
R20.112IT18 ISO/IEC 20000-1:2018 Information Technology Service Management System (ITSMS) Supplement

1.0 Scope - This R20.112 applies to organizations requiring assessment and/or registration of
their management system in accordance with ISO/IEC 20000-1:2018 Third Edition dated
2018-09.

The following steps represent additions/clarifications to those defined in SRI Procedures QP
4.0 through QP 8.0 with relevant documents (R20.xx) as indicated. The management
system requirements specified in ISO/IEC 20000-1 are complementary (not alternative) to
specified technical requirements and applicable law and regulation.

1.1 Purpose - The purpose of this document is to outline the process for providing
organizations with assessment and registration of their Information Technology
Service Management Systems. It also provides requirements for auditing
organizations to ISO/IEC 20000-1:2018.

1.2 References:
• EA-7/03 – February 2000 – EA Guidelines for Accreditation of Bodies
Operating Certification/Registration of Information Security Management
Systems.
• ISO/IEC 20000-1:2018 – Information technology – Service Management – Part
1: Specification, Third Edition.
• ISO/IEC 17021-1:2015 – Conformity assessment – Requirements for bodies
providing audit and certification of management systems.
• ISO/IEC 20000-2:2012 – Guidance on the application of service
management systems.
• ISO/IEC 20000-3:2012 – Guidance on scope definition and applicability of ISO
20000-1.
• APMG ISO/IEC 20000 Certification Scheme 15/015 (for those clients who
seek APMG marks).
• ISO/IEC 20000-6:2017 – Requirements for bodies providing audit and
certification of service management systems.

2.0 Definitions

2.1 Availability: ability of a component or service to perform its required function at a
stated instant or over a stated period of time.

2.2 Configuration Baseline: snapshot of the state of a service or individual configuration
items at a point in time.

2.3 Change Record – record containing details of which configuration items (see 2.4) are
affected and how they are affected by an authorized change.

2.4 Configuration Item – component of an infrastructure or an item which is, or will be,
under the control of configuration management.

2.5 Configuration Management Data Base (CMDB) – data used to record attributes of
configuration items, and the relationships between configuration items, throughout
their life cycle.

ISO/IEC 20000-1:2018 Information Technology Service Management System (ITSMS) Supplement Form Date: 05/17/19
©2019 by SRI Quality System Registrar Form Revision: 0
All rights reserved Page: 1 of 14
2.6 Incident – any event which is not part of the standard operation of a service and
which causes or may cause an interruption to, or a reduction in, the quality of that
service.

2.7 Problem – unknown underlying cause of one or more incidents.

2.8 Release – collection of new and/or changed configuration items which are tested and
introduced into the live environment together.

2.9 Request for Change - form or screen used to record details of a request for a change
to any configuration item within a service or infrastructure.

2.10 Service Desk - customer facing support group who do a high proportion of the total
support work.

2.11 Service Level Agreement- written agreement between a service provider and a
customer that documents services and agreed service levels.

2.12 Service Management- management of services to meet the business requirements.

2.13 Service Provider - the organization aiming to achieve ISO/IEC 20000-1:2018
certification.

2.14 Major (HOLD) Nonconformity - The absence of, or failure to implement and maintain
one or more required management system elements, or a situation which would, on
the basis of objective evidence, raise significant doubt as to the capability of the
ITSMS to achieve the standard policy and objectives of the organization.

2.15 Minor Nonconformity - A single system failure or lapse in conformance with a
procedure, process or element relating to the applicable standard.

3.0 General

3.1 Service Management requirements and supplementation are typically derived from
ISO/IEC 20000-1:2018, ISO/IEC 20000-2:2012, ISO/IEC 20000-3:2009, ISO/IEC
20000-4:2010, ISO/IEC 20000-5:2010 and Information Technology Infrastructure
Library (ITIL) documentation, as well as the instructions and requirements of
EA-7/03. If an organization already has an operative system (e.g. in relation to or
integrated with ISO 9001, ISO 14001, or ISO/IEC 27001) it may be preferable to
satisfy the requirements of ISO/IEC 20000-1 within the current established standard
and management system implementation.

