FAQs

IPMA certifications are based on the global competence standard: ‘International Competence Baseline (ICB)’. This standard is defined by the IPMA and describes the competences that project, programme and portfolio managers should possess. Download the ICB here.

The certification process involves several steps for the assessment of a candidate and is described in detail in the International Certification Regulations (ICR). Download the ICR here.

For a candidate to be awarded an IPMA certificate, they must have successfully completed each of the assessment steps within 18 months from the date of acceptance of their application.

Candidates are allowed to retake a specific stage of the qualification only once, before having to start the qualification from the beginning.

For levels A, B and C (and also re-certification), the referees providing the reference statement need to be able verify the applicant’s eligibility in relation to the level and domain of certification for which the candidate is applying for.

Referees may be contacted by APMG to solicit additional evidence.

In the event that a candidate is unsuccessful at any of the stages listed below, they are allowed to retake only once before having to restart the qualification from the beginning.

Assessment stages that can be retaken once:

• Level A - Report and Interview.
• Level B - Report, Oral Examination and Interview.
• Level C - Report and Short Answer Question paper.
• Level D - Multiple Choice Question paper and Short Answer Question paper.

We recommend you allow a suitable interval for revision before re-sitting the assessment stage.

Candidates may either re-sit through an APMG accredited provider or book an open/public examination.

Re-certification is due five years after initial certification for all levels and domains. It is the responsibility of the certificate holder to initiate the re-certification process through application up to a maximum of six months from their certificate expiry date. An extension may be provided up to 12 months from the certificate expiry date, with justification.

Before applying for re-certification, you may wish to consider whether a higher level of certification is now better suited to your career development and experience. In that case, you should apply in accordance with the regulations for the relevant certificate.

All levels require a minimum of 35 hours’ evidence of Continual Professional Development (CPD) per annum (175 hours total) since the last (re-)certification.

Applications for re-certification will be considered by a suitably qualified assessor at the relevant level. The assessor may decide to recommend:

• re-certification without the provision of any further information.
• that you be called to interview with two assessors.
• rejection of your application (if the evidence you supply is insufficient or inappropriate).

You are required to submit to the following documents as part of the re-certification application: application form, CV, full self-assessment, CPD log demonstrating you have completed 35 hours of CPD per annum and two referee statements.

You will need to submit your re-certification application and supporting documents to APMG. We will contact you in advance of your certification expiry date with further details. Your application will be processed and the team will contact you with regards to payment of the appropriate fees.

To support candidates in understanding how they will achieve competency elements and key competency indicators found in IPMA’s International Competence Baseline document, the standards have been translated into syllabuses which better reflect UK qualifications. As part of this translation, competency elements were grouped together to form learning outcomes with key competency indicators being grouped to form assessment criteria. Candidates will provide assessment evidence through the various assessment methods. Due to the translation from standards to qualifications, competency elements and key competency indicators will be met providing candidates provide sufficient evidence of learning outcomes and assessment criteria in the syllabus.

Training for ISO 37000 Governance of Organizations is available from FluidRock Governance via the website. Candidates are reminded that the International Standards Organization owns the copyright and must therefore purchase the standard separately for this course. If the candidate’s local standards body has accredited it, the candidate should be able to purchase the standard from there, additional information can be found on the ISO website.

The primary reference for the Foundation qualification is the international standard ISO 37000 and the course manual: ISO 37000 Governance of Organizations – Foundation Course.

The Foundation exam is only available in English.

Foundation course material is available for one year from date of first registration. The training and examination preparation takes approximately 15 hours to complete.

Yes, candidates are allowed to refer to the ISO 37000 standard and the course manual.

The ISO 37000 Governance of Organizations certificates are not valid for a defined period of time and will not expire.

ISO/IEC 20000 is the international standard for IT service management and allows organizations to prove best practice in their IT management.

ISO/IEC 20000 was released in 2005 based on the ITIL® best practice framework and updated in 2011. Worldwide, the adoption of ISO/IEC20000 has grown rapidly and it has become a competitive differentiator for delivery of IT services.

