Essential steps to prepare for ISO 19770-1 certification

What's needed to obtain ISO 19770-1 certification for ITAM? And how do you go about it? This blog gives you some pointers.

Blog - June 2023: Is your ITAM practice ready for ISO/IEC 19770-1:2017 certification? 

Take our ISO Readiness Assessment Quiz - find out your level of readiness in only 10 minutes!

 

ISO/IEC 19770-1:2017 certification demonstrates an organisation's commitment to standardised, efficient and compliant IT asset management. Being certified offers business benefits such as continued C-level attention for ITAM, improved data security and compliance, better vendor relationships and continuous improvement. It also facilitates interoperability with other important IT functions, communication and knowledge sharing.

Obtaining ISO 19770-1 certification is not something that’s done “on the side”. There’s no set time frame; it will depend on your organisation’s prior preparation, specific needs, and scale. If you are starting from scratch or need an overhaul of your systems, it will take longer than it would for an organisation that already has a strong management system in place for another ISO standard, for example ISO 27001.

It will probably take more time than expected, so make sure to start early.

In general, the process can be divided into these steps:

  • Preparation
  • Pre-audit
  • Remediation phase
  • Actual audit
  • Certification

Getting started - how to prepare

Get (re-)acquainted with the standard

First, make sure to be informed! You need to understand the business, management, and performance standards that the ISO certification for ITAM is based on. Specifically:

  • What is in & what’s new in the 2017 version of the standard?
  • Did you implement all the improvements?
  • Are some elements of your ITAM program outdated? (Pop quiz: When did you update policy documentation for the last time?)
  • Are you sure you are covering SAM, HAM as well as cloud solutions?

Note: certification is valid for 3 years, even if the standard changes in the meantime.

Did your organisation go through reorganisations, mergers, or personnel changes? Or did you switch your tooling or platform partner? Then it is important to ask yourself the following questions:

  • Is the responsibility for asset verification centralised?
  • Is the role of ITAM process owner still clear? Does it still exist, and is the person responsible aware of the responsibilities that come with the role?
  • Is verification of ITAM tooling roll-out still covered in the contract with the new provider? And how about data quality in general? Is that covered?

Consult your peers

After getting (re)acquainted with the ISO standard, you can consult your peers. After all, they might be going through the same process, and you might learn from them.

  • How are other companies preparing? Although the certification itself is fairly new, that doesn’t mean you can’t use existing LinkedIn and user groups to share your thoughts.
  • Consult your colleagues: Does your company hold other ISO certifications? If you’re working for a larger company, chances are that there’s already an ISO 27001 or 20000 certification in place. Reach out to the colleagues who managed those audits to find out what you can learn from them.

Book your free info call with our lead consultant for ISO: Ash Dharas

Pre-audit activities 

Before you start and dive into the audit, you can prepare your team and organisation. Here are some tips we wholeheartedly recommend.

Perform your own internal assessment: Once your company understands the benchmark for certification, it should hold an in-depth internal audit of current processes, RACI matrices and team roles. (By the way, a yearly assessment is mandatory for certification, so that’s an easy box to tick.)

Enlist external expertise: Another way to prepare for an audit is working with an external ITAM specialist who performs an assessment as a "dress rehearsal" for the real thing. Being new to the company's way of working, chances are this can be done as a one-off project or as part of a service.

Prepare Your Team: This is the moment to make sure you have the right people on board. Can they answer the questions? Do you know where the ITAM roles are delegated? It’s best you find out for yourself, and not during the actual audit.

  • If your team is used to an internal audit then they can also answer the questions better, because they recognise them. They are familiar with the content and with the session.
  • Make sure your documents are in check! This is the perfect time to make sure your process descriptions, RACIs, information portals, plans, corporate guidelines, etc. are up to date.

Result / adaptation – Setting up for success

Next to assessing your status, you need to make sure that you fix what needs to be fixed before the next phase of the audit. Make sure that all the differences you found are addressed in an ITAM improvement plan.

  • Make the necessary improvements. Based on the standards analysis and internal review, your team should make the changes needed to meet the upcoming audit requirements.
  • Plan the hours needed for interviews and callbacks: Apart from the time needed for interviews, allow time for the team to provide examples and answer follow-up questions from the auditor.

The assessment 

After the assessment by an external, independent auditor, two things can happen:

  • There are non-conformities: In this case you will receive a non-conformity form to complete, which must be returned within a specified time period. In this form you explain how you plan to remediate the issues. If the auditor agrees, you move on.
  • Standards have been met: your organisation will be nominated for certification to a Certification Committee (independent auditors within the assessment organisation).

Congratulations! You have been certified! And then?

ISO/IEC 19770-1 certificates are valid for three years. During this time, two surveillance audits are performed, and then the re-certification process takes place.

Having a hard time getting started? 

Are you unsure where to start? For example, because you don’t have the manpower to handle it all, or lack the experience?

Book your free info call with our lead consultant for this subject: Ash Dharas


Having been on 3 different sides of the process, Softline offers a 360° approach to ISO 19770 certification. Next to co-writing the certification method and supporting companies in implementing the ISO management framework, we also went through our own certification process, resulting in Softline being the first company worldwide to be ISO/IEC 19770-1 certified.