Information technology -- Service management

ISO/IEC 20000-6:2017 specifies requirements and provides guidance for certification bodies providing audit and certification of an SMS in accordance with ISO/IEC 20000‑1. It does not change the requirements specified in ISO/IEC 20000‑1. ISO/IEC 20000-6:2017 can also be used by accreditation bodies for accreditation of certification bodies. A certification body providing SMS certification is expected to be able to demonstrate fulfilment of the requirements specified in ISO/IEC 20000-6:2017, in addition to the requirements in ISO/IEC 17021‑1.

Technologies de l'information -- Gestion des services

General Information

Status
Published
Publication Date
05-Jun-2017
Current Stage
6060 - International Standard published
Start Date
10-May-2017
Completion Date
06-Jun-2017
Ref Project

Buy Standard

Standard
ISO/IEC 20000-6:2017 - Information technology -- Service management
English language
13 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

INTERNATIONAL ISO/IEC
STANDARD 20000-6
First edition
2017-06
Information technology — Service
management —
Part 6:
Requirements for bodies providing
audit and certification of service
management systems
Technologies de l’information — Gestion des services —
Partie 6: Exigences pour les organismes procédant à l’audit et à la
certification des systèmes de management de la gestion des services
Reference number
ISO/IEC 20000-6:2017(E)
ISO/IEC 2017
---------------------- Page: 1 ----------------------
ISO/IEC 20000-6:2017(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2017, Published in Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form

or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior

written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of

the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2017 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 20000-6:2017(E)
Contents Page

Foreword ..........................................................................................................................................................................................................................................v

Introduction ................................................................................................................................................................................................................................vi

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Principles ..................................................................................................................................................................................................................... 1

5 General requirements ..................................................................................................................................................................................... 1

5.1 Legal and contractual matters ................................................................................................................................................... 1

5.2 Management of impartiality ........................................................................................................................................................ 2

5.3 Liability and financing ...................................................................................................................................................................... 2

6 Structural requirements .............................................................................................................................................................................. 2

7 Resource requirements ................................................................................................................................................................................. 2

7.1 Competence of personnel .............................................................................................................................................................. 2

7.1.1 General considerations ............................................................................................................................................... 2

7.1.2 Determination of competence criteria .......................................................................................................... 2

7.1.3 Evaluation processes .................................................................................................................................................... 3

7.1.4 Other considerations .................................................................................................................................................... 3

7.2 Personnel involved in certification activities ................................................................................................................ 3

7.3 Use of individual external auditors and external technical experts .......................................................... 3

7.4 Personnel records................................................................................................................................................................................. 3

7.5 Outsourcing................................................................................................................................................................................................ 3

8 Information requirements ......................................................................................................................................................................... 4

8.1 Public information ............................................................................................................................................................................... 4

8.2 Certification documents .................................................................................................................................................................. 4

8.3 Reference to certification and use of marks .................................................................................................................. 4

8.4 Confidentiality ......................................................................................................................................................................................... 4

8.5 Information exchange between a certification body and its clients ......................................................... 4

9 Process requirements ..................................................................................................................................................................................... 4

9.1 Pre-certification activities ............................................................................................................................................................. 4

9.1.1 Application ............................................................................................................................................................................ 4

9.1.2 Application review ......................................................................................................................................................... 4

9.1.3 Audit programme ............................................................................................................................................................ 5

9.1.4 Determining audit time .............................................................................................................................................. 5

9.1.5 Multi-site sampling ........................................................................................................................................................ 8

9.1.6 Multiple management systems standards ................................................................................................. 8

9.2 Planning audits ....................................................................................................................................................................................... 9

9.2.1 Determining audit objectives, scope and criteria ................................................................................ 9

9.2.2 Audit team selection and assignments ......................................................................................................... 9

9.2.3 Audit plan ............................................................................................................................................................................... 9

9.3 Initial certification ............................................................................................................................................................................10

9.4 Conducting audits ..............................................................................................................................................................................10

9.4.1 General...................................................................................................................................................................................10

9.4.2 Conducting the opening meeting ....................................................................................................................10

9.4.3 Communication during the audit ...................................................................................................................10

9.4.4 Obtaining and verifying information ...........................................................................................................10

9.4.5 Identifying and recording audit findings .................................................................................................11

9.4.6 Preparing audit conclusions ...............................................................................................................................11

9.4.7 Conducting the closing meeting ......................................................................................................................11

9.4.8 Audit report .......................................................................................................................................................................11

9.4.9 Cause analysis of nonconformities ................................................................................................................11

9.4.10 Effectiveness of corrections and corrective actions .......................................................................11

