APMG Scheme Regulations v2.2
APMG Scheme Regulations v2.2
APMG Scheme Regulations v2.2
The APM Group Limited 2014. This document is not to be reproduced or re-sold without express permission from The APM Group
Limited. The APMG-International ISO/IEC 20000 and Swirl Device logo is a trade mark of the APM Group Limited.
Version 2.2 January 2014 Owner Head of Standards
Introduction
Certification for the IT service management system (SMS) of an IT service provider organization is
one means of providing assurance that the organization has implemented an SMS for the effective
delivery of IT services. Requirements for an SMS can originate from a number of sources and this
document has been developed to assist with the certification of SMS that fulfil the requirements of
the International IT service management standard, ISO/IEC 20000-1:2011.
The criteria for bodies operating audit and certification of management systems are contained in the
International Standard, ISO/IEC 17021:2011. If such bodies are to be accredited as complying with
ISO/IEC 17021:2011 with the objective of auditing and certifying SMS in accordance with ISO/IEC
20000-1:2011 and the APMG Scheme, some additional requirements to, and guidance for ISO/IEC
17021:2011 are necessary. These are provided by this document.
The text in this document follows the structure of ISO/IEC 17021:2011, and the additional APMG-
specific requirements and guidance on the application of ISO/IEC 17021:2011 for SMS certification
are identified by the letters SM.
The term shall is used throughout this document to indicate those provisions which, reflecting the
requirements of ISO/IEC 17021:2011 and ISO/IEC 20000-1:2011, are mandatory. The term should
is used to indicate those provisions which, although they constitute guidance for the application of
the requirements, are expected to be adopted by a certification body.
NOTE: Until December 2010, this Scheme was owned and managed by itSMF. On 1 January 2011,
ownership and management transferred to APM Group Ltd (APMG) and the Scheme name was
changed appropriately. Version 2 and subsequent versions of this document reflect this change of
ownership and name.
1 Scope
This document specifies requirements and provides guidance, in addition to the requirements
contained within ISO/IEC 17021:2011 for bodies providing audit and certification of SMS within the
APMG Scheme. It is primarily intended to support the registration by APMG of certification bodies
providing APMG certification against the criteria contained within the ISO/IEC 20000-1:2011
standard.
2 Normative references
The following referenced documents are indispensable for the application of this document. For
dated references, only the edition cited applies. For undated references, the latest edition of the
referenced document (including any amendments) applies.
Certificate: a document indicating that a client organizations SMS conforms to specified SMS
standards and any supplementary documentation required under the Scheme. The certificate is
issued by a certification body in accordance with the conditions of its registration by
APMG and bearing the APMG Certification Scheme mark
Certification body: third party registered with APMG that assesses and certifies the SMS of a client
organization with respect to published APMG Scheme requirements, and any supplementary
documentation required under the Scheme. Within the APMG Scheme these are frequently referred
to as Registered Certification Bodies (RCBs).
The APM Group Limited 2014. This document is not to be reproduced or re-sold without express permission from The APM Group
Limited. The APMG-International ISO/IEC 20000 and Swirl Device logo is a trade mark of the APM Group Limited.
Version 2.2 January 2014 Owner Head of Standards
Information Technology (IT): the use of technology for the storage, communication or processing
of information. The technology typically includes computers, telecommunications, applications and
other software. The information may include business data, voice, images, video etc. IT is often
used to support business processes, through the use of IT services.
Mark: legally registered trade mark or otherwise protected symbol which is issued under the rules of
a registration by APMG or of a certification body, indicating that adequate confidence in the
management system operated by a body has been demonstrated
Organization; the entity seeking certification that may be a company, corporation, firm, enterprise,
authority or institution, or part or combination thereof, whether incorporated or not, public or private,
that has its own functions and administration and is able to ensure that effective service
management is exercised. Such an organization is frequently referred to as a Service Provider.
4 Principles
There are no additional requirements.
5 General requirements
The decision shall be based upon the findings and certification recommendation of the audit team as
provided in their certification audit report and any other relevant information available to the
certification body.
6 Structural requirements
There are no additional requirements.
The APM Group Limited 2014. This document is not to be reproduced or re-sold without express permission from The APM Group
Limited. The APMG-International ISO/IEC 20000 and Swirl Device logo is a trade mark of the APM Group Limited.
Version 2.2 January 2014 Owner Head of Standards
7 Resource requirements
SM 7.2.4: All technical experts used on audits must have successfully completed the three day
itSMF accredited ISO/IEC 20000 Consultant training course or the APMG Practitioner equivalent,
hold the associated certificate and have two years relevant IT service management experience.
