadership and commitment with respect to the service management system by ensuring that the resources needed for the SMS and the services are available. | Not Implemented |
| 5.1.h | Leadership and Commitment - Communicate | Top management shall demonstrate leadership and commitment with respect to the service management system by communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements. | Not Implemented |
| 5.1.i | Leadership and Commitment - Achieve Outcomes | Top management shall demonstrate leadership and commitment with respect to the service management system by ensuring that the SMS achieves its intended outcome(s). | Not Implemented |
| 5.1.j | Leadership and Commitment - Direct & Support | Top management shall demonstrate leadership and commitment with respect to the service management system by directing and supporting persons to contribute to the effectiveness of the SMS and the services. | Not Implemented |
| 5.1.k | Leadership and Commitment - Continual Improvement | Top management shall demonstrate leadership and commitment with respect to the service management system by promoting continual improvement of the SMS and the services. | Not Implemented |
| 5.1.l | Leadership and Commitment - Demonstrate Leadership | Top management shall demonstrate leadership and commitment with respect to the service management system by supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. | Not Implemented |
| 5.2.a, 2.b, 2.c, 2.d, 2.2.a | Policy Establishment - Appropriateness, Objectives, Commitment to Satisfy, Commitment to Continually Improve, Documented | Top management shall establish a service management policy that is appropriate to the purpose of the organization and includes service management objectives or provides the framework for setting service management objectives, includes a commitment to satisfy applicable requirements related to service management, and includes a commitment to the continual improvement of the service management system. The service management policy shall be available as documented information. | Not Implemented |
| 5.2.2.b | Policy Establishment - Communication | The service management policy shall be communicated within the organization. | Not Implemented |

| 5.2.2.c | Policy Establishment - Availability to Others | The service management policy shall be available to interested parties, as appropriate. | Not Implemented |
| 5.3 | Roles, Responsibilities, and Authorities | Top management shall ensure that the responsibilities and authorities for roles relevant to service management and services are assigned and communicated. | Not Implemented |
| 5.3.a | Roles, Responsibilities, and Authorities - Conformity | Top management shall assign responsibility and authority for ensuring that the service management system conforms to the requirements of this International Standard. | Not Implemented |
| 5.3.b | Roles, Responsibilities, and Authorities - Reporting | Top management shall assign the responsibility and authority for reporting on the performance of the service management system to top management. | Not Implemented |
| 6.1.1.a, 1.1.b, 1.1.c | Address Risks and Opportunities - Planning for Success, Reduce Undesired Effects, Achieve Continual Improvement | When planning for the service management system, the organization shall consider the issues referred to in Requirements 4.1 (Understanding the organization and its context) and 4.2 (Understanding the needs and expectations of interested parties), and determine the risks and opportunities that need to be addressed to ensure the service management system can achieve its intended outcome(s), prevent or reduce undesired effects, and achieve continual improvement. | Not Implemented |
| 6.1.2.a.1, 1.2.a.2, 1.2.a.3 | Address Risks and Opportunities - Plan to Address Risks | When planning for the service management system, the organization shall determine and document risks related to the organization, not meeting service requirements, and risks related to the involvement of other parties in the service lifecycle. | Not Implemented |
| 6.1.2.b | Address Risks and Opportunities - Impact & Opportunities | When planning for the service management system, the organization shall determine and document the impact on customers of risks and opportunities for the SMS and the services. | Not Implemented |
| 6.1.2.c | Address Risks and Opportunities - Acceptance Criteria | When planning for the service management system, the organization shall determine and document the risk acceptance criteria. | Not Implemented |
| 6.1.2.d | Address Risks and Opportunities - Management of Risks | When planning for the service management system, the organization shall determine and document the approach to be taken for the management of risks. | Not Implemented |
| 6.1.3.a | Address Risks and Opportunities - Risk Actions | When planning for the service management system, the organization shall plan actions to address these risks and opportunities and their priorities. | Not Implemented |

| 6.1.3.b.1 | Address Risks and Opportunities - Integration | When planning for the service management system, the organization shall plan how to integrate and implement the actions into its SMS processes. | Not Implemented |
| 6.1.3.b.2 | Address Risks and Opportunities - Evaluate Effectiveness | When planning for the service management system, the organization shall plan how to evaluate the effectiveness of these actions. | Not Implemented |
| 6.2 | Service Management objectives and planning to achieve them | The organization shall establish service management objectives at relevant functions and levels. The organization shall retain documented information on the service management objectives. | Not Implemented |
| 6.2.1.a, 2.1.b, 2.1.c | Service Management Objectives - Consistent With Policies, Measurable, Account Other Requirements | The organization's service management objectives shall be consistent with the service management policy, shall be measurable (if practicable), and shall take into account applicable service management requirements. | Not Implemented |
| 6.2.1.d | Service Management Objectives - Monitored | The organization's service management objectives shall be monitored. | Not Implemented |
| 6.2.1.e | Service Management Objectives - Communicated | The organization's service management objectives shall be communicated. | Not Implemented |
| 6.2.1.f | Service Management Objectives - Updated | The organization's service management objectives shall be updated as appropriate. | Not Implemented |
| 6.2.2.a | Service Management Objectives Planning - Tasks | When planning how to achieve its service management objectives, the organization shall determine what will be done. | Not Implemented |
| 6.2.2.b | Service Management Objectives Planning - Resources | When planning how to achieve its service management objectives, the organization shall determine what resources will be required. | Not Implemented |
| 6.2.2.c | Service Management Objectives Planning - Responsibilities | When planning how to achieve its service management objectives, the organization shall determine who will be responsible. | Not Implemented |
| 6.2.2.d | Service Management Objectives Planning - Timeline | When planning how to achieve its service management objectives, the organization shall determine when it will be completed. | Not Implemented |
| 6.2.2.e | Service Management Objectives Planning - Results Evaluation | When planning how to achieve its service management objectives, the organization shall determine how the results will be evaluated. | Not Implemented |
| 6.3 | Plan the Service Management System | The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. | Not Implemented |
| 6.3.a, 3.b, 3.c, 3.d, 3.e, 3.f, 3.g, 3.h | Plan the Service Management System - Content | The service management plan shall include or contain a reference to: a) list of services; b) known limitations that can impact the SMS and the services; c) obligations such as relevant policies, standards, legal, regulatory and contractual requirements, and how these obligations apply to the SMS and the services; d) authorities and responsibilities for the SMS and the services; e) human, technical, information and financial resources necessary to operate the SMS and the services; f) approach to be taken for working with other parties involved in the service lifecycle; g) technology used to support the SMS; h) how the effectiveness of the SMS and the services will be measured, audited, reported and improved. Other planning activities shall maintain alignment with the service management plan. | Not Implemented |