3.2 Service Management (SM), as defined in ISO/IEC 20000-1:2018, is a set of
capabilities and processes to direct and control the service provider’s activities and
resources for the design, transition, delivery, and improvement of services to fulfill
the service requirements. It involves coordination and implementation of service
management processes in seven major areas: Operational Planning and Control,
Service Portfolio, Relationship and Agreement, Supply and Demand, Service
Design/Build/Transition, Resolution and Fulfillment, and Service Assurance. It is
based on a documented Service Management Policy and Service Delivery
Processes (guided by Service Level Objectives (SLOs) and Service Level
Agreements (SLAs)) and follows a life-cycle approach to plan, implement, monitor,
review, and continually improve provisioning of Service Management to customers.

There are no allowable exclusions in an ISO/IEC 20000-1 Service Management
System; all requirements of the Standard are applicable to an SM implementation
and must be fulfilled in accordance with the specific Service Management Plan,
Policy, and Service Level Objectives and Agreements. In addition, this update
(which incorporates the requirements of the Third Edition ISO/IEC 20000-1:2018
requirements specification) reflects the changes in nomenclature, definitions, and
updated and expanded requirements necessary to effectively assess conformance to
the Third Edition, made a part of this R20.112 update by reference of Table A in
Section 10 of this document.

4.0 Requirements for SRI

4.1 SRI is fully accredited by the ANSI-ASQ National Accreditation Board (ANAB) and
Raad voor Accreditatie (RvA), in accordance with ISO/IEC 17021-1:2015 (current
version) or equivalent for ISO 9001:2015. SRI is fully accredited for
ISO/IEC 20000-1:2018, received subsequent approval and accreditation by ANAB and APMG, and
has now updated and resubmitted the application in conformance with the APMG 015
update and IAF MD 11, Issue 1, version 2. SRI’s Service Management sector
qualification consisted of an application review, witness audit, and recommendation
for the recognition of SRI’s Service Management sector program.

4.2 SRI has provided an application form for the applicable Service Management System
(SMS) registrations. This application provides ANAB and APMG with renewed
confidence that SRI has developed the necessary documented process to meet
ISO/IEC 20000-1:2018 Third Edition and Accreditation Body requirements.

4.3 SRI recognizes that ANAB and APMG will perform witness audits and oversight of
SRI in accordance with their internal procedures and ISO/IEC guidelines, including at
a minimum of one office audit per year and one ISO/IEC 20000-1-based witness
audit per year.

4.4 SRI affords applicable Authorities the right of review of records and information
related to their ITSMS sector qualification program, including SRI activities
associated with this document.

5.0 Requirements for Certification/Registration Bodies (CRBs)

5.1 SRI is a nationally recognized Certification Body and currently qualified to ISO
9001:2015 in accordance with ISO 17021-1 for management systems. SRI has
completed the application for ISO/IEC 20000, submitted that application for
acceptance, and was subsequently accredited for performance of certification to
ISO/IEC 20000-1:2018. Necessary auditor qualifications have been updated through
training and personnel interview and are available for review and approval by
applicable Authorities upon demand.

5.2 SRI has and/or uses qualified full-time or contract auditors and/or technical experts
engaged in certification/registration activities related to ISO/IEC 20000.

A. The essential management system evidence required to be presented in
order to perform SMS certification/registration has not significantly changed
with the advent of ISO/IEC 20000-1:2018, and includes that necessary to
select, provide, and manage those individuals whose collective competence
is appropriate to the activities to be audited and the related Service
Management issues as described in ANAB Rule 25 dated 2017/01/01, clause
7, Audit Team Competence and associated APMG 015 and IAF MD 11
criteria.

