iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO/IEC 19770-11:2021

(Main)

Information technology — IT asset management — Part 11: Requirements for bodies providing audit and certification of IT asset management systems

Information technology — IT asset management — Part 11: Requirements for bodies providing audit and certification of IT asset management systems

This document specifies requirements and provides guidance for certification bodies providing audit and certification of an ITAMS in accordance with ISO/IEC 19770-1. It does not change the requirements specified in ISO/IEC 19770-1. This document can also be used by accreditation bodies for the accreditation of certification bodies. However, this document does not specify requirements or provides guidance for accreditation bodies to audit certification bodies. A certification body providing ITAMS certification is expected to be able to demonstrate fulfilment of the requirements specified in this document, in addition to the requirements in ISO/IEC 17021-1.

Technologies de l'information — Gestion de biens de logiciel — Partie 11: Exigences pour les organismes procédant à l’audit et à la certification des systèmes de management de la gestion des actifs logiciels

General Information

Status
Published
Publication Date
07-Jun-2021
ICS
03.120.20 - Product and company certification. Conformity assessment
35.080 - Software
Technical Committee
ISO/IEC JTC 1/SC 7 - Software and systems engineering
Drafting Committee
ISO/IEC JTC 1/SC 7/WG 21 - Information technology asset management
Current Stage
6060 - International Standard published
Start Date
08-Jun-2021
Due Date
19-Sep-2022
Completion Date
08-Jun-2021
Ref Project

Buy Standard

ISO/IEC 19770-11:2021 - Information technology -- IT asset managementISO/IEC 19770-11:2021 - Information technology -- IT asset management
PreviousNext
Standard
ISO/IEC 19770-11:2021 - Information technology -- IT asset management
English language
16 pages
sale 15% off
Preview
sale 15% off
Preview
ISO/IEC PRF 19770-11:Version 17-apr-2021 - Information technology -- IT asset managementISO/IEC PRF 19770-11:Version 17-apr-2021 - Information technology -- IT asset management
PreviousNext
Draft
ISO/IEC PRF 19770-11:Version 17-apr-2021 - Information technology -- IT asset management
English language
16 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

INTERNATIONAL ISO/IEC
STANDARD 19770-11
First edition
2021-06
Information technology — IT asset
management —
Part 11:
Requirements for bodies providing
audit and certification of IT asset
management systems
Technologies de l'information — Gestion de biens de logiciel —
Partie 11: Exigences pour les organismes procédant à l’audit et à la
certification des systèmes de management de la gestion des actifs
logiciels
Reference number
ISO/IEC 19770-11:2021(E)
©
ISO/IEC 2021

---------------------- Page: 1 ----------------------
ISO/IEC 19770-11:2021(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2021 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 19770-11:2021(E)

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Principles . 1
5 General requirements . 2
5.1 Legal and contractual matters . 2
5.2 Management of impartiality . 2
5.2.1 General. 2
5.2.2 SM5.2.2 Conflicts of interest . 2
5.3 Liability and financing . 2
6 Structural requirements . 2
7 Resource requirements . 3
7.1 Competence of personnel . 3
7.1.1 General considerations . 3
7.1.2 Determination of competence criteria . 3
7.1.3 Evaluation processes . 5
7.1.4 Other considerations . 6
7.2 Personnel involved in certification activities . 6
7.3 Use of individual external auditors and external technical experts . 6
7.4 Personnel records. 6
7.5 Outsourcing. 6
8 Information requirements . 6
8.1 Public information . 6
8.2 Certification documents . 6
8.2.1 General. 6
8.2.2 SM8.2.2 Scope definition . 6
8.3 Reference to certification and use of marks . 6
8.4 Confidentiality . 7
8.4.1 General. 7
8.4.2 SM8.4.2 Access to the client’s documents, including records . 7
8.5 Information exchange between a certification body and its clients . 7
9 Process requirements . 7
9.1 Pre-certification activities . 7
9.1.1 Application . 7
9.1.2 Application review . 7
9.1.3 Audit programme . 7
9.1.4 Determining audit time . 7
9.1.5 Multi-site sampling .10
9.1.6 Multiple management systems standards .11
9.2 Planning audits .11
9.2.1 Determining audit objectives, scope and criteria .11
9.2.2 Audit team selection and assignments .11
9.2.3 Audit plan .11
9.3 Initial certification .12
9.3.1 General.12
9.3.2 SM9.3.2 Identification of other parties .12
9.3.3 SM9.3.3 Integration of ITAMS documentation with that for other
management systems .12
9.4 Conducting audits .12
© ISO/IEC 2021 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 19770-11:2021(E)