| 7.1 | Resources | The organization shall determine and provide the human, technical, information and financial resources needed for the establishment, implementation, maintenance and continual improvement of the SMS and the operation of the services to meet the service requirements and achieve the service management objectives. | Not Implemented |
| 7.2.a | Competence - Necessary Competency | The organization shall determine the necessary competence of persons doing work under its control that affects the performance and effectiveness of the SMS and the services. | Not Implemented |
| 7.2.b | Competence - Appropriate Training and Education | The organization shall ensure that these persons are competent on the basis of appropriate education, training or experience. | Not Implemented |
| 7.2.c | Competence - Evaluate Effectiveness | The organization shall, where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken. | Not Implemented |
| 7.2.d | Competence - Documentation | The organization shall retain appropriate documented information as evidence of competence. | Not Implemented |

| 7.3.a | Awareness - Service Management Policy | Persons doing work under the organization's control shall be aware of the service management policy. | Not Implemented |
| 7.3.b | Awareness - Objectives | Persons doing work under the organization's control shall be aware of the service management objectives. | Not Implemented |
| 7.3.c | Awareness - Services | Persons doing work under the organization's control shall be aware of the services relevant to their work. | Not Implemented |
| 7.3.d | Awareness - Contribution | Persons doing work under the organization's control shall be aware of their contribution to the effectiveness of the SMS, including the benefits of improved performance. | Not Implemented |
| 7.3.e | Awareness - Consequences | Persons doing work under the organization's control shall be aware of the implications of not conforming with the SMS requirements. | Not Implemented |
| 7.4.a | Communication - What | The organization shall determine the need for internal and external communications relevant to the service management system. The organization must determine 'what' to communicate. | Not Implemented |
| 7.4.b | Communication - When | The organization shall determine the need for internal and external communications relevant to the service management system. The organization must determine 'when' to communicate. | Not Implemented |
| 7.4.c | Communication - With Whom | The organization shall determine the need for internal and external communications relevant to the service management system. The organization must determine 'with whom' to communicate. | Not Implemented |
| 7.4.d | Communication - How | The organization shall determine the need for internal and external communications relevant to the service management system. The organization must determine how to communicate. | Not Implemented |
| 7.4.e | Communication - Who | The organization shall determine the need for internal and external communications relevant to the service management system. The organization must determine who will be responsible for the communication. | Not Implemented |
| 7.5.1.a | Documentation for Service Management System - ISO | The organization's service management system shall include documented information required by this International Standard (ISO 20000-1). | Not Implemented |
| 7.5.1.b | Documentation for Service Management System - Necessary Information | The organization's service management system shall include documented information determined by the organization as being necessary for the effectiveness of the service management system. Note: The extent of documented information for a service management system can differ from one organization to another due to: 1) The size of organization and its type of activities, processes, products and services; 2) The complexity of processes, services and their interfaces; 3) The competence of persons. Documented information of external origin determined by the organization to be necessary for the planning and operation of the SMS shall be identified as appropriate and controlled. | Not Implemented |
| 7.5.2.a | Documented Service Management System - Description | When creating and updating documented information the organization shall ensure appropriate identification and description (e.g. a title, date, author, or reference number). | Not Implemented |
| 7.5.2.b | Documented Service Management System - Format | When creating and updating documented information the organization shall ensure appropriate format (e.g. language, software version, graphics) and media (e.g. paper, electronic). | Not Implemented |
| 7.5.2.c | Documented Service Management System - Adequacy | When creating and updating documented information the organization shall ensure appropriate review and approval for suitability and adequacy. | Not Implemented |
| 7.5.3.1.a | Control Documented Information - Availability | Documented information required by the service management system and by this International Standard (ISO 20000-1) shall be controlled to ensure it is available and suitable for use, where it is needed. | Not Implemented |
| 7.5.3.1.b | Control Documented Information - Protection | Documented information required by the service management system and by this International Standard (ISO 20000-1) shall be controlled to ensure it is adequately protected (e.g. from loss of confidentiality, improper use or loss of integrity). | Not Implemented |
| 7.5.3.2.a | Control Documented Information - Distribution | For the control of documented information, the organization shall address the distribution, access, retrieval and use. | Not Implemented |
| 7.5.3.2.b | Control Documented Information - Storage | For the control of documented information, the organization shall address the storage and preservation, including the preservation of legibility. | Not Implemented |

| 7.5.3.2.c | Control Documented Information - Change Control | For the control of documented information, the organization shall address the control of changes (e.g. version control). | Not Implemented |
| 7.5.3.2.d | Control Documented Information - Retention | For the control of documented information, the organization shall address the retention and disposition. | Not Implemented |
| 7.6 | Knowledge | The organization shall determine and maintain the knowledge necessary to support the operation of the SMS and the services. The knowledge shall be relevant, usable and available to appropriate persons. NOTE Knowledge is specific to the organization, its SMS, services and interested parties. Knowledge is used and shared to support the achievement of the intended outcome(s) and the operation of the SMS and the services. | Not Implemented |
| 8.1 | Operational Planning and Control - Implementation | The organization shall plan, implement and control the process needed to meet service management requirements, and to implement the actions determined in requirement related to actions to address risks and opportunities. The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization shall ensure that outsourced processes are controlled. | Not Implemented |
| 8.1.a | Operational Planning and Control - Criteria | The organization shall plan, implement and control the process needed to meet service management requirements, and to implement the actions determined in requirement related to actions to address risks and opportunities by establishing performance criteria for the processes based on requirements. | Not Implemented |
| 8.1.b | Operational Planning and Control - Control of Processes | The organization shall plan, implement and control the process needed to meet service management requirements, and to implement the actions determined in requirement related to actions to address risks and opportunities by implementing control of the processes in accordance with the established performance criteria. | Not Implemented |
