ISO/IEC 20000-6:2017
(Main)Information technology — Service management — Part 6: Requirements for bodies providing audit and certification of service management systems
Information technology — Service management — Part 6: Requirements for bodies providing audit and certification of service management systems
ISO/IEC 20000-6:2017 specifies requirements and provides guidance for certification bodies providing audit and certification of an SMS in accordance with ISO/IEC 20000‑1. It does not change the requirements specified in ISO/IEC 20000‑1. ISO/IEC 20000-6:2017 can also be used by accreditation bodies for accreditation of certification bodies. A certification body providing SMS certification is expected to be able to demonstrate fulfilment of the requirements specified in ISO/IEC 20000-6:2017, in addition to the requirements in ISO/IEC 17021‑1.
Technologies de l'information — Gestion des services — Partie 6: Exigences pour les organismes procédant à l'audit et à la certification des systèmes de management de la gestion des services
General Information
Standards Content (Sample)
INTERNATIONAL ISO/IEC
STANDARD 20000-6
First edition
2017-06
Information technology — Service
management —
Part 6:
Requirements for bodies providing
audit and certification of service
management systems
Technologies de l’information — Gestion des services —
Partie 6: Exigences pour les organismes procédant à l’audit et à la
certification des systèmes de management de la gestion des services
Reference number
ISO/IEC 20000-6:2017(E)
©
ISO/IEC 2017
---------------------- Page: 1 ----------------------
ISO/IEC 20000-6:2017(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2017 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 20000-6:2017(E)
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Principles . 1
5 General requirements . 1
5.1 Legal and contractual matters . 1
5.2 Management of impartiality . 2
5.3 Liability and financing . 2
6 Structural requirements . 2
7 Resource requirements . 2
7.1 Competence of personnel . 2
7.1.1 General considerations . 2
7.1.2 Determination of competence criteria . 2
7.1.3 Evaluation processes . 3
7.1.4 Other considerations . 3
7.2 Personnel involved in certification activities . 3
7.3 Use of individual external auditors and external technical experts . 3
7.4 Personnel records. 3
7.5 Outsourcing. 3
8 Information requirements . 4
8.1 Public information . 4
8.2 Certification documents . 4
8.3 Reference to certification and use of marks . 4
8.4 Confidentiality . 4
8.5 Information exchange between a certification body and its clients . 4
9 Process requirements . 4
9.1 Pre-certification activities . 4
9.1.1 Application . 4
9.1.2 Application review . 4
9.1.3 Audit programme . 5
9.1.4 Determining audit time . 5
9.1.5 Multi-site sampling . 8
9.1.6 Multiple management systems standards . 8
9.2 Planning audits . 9
9.2.1 Determining audit objectives, scope and criteria . 9
9.2.2 Audit team selection and assignments . 9
9.2.3 Audit plan . 9
9.3 Initial certification .10
9.4 Conducting audits .10
9.4.1 General.10
9.4.2 Conducting the opening meeting .10
9.4.3 Communication during the audit .10
9.4.4 Obtaining and verifying information .10
9.4.5 Identifying and recording audit findings .11
9.4.6 Preparing audit conclusions .11
9.4.7 Conducting the closing meeting .11
9.4.8 Audit report .11
9.4.9 Cause analysis of nonconformities .11
9.4.10 Effectiveness of corrections and corrective actions .11
© ISO/IEC 2017 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 20000-6:2017(E)
9.5 Certification decision .11
9.6 Maintaining certification .11
9.7 Appeals .11
9.8 Complaints .11
9.9 Client records .11
9.10 Management system requirements for certification bodies .12
Bibliography .13
iv © ISO/IEC 2017 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 20000-6:2017(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment,
as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the
Technical Barriers to Trade (TBT) see the following URL: www . i so .org/ iso/ foreword .html.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: w w w . i s o .org/ iso/ foreword .html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
subcommittee, SC 40, IT Service Management and IT Governance.
A list of all parts in the ISO/IEC 20000 series can be found on the ISO website.
