1、Information technology Service management Part 6: Requirements for bodies providing audit and certification of service management systems BS ISO/IEC 20000-6:2017 BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06Information technology Service management Part 6: Requir
2、ements for bodies providing audit and certification of service management systems Technologies de linformation Gestion des services Partie 6: Exigences pour les organismes procdant laudit et la certification des systmes de management de la gestion des services INTERNATIONAL STANDARD ISO/IEC 20000-6
3、Reference number ISO/IEC 20000-6:2017(E) First edition 2017-06 ISO/IEC 2017 National foreword This British Standard is the UK implementation of ISO/IEC 20000-6:2017. The UK participation in its preparation was entrusted to Technical Committee IST/60/2, IT Service Management. A list of organizations
4、represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2017 Published by BSI Standards Limited 2017 ISBN 9
5、78 0 580 85566 5 ICS 35.020; 03.080.99; 03.120.20 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 June 2017. Amendments/corrigenda issued since publication D
6、ate Text affected BRITISH STANDARD BS ISO/IEC 20000-6:2017Information technology Service management Part 6: Requirements for bodies providing audit and certification of service management systems Technologies de linformation Gestion des services Partie 6: Exigences pour les organismes procdant laudi
7、t et la certification des systmes de management de la gestion des services INTERNATIONAL STANDARD ISO/IEC 20000-6 Reference number ISO/IEC 20000-6:2017(E) First edition 2017-06 ISO/IEC 2017 BS ISO/IEC 20000-6:2017 ii ISO/IEC 2017 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2017, Publish
8、ed in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permissio
9、n can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 20000-6:2017(E) BS ISO/IEC
10、 20000-6:2017 ii ISO/IEC 2017 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2017, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including
11、photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +
12、41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 20000-6:2017(E)ISO/IEC 20000-6:2017(E)Foreword v Introduction vi 1 Scope . 1 2 Normative references 1 3 Terms and definitions . 1 4 Principles . 1 5 General requirements . 1 5.1 Legal and contractual matters . 1 5.2 Management
13、 of impartiality 2 5.3 Liability and financing 2 6 Structural requirements 2 7 Resource requirements . 2 7.1 Competence of personnel 2 7.1.1 General considerations . 2 7.1.2 Determination of competence criteria 2 7.1.3 Evaluation processes 3 7.1.4 Other considerations 3 7.2 Personnel involved in cer
14、tification activities 3 7.3 Use of individual external auditors and external technical experts 3 7.4 Personnel records. 3 7.5 Outsourcing 3 8 Information requirements . 4 8.1 Public information . 4 8.2 Certification documents 4 8.3 Reference to certification and use of marks 4 8.4 Confidentiality .
15、4 8.5 Information exchange between a certification body and its clients . 4 9 Process requirements . 4 9.1 Pre-certification activities . 4 9.1.1 Application 4 9.1.2 Application review . 4 9.1.3 Audit programme 5 9.1.4 Determining audit time 5 9.1.5 Multi-site sampling 8 9.1.6 Multiple management sy
16、stems standards . 8 9.2 Planning audits . 9 9.2.1 Determining audit objectives, scope and criteria 9 9.2.2 Audit team selection and assignments . 9 9.2.3 Audit plan . 9 9.3 Initial certification 10 9.4 Conducting audits 10 9.4.1 General.10 9.4.2 Conducting the opening meeting 10 9.4.3 Communication
17、during the audit .10 9.4.4 Obtaining and verifying information .10 9.4.5 Identifying and recording audit findings .11 9.4.6 Preparing audit conclusions .11 9.4.7 Conducting the closing meeting 11 9.4.8 Audit report .11 9.4.9 Cause analysis of nonconformities 11 9.4.10 Effectiveness of corrections an
18、d corrective actions .11 ISO/IEC 2017 All rights reserved iii Contents Page BS ISO/IEC 20000-6:2017 ISO/IEC 20000-6:2017(E)9.5 Certification decision 11 9.6 Maintaining certification .11 9.7 Appeals .11 9.8 Complaints .11 9.9 Client records 11 9.10 Management system requirements for certification bo
19、dies .12 Bibliography .13 iv ISO/IEC 2017 All rights reserved BS ISO/IEC 20000-6:2017 ISO/IEC 20000-6:2017(E)9.5 Certification decision 11 9.6 Maintaining certification .11 9.7 Appeals .11 9.8 Complaints .11 9.9 Client records 11 9.10 Management system requirements for certification bodies .12 Bibli
20、ography .13 iv ISO/IEC 2017 All rights reserved ISO/IEC 20000-6:2017(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC
21、participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, govern
22、mental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance are descr
23、ibed in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives). Attention is draw
24、n to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on t
25、he ISO list of patent declarations received (see www .iso .org/ patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions related to conformit y asse
26、ssment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www .iso .org/ iso/ foreword .html. For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expr
27、essions related to conformity assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www .iso .org/ iso/ foreword .html. This document was prepared by Technical Committee ISO/IEC JTC 1,
28、Information technology, subcommittee, SC 40, IT Service Management and IT Governance. A list of all parts in the ISO/IEC 20000 series can be found on the ISO website. ISO/IEC 2017 All rights reserved v BS ISO/IEC 20000-6:2017 ISO/IEC 20000-6:2017(E) Introduction This document is for use by certifica
29、tion bodies for auditing and certifying a service management system (SMS) in accordance with ISO/IEC 20000-1. It can also be used by accreditation bodies when assessing certification bodies. It is intended to be used in conjunction with ISO/IEC 17021-1, which sets out criteria for certification bodi
30、es providing audit and certification of management systems. This document provides requirements additional to those in ISO/IEC 17021-1. Correct application of this document will enable certification bodies to harmonize their application of ISO/IEC 17021-1 for assessments against ISO/IEC 20000-1. It
31、will also enable accreditation bodies to harmonize their application of the standards they use to assess certification bodies. This document follows the structure of ISO/IEC 17021-1, as far as possible. The requirements additional to those in ISO/IEC 17021-1 are shown as subclauses numbered “SMxxx”.