| 8.1.c | Operational Planning and Control - Documented Information | The organization shall plan, implement and control the process needed to meet service management requirements, and to implement the actions determined in requirement related to actions to address risks and opportunities by keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned. | Not Implemented |
| 8.2.1 | Service Delivery | The organization shall operate the SMS ensuring co-ordination of the activities and the resources. The organization shall perform the activities required to deliver services. NOTE A service portfolio is used to manage the entire lifecycle of all services including proposed services, those in development, live services defined in the service catalogue(s) and services that are to be removed. The management of the service portfolio ensures that the service provider has the right mix of services. Service portfolio activities in this document include planning the services, control of parties involved in the service lifecycle, service catalogue management, asset management and configuration management. | Not Implemented |
| 8.2.2 | Plan the Services | The service requirements for existing services, new services and changes to services shall be determined and documented. The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. The organization shall prioritize requests for change and proposals for new or changed services to align with business needs and service management objectives, taking into consideration available resources. | Not Implemented |
| 8.2.3.1 | Control of Parties Involved in the Service Lifecycle | The organization shall retain accountability for the requirements specified in ISO 20000-1 and the delivery of the services regardless of which party is involved in performing activities to support the service lifecycle. The organization shall determine and apply criteria for the evaluation and selection of other parties involved in the service lifecycle. Other parties can be an external supplier, an internal supplier or a customer acting as a supplier. Other parties shall not provide or operate all services, service components or processes within the scope of the SMS. | Not Implemented |
| 8.2.3.1.a | Control of Parties Involved in the Service Lifecycle - Operated by Other Parties | The organization shall determine and document services that are provided or operated by other parties. | Not Implemented |
| 8.2.3.1.b | Control of Parties Involved in the Service Lifecycle - Service Components | The organization shall determine and document service components that are provided or operated by other parties. | Not Implemented |
| 8.2.3.1.c | Control of Parties Involved in the Service Lifecycle - Processes | The organization shall determine and document processes, or parts of processes, in the organization’s SMS that are operated by other parties. | Not Implemented |
| 8.2.3.1.d | Control of Parties Involved in the Service Lifecycle - Integrate | The organization shall integrate services, service components and processes in the SMS that are provided or operated by the organization or other parties to meet the service requirements. The organization shall co-ordinate activities with other parties involved in the service lifecycle including the planning, design, transition, delivery and improvement of services. | Not Implemented |
| 8.2.3.2.a | Control of Parties Involved in the Service Lifecycle - Performance Measurement | The organization shall define and apply relevant controls for other parties from the following measurement and evaluation of process performance. | Not Implemented |
| 8.2.3.2.b | Control of Parties Involved in the Service Lifecycle - Effectiveness Measurement | The organization shall define and apply relevant controls for other parties from the following measurement and evaluation of the effectiveness of services and service components in meeting the service requirements. | Not Implemented |
| 8.2.4.a | Service Catalogue Management - Document | The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. | Not Implemented |

| 8.2.4.b | Service Catalogue Management - Access | The organization shall provide access to appropriate parts of the service catalogue(s) to its customers, users and other interested parties. | Not Implemented |
| 8.2.5 | Asset Management | The organization shall ensure that assets used to deliver services are managed to meet the service requirements and the obligations such as relevant policies, standards, legal, regulatory and contractual requirements, and how these obligations apply to the SMS and the services. | Not Implemented |
| 8.2.6 | Configuration Management | The types of CI shall be defined. Services shall be classified as CIs. Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. At planned intervals, the organization shall verify the accuracy of the configuration information. Where deficiencies are found, the organization shall take necessary actions. Configuration information shall be made available for other service management activities as appropriate. | Not Implemented |
| 8.2.6.a | Configuration Management - Identification | Access to configuration information shall be controlled. The configuration information recorded for each CI shall include unique identification. | Not Implemented |
| 8.2.6.b | Configuration Management - Type | Access to configuration information shall be controlled. The configuration information recorded for each CI shall include type of CI. | Not Implemented |
| 8.2.6.c | Configuration Management - Description | Access to configuration information shall be controlled. The configuration information recorded for each CI shall include description of the CI. | Not Implemented |
| 8.2.6.d | Configuration Management - Relationship | Access to configuration information shall be controlled. The configuration information recorded for each CI shall include relationship with other CIs. | Not Implemented |
| 8.2.6.e | Configuration Management - Status | Access to configuration information shall be controlled. The configuration information recorded for each CI shall include status. | Not Implemented |

| 8.3.1.a | Relationship and Agreement - Operate Services | The organization may use suppliers to provide or operate services. | Not Implemented |
| 8.3.1.b | Relationship and Agreement - Operate Service Components | The organization may use suppliers to provide or operate service components. | Not Implemented |
| 8.3.1.c | Relationship and Agreement - Operate Processes | The organization may use suppliers to operate processes, or parts of processes, that are in the organization’s SMS. | Not Implemented |
| 8.3.2.a | Business Relationship Management - Documentation | The customers, users and other interested parties of the services shall be identified and documented. | Not Implemented |
| 8.3.2.b | Business Relationship Management - Responsibility | The organization shall have one or more designated individuals responsible for managing customer relationships and maintaining customer satisfaction. | Not Implemented |
| 8.3.2.c | Business Relationship Management - Communication Arrangements | The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. | Not Implemented |
| 8.3.2.d | Business Relationship Management - Review Performance | At planned intervals, the organization shall review the performance trends and the outcomes of the services. | Not Implemented |
| 8.3.2.e | Business Relationship Management - Measure Satisfaction | At planned intervals, the organization shall measure satisfaction with the services based on a representative sample of customers. The results shall be analyzed, reviewed to identify opportunities for improvement and reported. | Not Implemented |
| 8.3.2.f | Business Relationship Management - Service Complaints | Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. | Not Implemented |
8.3.3 Service Level The organization and the customer shall
Management agree the services to be delivered. For each
service delivered, the organization shall
establish one or more SLAs based on the
documented service requirements. The
SLA(s) shall include service level targets, Not Implemented
workload limits and exceptions. Where service
level targets are not met, the organization
shall identify opportunities for improvement.