© ISO/IEC 2017 – All rights reserved v
---------------------- Page: 5 ----------------------
ISO/IEC 20000-6:2017(E)
Introduction
This document is for use by certification bodies for auditing and certifying a service management
system (SMS) in accordance with ISO/IEC 20000-1. It can also be used by accreditation bodies when
assessing certification bodies. It is intended to be used in conjunction with ISO/IEC 17021-1, which
sets out criteria for certification bodies providing audit and certification of management systems. This
document provides requirements additional to those in ISO/IEC 17021-1.
Correct application of this document will enable certification bodies to harmonize their application of
ISO/IEC 17021-1 for assessments against ISO/IEC 20000-1. It will also enable accreditation bodies to
harmonize their application of the standards they use to assess certification bodies.
This document follows the structure of ISO/IEC 17021-1, as far as possible. The requirements additional
to those in ISO/IEC 17021-1 are shown as subclauses numbered “SMxxx”.
ISO/IEC 17021-1 and this document use the term “client” for the organization seeking certification.
vi © ISO/IEC 2017 – All rights reserved
---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO/IEC 20000-6:2017(E)
Information technology — Service management —
Part 6:
Requirements for bodies providing audit and certification
of service management systems
1 Scope
This document specifies requirements and provides guidance for certification bodies providing audit
and certification of an SMS in accordance with ISO/IEC 20000-1. It does not change the requirements
specified in ISO/IEC 20000-1. This document can also be used by accreditation bodies for accreditation
of certification bodies.
A certification body providing SMS certification is expected to be able to demonstrate fulfilment of the
requirements specified in this document, in addition to the requirements in ISO/IEC 17021-1.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17021-1:2015, Conformity assessment — Requirements for bodies providing audit and certification
of management systems — Part 1: Requirements
ISO/IEC 20000-1, Information technology — Service management — Part 1: Service management system
requirements
ISO/IEC TR 20000-10, Information technology — Service management — Part 10: Concepts and
terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17021-1 and
ISO/IEC TR 20000-10 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http:// www .electropedia .org/
— ISO Online browsing platform: available at http:// www .iso .org/ obp
4 Principles
For the purposes of this document, the principles in ISO/IEC 17021-1:2015, Clause 4 apply.
5 General requirements
5.1 Legal and contractual matters
The requirements in ISO/IEC 17021-1:2015, 5.1 apply.
© ISO/IEC 2017 – All rights reserved 1
---------------------- Page: 7 ----------------------
ISO/IEC 20000-6:2017(E)
5.2 Management of impartiality
The requirements in ISO/IEC 17021-1:2015, 5.2 apply. In addition, the following requirements and
guidance apply.
5.2.1 SM5.2.1 Conflicts of interest
Certification bodies may carry out the following duties without them being considered as consultancy
or having a potential conflict of interest:
a) arranging and participating as a lecturer in training courses. Where these courses relate to
service management, related management systems or auditing, certification bodies shall confine
themselves to the provision of generic information and advice which is publicly available, i.e. they
shall not provide company-specific advice;
b) making available or publishing on request information describing the certification body’s
interpretation of the requirements of the certification audit standards;
c) activities prior to audit, solely aimed at determining readiness for certification audit. These
activities shall not result in the provision of recommendations or advice that would contravene
this subclause. The certification body shall be able to confirm that such activities do not contravene
these requirements and that they are not used to justify a reduction in the eventual certification
audit duration;
d) performing second and third-party audits according to standards or regulations other than those
being part of the scope of accreditation;
e) adding value during certification audits and surveillance visits, e.g. by identifying opportunities for
improvement, as they become evident during the audit, without recommending specific solutions.
The certification body shall not provide internal service management reviews of the client’s SMS
subject to certification. The certification body shall be independent of the body or bodies (including any
individuals) which provide the internal SMS audit.
5.3 Liability and financing
The requirements in ISO/IEC 17021-1:2015, 5.3 apply.
6 Structural requirements
The requirements in ISO/IEC 17021-1:2015, Clause 6 apply.
7 Resource requirements
7.1 Competence of personnel
7.1.1 General considerations
The requirements in ISO/IEC 17021-1:2015, 7.1.1 apply.
7.1.2 Determination of competence criteria
The requirements in ISO/IEC 17021-1:2015, 7.1.2 apply. In addition, the following requirements and
guidance apply.