32、 ISO/IEC 17021-1 and this document use the term “client” for the organization seeking certification.vi ISO/IEC 2017 All rights reserved BS ISO/IEC 20000-6:2017 ISO/IEC 20000-6:2017(E) Introduction This document is for use by certification bodies for auditing and certifying a service management syste
33、m (SMS) in accordance with ISO/IEC 20000-1. It can also be used by accreditation bodies when assessing certification bodies. It is intended to be used in conjunction with ISO/IEC 17021-1, which sets out criteria for certification bodies providing audit and certification of management systems. This d
34、ocument provides requirements additional to those in ISO/IEC 17021-1. Correct application of this document will enable certification bodies to harmonize their application of ISO/IEC 17021-1 for assessments against ISO/IEC 20000-1. It will also enable accreditation bodies to harmonize their applicati
35、on of the standards they use to assess certification bodies. This document follows the structure of ISO/IEC 17021-1, as far as possible. The requirements additional to those in ISO/IEC 17021-1 are shown as subclauses numbered “SMxxx”. ISO/IEC 17021-1 and this document use the term “client” for the o
36、rganization seeking certification.vi ISO/IEC 2017 All rights reserved Information technology Service management Part 6: Requirements for bodies providing audit and certification of service management systems 1 Scope This document specifies requirements and provides guidance for certification bodies
37、providing audit and certification of an SMS in accordance with ISO/IEC 20000-1. It does not change the requirements specified in ISO/IEC 20000-1. This document can also be used by accreditation bodies for accreditation of certification bodies. A certification body providing SMS certification is expe
38、cted to be able to demonstrate fulfilment of the requirements specified in this document, in addition to the requirements in ISO/IEC 17021-1. 2 Normative references The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this do
39、cument. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 17021-1:2015, Conformity assessment Requirements for bodies providing audit and certification of management systems Part 1:
40、Requirements ISO/IEC 20000-1, Information technology Service management Part 1: Service management system requirements ISO/IEC TR 20000-10, Information technology Service management Part 10: Concepts and terminology 3 Terms and definitions For the purposes of this document, the terms and definitions
41、 given in ISO/IEC 17021-1 and ISO/IEC TR 20000-10 apply. ISO and IEC maintain terminological databases for use in standardization at the following addresses: IEC Electropedia: available at h t t p :/ www .electropedia .org/ ISO Online browsing platform: available at h t t p :/ www .iso .org/ obp 4 P
42、rinciples For the purposes of this document, the principles in ISO/IEC 17021-1:2015, Clause 4 apply. 5 General requirements 5.1 Legal and contractual matters The requirements in ISO/IEC 17021-1:2015, 5.1 apply. INTERNATIONAL ST ANDARD ISO/IEC 20000-6:2017(E) ISO/IEC 2017 All rights reserved 1 BS ISO
43、/IEC 20000-6:2017 ISO/IEC 20000-6:2017(E) 5.2 Management of impartiality The requirements in ISO/IEC 17021-1:2015, 5.2 apply. In addition, the following requirements and guidance apply. 5.2.1 SM5.2.1 Conflicts of interest Certification bodies may carry out the following duties without them being con
44、sidered as consultancy or having a potential conflict of interest: a) arranging and participating as a lecturer in training courses. Where these courses relate to service management, related management systems or auditing, certification bodies shall confine themselves to the provision of generic inf
45、ormation and advice which is publicly available, i.e. they shall not provide company-specific advice; b) making available or publishing on request information describing the certification bodys interpretation of the requirements of the certification audit standards; c) activities prior to audit, sol
46、ely aimed at determining readiness for certification audit. These activities shall not result in the provision of recommendations or advice that would contravene this subclause. The certification body shall be able to confirm that such activities do not contravene these requirements and that they ar
47、e not used to justify a reduction in the eventual certification audit duration; d) performing second and third-party audits according to standards or regulations other than those being part of the scope of accreditation; e) adding value during certification audits and surveillance visits, e.g. by id
48、entifying opportunities for improvement, as they become evident during the audit, without recommending specific solutions. The certification body shall not provide internal service management reviews of the clients SMS subject to certification. The certification body shall be independent of the body
49、 or bodies (including any individuals) which provide the internal SMS audit. 5.3 Liability and financing The requirements in ISO/IEC 17021-1:2015, 5.3 apply. 6 Structural requirements The requirements in ISO/IEC 17021-1:2015, Clause 6 apply. 7 Resource requirements 7.1 Competence of personnel 7.1.1 General considerations The requirements in ISO/IEC 17021-1:2015, 7.1.1 apply. 7.1.2 Determination of competence criteria The requirements in ISO/IEC 17021-1:2015, 7.1.2 apply. In addition