SM 7.2.5: The following criteria shall be applied for each auditor in the SMS audit team. The auditor
shall have:
a) at least four years full time practical workplace experience in information technology, of
which at least two years in a role or function relating to IT Service Management;
b) successfully completed a minimum of a five day training programme on the subject of
auditing and audit management, two days of which shall have been an itSMF accredited
ISO/IEC 20000 Auditor training course or the APMG equivalent and hold the associated
certificate;
c) prior to assuming responsibility for performing as an auditor, the candidate should have
gained experience in the entire process of assessing an SMS. This experience should have
been gained by participation in a minimum of two SMS assessments, including review of
documentation and improvement programmes, implementation assessment and audit reporting;
d) Maintained their own knowledge and skill in auditing SMS.
Auditors performing as lead auditor shall additionally fulfil the following requirements:
1. have acted in the role of audit team leader in at least three SMS audits, under the direction
and guidance of an auditor competent as an audit team leader
2. have demonstrated they possess adequate knowledge and attributes to manage the
assessment process;
Any variations to these pre-requisite levels shall be documented by the certification body e.g. for
personnel already qualified as auditors in a related discipline.
SM 7.2.10: Auditors shall be able to demonstrate their knowledge and experience, as outlined
above, for example through:
SM 8.1: The certification body shall inform APMG of any new certifications or changes in certification
status within twenty working days of the decision being taken.
SM 8.4.1: The APMG Scheme certification mark is a registered trademark. Certification bodies are
licensed to use the logo, either in colour or black and white, for the following purposes:
a) in marketing collateral describing the APMG Certification Scheme and any specific
associated service that they offer
b) on certificates issued to organisations successfully passing an audit
When used in colour, the mark shall be reproduced in the exact colours and font of the issued logo.
The mark will be supplied to certification bodies on acceptance of their application to join the
Scheme.
The certification body may sub-license organisations, which they have certified under the Scheme,
to use the mark subject to the conditions above on their corporate collateral. The certification body
will inform such organisations of the permitted uses of the mark when issuing a certificate.
In particular the mark must not be altered or used in a misleading way, for example to imply
certification of something which is not certified. No other use of the logo is permitted and APMG will
take strong action against any perceived abuse of the mark, whether by a certification body or any
other organisation.
The certification body shall exercise proper control over ownership, use and display of its SMS
certification marks. If the certification body confers the right to use a mark to indicate certification of
an SMS, the certification body shall ensure that the client organization uses the specified mark only
as authorized in writing by the certification body.
9 Process requirements
SM 9.1.1: A certification body may offer other management system certification linked with SMS
certification, or may offer SMS certification only. The SMS audit can be combined with audits of
other management systems. This combination is possible provided it can be demonstrated that the
audit satisfies all requirements for certification of the SMS. All the elements important to an SMS
shall appear clearly, and be readily identifiable, in the audit reports. The quality of the audit shall not
be adversely affected by the combination of the audits.
The APM Group Limited 2014. This document is not to be reproduced or re-sold without express permission from The APM Group
Limited. The APMG-International ISO/IEC 20000 and Swirl Device logo is a trade mark of the APM Group Limited.
Version 2.2 January 2014 Owner Head of Standards
SM 9.1.3: The following requirements apply to the audit team as a whole.
a) In each of the following areas at least one audit team member shall satisfy the
certification body's criteria for taking responsibility within the team:
b) The audit team shall be competent to review all aspects of the service level agreements
in the client organization's SMS back to the appropriate elements of the SMS.
c) The audit team shall have appropriate work experience and practical application of the
service management processes (this does not mean that an auditor needs a complete range
of experience of all areas of service management, but the audit team as whole shall have
enough appreciation and experience to cover the SMS scope being audited).
Technical experts with specific knowledge regarding the process and IT service management issues
and legislation affecting the client organization, but who do not satisfy all of the above criteria, may
be part of the audit team. Technical experts shall work under the supervision of the lead auditor. An
audit team may consist of one person provided that the person meets all the criteria set out in a)
above.7.3
SM 9.1.4 Certification bodies shall allow auditors sufficient time to perform the activities related to an
assessment. Annex A provides a framework for determining auditor time expected for an effective
audit.
SM 9.1.5: Multiple site sampling decisions in the area of SMS certification are more complex than
the same decisions are for quality management systems. Where a client organization has a number
of sites meeting the criteria from a) to c) below, certification bodies may consider using a sample-
based approach to multiple-site certification audit:
a) all sites are operating under the same SMS, which is centrally administered and audited
and subject to central management review;
b) all sites are included within the client organizations internal SMS audit programme;
c) all sites are included within the client organizations SMS management review
programme.