9.4.1 General.12
9.4.2 Conducting the opening meeting .12
9.4.3 Communication during the audit .12
9.4.4 Obtaining and verifying information .13
9.4.5 Identifying and recording audit findings .13
9.4.6 Preparing audit conclusions .13
9.4.7 Conducting the closing meeting .13
9.4.8 Audit report .13
9.4.9 Cause analysis of nonconformities .13
9.4.10 Effectiveness of corrections and corrective actions .13
9.5 Certification decision .13
9.6 Maintaining certification .13
9.7 Appeals .13
9.8 Complaints .13
9.9 Client records .14
10 Management system requirements for certification bodies .14
Annex A Knowledge and skills for ITAMS auditing and certification .15
Bibliography .16
iv © ISO/IEC 2021 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 19770-11:2021(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives or www .iec .ch/ members
_experts/ refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC
list of patent declarations received (see patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso .org/
iso/ foreword .html. In the IEC, see www .iec .ch/ understanding -standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
subcommittee SC 7, Software and systems engineering.
A list of all parts in the ISO/IEC 19770 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html and www .iec .ch/ national
-committees.
© ISO/IEC 2021 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/IEC 19770-11:2021(E)

Introduction
This document is for use by certification bodies for auditing and certifying a management system for
IT asset management (ITAM), referred to as an “IT asset management system” (ITAMS) in accordance
with ISO/IEC 19770-1. It can also be used by accreditation bodies when assessing certification bodies.
It is intended to be used in conjunction with ISO/IEC 17021-1, which sets out criteria for certification
bodies providing audit and certification of management systems. This document provides requirements
additional to those in ISO/IEC 17021-1.
Correct application of this document enables certification bodies to harmonize their application
of ISO/IEC 17021-1 for audits against ISO/IEC 19770-1. It will also enable accreditation bodies to
harmonize their application of the standards they use to audit certification bodies.
This document follows the structure of ISO/IEC 17021-1, as far as possible. The requirements additional
to those in ISO/IEC 17021-1 are identified by subclauses titles that include “SMxxx”.
ISO/IEC 17021-1 and this document use the term “client” for the organization seeking certification.
vi © ISO/IEC 2021 – All rights reserved

---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO/IEC 19770-11:2021(E)
Information technology — IT asset management —
Part 11:
Requirements for bodies providing audit and certification
of IT asset management systems
1 Scope
This document specifies requirements and provides guidance for certification bodies providing audit
and certification of an ITAMS in accordance with ISO/IEC 19770-1. It does not change the requirements
specified in ISO/IEC 19770-1.
This document can also be used by accreditation bodies for the accreditation of certification bodies.
However, this document does not specify requirements or provides guidance for accreditation bodies to
audit certification bodies.
A certification body providing ITAMS certification is expected to be able to demonstrate fulfilment of
the requirements specified in this document, in addition to the requirements in ISO/IEC 17021-1.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17021-1:2015, Conformity assessment — Requirements for bodies providing audit and certification
of management systems — Part 1: Requirements
ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management
systems — Requirements
ISO/IEC 19770-5, Information technology — IT asset management — Part 5: Overview and vocabulary
ISO/IEC 20000-1, Information technology — Service management — Part 1: Service management system
requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17021-1 and
ISO/IEC 19770-5 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
4 Principles
The principles in ISO/IEC 17021-1:2015, Clause 4 apply.
© ISO/IEC 2021 – All rights reserved 1

---------------------- Page: 7 ----------------------
ISO/IEC 19770-11:2021(E)

5 General requirements
5.1 Legal and contractual matters
The requirements in ISO/IEC 17021-1:2015, 5.1 apply.
5.2 Management of impartiality
5.2.1 General
The requirements in ISO/IEC 17021-1:2015, 5.2 apply. In addition, the following requirements and
guidance apply.
5.2.2 SM5.2.2 Conflicts of interest
Certification bodies may carry out the following duties without them being considered as consultancy
or having a potential conflict of interest:
a) arranging and participating as a lecturer in training courses; where these courses relate to ITAM,
related management systems or auditing, certification bodies shall confine themselves to the
provision of generic information and advice which is publicly available, i.e. they shall not provide
company-specific advice;
b) making available or publishing on request information describing the certification body’s
interpretation of the requirements of the certification audit standards;
c) activities prior to audit, solely aimed at determining readiness for certification audit; these
activities shall not result in the provision of recommendations or advice that would contravene this
subclause; certification bodies shall be able to confirm that such activities do not contravene these
requirements and that they are not used to justify a reduction in the eventual certification audit
duration;
d) performing second and third-party audits according to other standards or regulations not directly
related to the ITAMS;
e) adding value during certification audits, e.g. by identifying opportunities for improvement, as they
become evident during the audit, without recommending specific solutions.
Certification bodies shall not provide internal ITAM reviews of the client’s ITAMS subject to
certification. Certification bodies shall be independent of the body or bodies (including any individuals)
which provide the internal ITAMS audit.
5.3 Liability and financing
The requirements in ISO/IEC 17021-1:2015, 5.3 apply.
6 Structural requirements
The requirements in ISO/IEC 17021-1:2015, Clause 6 apply.
2 © ISO/IEC 2021 – All rights reserved