5.3 SRI’s processes and requirements to continue conformance to ISO/IEC 20000 sector
qualification include, as a minimum:
A. Evidence that SRI’s certification function has person(s) with appropriate
background and knowledge in accord with applicable Authority criteria.
B. Evidence of SRI’s criteria for the training and selection of audit teams that
ensure appropriate levels of:
1) understanding of the SMS standard or normative document;
2) understanding of Service Management issues;
3) understanding of Service Management and Service Delivery;
4) technical knowledge of the activities and areas to be audited;
5) knowledge of regulatory requirements relevant to Information
Technology Service Management;
6) management system audit competencies;
7) management system knowledge.
This training was initially gained and evidenced by attending and passing an
approved SMS ISO/IEC 20000 Lead Auditor course. Updated training has
been performed internally, to upgrade knowledge and skills to the ISO/IEC
20000-1:2018 standard and applicable Authority criteria. Records of
attendance and passing are maintained in the independent contractor or
employee file for the life of the contractor's agreement or employment
contract.

C. Documented auditor training program performed initially, during the initial
qualification process, and with applicable Authority criteria revisions and
updates, that conforms to IAF MD 18 and APMG 015. SRI shall document
its auditor training program and make it available for review and approval
by ANAB during the re-accreditation process. SRI utilizes applicable
Authority-approved training courses and/or hires qualified groups or
individuals to supply approved training courses. In addition, SRI provides
internal training, qualification, oversight, and validation and verification of
knowledge and criteria to all auditors on an ongoing basis. Content of the
training programs as defined by ANAB, APMG, and/or IRCA or other
approved Training Services Provider is:
1) Applicable to the requirements of the ISO/IEC 20000-1:2018 standard;
2) A generally recognized scheme as used in the specific sector for
Certification/Registration of ISO/IEC 20000-1.
D. SRI utilizes qualified auditors. Auditors are closely reviewed, competence
established, and evidence of required knowledge confirmed. Understanding
of the mandatory aspects of specific SMS training is recognized as
important in auditing to ISO/IEC 20000-1; this includes knowledge and
competency in the seven major process areas of Service Management, in
addition to requisite industrial sector qualifications. Qualified
ISO/IEC 20000-1 auditors will exhibit:

1) A University Degree (extensive experience and supplementary
professional education and training can be equivalent).
2) Four years full time practical workplace experience in Information
Technology, of which at least two years are engaged in a role or
function relating to Service Management.
3) Proof of attendance and successful completion of a recognized
ITSMS training course covering SMS knowledge, auditing, and audit
management. At a minimum, the recognized training course must be
an ISO/IEC 20000 lead auditor certificate and/or the APMG
equivalent, as required by the applicable authority.
4) A minimum of 4 prior assessments (audit experience such as QMS,
EMS, SMS) equal to 20 days or more, including review of
documentation, risk analysis, implementation, assessment, and audit
reporting.
5) Qualification to SMS through Exemplar Global (formerly RABQSA),
IRCA, ITIL Foundation, or an alternate Personnel Accreditation Body
is preferred. The auditor must exhibit the following attributes:
objective, mature, discerning, analytical, persistent, and realistic.
Auditors must also understand complex information technology
operations and be able to understand the role of individual units in a
larger organization.
6) Lead Auditors shall have acted as an auditor in at least three
complete audits, shall have demonstrated the capability to
communicate effectively, both orally and in writing, and shall have
demonstrated the possession of adequate knowledge and appropriate
attributes in order to manage the assessment process.
7) All relevant experience shall be reasonably current.
8) Auditors must continually maintain and update knowledge and skills in
Service Management.

E. SRI has specific procedures, tools, and techniques in its system for granting,
maintaining, extending, reducing, suspending, and withdrawing
certification/registration.

F. A full-system witness audit of an SMS audit by a recognized Accreditation Body (AB).

G. SRI agrees to periodic surveillance and witness audits by ANAB.

H. No Certificates or approvals to ISO/IEC 20000-1 shall be issued by SRI
unless all major and minor nonconformances are addressed, with appropriate
root cause analysis, corrective action, and (if required) effectiveness of
implementation verified.

I. SRI will provide copies when requested of all information pertaining to audit
results (including notebooks, findings, supporting documents, and/or other
correspondence) with the audited organization for the purpose of the audited
organization sharing this information with their customer(s).

J. SRI requires the applicant to prepare a Service Management Plan describing
the Service Management System and identifying which services and
processes under the SMS standard or normative document are relevant and
applicable for the organization’s SMS implementation. The Service
Management Plan shall be part of the working documents provided to the
audit team at Stage 1.