NOTE Agreement of the services to be

13 cyberarrow.io
delivered between the organization and its
customers can take many forms such as a
documented agreement, minutes of verbal
agreement in a meeting, agreement indicated
by email or agreement to terms of service.
8.3.3.a Service Level At planned intervals, the organization shall
Management - monitor, review and report on performance Not Implemented
Performance against service level targets.
8.3.3.b Service Level At planned intervals, the organization shall
Management - monitor, review and report on actual and
Not Implemented
Changes periodic changes in workload compared to
workload limits in the SLA(s).
8.3.4.1 Management of The organization shall have one or more
External Suppliers designated individuals responsible for
Not Implemented
managing the relationship, contracts and
performance of external suppliers.
8.3.4.1.a Management of For each external supplier, the organization
External Suppliers - shall agree a documented contract. The
Scope contract shall include or contain a reference to
scope of the services, service components, Not Implemented
processes or parts of processes to be
provided or operated by the external supplier.
8.3.4.1.b Management of For each external supplier, the organization
External Suppliers - shall agree a documented contract. The
Requirements contract shall include or contain a reference to Not Implemented
requirements to be met by the external
supplier.
8.3.4.1.c Management of For each external supplier, the organization
External Suppliers - shall agree a documented contract. The
Service Level Targets contract shall include or contain a reference to Not Implemented
service level targets or other contractual
obligations.
8.3.4.1.d Management of For each external supplier, the organization
External Suppliers - shall agree a documented contract. The
Authorities & contract shall include or contain a reference to Not Implemented
Responsibilities authorities and responsibilities of the
organization and the external supplier.
8.3.4.1.e Management of The organization shall assess the alignment
External Suppliers - of service level targets or other contractual
Alignment obligations for the external supplier against Not Implemented
SLAs with customers, and manage identified
risks.
8.3.4.1.f Management of The organization shall define and manage the
External Suppliers - interfaces with the external supplier. Not Implemented
Interfaces
8.3.4.1.g Management of At planned intervals, the organization shall
External Suppliers - monitor the performance of the external
Monitor Performance supplier. Where service level targets or other Not Implemented
contractual obligations are not met, the
organization shall ensure that opportunities for
improvement are identified.
8.3.4.1.h Management of At planned intervals, the organization shall
External Suppliers - review the contract against current service
Review Contract requirements. Changes identified for the
contract shall be assessed for the impact of Not Implemented
the change on the SMS and the services
before the change is approved.
8.3.4.1.i Management of Disputes between the organization and the
External Suppliers - external supplier shall be recorded and Not Implemented
Disputes managed to closure.
8.3.4.2.a Management of For each internal supplier or customer acting
Internal Suppliers and as a supplier, the organization shall develop,
Customers Acting as agree and maintain a documented agreement
Not Implemented
a Supplier - to define the service level targets, other
Documented commitments, activities and interfaces
Agreement between the parties.
8.3.4.2.b Management of At planned intervals, the organization shall
Internal Suppliers and monitor the performance of the internal
Customers Acting as supplier or the customer acting as a supplier.
a Supplier - Monitor Where service level targets or other agreed Not Implemented
commitments are not met, the organization
shall ensure that opportunities for
improvement are identified.
8.4.1.a Budgeting and The organization shall budget and account for
Accounting for services or groups of services in accordance Not Implemented
Services - Financial with its financial management policies and
Management processes.
8.4.1.b Budgeting and Costs shall be budgeted to enable effective
Accounting for financial control and decision-making for
Services - Costs services. NOTE: Many, but not all,
organizations charge for their services. Not Implemented
Budgeting and accounting for services in this
document excludes charging, to ensure
applicability to all organizations.
8.4.1.c Budgeting and At planned intervals, the organization shall
Accounting for monitor and report on actual costs against the Not Implemented
Services - Monitor & budget, review the financial forecasts and
Report manage costs.
8.4.2.a Demand At planned intervals, the organization shall
Management - determine current demand and forecast future Not Implemented
Current Demand demand for services.
8.4.2.b Demand At planned intervals, the organization shall
Management - monitor and report on demand and
Monitor & Report consumption of services. NOTE: Demand
management is responsible for understanding
current and future customer demand for Not Implemented
services. Capacity management works with
demand management to plan and provide
sufficient capacity to meet the demand.
8.4.3 Capacity The capacity requirements for human,
Management technical, information and financial resources
shall be determined, documented and Not Implemented
maintained taking into consideration the
service and performance requirements.
8.4.3.a Capacity The organization shall plan capacity to include
Management - current and forecast capacity based on Not Implemented
Current & Forecast demand for services.
8.4.3.b Capacity The organization shall plan capacity to include
Management - expected impact on capacity of agreed
Not Implemented
Impact service level targets, requirements for service
availability and service continuity.
8.4.3.c Capacity The organization shall plan capacity to include
Management - timescales and thresholds for changes to Not Implemented
Thresholds service capacity.
8.4.3.d Capacity The organization shall provide sufficient
Management - capacity to meet agreed capacity and
Monitor performance requirements. The organization
Not Implemented
shall monitor capacity usage, analyze
capacity and performance data and identify
opportunities to improve performance.
8.5.1.1.a Change Management A change management policy shall be
Policy - Service established and documented to define service
Not Implemented
Components components and other items that are under
the control of change management.
8.5.1.1.b Change Management A change management policy shall be
Policy - Categories established and documented to define
Not Implemented
categories of change, including emergency
change, and how they are to be managed.
8.5.1.1.c Change Management A change management policy shall be
Policy - Criteria for established and documented to define criteria
Change to determine changes with the potential to Not Implemented
have a major impact on customers or
services.
8.5.1.2 Change Management Requests for change, including proposals to
Initiation add, remove or transfer services, shall be
recorded and classified. Assessing, Not Implemented
approving, scheduling and reviewing of new
or changed services in the scope shall be
managed through the change management
activities. Requests for change not being
managed shall be managed through the
change management activities.