---------------------- Page: 8 ----------------------
ISO/IEC 19770-11:2021(E)

7 Resource requirements
7.1 Competence of personnel
7.1.1 General considerations
7.1.1.1 General
The requirements in ISO/IEC 17021-1:2015, 7.1.1 apply. In addition, the following requirements and
guidance apply.
7.1.1.2 SM7.1.1.2 Generic competence requirements
The certification body shall ensure that it has knowledge of the technological, legal and regulatory
developments relevant to the ITAMS of the client which it assesses.
The certification body shall define the competence requirements for each certification function as
referenced in ISO/IEC 17021-1:2015, Table A.1. The certification body shall take into account all the
requirements specified in ISO/IEC 17021-1, 7.1.2 and 7.2.2 that are relevant for the ITAMS technical
areas as determined by the certification body.
NOTE Annex A provides a summary of the competence requirements for personnel involved in specific
certification functions.
7.1.2 Determination of competence criteria
7.1.2.1 General
The requirements in ISO/IEC 17021-1:2015, 7.1.2 apply. In addition, the following requirements and
guidance apply.
7.1.2.2 SM7.1.2.2 Competence requirements for ITAMS auditing
7.1.2.2.1 The term “technical area”
ISO/IEC 19770-1 states that all requirements are generic and intended to be applicable to IT assets of
organizations regardless of their types and sizes. IT assets encompass asset types such as executable
software (e.g. application programs, operating systems), non-executable software (e.g. fonts,
configuration information), and IT hardware (e.g. PC, server, printer). In addition, the requirements
of ISO/IEC 19770-1 can be applied to all technological environments and computing platforms (e.g.
virtualized software applications, cloud-based software-as-a-service). For ISO/IEC 19770-1 audits, the
term “technical area” relates to the ITAMS, including all ITAM-related processes and governance within
the scope of the ITAMS. “Technical area” does not relate to any underlying technology used to enable
ITAM.
7.1.2.2.2 General requirements
The audit team members shall at least have knowledge of:
a) management systems in general;
b) ITAMS maturity assessments;
c) service management system (SMS) or information security management systems (ISMS) as ITAMS
related management systems;
d) principles of auditing.
© ISO/IEC 2021 – All rights reserved 3

---------------------- Page: 9 ----------------------
ISO/IEC 19770-11:2021(E)

NOTE Further information on the principles of auditing can be found in ISO 19011.
Criteria a), b) and d) apply to all auditors being part of the audit team. Criteria c) is only relevant for
audit team members involved in a combined management system audit as addressed in 9.1.6.
7.1.2.2.3 ITAMS standards and normative documents
Collectively, all members of the audit team shall have knowledge of all requirements specified in
ISO/IEC 19770-1 as well as the terminology specified in ISO/IEC 19770-5.
7.1.2.2.4 ITAM principles, practices and techniques
All members of the audit team shall have knowledge of:
a) ITAM roles and responsibilities;
b) processes applicable to ITAM;
c) organizational interfaces of ITAMS;
d) ITAM related tools, methods, techniques and their application;
The audit team shall also have team members with knowledge of IT compliance and software license
compliance in particular. This competency can be shared among the auditors in the audit team.
7.1.2.2.5 Business management practices
Auditors involved in ITAMS auditing shall have knowledge of:
a) business requirements for ITAM;
b) ITAM stakeholders;
c) general business management concepts, practices and the inter-relationship between ITAM
policies, objectives and results;
d) management processes and related terminology.
NOTE These processes also include human resources management, internal and external communication
and other relevant support processes.
7.1.2.2.6 Client business sector
Auditors involved in ITAMS auditing shall have knowledge of:
a) legal and regulatory requirements relating to ITAM, depending on geography and jurisdiction(s),
e.g. country-specific laws on internal control systems for IT assets, intellectual property, copyright,
data privacy and environmental regulations;
NOTE Knowledge of legal and regulatory requirements does not imply a profound legal background.
b) ITAM risks related to business sector, e.g. software license compliance as part of the overall IT
compliance following regulatory requirements for financial institutions;
c) generic terminology, processes and technologies related to the client business sector;
d) relevant business sector practices.
The criteria a) and b) may be shared amongst the audit team.
4 © ISO/IEC 2021 – All rights reserved

---------------------- Page: 10 ----------------------
ISO/IEC 19770-11:2021(E)