© ISO/IEC 2017 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 20000-6:2017(E)

9.5 Certification decision ......................................................................................................................................................................11

9.6 Maintaining certification .............................................................................................................................................................11

9.7 Appeals .......................................................................................................................................................................................................11

9.8 Complaints ...............................................................................................................................................................................................11

9.9 Client records ........................................................................................................................................................................................11

9.10 Management system requirements for certification bodies .........................................................................12

Bibliography .............................................................................................................................................................................................................................13

iv © ISO/IEC 2017 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 20000-6:2017(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that are

members of ISO or IEC participate in the development of International Standards through technical

committees established by the respective organization to deal with particular fields of technical

activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international

organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the

work. In the field of information technology, ISO and IEC have established a joint technical committee,

ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of

any patent rights identified during the development of the document will be in the Introduction and/or

on the ISO list of patent declarations received (see www .iso .org/ patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment,

as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the

Technical Barriers to Trade (TBT) see the following URL: www . i so .org/ iso/ foreword .html.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO’s adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following

URL: w w w . i s o .org/ iso/ foreword .html.

This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,

subcommittee, SC 40, IT Service Management and IT Governance.
A list of all parts in the ISO/IEC 20000 series can be found on the ISO website.
© ISO/IEC 2017 – All rights reserved v
---------------------- Page: 5 ----------------------
ISO/IEC 20000-6:2017(E)
Introduction

This document is for use by certification bodies for auditing and certifying a service management

system (SMS) in accordance with ISO/IEC 20000-1. It can also be used by accreditation bodies when

assessing certification bodies. It is intended to be used in conjunction with ISO/IEC 17021-1, which

sets out criteria for certification bodies providing audit and certification of management systems. This

document provides requirements additional to those in ISO/IEC 17021-1.

Correct application of this document will enable certification bodies to harmonize their application of

ISO/IEC 17021-1 for assessments against ISO/IEC 20000-1. It will also enable accreditation bodies to

harmonize their application of the standards they use to assess certification bodies.

This document follows the structure of ISO/IEC 17021-1, as far as possible. The requirements additional

to those in ISO/IEC 17021-1 are shown as subclauses numbered “SMxxx”.

ISO/IEC 17021-1 and this document use the term “client” for the organization seeking certification.

vi © ISO/IEC 2017 – All rights reserved
---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO/IEC 20000-6:2017(E)
Information technology — Service management —
Part 6:
Requirements for bodies providing audit and certification
of service management systems
1 Scope

This document specifies requirements and provides guidance for certification bodies providing audit

and certification of an SMS in accordance with ISO/IEC 20000-1. It does not change the requirements

specified in ISO/IEC 20000-1. This document can also be used by accreditation bodies for accreditation

of certification bodies.

A certification body providing SMS certification is expected to be able to demonstrate fulfilment of the

requirements specified in this document, in addition to the requirements in ISO/IEC 17021-1.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 17021-1:2015, Conformity assessment — Requirements for bodies providing audit and certification

of management systems — Part 1: Requirements

ISO/IEC 20000-1, Information technology — Service management — Part 1: Service management system

requirements

ISO/IEC TR 20000-10, Information technology — Service management — Part 10: Concepts and

terminology
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 17021-1 and

ISO/IEC TR 20000-10 apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— IEC Electropedia: available at http:// www .electropedia .org/
— ISO Online browsing platform: available at http:// www .iso .org/ obp
4 Principles

For the purposes of this document, the principles in ISO/IEC 17021-1:2015, Clause 4 apply.

5 General requirements
5.1 Legal and contractual matters
The requirements in ISO/IEC 17021-1:2015, 5.1 apply.
© ISO/IEC 2017 – All rights reserved 1
---------------------- Page: 7 ----------------------
ISO/IEC 20000-6:2017(E)
5.2 Management of impartiality

The requirements in ISO/IEC 17021-1:2015, 5.2 apply. In addition, the following requirements and

guidance apply.
5.2.1 SM5.2.1 Conflicts of interest

Certification bodies may carry out the following duties without them being considered as consultancy

or having a potential conflict of interest:

a) arranging and participating as a lecturer in training courses. Where these courses relate to

service management, related management systems or auditing, certification bodies shall confine

themselves to the provision of generic information and advice which is publicly available, i.e. they

shall not provide company-specific advice;

b) making available or publishing on request information describing the certification body’s

interpretation of the requirements of the certification audit standards;

c) activities prior to audit, solely aimed at determining readiness for certification audit. These

activities shall not result in the provision of recommendations or advice that would contravene

this subclause. The certification body shall be able to confirm that such activities do not contravene

these requirements and that they are not used to justify a reduction in the eventual certification

audit duration;

d) performing second and third-party audits according to standards or regulations other than those

being part of the scope of accreditation;

e) adding value during certification audits and surveillance visits, e.g. by identifying opportunities for

improvement, as they become evident during the audit, without recommending specific solutions.

