APMG Scheme Regulations v2.2

Download as pdf or txt
Download as pdf or txt
You are on page 1of 10

Information Technology Service Management

Requirements for bodies providing audit and Certification of


IT Service Management Systems under the APMG
Certification Scheme

Document Reference APMG 15/015

The APM Group Limited 2014. This document is not to be reproduced or re-sold without express permission from The APM Group
Limited. The APMG-International ISO/IEC 20000 and Swirl Device logo is a trade mark of the APM Group Limited.
Version 2.2 January 2014 Owner Head of Standards
Introduction
Certification for the IT service management system (SMS) of an IT service provider organization is
one means of providing assurance that the organization has implemented an SMS for the effective
delivery of IT services. Requirements for an SMS can originate from a number of sources and this
document has been developed to assist with the certification of SMS that fulfil the requirements of
the International IT service management standard, ISO/IEC 20000-1:2011.

The criteria for bodies operating audit and certification of management systems are contained in the
International Standard, ISO/IEC 17021:2011. If such bodies are to be accredited as complying with
ISO/IEC 17021:2011 with the objective of auditing and certifying SMS in accordance with ISO/IEC
20000-1:2011 and the APMG Scheme, some additional requirements to, and guidance for ISO/IEC
17021:2011 are necessary. These are provided by this document.

The text in this document follows the structure of ISO/IEC 17021:2011, and the additional APMG-
specific requirements and guidance on the application of ISO/IEC 17021:2011 for SMS certification
are identified by the letters SM.

The term shall is used throughout this document to indicate those provisions which, reflecting the
requirements of ISO/IEC 17021:2011 and ISO/IEC 20000-1:2011, are mandatory. The term should
is used to indicate those provisions which, although they constitute guidance for the application of
the requirements, are expected to be adopted by a certification body.

NOTE: Until December 2010, this Scheme was owned and managed by itSMF. On 1 January 2011,
ownership and management transferred to APM Group Ltd (APMG) and the Scheme name was
changed appropriately. Version 2 and subsequent versions of this document reflect this change of
ownership and name.

1 Scope
This document specifies requirements and provides guidance, in addition to the requirements
contained within ISO/IEC 17021:2011 for bodies providing audit and certification of SMS within the
APMG Scheme. It is primarily intended to support the registration by APMG of certification bodies
providing APMG certification against the criteria contained within the ISO/IEC 20000-1:2011
standard.

2 Normative references
The following referenced documents are indispensable for the application of this document. For
dated references, only the edition cited applies. For undated references, the latest edition of the
referenced document (including any amendments) applies.

ISO/IEC 17021:2011, Conformity assessment Requirements for bodies providing audit


and certification of management systems
ISO/IEC 20000-1:2011, Information technology - Service management Part1: Specification
PD ISO/IEC TR 20000-3:2009 Information Technology Service management Part 3:
guidance on scope definition and applicability of ISO/IEC 20000-1

3 Terms and definitions


For the purposes of this document, the terms and definitions given in ISO/IEC 17021:2011 and the
following apply.

Certificate: a document indicating that a client organizations SMS conforms to specified SMS
standards and any supplementary documentation required under the Scheme. The certificate is
issued by a certification body in accordance with the conditions of its registration by
APMG and bearing the APMG Certification Scheme mark

Certification body: third party registered with APMG that assesses and certifies the SMS of a client
organization with respect to published APMG Scheme requirements, and any supplementary
documentation required under the Scheme. Within the APMG Scheme these are frequently referred
to as Registered Certification Bodies (RCBs).
The APM Group Limited 2014. This document is not to be reproduced or re-sold without express permission from The APM Group
Limited. The APMG-International ISO/IEC 20000 and Swirl Device logo is a trade mark of the APM Group Limited.
Version 2.2 January 2014 Owner Head of Standards
Information Technology (IT): the use of technology for the storage, communication or processing
of information. The technology typically includes computers, telecommunications, applications and
other software. The information may include business data, voice, images, video etc. IT is often
used to support business processes, through the use of IT services.

Mark: legally registered trade mark or otherwise protected symbol which is issued under the rules of
a registration by APMG or of a certification body, indicating that adequate confidence in the
management system operated by a body has been demonstrated

Organization; the entity seeking certification that may be a company, corporation, firm, enterprise,
authority or institution, or part or combination thereof, whether incorporated or not, public or private,
that has its own functions and administration and is able to ensure that effective service
management is exercised. Such an organization is frequently referred to as a Service Provider.

4 Principles
There are no additional requirements.

5 General requirements

5.1 Legal and contractual matters

5.1.1 Legal responsibility


There are no additional requirements.

5.1.2 Certification agreement


There are no additional requirements.

