Requirements for bodies providing audit and certification of service management systems.
ISO/IEC 20000-6 Information technology – Service management – Part 6: Requirements for bodies providing audit and certification of service management systems was published in June 2017. Apart from ISO/IEC 20000-1, this is the only other standard in the 20000 series that contains requirements. All other parts of the 20000 series provide guidance.
Part 6 can be compared with ISO/IEC 27006 in the 27000 series which fulfils the same aims. Service providers have to meet all the requirements of ISO/IEC 20000-1 in order to be certified by a certification body (CB). Part 6 gives additional guidance to the CB when conducting an ISO/IEC 20000-1 audit. It does not change or add to the requirements specified in ISO/IEC 20000-1.
Part 6 is aimed at a different audience than the other parts of the 20000 series. Most parts of the 20000 series provide requirements or guidance for service providers. For example, in part 1, the requirements are most commonly phrased as ‘The service provider shall …’. Part 6 is aimed at ‘bodies providing audit and certification’. Part 6 is unusual in that it contains a mix of requirements and guidance. The requirements and guidance are phrased as ‘The certification body shall …’ or ‘The certification body should …’.
The introduction and clause 1 of the standard provide an explanation of part 6:
‘This document is for use by certification bodies for auditing and certifying a service management system (SMS) in accordance with ISO/IEC 20000-1. It can also be used by accreditation bodies when assessing certification bodies. It is intended to be used in conjunction with ISO/IEC 17021-1, which sets out criteria for certification bodies providing audit and certification of management systems. This document provides requirements additional to those in ISO/IEC 17021-1.
Correct application of this document will enable certification bodies to harmonize their application of ISO/IEC 17021-1 for assessments against ISO/IEC 20000-1. It will also enable accreditation bodies to harmonize their application of the standards they use to assess certification bodies.’
Accreditation bodies (ABs), such as UKAS in the UK, assess the CBs to ensure that they are working to the requirements of ISO/IEC 17021-1 and of other related standards such as part 6, and that their auditors are competent and conduct fair and objective audits.
Currently the International Accreditation Forum (IAF), an over-arching organisation for ABs, has issued a mandatory document, IAF MD18, which is used by all CBs when auditing against ISO/IEC 20000-1. The requirements of IAF MD18 have been reviewed, updated and absorbed into part 6, and therefore IAF MD18 will be withdrawn once part 6 is transitioned into use.
Part 6 is short at 13 pages. The normative references (essential documents) are ISO/IEC 17021-1, ISO/IEC 20000-1 and ISO/IEC 20000-10. Part 6 has been deliberately written taking into account that part 1 and part 10 (terms) are due to be updated in 2018. Part 6 does not refer to any specific clauses in part 1 and will work with both the current editions of part 1 and part 10 as well as the future editions.
The contents list follows the structure of ISO/IEC 17021-1 but does not repeat its text. Where there are no additional requirements, then it states ‘The requirements in ISO/IEC 17021-1, <clause number> apply’. Where there are requirements additional to those in ISO/IEC 17021-1, they are shown as subclauses numbered “SMxxx”.
Some of the additional requirements are summarised below:
- Competence requirements for auditors obviously need to cover part 1, but also knowledge of parts 2, 3 and 10. Awareness of the legal and regulatory requirements relevant to an SMS in the applicable jurisdiction is also required.
- A table sets out the number of man days for an audit based on the effective number of personnel in the scope of the SMS. This can be adjusted up or down according to risk, complexity, number of locations, integrated/combined audits, etc.
- Acceptable and unacceptable use of remote auditing methods.
- Criteria for multi-site sampling and audit sampling.
- The information security policy, risks and controls evidenced in the SMS must be appropriate for the services in the scope of the SMS. This needs to be checked even if the client is also certified to ISO/IEC 27001.
- The auditor needs to be clear on the other parties involved in the service lifecycle in the scope of the SMS and how they are controlled. This also includes checking that risks at the boundaries of the scope of the SMS have been considered by the service provider.
Part 6 will be mandatory for bodies providing accredited certification. There will be a transition period for its use, probably 2 years although the details are yet to be agreed. Accreditation bodies will use part 6 when accrediting certification bodies.
For other users of the 20000 series such as service providers, part 6 will not be required reading.
ISO/IEC 20000 Part 6 can be obtained from the ISO web site or your country standards organisation e.g. BSI in the UK.
ITIL Master; ISO/IEC 20000-1 project editor, consultant and trainer;
ISO/IEC 27001 Lead Auditor, consultant and trainer.