The certification body shall not provide internal service management reviews of the client’s SMS

subject to certification. The certification body shall be independent of the body or bodies (including any

individuals) which provide the internal SMS audit.
5.3 Liability and financing
The requirements in ISO/IEC 17021-1:2015, 5.3 apply.
6 Structural requirements
The requirements in ISO/IEC 17021-1:2015, Clause 6 apply.
7 Resource requirements
7.1 Competence of personnel
7.1.1 General considerations
The requirements in ISO/IEC 17021-1:2015, 7.1.1 apply.
7.1.2 Determination of competence criteria

The requirements in ISO/IEC 17021-1:2015, 7.1.2 apply. In addition, the following requirements and

guidance apply.
2 © ISO/IEC 2017 – All rights reserved
---------------------- Page: 8 ----------------------
ISO/IEC 20000-6:2017(E)
7.1.2.1 SM7.1.2.1 The term “technical area”

ISO/IEC 20000-1 states that all requirements are generic and are intended to be applicable to all clients,

regardless of type, size and the nature of the services delivered. For ISO/IEC 20000-1 audits, the term

“technical area” relates to the SMS, including service management processes and the services within

the scope of the SMS. “Technical area” does not relate to any underlying technology used to enable

service delivery.
7.1.3 Evaluation processes
The requirements in ISO/IEC 17021-1:2015, 7.1.3 apply.
7.1.4 Other considerations
The requirements in ISO/IEC 17021-1:2015, 7.1.4 apply.
7.2 Personnel involved in certification activities

The requirements in ISO/IEC 17021-1:2015, 7.2 apply. In addition, the following requirements and

guidance apply.
7.2.1 SM7.2.1 Competence of personnel involved in certification activities

The certification body shall define criteria for the training and competence development of auditors

and personnel involved in managing and supporting certification activities. The certification body shall

ensure knowledge, as appropriate for each role, of:
a) the requirements specified in ISO/IEC 20000-1;

b) the relevant parts of ISO/IEC 20000, especially ISO/IEC 20000-2, ISO/IEC 20000-3 and

ISO/IEC TR 20000-10.

The certification body shall ensure that auditors and personnel involved in managing and supporting

certification activities have appropriate awareness of the impact of legal and regulatory requirements

relevant to auditing an SMS, according to the jurisdictions in scope. Awareness of legal and regulatory

requirements does not imply profound legal knowledge: a management system certification audit is not

a legal compliance audit.

The certification body shall ensure auditors keep knowledge and skills in service management and

auditing up to date through continual professional development.
7.3 Use of individual external auditors and external technical experts
The requirements in ISO/IEC 17021-1:2015, 7.3 apply.
7.4 Personnel records
The requirements in ISO/IEC 17021-1:2015, 7.4 apply.
7.5 Outsourcing
The requirements in ISO/IEC 17021-1:2015, 7.5 apply.
© ISO/IEC 2017 – All rights reserved 3
---------------------- Page: 9 ----------------------
ISO/IEC 20000-6:2017(E)
8 Information requirements
8.1 Public information
The requirements in ISO/IEC 17021-1:2015, 8.1 apply.
8.2 Certification documents

The requirements in ISO/IEC 17021-1:2015, 8.2 apply. In addition, the following requirements and

guidance apply.
8.2.1 SM8.2.1 Scope definition
The guidance in ISO/IEC 20000-3 should be used when defining the scope.
8.3 Reference to certification and use of marks
The requirements in ISO/IEC 17021-1:2015, 8.3 apply.
8.4 Confidentiality

The requirements in ISO/IEC 17021-1:2015, 8.4 apply. In addition, the following requirements and

guidance apply.
8.4.1 SM8.4.1 Access to the client’s documents, including records

Before the certification audit is agreed, the certification body shall ask the client to report if any SMS

documents or records cannot be made available for review by the audit team because they contain

confidential or sensitive information. The certification body shall determine whether the SMS can be

adequately audited in the absence of these documents or records. If any documents or records are

essential for the audit and are not available, the certification body shall advise the client that an audit

cannot take place until appropriate access arrangements are granted.
8.5 Information exchange between a certification body and its clients
The requirements in ISO/IEC 17021-1:2015, 8.5 apply.
9 Process requirements
9.1 Pre-certification activities
9.1.1 Application
The requirements in ISO/IEC 17021-1:2015, 9.1.1 apply.
9.1.2 Application review

The requirements in ISO/IEC 17021-1:2015, 9.1.2 apply. In addition, the following requirements and

guidance apply.
9.1.2.1 SM9.1.2.1 Application review

The certification body shall review the application from the client to ensure a clear understanding of

the areas of activity of the client and the likely risks to the SMS and the services.