7.1.2.2.7 Client products, processes and organization
Collectively, auditors involved in ITAMS auditing shall have knowledge of the impact of organization
type, size, governance, structure, functions and relationships on development and implementation of
the ITAMS and certification activities, including outsourcing.
7.1.2.3 SM7.1.2.3 Competence requirements for leading the ITAMS audit team
In addition to the requirements in 7.1.2.2, audit team leaders shall fulfil the following requirements,
which shall be demonstrated in audits under guidance and supervision:
a) knowledge and skills to manage the certification audit process and the audit team;
b) demonstration of the capability to communicate effectively, both orally and in writing.
The certification body shall ensure auditors keep knowledge and skills in ITAM and auditing up to date
through continual professional development.
7.1.2.4 SM7.1.2.4 Competence requirements for reviewing audit reports and making
certification decisions
7.1.2.4.1 General requirements
The personnel reviewing audit reports and making certification decisions shall have knowledge that
enables them to verify the appropriateness of the scope of certification as well as changes to the scope
and their impact on the effectiveness of the audit. Additionally, the personnel reviewing audit reports
and making the certification decisions shall have knowledge of:
a) management systems in general;
b) audit processes and procedures;
c) audit principles, practices and techniques.
7.1.2.4.2 ITAMS standards and normative documents
The personnel reviewing audit reports and making certification decisions shall have knowledge of
relevant ITAMS standards and other normative documents used in the certification process.
7.1.2.4.3 ITAM principles, practices and techniques
The personnel reviewing audit reports and making the certification decisions shall have knowledge of
the items listed in 7.1.2.2.4 a), b) and c).
7.1.2.4.4 Client business sector
The personnel reviewing audit reports and making certification decisions shall have knowledge of the
generic terminology and risks related to the relevant business sector practices.
7.1.3 Evaluation processes
7.1.3.1 General
The requirements in ISO/IEC 17021-1:2015, 7.1.3 apply. In addition, the following requirements and
guidance apply.
© ISO/IEC 2021 – All rights reserved 5

---------------------- Page: 11 ----------------------
ISO/IEC 19770-11:2021(E)

7.1.3.2 SM7.1.3.2 Demonstration of knowledge and experience
Knowledge and experience of personnel involved in the management and performance of audits
and other certification activities shall be evaluated, for example, by using recognized personnel
qualifications. Registration records under a personnel
...

INTERNATIONAL ISO/IEC
STANDARD 19770-11
First edition
Information technology — IT asset
management —
Part 11:
Requirements for bodies providing
audit and certification of IT asset
management systems
Technologies de l'information — Gestion de biens de logiciel —
Partie 11: Exigences pour les organismes procédant & l’audit et
& la certification des systèmes de management de la gestion des
actifs logiciels
PROOF/ÉPREUVE
Reference number
ISO/IEC 19770-11:2021(E)
©
ISO/IEC 2021

---------------------- Page: 1 ----------------------
ISO/IEC 19770-11:2021(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 19770-11:2021(E)

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Principles . 1
5 General requirements . 2
5.1 Legal and contractual matters . 2
5.2 Management of impartiality . 2
5.2.1 General. 2
5.2.2 SM5.2.2 Conflicts of interest . 2
5.3 Liability and financing . 2
6 Structural requirements . 2
7 Resource requirements . 3
7.1 Competence of personnel . 3
7.1.1 General considerations . 3
7.1.2 Determination of competence criteria . 3
7.1.3 Evaluation processes . 5
7.1.4 Other considerations . 6
7.2 Personnel involved in certification activities . 6
7.3 Use of individual external auditors and external technical experts . 6
7.4 Personnel records. 6
7.5 Outsourcing. 6
8 Information requirements . 6
8.1 Public information . 6
8.2 Certification documents . 6
8.2.1 General. 6
8.2.2 SM8.2.2 Scope definition . 6
8.3 Reference to certification and use of marks . 6
8.4 Confidentiality . 7
8.4.1 General. 7
8.4.2 SM8.4.2 Access to the client’s documents, including records . 7
8.5 Information exchange between a certification body and its clients . 7
9 Process requirements . 7
9.1 Pre-certification activities . 7
9.1.1 Application . 7
9.1.2 Application review . 7
9.1.3 Audit programme . 7
9.1.4 Determining audit time . 7
9.1.5 Multi-site sampling .10
9.1.6 Multiple management systems standards .11
9.2 Planning audits .11
9.2.1 Determining audit objectives, scope and criteria .11
9.2.2 Audit team selection and assignments .11
9.2.3 Audit plan .11
9.3 Initial certification .12
9.3.1 General.12
9.3.2 SM9.3.2 Identification of other parties .12
9.3.3 SM9.3.3 Integration of ITAMS documentation with that for other
management systems .12
9.4 Conducting audits .12
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE iii

---------------------- Page: 3 ----------------------
ISO/IEC 19770-11:2021(E)