5.1.3 Responsibility for certification decisions

The decision shall be based upon the findings and certification recommendation of the audit team as
provided in their certification audit report and any other relevant information available to the
certification body.

6 Structural requirements
There are no additional requirements.

The APM Group Limited 2014. This document is not to be reproduced or re-sold without express permission from The APM Group
Limited. The APMG-International ISO/IEC 20000 and Swirl Device logo is a trade mark of the APM Group Limited.
Version 2.2 January 2014 Owner Head of Standards
7 Resource requirements

7.1 Competence of management and personnel


There are no additional requirements.

7.2 Personnel involved in the certification activities

7.2.1 There are no additional requirements.

7.2.2 There are no additional requirements.

7.2.3 There are no additional requirements.

SM 7.2.4: All technical experts used on audits must have successfully completed the three day
itSMF accredited ISO/IEC 20000 Consultant training course or the APMG Practitioner equivalent,
hold the associated certificate and have two years relevant IT service management experience.

SM 7.2.5: The following criteria shall be applied for each auditor in the SMS audit team. The auditor
shall have:
a) at least four years full time practical workplace experience in information technology, of
which at least two years in a role or function relating to IT Service Management;
b) successfully completed a minimum of a five day training programme on the subject of
auditing and audit management, two days of which shall have been an itSMF accredited
ISO/IEC 20000 Auditor training course or the APMG equivalent and hold the associated
certificate;
c) prior to assuming responsibility for performing as an auditor, the candidate should have
gained experience in the entire process of assessing an SMS. This experience should have
been gained by participation in a minimum of two SMS assessments, including review of
documentation and improvement programmes, implementation assessment and audit reporting;
d) Maintained their own knowledge and skill in auditing SMS.

Auditors performing as lead auditor shall additionally fulfil the following requirements:

1. have acted in the role of audit team leader in at least three SMS audits, under the direction
and guidance of an auditor competent as an audit team leader
2. have demonstrated they possess adequate knowledge and attributes to manage the
assessment process;

Any variations to these pre-requisite levels shall be documented by the certification body e.g. for
personnel already qualified as auditors in a related discipline.

7.2.6 There are no additional requirements.

7.2.7 There are no additional requirements.

7.2.8 There are no additional requirements.

7.2.9 There are no additional requirements.

SM 7.2.10: Auditors shall be able to demonstrate their knowledge and experience, as outlined
above, for example through:

a) recognized SMS-specific qualifications;


b) registration as an auditor;
c) approved SMS training courses;
d) up to date continual professional development records;
e) practical demonstration through witnessing auditors going through the SMS audit process
on real client systems
f) at least annually recorded personal reviews and feedback
The APM Group Limited 2014. This document is not to be reproduced or re-sold without express permission from The APM Group
Limited. The APMG-International ISO/IEC 20000 and Swirl Device logo is a trade mark of the APM Group Limited.
Version 2.2 January 2014 Owner Head of Standards
8 Information requirements

8.1 Publicly accessible information

SM 8.1: The certification body shall inform APMG of any new certifications or changes in certification
status within twenty working days of the decision being taken.

8.2 Certification documents


There are no additional requirements.

8.3 Directory of certified clients


There are no additional requirements.

8.4 Reference to certification and use of marks (itSMF)

SM 8.4.1: The APMG Scheme certification mark is a registered trademark. Certification bodies are
licensed to use the logo, either in colour or black and white, for the following purposes:

a) in marketing collateral describing the APMG Certification Scheme and any specific
associated service that they offer
b) on certificates issued to organisations successfully passing an audit

When used in colour, the mark shall be reproduced in the exact colours and font of the issued logo.
The mark will be supplied to certification bodies on acceptance of their application to join the
Scheme.

The certification body may sub-license organisations, which they have certified under the Scheme,
to use the mark subject to the conditions above on their corporate collateral. The certification body
will inform such organisations of the permitted uses of the mark when issuing a certificate.

In particular the mark must not be altered or used in a misleading way, for example to imply
certification of something which is not certified. No other use of the logo is permitted and APMG will
take strong action against any perceived abuse of the mark, whether by a certification body or any
other organisation.

The certification body shall exercise proper control over ownership, use and display of its SMS
certification marks. If the certification body confers the right to use a mark to indicate certification of
an SMS, the certification body shall ensure that the client organization uses the specified mark only
as authorized in writing by the certification body.

9 Process requirements

9.1 General requirements

SM 9.1.1: A certification body may offer other management system certification linked with SMS
certification, or may offer SMS certification only. The SMS audit can be combined with audits of
other management systems. This combination is possible provided it can be demonstrated that the
audit satisfies all requirements for certification of the SMS. All the elements important to an SMS
shall appear clearly, and be readily identifiable, in the audit reports. The quality of the audit shall not
be adversely affected by the combination of the audits.