2 © ISO/IEC 2017 – All rights reserved
---------------------- Page: 8 ----------------------
ISO/IEC 20000-6:2017(E)
7.1.2.1 SM7.1.2.1 The term “technical area”
ISO/IEC 20000-1 states that all requirements are generic and are intended to be applicable to all clients,
regardless of type, size and the nature of the services delivered. For ISO/IEC 20000-1 audits, the term
“technical area” relates to the SMS, including service management processes and the services within
the scope of the SMS. “Technical area” does not relate to any underlying technology used to enable
service delivery.
7.1.3 Evaluation processes
The requirements in ISO/IEC 17021-1:2015, 7.1.3 apply.
7.1.4 Other considerations
The requirements in ISO/IEC 17021-1:2015, 7.1.4 apply.
7.2 Personnel involved in certification activities
The requirements in ISO/IEC 17021-1:2015, 7.2 apply. In addition, the following requirements and
guidance apply.
7.2.1 SM7.2.1 Competence of personnel involved in certification activities
The certification body shall define criteria for the training and competence development of auditors
and personnel involved in managing and supporting certification activities. The certification body shall
ensure knowledge, as appropriate for each role, of:
a) the requirements specified in ISO/IEC 20000-1;
b) the relevant parts of ISO/IEC 20000, especially ISO/IEC 20000-2, ISO/IEC 20000-3 and
ISO/IEC TR 20000-10.
The certification body shall ensure that auditors and personnel involved in managing and supporting
certification activities have appropriate awareness of the impact of legal and regulatory requirements
relevant to auditing an SMS, according to the jurisdictions in scope. Awareness of legal and regulatory
requirements does not imply profound legal knowledge: a management system certification audit is not
a legal compliance audit.
The certification body shall ensure auditors keep knowledge and skills in service management and
auditing up to date through continual professional development.
7.3 Use of individual external auditors and external technical experts
The requirements in ISO/IEC 17021-1:2015, 7.3 apply.
7.4 Personnel records
The requirements in ISO/IEC 17021-1:2015, 7.4 apply.
7.5 Outsourcing
The requirements in ISO/IEC 17021-1:2015, 7.5 apply.
© ISO/IEC 2017 – All rights reserved 3
---------------------- Page: 9 ----------------------
ISO/IEC 20000-6:2017(E)
8 Information requirements
8.1 Public information
The requirements in ISO/IEC 17021-1:2015, 8.1 apply.
8.2 Certification documents
The requirements in ISO/IEC 17021-1:2015, 8.2 apply. In addition, the following requirements and
guidance apply.
8.2.1 SM8.2.1 Scope definition
The guidance in ISO/IEC 20000-3 should be used when defining the scope.
8.3 Reference to certification and use of marks
The requirements in ISO/IEC 17021-1:2015, 8.3 apply.
8.4 Confidentiality
The requirements in ISO/IEC 17021-1:2015, 8.4 apply. In addition, the following requirements and
guidance apply.
8.4.1 SM8.4.1 Access to the client’s documents, including records
Before the certification audit is agreed, the certification body shall ask the client to report if any SMS
documents or records cannot be made available for review by the audit team because they contain
confidential or sensitive information. The certification body shall determine whether the SMS can be
adequately audited in the absence of these documents or records. If any documents or records are
essential for the audit and are not available, the certification body shall advise the client that an audit
cannot take place until appropriate access arrangements are granted.
8.5 Information exchange between a certification body and its clients
The requirements in ISO/IEC 17021-1:2015, 8.5 apply.
9 Process requirements
9.1 Pre-certification activities
9.1.1 Application
The requirements in ISO/IEC 17021-1:2015, 9.1.1 apply.
9.1.2 Application review
The requirements in ISO/IEC 17021-1:2015, 9.1.2 apply. In addition, the following requirements and
guidance apply.
9.1.2.1 SM9.1.2.1 Application review
The certification body shall review the application from the client to ensure a clear understanding of
the areas of activity of the client and the likely risks to the SMS and the services.
4 © ISO/IEC 2017 – All rights reserved
---------------------- Page: 10 ----------------------
ISO/IEC 20000-6:2017(E)
9.1.3 Audit programme
The requirements in ISO/IEC 17021-1:2015, 9.1.3 apply.