K. SRI will ensure that the organization’s Service Management System risk and
business impact assessment activities properly reflect the nature of the
services relevant to its activities and extend to the boundaries of its activities as
defined in the SMS standard or normative document, including Business
Relationship and Vendor Management analyses. SRI will confirm that this is
reflected in the organization’s Service Management Plan and associated
process documentation. Interfaces with services or activities that are not
completely within the certifiable scope of the SMS shall be addressed within
the SMS subject to certification/registration restrictions and should be
included in the organization's information technology risk and continuity
assessments. An example of such a situation is the outsourcing of SMS
processes or services to third parties (e.g. hosting service providers,
telecommunications outsourcers, call center/help desk support service
providers, etc.).

L. SRI does not provide consulting services. Any independent contractor that,
in the past two years, has provided consulting services to a client shall have
no involvement with the ISO/IEC 20000-1 registration of that client. The
only activity allowed prior to audit is a pre-assessment per R20.46.

Note: If SRI performs training for an organization for which it will provide
registration services, the training must be conducted and managed
separately from SRI’s registration program. The training must be available to
the public, held in a public venue, and not specific to the attendee base.

M. SRI does not provide internal audit review of the service management of clients’
SMSs that are subject to third-party audit.

5.4 SRI agrees to the “Right of Access” by ANAB, APMG, and other regulatory or
oversight bodies for review of all records and information concerning their activities
associated with this document and their approval as a certification body under this
system. This includes information from audits of clients in accordance with ISO/IEC
20000-1, current edition.

5.5 SRI agrees to allow ANAB and APMG member OEMs to perform surveillance
reviews of SRI’s processes and activities associated with this document and their
approval as a CRB under this system. This access may include the witnessing of
SRI audits at client locations.

6.0 Requirements for Auditors

6.1 All auditors shall, as a minimum, meet the basic education, training, work experience
and audit experience of specified ISO 19011 conditions and requirements, and
additionally must fully demonstrate the following:

A. Auditing Experience - To have participated in at least four audits for a
minimum of 20 days, which cover all the elements of the ISO/IEC 20000-1
standard, within the last three years. Auditors shall have the ability to cover
all the clauses/elements as determined by the Vice President, Certification.
All members of the audit team shall be able to demonstrate appropriate
experience and understanding of all of the following:
1) the SMS standard or normative document;
2) the concepts of management systems in general;
3) issues related to various areas of Service Management;
4) the principles and processes related to risk and business
impact/continuity management;
5) general ISO auditing principles.

B. The auditor must be trained in SMS requirements as defined in ISO/IEC
20000-1:2018 and ISO/IEC 20000-6:2017. This approved training covers all
those noted in A. above plus size, scope, complexity criteria and information
Confidentiality and Sensitivity aspects. This training can be performed by SRI
or may be obtained independently. If APMG marks are required, then auditor
training must also include APMG 15/015.

C. The following requirements apply to the audit team as a whole:

1) In each of the following areas at least one audit team member should
satisfy the certification/ registration body's criteria for taking
responsibility within the team:
a) managing the team,
b) knowledge of legislative and regulatory requirements and of
compliance in the particular information technology service
management field,
c) identifying service management-related risks, threats, and
vulnerabilities,
d) identifying the vulnerabilities of the service provider
organization and understanding their impact, mitigation, and
control,
e) knowledge of the current technical state-of-art in the sector,
f) knowledge of risk and business impact assessment related to
information technology;
2) The audit team should be competent to trace indications of incidents
and problems identified in the implementation of the organization's
SMS back to the appropriate elements of Service Management.
3) An audit team may consist of one person provided that the person
meets all the criteria set out above.
4) At least one member of the team must be competent in the SMS
technical area. Specifically, the auditor must meet one of the two
following options:
• the auditor must hold IAF 33 (see R20.41) and QMS Technical
Area 33-1, and have demonstrated competency for general auditing skill
and knowledge as part of the annual auditor review process; or
• the auditor must hold IAF 33 (see R20.41) and participate in an
interview to determine competency related to service
management processes and services within the scope of the
SMS.
o NOTE: The second option is for auditors who are not
qualified to ISO 9001.
When an auditor demonstrates competency as described above, the
technical area code SMS-33 is added to the eVENTS system.
5) Certification decision personnel follow the same requirements stated
above for auditors.
6) Support personnel (CCC, Quote, etc.) must be familiar with required
internal SRI documentation related to their role in applicable
processes.