9.1.2 There are no additional requirements.

The APM Group Limited 2014. This document is not to be reproduced or re-sold without express permission from The APM Group
Limited. The APMG-International ISO/IEC 20000 and Swirl Device logo is a trade mark of the APM Group Limited.
Version 2.2 January 2014 Owner Head of Standards
SM 9.1.3: The following requirements apply to the audit team as a whole.

a) In each of the following areas at least one audit team member shall satisfy the
certification body's criteria for taking responsibility within the team:

1) managing the team,


2) management systems and process applicable to SMS,
3) knowledge of SMS processes and their implementation,
4) knowledge of SMS effectiveness review and measurement of the processes,
5) related and/or relevant SMS standards, industry best practices and procedures,
6) knowledge of incident handling methods,
7) knowledge of the current technology where service management might be
relevant or an issue,
8) knowledge of risk management processes and methods.

b) The audit team shall be competent to review all aspects of the service level agreements
in the client organization's SMS back to the appropriate elements of the SMS.
c) The audit team shall have appropriate work experience and practical application of the
service management processes (this does not mean that an auditor needs a complete range
of experience of all areas of service management, but the audit team as whole shall have
enough appreciation and experience to cover the SMS scope being audited).

Technical experts with specific knowledge regarding the process and IT service management issues
and legislation affecting the client organization, but who do not satisfy all of the above criteria, may
be part of the audit team. Technical experts shall work under the supervision of the lead auditor. An
audit team may consist of one person provided that the person meets all the criteria set out in a)
above.7.3

SM 9.1.4 Certification bodies shall allow auditors sufficient time to perform the activities related to an
assessment. Annex A provides a framework for determining auditor time expected for an effective
audit.

SM 9.1.5: Multiple site sampling decisions in the area of SMS certification are more complex than
the same decisions are for quality management systems. Where a client organization has a number
of sites meeting the criteria from a) to c) below, certification bodies may consider using a sample-
based approach to multiple-site certification audit:
a) all sites are operating under the same SMS, which is centrally administered and audited
and subject to central management review;
b) all sites are included within the client organizations internal SMS audit programme;
c) all sites are included within the client organizations SMS management review
programme.

A certification body wishing to use a sample-based approach shall have procedures in place to
ensure the following.
a) The initial contract review identifies, to the greatest extent possible, the difference
between sites such that an adequate level of sampling is determined.
b) A representative number of sites have been sampled by the certification body, taking into
account:

1) the results of internal audits of head office and the sites,


2) the results of management review,
3) variations in the size of the sites,
4) variations in the business purpose of the sites,
5) complexity of the SMS,
6) complexity of the service management systems at the different sites,
7) variations in working practices,
8) variations in activities undertaken,
9) any differing legal requirements.

The APM Group Limited 2014. This document is not to be reproduced or re-sold without express permission from The APM Group
Limited. The APMG-International ISO/IEC 20000 and Swirl Device logo is a trade mark of the APM Group Limited.
Version 2.2 January 2014 Owner Head of Standards
c) A representative sample is selected from all sites within the scope of the client
organizations SMS; this selection should be based upon judgmental choice to reflect the
factors presented in item c) above as well as a random element.

d) The surveillance programme has been designed in the light of the above requirements
and covers all sites of the client organization or within the scope of the SMS certification
within a reasonable time.

The audit shall address the client organization's head office activities to ensure that a single SMS
applies to all sites and delivers central management at the operational level. The audit shall address
all the issues outlined above.

9.1.6 There are no additional requirements.

9.1.7 There are no additional requirements.

9.1.8 There are no additional requirements.

SM 9.1.9: The audit plan shall identify any network-assisted auditing techniques that will be utilized
during the audit, as appropriate.

NOTE Network assisted auditing techniques may include, for example, teleconferencing, web meeting,
interactive web based communications and remote electronic access to the SMS documentation and/or
SMS processes. The focus of such techniques should be to enhance audit effectiveness and efficiency,
and should support the integrity of the audit process.

SM 9.1.10: The certification body may adopt reporting procedures that suit its needs but as a
minimum these procedures shall ensure that:

a) a meeting takes place between the audit team and the client organization's management
prior to leaving the premises, at which the audit team provides
1) a written or oral indication regarding the conformity of the client organization's
SMS with the particular certification requirements,
2) an opportunity for the client organization to ask questions about the findings and
their basis;

The audit report should provide the following information:

a) an account of the audit including a summary of the document review;


b) an account of the certification audit of the client organization's implementation of the
service management core processes;

9.1.11 There are no additional requirements.

9.1.12 There are no additional requirements.

9.1.13 There are no additional requirements.

SM 9.1.14: Those who make the certification decision shall not have participated in the audit.