8.5.1.2.a Change Management The organization shall use service design and
Initiation - New transition in planning for new or changed
Services services for new services with the potential to
Not Implemented
have a major impact on customers or other
services as determined by the change
management policy.
8.5.1.2.b Change Management The organization shall use service design and
Initiation - Changes to transition in planning for new or changed
Services services for changes to services with the
Not Implemented
potential to have a major impact on customers
or other services as determined by the
change management policy.
8.5.1.2.c Change Management The organization shall use service design and
Initiation - Categories transition in planning for new or changed
of Change services for categories of change that are to Not Implemented
be managed by service design and transition
according to the change management policy.
8.5.1.2.d Change Management The organization shall use service design and
Initiation - Service transition in planning for new or changed Not Implemented
Removal services for removal of a service.
8.5.1.2.e Change Management The organization shall use service design and
Initiation - Service transition in planning for new or changed
Transfer to Customer services for transfer of an existing service Not Implemented
from the organization to a customer or other
party.
8.5.1.2.f Change Management The organization shall use service design and
Initiation - Service transition in planning for new or changed
Transfer From services for transfer of an existing service Not Implemented
Customer from a customer or other party to the
organization.
8.5.1.3 Change Management The organization and interested parties shall
Activities make decisions on the approval and priority of
requests for change. Decision-making shall Not Implemented
take into consideration the risks, business
benefits, feasibility and financial impact.
8.5.1.3.a Change Management Decision making shall also consider potential
Activities - Existing impacts of the change on existing services. Not Implemented
Services
8.5.1.3.b Change Management Decision making shall also consider potential
Activities - Interested impacts of the change on customers, users Not Implemented
Parties and other interested parties.
8.5.1.3.c Change Management Decision making shall also consider potential
Activities - Policies & impacts of the change on policies and plans Not Implemented
Plans required by this document.
8.5.1.3.d Change Management Decision making shall also consider potential
Activities - Capacity & impacts of the change on capacity, service
Availability availability, service continuity and information Not Implemented
security.
8.5.1.3.e Change Management Decision making shall also consider potential
Activities - Other impacts of the change on other requests for Not Implemented
Requests change, releases and plans for deployment.
8.5.1.3.f Change Management Approved changes shall be prepared, verified
Activities - Verification and, where possible, tested. Proposed
& Testing deployment dates and other deployment Not Implemented
details for approved changes shall be
communicated to interested parties.
8.5.1.3.g Change Management The activities to reverse or remedy an
Activities - unsuccessful change shall be planned and,
Unsuccessful where possible, tested. Unsuccessful changes Not Implemented
Changes shall be investigated and agreed actions
taken.
8.5.1.3.i Change Management The organization shall review changes for
Activities - Review effectiveness and take actions agreed with Not Implemented
Effectiveness interested parties.
8.5.1.3.j Change Management At planned intervals, request for change
Activities - Trends records shall be analyzed to detect trends.
The results and conclusions drawn from the Not Implemented
analysis shall be recorded and reviewed to
identify opportunities for improvement.
8.5.2.1.a Plan New or Changed Planning shall use the service requirements
Services - Authorities for the new or changed services determined in
& Responsibilities planning services and shall include or contain Not Implemented
a reference to authorities and responsibilities
for design, build and transition activities.
8.5.2.1.b Plan New or Changed Planning shall use the service requirements
Services - Activities for the new or changed services determined in
planning services and shall include or contain Not Implemented
a reference to activities to be performed by
the organization or other parties with their
timescales.
8.5.2.1.c Plan New or Changed Planning shall use the service requirements
Services - Resources for the new or changed services determined in
planning services and shall include or contain Not Implemented
a reference to human, technical, information
and financial resources.
8.5.2.1.d Plan New or Changed Planning shall use the service requirements
Services - for the new or changed services determined in Not Implemented
Dependencies planning services and shall include or contain
a reference to dependencies on other
services.
8.5.2.1.e Plan New or Changed Planning shall use the service requirements
Services - Testing for the new or changed services determined in
planning services and shall include or contain Not Implemented
a reference to testing needed for the new or
changed services.
8.5.2.1.f Plan New or Changed Planning shall use the service requirements
Services - for the new or changed services determined in Not Implemented
Acceptance Criteria planning services and shall include or contain
a reference to service acceptance criteria.
8.5.2.1.g Plan New or Changed Planning shall use the service requirements
Services - Outcomes for the new or changed services determined in
planning services and shall include or contain Not Implemented
a reference to intended outcomes from
delivering the new or changed services,
expressed in measurable terms.
8.5.2.1.h Plan New or Changed Planning shall use the service requirements
Services - Impact for the new or changed services determined in
planning services and shall include or contain Not Implemented
a reference to impact on the SMS, other
services, planned changes, customers, users
and other interested parties.
8.5.2.1.i Plan New or Changed For services that are to be removed, the
Services - Dates for planning shall additionally include the date(s)
Removal for the removal of the services and the Not Implemented
activities for archiving, disposal or transfer of
data, documented information and service
components.
8.5.2.1.j Plan New or Changed For services that are to be transferred, the
Services - Dates for planning shall additionally include the date(s)
Transfer for the transfer of the services and the
Not Implemented
activities for the transfer of data, documented
information, knowledge and service
components.
8.5.2.1.k Plan New or Changed The CIs affected by new or changed services
Services - CIs shall be managed through configuration Not Implemented
Affected management.
8.5.2.2 Service Design The new or changed services shall be
designed and documented to meet the service Not Implemented
requirements.
8.5.2.2.a Service Design - The design shall include relevant items from
Authorities & the following authorities and responsibilities of Not Implemented
Responsibilities the parties involved in the delivery of the new
or changed services.
8.5.2.2.b Service Design - The design shall include relevant items from Not Implemented
Resources the following requirements for changes to
human, technical, information and financial
resources.
8.5.2.2.c Service Design - The design shall include relevant items from
Competency the following requirements for appropriate Not Implemented
education, training and experience.
8.5.2.2.d Service Design - The design shall include relevant items from
SLAs the following new or changed SLAs, contracts
Not Implemented
and other documented agreements that
support the services.