ISO/IEC 20000 can be used:

• By businesses that are going out to tender for their services.
• To provide a consistent approach by all service providers in a supply chain.
• To benchmark IT service management.
• As the basis for an independent assessment.
• To demonstrate the ability to meet customer requirements.
• To improve services.

ISO/IEC 20000 promotes the adoption of an integrated process approach to effectively deliver managed services to meet the business and customer requirements. For an organization to function effectively it has to identify and manage numerous linked activities. Activities using resources are managed in order to enable the transformation of inputs into outputs and can be considered as a process.

ITIL is a set of processes and good practices that has been developed by a global network of experts and is owned by the UK Government.

An ISO standard is developed by national bodies participating in the development of the standard through technical committees. The standards are drafted in accordance with specific rules and a standard needs to attract at least 75% of support from the national bodies via a casting of votes before it can be accepted.

An ISO standard is high level guidance whereas the ITIL processes are more detailed and organizations can adopt and adapt them for their own ends.

Put simply, ISO/IEC 20000 tells you WHAT to do and ITIL tells you HOW to do it.

ITIL certification is concerned with people whereas ISO/IEC 20000 certifies companies and ensures they are compliant to the standard.

ITIL can't be used to certify organizations, because each one will need to adapt the method to suit its requirements. ISO/IEC 20000 refers frequently to the ITIL glossary, but it stipulates that certain standards must be adopted in order to grant a certificate.

The ISO/IEC 20000 standards are the basis for the exams and can be purchased from BSI. The ISO/IEC 20000 pocketbook covers areas of the syllabus and can also be purchased from APMG Business Books.

The Foundation exam is available in English, Chinese, Japanese, Portuguese and Spanish.

The Practitioner exams are available in English, German, Japanese, Brazilian Portuguese and Chinese (complex).

The Auditor exam is available in English, German, Japanese, Portuguese, Chinese (simple and complex) and Spanish.

For individuals self-studying it is almost impossible to say. As all candidates have different experience and amount of time available for study, it varies from person to person. We suggest you buy the required study material and have a look through for yourself before deciding how long you need to spend learning.

The qualifications currently do not have a defined validity period.

Pass marks for the ISO/IEC 20000 examinations are as follows:

Foundation: You will need to score 26/40 (65%) to pass the foundation exam.
Practitioner: You will need to score 40/80 (50%) to pass the practitioner exam.
Auditor: You will need to score 26/40 (65%) to pass the Auditor exam.

Any organization wishing to be formally certified against the scheme will need to be assessed by a Registered Certification Body (RCB). Once the requirements of ISO/IEC 20000 have been satisfied, the RCB will issue a certificate of conformance and the organization will be eligible to use the itSMF ISO/IEC 20000 logo as a sign of their achievement and may also request a listing on our dedicated website, enabling instant verification by visitors. www.isoiec20000certification.com

Over 600 organizations have been assessed by over 30 registered certification bodies against the standard that itSMF-UK developed.

It is difficult to compare one scheme with another. The itSMF scheme forms the basis of the majority of existing schemes so we believe it provides a very solid foundation which has been proven in practice through a number of certification bodies.

ISO/IEC 27001 is an international standard for Information Security management. It provides a model to establish, implement, maintain and continually improve a risk-managed Information Security Management System (ISMS). It forms the basis for effective management of sensitive, confidential information and for the application of information security controls.

Foundation

The primary references for the Foundation qualification are the International Standards:

• ISO/IEC 27001:2022 Information technology -- Security techniques -- Information security management systems – Requirements
• ISO/IEC 27000:2018 Information technology -- Security techniques -- Information security management systems – Overview and vocabulary.

Other references are made to:

• Supplementary reference paper for ISO/IEC 27001 Qualification.

The Foundation level requires knowledge of the requirements in ISO/IEC 27001:2022 and the terms, definition and concepts in ISO/IEC 27000:2018 as well as information in the supplementary reference paper as stated in the syllabus topic. It is essential that all delegates have access to a personal copy of ISO/IEC 27001:2022  and the Supplementary Reference Paper during any training course. Delegates should have access to a personal copy of ISO/IEC 27000:2018 or to the information referenced from it in this syllabus. Please note that the examination is closed book. The references provided should be considered to be indicative rather than comprehensive, i.e. there may be other valid references within the guidance.