9.4.1 General.12
9.4.2 Conducting the opening meeting .12
9.4.3 Communication during the audit .12
9.4.4 Obtaining and verifying information .13
9.4.5 Identifying and recording audit findings .13
9.4.6 Preparing audit conclusions .13
9.4.7 Conducting the closing meeting .13
9.4.8 Audit report .13
9.4.9 Cause analysis of nonconformities .13
9.4.10 Effectiveness of corrections and corrective actions .13
9.5 Certification decision .13
9.6 Maintaining certification .13
9.7 Appeals .13
9.8 Complaints .13
9.9 Client records .14
10 Management system requirements for certification bodies .14
Annex A Knowledge and skills for ITAMS auditing and certification .15
Bibliography .16
iv PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 19770-11:2021(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives or www .iec .ch/ members
_experts/ refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC
list of patent declarations received (see patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso .org/
iso/ foreword .html. In the IEC, see www .iec .ch/ understanding -standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
subcommittee SC 7, Software and systems engineering.
A list of all parts in the ISO/IEC 19770 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html and www .iec .ch/ national
-committees.
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE v

---------------------- Page: 5 ----------------------
ISO/IEC 19770-11:2021(E)

Introduction
This document is for use by certification bodies for auditing and certifying a management system for
IT asset management (ITAM), referred to as an “IT asset management system” (ITAMS) in accordance
with ISO/IEC 19770-1. It can also be used by accreditation bodies when assessing certification bodies.
It is intended to be used in conjunction with ISO/IEC 17021-1, which sets out criteria for certification
bodies providing audit and certification of management systems. This document provides requirements
additional to those in ISO/IEC 17021-1.
Correct application of this document enables certification bodies to harmonize their application
of ISO/IEC 17021-1 for audits against ISO/IEC 19770-1. It will also enable accreditation bodies to
harmonize their application of the standards they use to audit certification bodies.
This document follows the structure of ISO/IEC 17021-1, as far as possible. The requirements additional
to those in ISO/IEC 17021-1 are identified by subclauses titles that include “SMxxx”.
ISO/IEC 17021-1 and this document use the term “client” for the organization seeking certification.
vi PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved

---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO/IEC 19770-11:2021(E)
Information technology — IT asset management —
Part 11:
Requirements for bodies providing audit and certification
of IT asset management systems
1 Scope
This document specifies requirements and provides guidance for certification bodies providing audit
and certification of an ITAMS in accordance with ISO/IEC 19770-1. It does not change the requirements
specified in ISO/IEC 19770-1.
This document can also be used by accreditation bodies for the accreditation of certification bodies.
However, this document does not specify requirements or provides guidance for accreditation bodies to
audit certification bodies.
A certification body providing ITAMS certification is expected to be able to demonstrate fulfilment of
the requirements specified in this document, in addition to the requirements in ISO/IEC 17021-1.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17021-1:2015, Conformity assessment — Requirements for bodies providing audit and certification
of management systems — Part 1: Requirements
ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management
systems — Requirements
ISO/IEC 19770-5, Information technology — IT asset management — Part 5: Overview and vocabulary
ISO/IEC 20000-1, Information technology — Service management — Part 1: Service management system
requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17021-1 and
ISO/IEC 19770-5 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
4 Principles
The principles in ISO/IEC 17021-1:2015, Clause 4 apply.
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE 1

---------------------- Page: 7 ----------------------
ISO/IEC 19770-11:2021(E)

5 General requirements
5.1 Legal and contractual matters
The requirements in ISO/IEC 17021-1:2015, 5.1 apply.
5.2 Management of impartiality
5.2.1 General
The requirements in ISO/IEC 17021-1:2015, 5.2 apply. In addition, the following requirements and
guidance apply.
5.2.2 SM5.2.2 Conflicts of interest
Certification bodies may carry out the following duties without them being considered as consultancy
or having a potential conflict of interest:
a) arranging and participating as a lecturer in training courses; where these courses relate to ITAM,
related management systems or auditing, certification bodies shall confine themselves to the
provision of generic information and advice which is publicly available, i.e. they shall not provide
company-specific advice;
b) making available or publishing on request information describing the certification body’s
interpretation of the requirements of the certification audit standards;
c) activities prior to audit, solely aimed at determining readiness for certification audit; these
activities shall not result in the provision of recommendations or advice that would contravene this
subclause; certification bodies shall be able to confirm that such activities do not contravene these
requirements and that they are not used to justify a reduction in the eventual certification audit
duration;
d) performing second and third-party audits according to other standards or regulations not directly
related to the ITAMS;
e) adding value during certification audits, e.g. by identifying opportunities for improvement, as they
become evident during the audit, without recommending specific solutions.
Certification bodies shall not provide internal ITAM reviews of the client’s ITAMS subject to
certification. Certification bodies shall be independent of the body or bodies (including any individuals)
which provide the internal ITAMS audit.
5.3 Liability and financing
The requirements in ISO/IEC 17021-1:2015, 5.3 apply.
6 Structural requirements
The requirements in ISO/IEC 17021-1:2015, Clause 6 apply.
2 PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved

---------------------- Page: 8 ----------------------
ISO/IEC 19770-11:2021(E)

7 Resource requirements
7.1 Competence of personnel
7.1.1 General considerations
7.1.1.1 General
The requirements in ISO/IEC 17021-1:2015, 7.1.1 apply. In addition, the following requirements and
guidance apply.
7.1.1.2 SM7.1.1.2 Generic competence requirements
The certification body shall ensure that it has knowledge of the technological, legal and regulatory
developments relevant to the ITAMS of the client which it assesses.
The certification body shall define the competence requirements for each certification function as
referenced in ISO/IEC 17021-1:2015, Table A.1. The certification body shall take into account all the
requirements specified in ISO/IEC 17021-1, 7.1.2 and 7.2.2 that are relevant for the ITAMS technical
areas as determined by the certification body.
NOTE Annex A provides a summary of the competence requirements for personnel involved in specific
certification functions.
7.1.2 Determination of competence criteria
7.1.2.1 General
The requirements in ISO/IEC 17021-1:2015, 7.1.2 apply. In addition, the following requirements and
guidance apply.
7.1.2.2 SM7.1.2.2 Competence requirements for ITAMS auditing
7.1.2.2.1 The term “technical area”
ISO/IEC 19770-1 states that all requirements are generic and intended to be applicable to IT assets of
organizations regardless of their types and sizes. IT assets encompass asset types such as executable
software (e.g. application programs, operating systems), non-executable software (e.g. fonts, configuration
information), and IT hardware (e.g. PC, server, printer). In addition, the requirements of ISO/IEC 19770-1
can be applied to all technological environments and computing platforms (e.g. virtualized software
applications, cloud-based software-as-a-service). For ISO/IEC 19770-1 audits, the term “technical area”
relates to the ITAMS, including all ITAM-related processes and governance within the scope of the ITAMS.
“Technical area” does not relate to any underlying technology used to enable ITAM.
7.1.2.2.2 General requirements
The audit team members shall at least have knowledge of:
a) management systems in general;
b) ITAMS maturity assessments;
c) service management system (SMS) or information security management systems (ISMS) as ITAMS
related management systems;
d) principles of auditing.
NOTE Further information on the principles of auditing can be found in ISO 19011.
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE 3

---------------------- Page: 9 ----------------------
ISO/IEC 19770-11:2021(E)

Criteria a), b) and d) apply to all auditors being part of the audit team. Criteria c) is only relevant for
audit team members involved in a combined management system audit as addressed in 9.1.6.
7.1.2.2.3 ITAMS standards and normative documents
Collectively, all members of the audit team shall have knowledge of all requirements specified in
ISO/IEC 19770-1 as well as the terminology specified in ISO/IEC 19770-5.
7.1.2.2.4 ITAM principles, practices and techniques
All members of the audit team shall have knowledge of:
a) ITAM roles and responsibilities;
b) processes applicable to ITAM;
c) organizational interfaces of ITAMS;
d) ITAM related tools, methods, techniques and their application;
The audit team shall also have team members with knowledge of IT compliance and software license
compliance in particular. This competency can be shared among the auditors in the audit team.
7.1.2.2.5 Business management practices
Auditors involved in ITAMS auditing shall have knowledge of:
a) business requirements for ITAM;
b) ITAM stakeholders;
c) general business management concepts, practices and the inter-relationship between ITAM
policies, objectives and results;
d) management processes and related terminology.
NOTE These processes also include human resources management, internal and external communication
and other relevant support processes.
7.1.2.2.6 Client business sector
Auditors involved in ITAMS auditing shall have knowledge of:
a) legal and regulatory requirements relating to ITAM, depending on geography and jurisdiction(s),
e.g. country-specific laws on internal control systems for IT assets, intellectual property, copyright,
data privacy and environmental regulations;
NOTE Knowledge of legal and regulatory requirements does not imply a profound legal background.
b) ITAM risks related to business sector, e.g. software license compliance as part of the overall IT
compliance following regulatory requirements for financial institutions;
c) generic terminology, processes and technologies related to the client business sector;
d) relevant business sector practices.
The criteria a) and b) may be shared amongst the audit team.
4 PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved

---------------------- Page: 10 ----------------------
ISO/IEC 19770-11:2021(E)