9.1.4 Determining audit time
The requirements in ISO/IEC 17021-1:2015, 9.1.4 apply. In addition, the following requirements and
guidance apply.
9.1.4.1 SM9.1.4.1 Determining audit time for initial audit
The certification body shall use the number of effective client personnel as the basis for determining
audit time for an initial certification audit. The certification body shall use Table 1 when determining
audit time. Table 1 is based on 8-hour days. The figures may be adjusted if the hours per day are higher
or lower than 8 h.
The number of effective client personnel shall be calculated as full-time equivalents (FTE). The
calculation of effective client personnel shall be based on those in the scope of the SMS. The certification
body shall be able to justify the rationale used for the relationship between the number of effective
client personnel supporting the SMS and the services and the audit time.
If the number of effective client personnel supporting the SMS and the services exceeds 1 175, the
certification body’s procedures shall provide for the calculation of audit time, following the progression
in Table 1 in a consistent manner and define the days by extrapolation beyond the last band in Table 1.
The certification body shall base their plans for an initial audit on a minimum audit time of 2,5 d, after
adjustments, irrespective of the number of client personnel.
The audit duration shall not be less than 80 % of the audit time. If additional time is needed for planning
or report writing, this shall not reduce the audit duration.
Table 1 — Relationship between effective number of personnel and audit time before
adjustments (initial audit)
Effective number of client Audit time: Stage 1 +
personnel Stage 2 (days)
1–15 3,5
16–25 4,5
26–45 5,5
46–65 6
66–85 7
86–125 8
126–175 9
176–275 10
276–425 11
426–625 12
626–875 13
876–1 175 15
NOTE Audit time is defined as the time needed to plan and accomplish a complete and effective audit of
the client’s management system. Audit time includes the total time on-site at a client’s location (physical or
virtual) and time spent off-site carrying out planning, document review, interacting with client personnel and
report writing. Duration of management system certification audits is defined as that part of audit time spent
conducting audit activities from the opening meeting to the closing meeting, inclusive.
The effective number of personnel consists of all personnel involved within the scope of certification
including those working on each shift. When included within the scope of certification, it shall
© ISO/IEC 2017 – All rights reserved 5
---------------------- Page: 11 ----------------------
ISO/IEC 20000-6:2017(E)
also include non-permanent (e.g. contractors) and part-time personnel. Dependent upon the hours
worked, part-time personnel numbers and employees partially in scope may be reduced or increased
and converted to an equivalent number of full time personnel. When a high percentage of personnel
perform activities or roles which are considered repetitive, a reduction to the number of personnel,
which is coherent and applied consistently on a client to client basis within the scope of certification, is
permitted.
9.1.4.2 SM9.1.4.2 Adjustments to audit time
All attributes of the client’s SMS and the services shall be considered and adjustments made to the initial
audit time for those factors that could justify more or less time. Regardless of the adjustment factors,
the certification body shall ensure that sufficient audit time is allocated to accomplish a complete and
effective audit of the client’s SMS. The certification body shall document and be able to justify a decrease
or increase in audit time.
Tables 2 and 3 show how relevant factors can affect the audit times in Table 1. A shift means handovers
and interfaces across multiple locations and/or teams operating in consecutive work periods.
The maximum reduction shall be 30 % of the Table 1 audit time.
Table 2 — Factors which can decrease audit time
Potential decrease factors
1 A low rate of change to the SMS and the services.
2 Previously demonstrated effective performance of the SMS, e.g. previously certified with another accred-
ited certification body.
3 Combined audit of the SMS with one or more other relevant management systems.
4 Prior knowledge of the organization, e.g. already certified to another standard by the same certifica-
tion body.
5 A single, simple service.
6 Identical activities performed on all shifts, with appropriate evidence of equivalent performance on all
shifts, e.g. service desk.
7 A significant proportion of service management personnel carry out a similar simple function.
8 Single site with low number of personnel.
9 A low level of reliance on other parties, such as suppliers, internal groups or customers acting as suppli-
ers, involved in the provision of services.
6 © ISO/IEC 2
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.