6.2 To maintain their SMS auditor qualification, all auditors must participate in continuing
education. Training should include review of the changes to the industry standards,
auditing methods and ISO requirements at a minimum of 15 hours total within every
three-year period.

7.0 Requirements for Assessment and Reporting

7.1 SMS Assessment Teams

A. The assessment team leader must be a qualified lead auditor per ISO 19011
as identified in SRI’s accredited system.

B. The team may include other auditors that are approved per SRI.

C. The assessment team should include an auditor qualified for the supplier’s
commodity(ies) (IAF Scope Category). The commodity requirement may be
met by a technical expert in lieu of an auditor (per ANAB guidelines) who is
additional to the team membership. SMS credentials are the minimum
bona fide occupational qualification.

D. Auditor credentials shall be made available to the organization upon request.

7.1.1 SRI shall ensure that all members of the team are aware of the requirements of
ISO/IEC 20000-1 and other applicable Authority criteria as may affect the scope of
their assessment activity. The SMS Lead Auditor shall provide guidance to the
assessment team throughout the assessment on the interpretation of SMS
requirements and, when requested, the significance of any issues identified.

7.1.2 SRI shall review before the assessment what records are considered as confidential
or sensitive by the organization such that these records could not be examined by
the audit team during the assessment of the organization. The certification/
registration body shall judge whether the records that can be examined warrant an
effective assessment. If the certification/ registration body concludes that an
effective assessment is not warranted, the certification/ registration body shall inform
the organization that the assessment can take place only when appropriate access
arrangements have been accepted by the organization.

7.1.3 ANAB or Representatives may accompany the assessment team as observers of the
assessment process at any time with due notice. When customer representatives

are participating in the audit, the Team Leader shall have the option of including (or
not) in the assessment report any findings brought forward by these representatives.

7.2 Duration of Assessment

7.2.1 An estimation of time that might be required for a certification audit is helpful to plan
the audit. However, it is important to note that due to various factors that may affect
the necessary time (size, scope, complexity of services, number of users, volume of
information handled, number of information systems, number of networks, number of
platforms, number of critical systems, remote teleworking, number and types of
electronic transactions and requirements, number and size of software and/or
system development projects, applicable legislation and any sector-specific
requirements), it is not possible to give a definitive estimate on how necessary time
can be determined. The estimation may need to be adjusted if more detailed
information is made available or if factors change. In all cases where adjustments
are made to the appropriate starting point, sufficient evidence and records shall be
maintained to justify variations.

The methodology used as a basis for the calculation of audit duration is the ISO/IEC
20000-6:2017 table 1 and related content in section 9.1.4. It is used to determine
the appropriate starting point/duration for the audit event. Various factors noted
above may affect the necessary time to perform an effective audit on-site, as
identified in Table 2 (Decreases) and Table 3 (Increases) and in section 9.4.1.3
(other management system standards). Justifications must be captured in the
proposal directory by the Proposal Manager or delegate.

A portion of the audit time can be conducted as a remote audit, per R20.22. Multi-
site sampling is conducted per MD 1 and 7.4 below. Integrated audits are conducted
per R20.105, with the following additional minimum requirements:
• The scope of the ISMS must be consistent with the scope of the SMS. If the
scope of the ISMS is outside of the scope of the SMS, then an integrated
audit is not appropriate and a stand-alone SMS must be quoted and executed
without the support of the ISMS.

7.2.2 A full assessment of all ISO/IEC 20000-1 requirements is mandated for any
organization transitioning from an already existing conforming system to ISO/IEC
20000-1 that was not previously assessed using qualified SMS auditors and the
requirements of this document. This includes and is representative of consideration
for upgrading of Service Management Systems to the requirements of ISO/IEC
20000-1:2018 applicable Authority criteria.