7.1.2.2.7 Client products, processes and organization
Collectively, auditors involved in ITAMS auditing shall have knowledge of the impact of organization
type, size, governance, structure, functions and relationships on development and implementation of
the ITAMS and certification activities, including outsourcing.
7.1.2.3 SM7.1.2.3 Competence requirements for leading the ITAMS audit team
In addition to the requirements in 7.1.2.2, audit team leaders shall fulfil the following requirements,
which shall be demonstrated in audits under guidance and supervision:
a) knowledge and skills to manage the certification audit process and the audit team;
b) demonstration of the capability to communicate effectively, both orally and in writing.
The certification body shall ensure auditors keep knowledge and skills in ITAM and auditing up to date
through continual professional development.
7.1.2.4 SM7.1.2.4 Competence requirements for reviewing audit reports and making
certification decisions
7.1.2.4.1 General requirements
The personnel reviewing audit reports and making certification decisions shall have knowledge that
enables them to verify the appropriateness of the scope of certification as well as changes to the scope
and their impact on the effectiveness of the audit. Additionally, the personnel reviewing audit reports
and making the certification decisions shall have knowledge of:
a) management systems in general;
b) audit processes and procedures;
c) audit principles, practices and techniques.
7.1.2.4.2 ITAMS standards and normative documents
The personnel reviewing audit reports and making certification decisions shall have knowledge of
relevant ITAMS standards and other normative documents used in the certification process.
7.1.2.4.3 ITAM principles, practices and techniques
The personnel reviewing audit reports and making the certification decisions shall have knowledge of
the items listed in 7.1.2.2.4 a), b) and c).
7.1.2.4.4 Client business sector
The personnel reviewing audit reports and making certification decisions shall have knowledge of the
generic terminology and risks related to the relevant business sector practices.
7.1.3 Evaluation processes
7.1.3.1 General
The requirements in ISO/IEC 17021-1:2015, 7.1.3 apply. In addition, the following requirements and
guidance apply.
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE 5

---------------------- Page: 11 ----------------------
ISO/IEC 19770-11:2021(E)

7.1.3.2 SM7.1.3.2 Demonstration of knowledge and experience
Knowledge and experience of personnel involved in the management and performance of audits
and other
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO 20200:2023(Main)
Plastics — Determination of the degree of disintegration of plastic materials under composting conditions in a laboratory-scale test

This document specifies a method of determining the degree of disintegration of plastic materials when exposed to a laboratory-scale composting environment. The method is not applicable to the determination of the biodegradability of plastic materials under composting conditions. Further testing is necessary to be able to claim compostability.

  • Standard
    9 pages
    English language
    sale 15% off
  • Standard
    9 pages
    French language
    sale 15% off
ISO
ISO 9241-221:2023(Main)
Ergonomics of human-system interaction — Part 221: Human-centred design process assessment model

This document specifies the process references model (PRM) for human-centred design (HCD) according to ISO 9241-220, as well as the process assessment model (PAM) for assessing these processes, based on ISO/IEC 33020 and in accordance with the requirements of ISO/IEC 33004. This HCD PAM contains a set of indicators to be considered while interpreting the intent of the HCD PRM defined in ISO 9241-220. These indicators can also be applied when implementing a process improvement programme post an assessment. NOTE 1 The PRM in this document focuses on assessing HCD processes rather than system life cycle, for example as in ISO/IEC/IEEE 15288, or software life cycle, as in ISO/IEC/IEEE 12207. NOTE 2 If processes beyond the scope of ISO 9241-220 are required, appropriate processes from other PRMs, such as ISO/IEC/IEEE 12207, ISO/IEC/IEEE 15288 or ISO/TS 18152, can be added based on the business needs of the organization. The intended application of this document is computer-based interactive systems. While the processes apply to interactive systems that deliver services, they do not cover the design of those services. The relevant aspects of the processes can also be applied to simple or non-computer-based interactive systems. NOTE 3 HCD concentrates on the human-centred aspects of design and not on other aspects of design, such as mechanical construction, programming or the basic design of services. The process descriptions in this document provide the basis for a rigorous assessment of an enterprise’s capability to carry out human-centred processes in conformity with the ISO/IEC 33004 and ISO/IEC 33020. This document is intended for use by organizations that want to address and improve their treatment of human-centred design of either their internal systems or the products and services they provide, and the procurement of systems and parts of systems. The processes can be applied by small- and medium-sized enterprises as well as by large organizations. NOTE 4 The scope of application of the PAM is the same as that of the PRM, which is described in ISO 9241-220:2019, Clause 1.

  • Standard
    102 pages
    English language
    sale 15% off
ISO
ISO 19642-1:2023(Main)
Road vehicles — Automotive cables — Part 1: Vocabulary and design guidelines

This document defines terms in the field of cables applied in road vehicle general purpose applications, for use in the other parts of the ISO 19642 series.

  • Standard
    27 pages
    English language
    sale 15% off
ISO
ISO/IEC 9797-1:2011/Amd 1:2023(Amendment)
Information technology — Security techniques — Message Authentication Codes (MACs) — Part 1: Mechanisms using a block cipher — Amendment 1
  • Standard
    1 page
    English language
    sale 15% off
ISO
ISO 23316-7:2023(Main)
Tractors and machinery for agriculture and forestry — Electrical high-power interface 700 V DC / 480 V AC — Part 7: Mechanical integration

This document instructs the manufacturers of tractors and implements how to integrate mechanically and use the HPI. NOTE The terms "tractor" and "implement” are used instead of “supply system” and “consumer system” for better understanding in this part.