8.5.2.2.e Service Design - The design shall include relevant items from
Change to SMS the following changes to the SMS including
Not Implemented
new or changed policies, plans, processes,
procedures, measures and knowledge.
8.5.2.2.f Service Design - The design shall include relevant items from
Not Implemented
Impact on Services the following impact on other services.
8.5.2.2.g Service Design - The design shall include relevant items from
Service Catalogue the following updates to the service Not Implemented
Update catalogue(s).
8.5.2.3.a Service Build & The new or changed services shall be built
Transition - Tested and tested to verify that they meet the service
requirements, conform to the documented
design and meet the agreed service
acceptance criteria. If the service acceptance Not Implemented
criteria are not met, the organization and
interested parties shall make a decision on
necessary actions and deployment.
8.5.2.3.b Service Build & Release and deployment management shall
Transition - Release be used to deploy approved new or changed Not Implemented
& Deployment services into the live environment.
8.5.2.3.c Service Build & Following the completion of the transition
Transition - Report activities, the organization shall report to
Not Implemented
interested parties on the achievements
against the intended outcomes.
8.5.3.a Release and The organization shall define the types of
Deployment release, including emergency release, their Not Implemented
Management - Types frequency and how they are to be managed.
8.5.3.b Release and The organization shall plan the deployment of
Deployment new or changed services and service
Management - Plan components into the live environment.
Planning shall be coordinated with change
management and include references to the
related requests for change, known errors or Not Implemented
problems which are being closed through the
release. Planning shall include the dates for
deployment of each release, deliverables and
methods of deployment.
8.5.3.c Release and The release shall be verified against
Deployment documented acceptance criteria and
Management - approved before deployment. If the
Acceptance Criteria acceptance criteria are not met, the Not Implemented
organization and interested parties shall make
a decision on necessary actions and
deployment.
8.5.3.d Release and Before deployment of a release into the live
Deployment environment, a baseline of the affected CIs
Management - shall be taken. The release shall be deployed
Not Implemented
Baseline into the live environment so that the integrity
of the services and service components is
maintained.
8.5.3.e Release and The success or failure of releases shall be
Deployment monitored and analyzed. Measurements shall
Management - include incidents related to a release in the
Measurement period following deployment of a release. The
results and conclusions drawn from the
analysis shall be recorded and reviewed to Not Implemented
identify opportunities for improvement.
Information about the success or failure of
releases and future release dates shall be
made available for other service management
activities as appropriate.
8.6.1.a Incident Management Incidents shall be recorded and classified.
- Recording & Not Implemented
Classification
8.6.1.b Incident Management Incidents shall be prioritized taking into
Not Implemented
- Priority consideration impact and urgency.
8.6.1.c Incident Management Incidents shall be escalated if needed.
Not Implemented
- Escalation
8.6.1.d Incident Management Incidents shall be resolved. Not Implemented
- Resolution
8.6.1.e Incident Management Incidents shall be closed.
Not Implemented
- Closure
8.6.1.f Incident Management Records of incidents shall be updated with Not Implemented
- Update actions taken.
8.6.1.g Incident Management The organization shall determine criteria to
- Criteria identify a major incident. Major incidents shall
Not Implemented
be classified and managed according to a
documented procedure.
8.6.1.h Incident Management Top management shall be kept informed of
Not Implemented
- Reporting major incidents.
8.6.1.i Incident Management The organization shall assign responsibility for
Not Implemented
- Responsibility managing each major incident.
8.6.1.j Incident Management After the incident has been resolved, the
- Opportunities for major incident shall be reported and reviewed Not Implemented
Improvement to identify opportunities for improvement.
8.6.2.a Service Request Service requests shall be recorded and
Management - classified.
Not Implemented
Recording &
Classification
8.6.2.b Service Request Service requests shall be prioritized.
Not Implemented
Management - Priority
8.6.2.c Service Request Service requests shall be fulfilled.
Management - Not Implemented
Fulfillment
8.6.2.d Service Request Service requests shall be closed.
Management - Not Implemented
Closure
8.6.2.e Service Request Records of service requests shall be updated
Management - with actions taken. Instructions for the
Availability fulfilment of service requests shall be made Not Implemented
available to persons involved in service
request fulfilment.
8.6.3 Problem Management The organization shall analyze data and
trends on incidents to identify problems. The
organization shall undertake root cause
analysis and determine potential actions to Not Implemented
prevent the occurrence or recurrence of
incidents.
8.6.3.a Problem Management Problems shall be recorded and classified.
- Recording & Not Implemented
Classification
8.6.3.b Problem Management Problems shall be prioritized.
Not Implemented
- Priority
8.6.3.c Problem Management Problems shall be escalated if needed.
Not Implemented
- Escalation
8.6.3.d Problem Management Problems shall be resolved if possible.
Not Implemented
- Resolution
8.6.3.e Problem Management Problems shall be closed. Not Implemented
- Closure
8.6.3.f Problem Management Records of problems shall be updated with
- Update actions taken. Changes needed for problem
Not Implemented
resolution shall be managed according to the
change management policy.
8.6.3.g Problem Management Where the root cause has been identified, but
- Reduce Impact the problem has not been permanently
resolved, the organization shall determine Not Implemented
actions to reduce or eliminate the impact of
the problem on the services. Known errors
shall be recorded. Up-to-date information on
known errors and problem resolutions shall be
made available for other service management
activities as appropriate.
8.6.3.h Problem Management At planned intervals, the effectiveness of
- Monitor problem resolution shall be monitored, Not Implemented
Effectiveness reviewed and reported.
8.7.1.a Service Availability At planned intervals, the risks to service
Management - Risks availability shall be assessed and Not Implemented
documented.
8.7.1.b Service Availability The organization shall determine the service
Management - availability requirements and targets. The
Requirements agreed requirements shall take into
consideration relevant business requirements, Not Implemented
service requirements, SLAs and risks. Service
availability requirements and targets shall be
documented and maintained.
8.7.1.c Service Availability Service availability shall be monitored, the
Management - results recorded and compared with the
Not Implemented
Monitoring targets. Unplanned non-availability shall be
investigated and necessary actions taken.