4 © ISO/IEC 2017 – All rights reserved
---------------------- Page: 10 ----------------------
ISO/IEC 20000-6:2017(E)
9.1.3 Audit programme
The requirements in ISO/IEC 17021-1:2015, 9.1.3 apply.
9.1.4 Determining audit time

The requirements in ISO/IEC 17021-1:2015, 9.1.4 apply. In addition, the following requirements and

guidance apply.
9.1.4.1 SM9.1.4.1 Determining audit time for initial audit

The certification body shall use the number of effective client personnel as the basis for determining

audit time for an initial certification audit. The certification body shall use Table 1 when determining

audit time. Table 1 is based on 8-hour days. The figures may be adjusted if the hours per day are higher

or lower than 8 h.

The number of effective client personnel shall be calculated as full-time equivalents (FTE). The

calculation of effective client personnel shall be based on those in the scope of the SMS. The certification

body shall be able to justify the rationale used for the relationship between the number of effective

client personnel supporting the SMS and the services and the audit time.

If the number of effective client personnel supporting the SMS and the services exceeds 1 175, the

certification body’s procedures shall provide for the calculation of audit time, following the progression

in Table 1 in a consistent manner and define the days by extrapolation beyond the last band in Table 1.

The certification body shall base their plans for an initial audit on a minimum audit time of 2,5 d, after

adjustments, irrespective of the number of client personnel.

The audit duration shall not be less than 80 % of the audit time. If additional time is needed for planning

or report writing, this shall not reduce the audit duration.

Table 1 — Relationship between effective number of personnel and audit time before

adjustments (initial audit)
Effective number of client Audit time: Stage 1 +
personnel Stage 2 (days)
1–15 3,5
16–25 4,5
26–45 5,5
46–65 6
66–85 7
86–125 8
126–175 9
176–275 10
276–425 11
426–625 12
626–875 13
876–1 175 15

NOTE Audit time is defined as the time needed to plan and accomplish a complete and effective audit of

the client’s management system. Audit time includes the total time on-site at a client’s location (physical or

virtual) and time spent off-site carrying out planning, document review, interacting with client personnel and

report writing. Duration of management system certification audits is defined as that part of audit time spent

conducting audit activities from the opening meeting to the closing meeting, inclusive.

The effective number of personnel consists of all personnel involved within the scope of certification

including those working on each shift. When included within the scope of certification, it shall

© ISO/IEC 2017 – All rights reserved 5
---------------------- Page: 11 ----------------------
ISO/IEC 20000-6:2017(E)

also include non-permanent (e.g. contractors) and part-time personnel. Dependent upon the hours

worked, part-time personnel numbers and employees partially in scope may be reduced or increased

and converted to an equivalent number of full time personnel. When a high percentage of personnel

perform activities or roles which are considered repetitive, a reduction to the number of personnel,

which is coherent and applied consistently on a client to client basis within the scope of certification, is

permitted.
9.1.4.2 SM9.1.4.2 Adjustments to audit time

All attributes of the client’s SMS and the services shall be considered and adjustments made to the initial

audit time for those factors that could justify more or less time. Regardless of the adjustment factors,

the certification body shall ensure that sufficient audit time is allocated to accomplish a complete and

effective audit of the client’s SMS. The certification body shall document and be able to justify a decrease

or increase in audit time.

Tables 2 and 3 show how relevant factors can affect the audit times in Table 1. A shift means handovers

and interfaces across multiple locations and/or teams operating in consecutive work periods.

The maximum reduction shall be 30 % of the Table 1 audit time.
Table 2 — Factors which can decrease audit time
Potential decrease factors
1 A low rate of change to the SMS and the services.

2 Previously demonstrated effective performance of the SMS, e.g. previously certified with another accred-

ited certification body.
3 Combined audit of the SMS with one or more other relevant management systems.

4 Prior knowledge of the organization, e.g. already certified to another standard by the same certifica-

tion body.
5 A single, simple service.

6 Identical activities performed on all shifts, with appropriate evidence of equivalent performance on all

shifts, e.g. service desk.

7 A significant proportion of service management personnel carry out a similar simple function.

8 Single site with low number of personnel.

9 A low level of reliance on other parties, such as suppliers, internal groups or customers acting as suppli-

ers, involved in the provision of services.
6 © ISO/IEC 2
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.