For the primary reference, the relevant part of the standard is used as the major part of the reference and this is followed by the section number used e.g. ISO/IEC 27001, 4.2 relates to ISO/IEC 27001:2022 Clause 4.2.

The syllabus requires awareness of but does not require a detailed knowledge of other referenced standards:

• ISO 9001:2015, Quality management systems — Requirements
• ISO/IEC 20000-1:2018, Information technology – Service management - Part 1: Service management system requirements
• ISO/IEC 27002:2022, Information technology -- Security techniques -- Code of practice for information security management
• ISO/IEC 27003:2017, Information technology -- Security techniques -- Information security management systems guidance
• ISO/IEC 27004:2016 Information technology -- Security techniques -- Information security management – Monitoring, Measurement, Analysis and Evaluation
• ISO/IEC 27005:2022, Information technology -- Security techniques -- Information security risk management
• ISO/IEC 27006:2015, Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems
• ISO/IEC 27013:2015, Information technology -- Security techniques – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1.

Practitioner Information Security Officer

The primary references for the Practitioner – Information Security Officer course are the International Standards:

• ISO/IEC 27001:2022 Information technology -- Security techniques -- Information security management systems – Requirements
• ISO/IEC 27000:2018 Information technology -- Security techniques -- Information security management systems - Overview and vocabulary
• ISO/IEC 27002:2022, Information technology -- Security techniques -- Code of practice for information security controls
• ISO/IEC 27005:2022, Information technology -- Security techniques -- Information security risk management

Reference is made to ISO/IEC 27003:2017, Information technology -- Security techniques Information security management system implementation guidance. Candidates do not need their own copy of this standard as the relevant information is available in the Supplementary reference paper for ISO/IEC 27001 Qualification, Sections 5 and 6.

Candidates are allowed to have a printed or digital copy of the standards listed above during the exam. 

Syllabus topics at levels 3 and 4 provide the primary references but may also include any other topic from the syllabus area. It is essential that all delegates have access to a personal copy of ISO/IEC 27001:2022 and the Supplementary Reference Paper during any training course. Delegates should have access to a personal copy of ISO/IEC 27002:2013 and ISO/IEC 27005:2022. Please note that the examination is open book.

Auditor

The primary references for the ISO/IEC 27001 Auditor course are the International Standards:

• ISO/IEC 27001:2022 Information technology -- Security techniques -- Information security management systems – Requirements
• ISO/IEC 27000:2018 Information technology -- Security techniques -- Information security management systems - Overview and vocabulary
• ISO/IEC 27002:2022, Information technology -- Security techniques -- Code of practice for information security management
• ISO 19011:2018 Guidelines for auditing management systems
• APMG ISO/IEC 27001 Supplementary Paper

Other references are made to the Supplementary reference paper for ISO/IEC 27001 Qualification.

It is mandatory that all delegates have access to a personal copy of these documents during their training and at the Examination.

Please note that Auditor examinations are open book. No content related individual notes in the used standards are permitted.

Syllabus topics at levels 3 and 4 provide the primary references but may also include any other topic from the syllabus area.

The references provided should be considered to be indicative rather than comprehensive, i.e. there may be other valid references within the guidance.

For the primary reference, the relevant part of the standard is used as the major part of the reference and this is followed by the section number used e.g. ISO/IEC 27001, 4.2 relates to ISO/IEC 27001:2013 Clause 4.2.

For individuals self-studying it is almost impossible to say. As all candidates have different experience and amount of time available for study, it varies from person to person. We suggest you buy the manual and have a look through for yourself before deciding how long you need to spend learning.

For those studying with an accredited training organization, Foundation courses are generally delivered over 3 days, while combined Foundation and Practitioner courses are generally delivered over 5 days. It is well worth investigating with individual providers, as some will offer tailored, online or blended learning solutions.