8.7.2 Service Continuity At planned intervals, the risks to service Not Implemented
Management continuity shall be assessed and documented.
8.7.2.a Service Continuity The organization shall determine the service
Management - continuity requirements. The agreed
Requirements requirements shall take into consideration Not Implemented
relevant business requirements, service
requirements, SLAs and risks.
8.7.2.b Service Continuity The organization shall create, implement and
Management - maintain one or more service continuity plans. Not Implemented
Continuity Plan
8.7.2.c Service Continuity The service continuity plan(s) shall include or
Management - contain a reference to criteria and Not Implemented
Invoking Criteria responsibilities for invoking service continuity.
8.7.2.d Service Continuity The service continuity plan(s) shall include or
Management - contain a reference to procedures to be
Procedures implemented in the event of a major loss of Not Implemented
service.
8.7.2.e Service Continuity The service continuity plan(s) shall include or
Management - contain a reference to targets for service
Targets availability when the service continuity plan is Not Implemented
invoked.
8.7.2.f Service Continuity The service continuity plan(s) shall include or
Management - contain a reference to service recovery Not Implemented
Recovery requirements.
8.7.2.g Service Continuity The service continuity plan(s) shall include or
Management - contain a reference to procedures for Not Implemented
Returning to Normal returning to normal working conditions.
8.7.2.h Service Continuity The service continuity plan(s) and list of
Management - contacts shall be accessible when access to Not Implemented
Accessibility the normal service location is prevented.
8.7.2.i Service Continuity At planned intervals, the service continuity
Management - Plan plan(s) shall be tested against the service
Testing continuity requirements. The service
continuity plan(s) shall be re-tested after
major changes to the service environment.
The results of the tests shall be recorded. Not Implemented
Reviews shall be conducted after each test
and after the service continuity plan(s) has
been invoked. Where deficiencies are found,
the organization shall take necessary actions.
8.7.2.j Service Continuity The organization shall report on the cause,
Management - impact and recovery when the service Not Implemented
Reporting continuity plan(s) has been invoked.
8.7.3.1 Information Security Management with appropriate authority shall
Policy approve an information security policy
relevant to the organization. The information
security policy shall be documented and take
into consideration the service requirements
and the legal, regulatory, as well as
contractual requirements. The information
security policy shall be made available as
appropriate. The organization shall Not Implemented
communicate the importance of conforming to
the information security policy and its
applicability to the SMS and the services to
appropriate persons within: a) the
organization; b) customers and users; c)
external suppliers, internal suppliers and other
interested parties.
8.7.3.2.a Information Security At planned intervals, the information security
Controls - Risks risks to the SMS and the services shall be
assessed and documented. Information
security controls shall be determined,
implemented and operated to support the Not Implemented
information security policy and address
identified information security risks. Decisions
about information security controls shall be
documented.
8.7.3.2.b Information Security The organization shall agree and implement
Controls - information security controls to address
Not Implemented
Implementation information security risks related to external
organizations.
8.7.3.2.c Information Security The organization shall monitor and review the
Controls - effectiveness of information security controls
Effectiveness and take necessary actions. Not Implemented
Measurement
8.7.3.3 Information Security The organization shall analyze the information
Incidents security incidents by type, volume and impact
on the SMS, services and interested parties. Not Implemented
Information security incidents shall be
reported and reviewed to identify opportunities
for improvement.
8.7.3.3.a Information Security Information security incidents shall be
Incidents - Recording recorded and classified. Not Implemented
& Classification
8.7.3.3.b Information Security Information security incidents shall be
Incidents - Priority prioritized taking into consideration the Not Implemented
information security risk.
8.7.3.3.c Information Security Information security incidents shall be
Not Implemented
Incidents - Escalation escalated if needed.
8.7.3.3.d Information Security Information security incidents shall be
Not Implemented
Incidents - Resolution resolved.
8.7.3.3.e Information Security Information security incidents shall be closed.
Not Implemented
Incidents - Closure
9.1 Monitoring, The organization shall retain appropriate
Measurement, documented information as evidence of the
Analysis and results. The organization shall evaluate the
Evaluation SMS performance against the service
management objectives and evaluate the Not Implemented
effectiveness of the SMS. The organization
shall evaluate the effectiveness of the
services against the service requirements.
9.1.a Monitoring, The organization shall determine what needs
Measurement, to be monitored and measured.
Not Implemented
Analysis and
Evaluation - Scope
9.1.b Monitoring, The organization shall determine the
Measurement, methods for monitoring, measurement, Not Implemented
Analysis and analysis and evaluation, as applicable, to
Evaluation - Methods ensure valid results.
9.1.c Monitoring, The organization shall determine when and by
Measurement, whom the monitoring and measurement of the
Not Implemented
Analysis and service management system effectiveness
Evaluation - When shall be performed.
9.1.d Monitoring, The organization shall determine when the
Measurement, results from service management system
Analysis and effectiveness monitoring and measurement Not Implemented
Evaluation - Review shall be analyzed and evaluated.
of Results
9.2.1.a.1, Internal Audit - The organization shall conduct internal audits
2.1.a.2, General at planned intervals to provide information on
2.1.b Requirements whether the SMS: a) conforms to: 1) the Not Implemented
organization’s own requirements for its SMS;
2) the requirements of ISO 20000-1; b) is
effectively implemented and maintained.
9.2.2.a Audit Program(s) - The organization shall plan, establish,
Establish implement and maintain an audit program(s)
including the frequency, methods,
responsibilities, planning requirements and Not Implemented
reporting, which shall take into consideration
the importance of the processes concerned
and the results of previous audits.
9.2.2.b Audit Program(s) - The organization shall define the audit criteria
Not Implemented
Scope and scope for each audit.
9.2.2.c Audit Program(s) - The organization shall select auditors and
Objectivity conduct audits that ensure objectivity and the Not Implemented
impartiality of the audit process.
9.2.2.d Audit Program(s) - The organization shall ensure that the results
Reporting of the audits are reported to relevant Not Implemented
managers.
9.2.2.e Audit Program(s) - The organization shall retain documented
Documentation information as evidence of the audit Not Implemented
program(s) and the audit results.