A certification body wishing to use a sample-based approach shall have procedures in place to
ensure the following.
a) The initial contract review identifies, to the greatest extent possible, the difference
between sites such that an adequate level of sampling is determined.
b) A representative number of sites have been sampled by the certification body, taking into
account:
The APM Group Limited 2014. This document is not to be reproduced or re-sold without express permission from The APM Group
Limited. The APMG-International ISO/IEC 20000 and Swirl Device logo is a trade mark of the APM Group Limited.
Version 2.2 January 2014 Owner Head of Standards
c) A representative sample is selected from all sites within the scope of the client
organizations SMS; this selection should be based upon judgmental choice to reflect the
factors presented in item c) above as well as a random element.
d) The surveillance programme has been designed in the light of the above requirements
and covers all sites of the client organization or within the scope of the SMS certification
within a reasonable time.
The audit shall address the client organization's head office activities to ensure that a single SMS
applies to all sites and delivers central management at the operational level. The audit shall address
all the issues outlined above.
SM 9.1.9: The audit plan shall identify any network-assisted auditing techniques that will be utilized
during the audit, as appropriate.
NOTE Network assisted auditing techniques may include, for example, teleconferencing, web meeting,
interactive web based communications and remote electronic access to the SMS documentation and/or
SMS processes. The focus of such techniques should be to enhance audit effectiveness and efficiency,
and should support the integrity of the audit process.
SM 9.1.10: The certification body may adopt reporting procedures that suit its needs but as a
minimum these procedures shall ensure that:
a) a meeting takes place between the audit team and the client organization's management
prior to leaving the premises, at which the audit team provides
1) a written or oral indication regarding the conformity of the client organization's
SMS with the particular certification requirements,
2) an opportunity for the client organization to ask questions about the findings and
their basis;
SM 9.1.14: Those who make the certification decision shall not have participated in the audit.
9.2.1 Application
SM 9.2.1: The certification body shall ensure that the scope and boundaries of the SMS of the client
organization are clearly defined in terms of the characteristics of the business and the organization.
ISO/IEC 20000-1:2011 1.2 contains advice on the application of the standard, and 4.5.1 gives explicit
requirements for scope definition.
The APM Group Limited 2014. This document is not to be reproduced or re-sold without express permission from The APM Group
Limited. The APMG-International ISO/IEC 20000 and Swirl Device logo is a trade mark of the APM Group Limited.
Version 2.2 January 2014 Owner Head of Standards
APMG have also published requirements specific to the APMG Scheme in a document titled
Requirements for scope statements.
SM 9.2.2.4: The entity, which may be an individual, which takes the decision on
granting/withdrawing a certification within the certification body, should incorporate a level of
knowledge and experience in all areas which is sufficient to evaluate the audit processes and
associated recommendations made by the audit team.
Note: ITSM organizations and SMS processes can be complex and subsequent to frequent change.
In such situations annual audits may not be appropriate and certification bodies should demonstrate
they have considered these issues.
9.2.5.2: The entity which takes the decision on granting certification should not normally overturn a
negative recommendation of the audit team. If such a situation does arise, the certification body
shall document and justify the basis for the decision to overturn the recommendation.
9.4 Recertification
There are no additional requirements.
The APM Group Limited 2014. This document is not to be reproduced or re-sold without express permission from The APM Group
Limited. The APMG-International ISO/IEC 20000 and Swirl Device logo is a trade mark of the APM Group Limited.
Version 2.2 January 2014 Owner Head of Standards
10 Management system requirements for certification bodies
There are no additional requirements.
The APM Group Limited 2014. This document is not to be reproduced or re-sold without express permission from The APM Group
Limited. The APMG-International ISO/IEC 20000 and Swirl Device logo is a trade mark of the APM Group Limited.
Version 2.2 January 2014 Owner Head of Standards
Annex A: Audit times based on IAF guidelines
This table provides a framework for determining the amount of auditor time required for
conducting an SMS audit of a Service Provider organization, based on the number of
employees within the scope of the certification audit.
These figures relate to total on and offsite time. A minimum of 80% of this time should spent
on-site
Note: The number of days within this table relates to both stage 1 and stage 2 audits
and assumes that the organization is located within a single site with a normally
scoped certification.
Note: The auditor time required for a re-certification audit is estimated at 66% of the
time required for the initial certification audit.
Note: The auditor time for surveillance audits each year is normally 33% of the auditor
time required for the initial certification audit.
The APM Group Limited 2014. This document is not to be reproduced or re-sold without express permission from The APM Group Limited. The
APMG-International ISO/IEC 20000 and Swirl Device logo is a trade mark of the APM Group Limited.
Version 2.2 January 2014 Owner Head of Standards