7.3 The audit team shall record all nonconformances identified during an assessment on
form R20.35. The team leader shall assign a nonconformance to the categories of
“Major” (HOLD) or “Minor”. These are defined in section 2.

7.4 Multiple site sampling decisions in the area of SMS registration are more complex
than the same decisions are for Quality Management Systems. SRI will maintain
procedures which include the full range of issues below in the building of its
sampling program (refer to R20.114).
Prior to undertaking its first assessment based on sampling, SRI shall provide to the
accreditation body the methodology and procedures which it employs and provide
demonstrable evidence of how these take account of the issues below to manage
multiple site SMS assessment.

SRI’s procedures should ensure that the initial contract review identifies, to the
greatest extent possible, the difference between sites such that an adequate level of
sampling is determined in accordance with the provisions below.
Where an organization has a number of similar sites covered by a single SMS, a
certificate may be issued to the organization to cover all such sites provided that:
A. all sites are operating under the same SMS, which is centrally administered
and audited and subject to central management review;
B. all sites have been audited in accordance with the organization’s internal
security review procedure(s);
C. a representative number of sites have been sampled by the certification/
registration body, taking into account the requirements below:
1) the results of internal audits of head office and the sites,
2) the results of management review,
3) variations in the size of the sites,
4) variations in the business purpose of the sites,
5) complexity of the SMS,
6) complexity of the information systems at the different sites,
7) variations in working practices,
8) variations in activities undertaken,
9) potential interaction with critical information systems or information
systems processing sensitive information,
10) Service Management Plan and Service Level Objectives/Agreement
conditions, and
11) differing legal requirements;

D. the sample should be partly selective based on the above in point c) and
partly non-selective and should result in a range of different sites being
selected, without excluding the random element of site selection;
E. the surveillance program should be designed in the light of the above
requirements and should, within a reasonable time, cover all sites of the
organization or within the scope of the SMS certification/ registration included
in the listing of security controls;
F. in the case of a nonconformity being observed either at the head office or at a
single site, the corrective action procedure should apply to the head office and
all sites covered by the certificate/ registration.
The Audit described below should address the organization's head office
activities to ensure that a single SMS applies to all sites and delivers central
management at the operational level. The audit shall address all the issues
outlined above.

7.5 Initial Stage 1 Audit

Prior to the on-site certification audit, the following must be provided to SRI:

A. General information concerning the SMS and activities it covers,

B. A copy of the set of SMS documentation as required by ISO/IEC 20000-1
(current version) and, as required by SMS implementation, applicable
Authority criteria, customer requirements, organizational policy, and/or other
critical associated documentation.

• The objective of the Stage 1 audit is to provide a focus for planning the
Stage 2 audit, by gaining an understanding of the organization’s
Service Management Policy and objectives and preparedness for the
Stage 2 audit.
o If the audit of the SMS is integrated with ISMS, then the scope of
the ISMS must be consistent with the scope of the SMS. If the
scope of the ISMS is outside of the scope of the SMS, then an
integrated audit is not appropriate and a stand-alone SMS must
be quoted and executed without the support of the ISMS.
Auditors are to notify the office if stage 2 plans should be
converted from integrated to stand alone, based on a failure to
meet the criteria identified above.

The Stage 1 shall not be restricted to a documentation review. The documentation
review shall be completed prior to the commencement of the Stage 2 audit.

A. Results of the Stage 1 shall be documented in a written report.
B. SRI will review the report before deciding to proceed to the Stage 2 audit and
selection of team members with the necessary competence.
C. SRI makes the organization aware of the types of information and records
required for examination at the Stage 2 event.

7.6 Stage 2 Audit

An audit plan is drafted based on any corrective action notifications documented at
the Stage 1 event. If remote auditing is planned, it must be identified per R20.22.
Objectives of the Stage 2 audit are:

A. to confirm that the organization adheres to its own policies, objectives and
procedures;
B. to confirm that the SMS conforms to all the requirements of ISO/IEC 20000-1 and
is achieving the organization's policy objectives.