9.3 Management Review Top management shall review the
- Service organization’s SMS, at planned intervals, to
Management System ensure its continuing suitability, adequacy and
effectiveness. The organization shall retain
documented information as evidence of the Not Implemented
results of management reviews. The outputs
of the management review shall include
decisions related to continual improvement
opportunities and any need for changes to the
SMS and the services.
9.3.a Management Review The management review shall include
Input - Status of Past consideration of the status of actions from Not Implemented
Actions previous management reviews.
9.3.b Management Review The management review shall include
Input - Internal and consideration of changes in external and
Not Implemented
External Issues internal issues that are relevant to the service
management system.
9.3.c.1 Management Review The management review shall include
Input - Corrective consideration of information on the service Not Implemented
Actions management performance, including trends in
nonconformities and corrective actions.
9.3.c.2 Management Review The management review shall include
Not Implemented
Input - Monitoring consideration of information on the service
management monitoring and measurement
evaluation results.
9.3.c.3 Management Review The management review shall include
Input - Audit Results consideration of information on the service Not Implemented
management audit results.
9.3.d Management Review The management review shall include
Input - Continual consideration of opportunities for continual Not Implemented
Improvement improvement.
9.3.e Management Review The management review shall include
Input - Feedback consideration of feedback from customers and Not Implemented
other interested parties.
9.3.f Management Review The management review shall include
Input - Suitability consideration of adherence to and suitability
Not Implemented
of the service management policy and other
policies required by ISO 20000-1.
9.3.g Management Review The management review shall include
Input - Achievement consideration of achievement of service Not Implemented
Objectives management objectives.
9.3.h Management Review The management review shall include Not Implemented
Input - Performance consideration of performance of the services.
9.3.i Management Review The management review shall include
Input - Delivery consideration of performance of other parties Not Implemented
Performance involved in the delivery of the services.
9.3.j Management Review The management review shall include
Input - Resources consideration of current and forecast human,
technical, information and financial resource Not Implemented
levels, and human and technical resource
capabilities.
9.3.k Management Review The management review shall include
Input - Risk consideration of results of risk assessment
Assessment and the effectiveness of actions taken to Not Implemented
address risks and opportunities.
9.3.l Management Review The management review shall include
Input - Changes consideration of changes that can affect the Not Implemented
SMS and the services.
9.4 Service Reporting The organization shall determine reporting
requirements and their purpose. Reports on
the performance and effectiveness of the
SMS and the services shall be produced
using information from the SMS activities and
delivery of the services. Service reporting Not Implemented
shall include trends. The organization shall
make decisions and take actions based on the
findings in service reports. The agreed actions
shall be communicated to interested parties.
10.1.1.a.1 Nonconformity and When nonconformity occurs, the organization
Corrective Action - shall react to the nonconformity, and as Not Implemented
Corrective Action applicable take action to control and correct it.
10.1.1.a.2 Nonconformity and When nonconformity occurs, the organization
Corrective Action - shall react to the nonconformity and as Not Implemented
Consequences applicable deal with the consequences.
10.1.1.b.1 Nonconformity and When a nonconformity occurs, the
Corrective Action - organization shall evaluate the need for action
Review to eliminate the causes of nonconformity, in Not Implemented
order that it does not recur or occur elsewhere
by reviewing the nonconformity.
10.1.1.b.2 Nonconformity and When a nonconformity occurs, the
Corrective Action - organization shall evaluate the need for action
Root Cause to eliminate the causes of nonconformity, in Not Implemented
order that it does not recur or occur elsewhere
by determining the causes of the
nonconformity.
10.1.1.b.3 Nonconformity and When a nonconformity occurs, the
Corrective Action - organization shall evaluate the need for action
Potential to Recur to eliminate the causes of nonconformity, in
order that it does not recur or occur elsewhere Not Implemented
by determining if similar nonconformities exist,
or could potentially occur.
10.1.1.c Nonconformity and When a nonconformity occurs, the
Corrective Action - organization shall implement any action Not Implemented
Implementation needed to correct the nonconformity.
10.1.1.d Nonconformity and When a nonconformity occurs, the
Corrective Action - organization shall review the effectiveness of Not Implemented
Review Corrective any corrective action taken.
Action
10.1.1.e Nonconformity and When a nonconformity occurs, the
Corrective Action - organization shall make changes to the
Changes to Service service management system, if necessary. Not Implemented
Management System Corrective actions shall be appropriate to the
effects of the nonconformities encountered.
10.1.2.a Nonconformity and When a nonconformity occurs, the
Corrective Action - organization shall retain documented
Documentation information as evidence of the nature of the Not Implemented
nonconformities and any subsequent actions
taken.
10.1.2.b Nonconformity and When a nonconformity occurs, the
Corrective Action - organization shall retain documented Not Implemented
Results information as evidence of the results of any
corrective action.
10.2 Continual The organization shall continually improve the
Improvement suitability, adequacy and effectiveness of the Not Implemented
SMS and the services. The organization shall
determine evaluation criteria to be applied to
the opportunities for improvement when
making decisions on their approval.
Evaluation criteria shall include alignment of
the improvement with service management
objectives. Opportunities for improvement
shall be documented.
10.2.a Continual The organization shall manage approved
Improvement - improvement activities that include setting one
Targets or more targets for improvement in areas such Not Implemented
as quality, value, capability, cost, productivity,
resource utilization and risk reduction.
10.2.b Continual The organization shall manage approved
Improvement - Priority improvement activities that include ensuring Not Implemented
that improvements are prioritized, planned
and implemented.
10.2.c Continual The organization shall manage approved
Improvement - improvement activities that include making Not Implemented
Changes changes to the SMS, if necessary.
10.2.d Continual The organization shall manage approved
Improvement - improvement activities that include measuring
Measurement implemented improvements against the Not Implemented
target(s) set and where target(s) are not
achieved, taking necessary actions.
10.2.e Continual The organization shall manage approved
Improvement - improvement activities that include reporting
Reporting on implemented improvements. NOTE:
Improvements can include reactive and proactive Not Implemented
actions such as correction, corrective
action, preventive action, enhancements,
innovation and re-organization.