9.2 Initial audit and certification

9.2.1 Application
SM 9.2.1: The certification body shall ensure that the scope and boundaries of the SMS of the client
organization are clearly defined in terms of the characteristics of the business and the organization.

Information on scope statements is contained in the document PD ISO/IEC TR 20000-3:2009


Information Technology Service management Part 3.

ISO/IEC 20000-1:2011 1.2 contains advice on the application of the standard, and 4.5.1 gives explicit
requirements for scope definition.

The APM Group Limited 2014. This document is not to be reproduced or re-sold without express permission from The APM Group
Limited. The APMG-International ISO/IEC 20000 and Swirl Device logo is a trade mark of the APM Group Limited.
Version 2.2 January 2014 Owner Head of Standards
APMG have also published requirements specific to the APMG Scheme in a document titled
Requirements for scope statements.

9.2.2 Application review


There are no additional requirements.

9.2.2.1: There are no additional requirements.

9.2.2.2: There are no additional requirements.

9.2.2.3: There are no additional requirements.

SM 9.2.2.4: The entity, which may be an individual, which takes the decision on
granting/withdrawing a certification within the certification body, should incorporate a level of
knowledge and experience in all areas which is sufficient to evaluate the audit processes and
associated recommendations made by the audit team.

9.2.3 Initial certification audit


There are no additional requirements.

9.2.3:1 There are no additional requirements.

SM 9.2.3.1.1: Integration of SMS documentation with that for other management


systems.
The client organization can combine the documentation for SMS and other management systems
(such as quality, information security, health and safety, and environment) as long as the SMS can
be clearly identified together with the appropriate interfaces to the other systems.

Note: ITSM organizations and SMS processes can be complex and subsequent to frequent change.
In such situations annual audits may not be appropriate and certification bodies should demonstrate
they have considered these issues.

9.2.4: Initial certification audit conclusions


There are no additional requirements.

9.2.5: Information for granting initial certification


There are no additional requirements.

9.2.5.1: There are no additional requirements.

9.2.5.2: The entity which takes the decision on granting certification should not normally overturn a
negative recommendation of the audit team. If such a situation does arise, the certification body
shall document and justify the basis for the decision to overturn the recommendation.

9.3 Surveillance activities


There are no additional requirements.

9.4 Recertification
There are no additional requirements.

9.5 Special audits


There are no additional requirements.

9.6 Suspending, withdrawing or reducing the scope of certification

SM 9.6.1: Any suspensions, withdrawals or reductions of certification or certification scope shall be


notified to APMG within twenty working days of the occurrence.

The APM Group Limited 2014. This document is not to be reproduced or re-sold without express permission from The APM Group
Limited. The APMG-International ISO/IEC 20000 and Swirl Device logo is a trade mark of the APM Group Limited.
Version 2.2 January 2014 Owner Head of Standards
10 Management system requirements for certification bodies
There are no additional requirements.

The APM Group Limited 2014. This document is not to be reproduced or re-sold without express permission from The APM Group
Limited. The APMG-International ISO/IEC 20000 and Swirl Device logo is a trade mark of the APM Group Limited.
Version 2.2 January 2014 Owner Head of Standards
Annex A: Audit times based on IAF guidelines
This table provides a framework for determining the amount of auditor time required for
conducting an SMS audit of a Service Provider organization, based on the number of
employees within the scope of the certification audit.

These figures relate to total on and offsite time. A minimum of 80% of this time should spent
on-site

Number of Auditor time required in a Annual auditor time required in


employees in IT certification audit a surveillance audit
1 - 25 3 1
26 - 45 4 1 or 2
46 65 5 2
66 85 6 2
86 125 7 2 or 3
126 175 8 3
176 275 9 3
276 425 10 3 or 4
426 625 11 4
626 875 12 4
876 1175 13 4 or 5
1176 1550 14 5
1551 2025 15 5
2026 2675 16 5 or 6
2676 3450 17 6
3451 4350 18 6
4351 5450 19 6 or 7
5451 6800 20 7
6801 8500 21 7
8501 10700 22 7 or 8
> 10700 Follow progression above

Note: The number of days within this table relates to both stage 1 and stage 2 audits
and assumes that the organization is located within a single site with a normally
scoped certification.

Note: The auditor time required for a re-certification audit is estimated at 66% of the
time required for the initial certification audit.

Note: The auditor time for surveillance audits each year is normally 33% of the auditor
time required for the initial certification audit.

The APM Group Limited 2014. This document is not to be reproduced or re-sold without express permission from The APM Group Limited. The
APMG-International ISO/IEC 20000 and Swirl Device logo is a trade mark of the APM Group Limited.
Version 2.2 January 2014 Owner Head of Standards

You might also like