  • Standard
    5 pages
    English language
    sale 15% off
ISO
ISO/TS 24665:2023(Main)
Playground and recreational areas — Framework for the competence of playground inspectors and playground maintenance technicians

This document gives guidance and requirements for the education, examination and evaluation of the inspectors’ and maintenance technicians’ competence concerning public playground and recreational areas. This document describes the knowledge and competence required for each specific task an inspector or technician performs. This document is intended primarily for public playgrounds, but the principles are applicable to other recreational areas. This document does not include benefit/risk assessment methods. This document does not cover the competence of staff conducting product certification. NOTE 1 The different types of inspections covered are: routine visual inspection; operational inspection; annual main inspection; post-installation inspection; post-accident inspection; pre-installation consultation; mid-installation surveillance. NOTE 2 This document can be applicable to: roller-sport infrastructure; multi-sport arenas; outdoor exercise equipment; bouldering walls; portable and permanent socketed goals; parkour facilities; adventure playgrounds; ropes courses; inflatable play equipment.

  • Technical specification
    23 pages
    English language
    sale 15% off
  • Draft
    22 pages
    English language
    sale 15% off
  • Draft
    22 pages
    English language
    sale 15% off
ISO
ISO 22574:2023(Main)
Road vehicles — Brake linings friction materials — Visual inspection

This document defines visual aspects for the identification and assessment of product characteristics for friction materials in terms of quality and for commercial and technical agreements. The sequence of the product characteristics represents no order of priority. Inspection is carried out in unused, “as supplied” condition. In some characteristic features, there are differences between brake linings with an effective lining pad area less than 120 cm2 and larger than 120 cm2. The acceptance criteria ensure exclusion of any characteristics that could impact the function and performance of brake linings and applies unless other agreements between the customer and the supplier.

  • Standard
    35 pages
    English language
    sale 15% off
ISO
ISO 7055:2023(Main)
Natural gas — Upstream area — Determination of drag reduction in laboratory for slick water

This document specifies a method for the determination of drag reduction of slick water, which is mainly used to evaluate the drag reduction performance of slick water. This document uses the pipeline method to evaluate the drag reduction, which is currently recognized as the best method to evaluate the drag reduction performance. This document describes the device, experimental conditions and operating steps in detail. The drag reduction value obtained by evaluation according to this document can effectively represent the on-site drag reduction performance.

  • Standard
    5 pages
    English language
    sale 15% off
ISO
ISO/TS 7127:2023(Main)
Light and lighting — Building information modelling properties for lighting — Lighting systems

This technical specification identifies and clarifies lighting properties for digital building design and maintenance. This document provides all the needed properties to design and to describe lighting systems. These properties are intended to be used for mapping between data providers and requesters. The mapping of the identifiers enables the exchange of luminaire and sensing device data within different databases. The unambiguous mapping and description of properties improves the data quality, reduces misinterpretations and the processing time in digital environments. Therefore, the properties listed in this document establish the essential description of lighting systems in BIM systems and databases. The listed properties in this document are used to structure the product data sheet which is complemented with real product information.

  • Technical specification
    61 pages
    English language
    sale 15% off
  • Draft
    61 pages
    English language
    sale 15% off
  • Draft
    61 pages
    English language
    sale 15% off
ISO
ISO 10300-3:2023(Main)
Calculation of load capacity of bevel gears — Part 3: Calculation of tooth root strength

This document specifies the fundamental formulae for use in the tooth root stress calculation of straight and helical (skew), Zerol and spiral bevel gears including hypoid gears, with a minimum rim thickness under the root of 3,5 mmn. All load influences on tooth root stress are included, insofar as they are the result of load transmitted by the gearing and able to be evaluated quantitatively. Stresses, such as those caused by the shrink fitting of gear rims, which are superposed on stresses due to tooth loading, are intended to be considered in the calculation of the tooth root stress, σF, or the permissible tooth root stress σFP. This document is not applicable in the assessment of tooth flank fracture. The formulae in this document are based on virtual cylindrical gears and restricted to bevel gears whose virtual cylindrical gears have transverse contact ratios of εvα This document does not apply to stress levels above those permitted for 103 cycles, as stresses in that range can exceed the elastic limit of the gear tooth. NOTE This document is not applicable to bevel gears which have an inadequate contact pattern under load. The user is cautioned that when the formulae are used for large average mean spiral angles (βm1 + βm2)/2 > 45°, for effective pressure angles αe > 30° and/or for large facewidths b > 13 mmn, the calculated results of this document should be confirmed by experience.

  • Standard
    43 pages
    English language
    sale 15% off