7.7 Audit Team Conclusions and Reporting

7.7.1 SRI shall present the audit report to the client which includes references to
clauses/processes listed in the ISO/IEC 20000-1:2018 Third Edition, as a minimum,
stating its conclusions on conformance and effectiveness of the SMS overall to the
ISO/IEC 20000-1 requirements. The assessment shall be documented in an
appropriate notebook or an electronic facsimile. In the event that registration is
denied or suspended, an appropriate course of action shall be agreed between the
organization and SRI. Where there is a failure to agree on a course of action, the
appropriate appeals procedure (QP 8.0) of SRI may be invoked.

7.8 Surveillance Activities and Reassessments

SRI conducts surveillance audits and re-assessments in accordance with ISO/IEC
17021-1 and the requirements of the guidance document. These organizations may
also be subject to witness audits as previously described.

A. Initial assessments shall cover the entire ISO/IEC 20000-1 standard.
B. Surveillance shall be conducted, as a minimum, once per year.
C. During a three-year period, the entire ISO/IEC 20000-1 Standard must be
completely assessed, with important/critical areas covered during surveillance
in accordance with IAF Guidance.
D. The team leader shall advise whether recorded nonconformance(s)
jeopardize an existing certificate.
E. If transfers are conducted at surveillance and/or reassessments, and the
SMS is integrated with the ISMS, then the scope of the ISMS must be
consistent with the scope of the SMS. If the scope of the ISMS is outside of
the scope of the SMS, then an integrated audit is not appropriate and a
stand-alone SMS audit must be quoted and executed without the support of the
ISMS. Auditors are to notify the office if transfer audit plans should be
converted from integrated to stand-alone, based on a failure to meet the
criteria identified above.

7.9 Certification/Registration

7.9.1 SRI is responsible for ensuring the continued integrity and validity of the certificates it
issues and for drawing up and implementing a procedure to enable it to carry out this
responsibility.

7.9.2 For the SMS Sector qualification program, accredited registration documents shall be
in the form of a certificate. Letters of conformance and unaccredited assessment
statements, if any, shall be clearly distinguishable from accredited certificates.

7.9.3 The certificate(s) shall include the following information at a minimum:

A. The appropriate version of the ISO/IEC 20000-1 Standard.
B. Effective date and expiration dates, with a maximum period of three years.
C. Scope of Registration.

7.9.4 If desired, separate certificates for the applicable ISO/IEC 20000-1 and ISO 9001
may be issued.

7.9.5 All certificates shall be specific in terms of the scope of the SMS and the standard(s)
being covered.

7.9.6 The certificate(s) shall have marks in accordance with the ANAB and/or APMG
requirements. In case of misuse of the marks or logos by SRI, or when ANAB or
APMG detect systemic nonconformities, the accreditation may be suspended or
withdrawn.

7.9.7 If any member of the RRP and/or the Certification Director (or equivalent) rejects the
registration process, or disagrees with the Audit Team, SRI shall attempt to correct
or resolve any items or issues that are the basis for disapproval. If an agreement
cannot be reached between the RRP members and the Certification Director, the
Certification Director shall in writing submit the RRP conclusions to the President &
COO for resolution. The COO will then choose a third properly qualified individual.
The third individual then resolves the issue through majority agreement. (QP-3)

7.9.8 Competencies required for the certification decision include:

A. General knowledge of business operations, legal, and regulatory
requirements pertaining to the industry sector
B. Excellent communication and people skills
C. Team and goal oriented
D. Ability to work under pressure and meet deadlines
E. Proficiency in or knowledge of using a variety of computer software
applications including MS Word, MS Excel, Lotus Notes and the internet
F. Excellent attention to detail
G. Ability to exercise strong judgment in analyzing, appraising, evaluating, and
solving problems of a difficult procedural, organizational, administrative, or
technical nature
H. Negotiating skills
I. Knowledge of organizational structure, workflow, business practices, and
operating procedures
J. At least 4 years industry experience, including at least 2 years in Quality
Control and Quality Assurance
K. At least a secondary education plus experience, or a college degree
L. Qualified Lead Auditor or equivalent experience
M. Varied sector-specific background
N. Knowledge of various standards, methods, certification requirements and
accreditation requirements
O. Knowledge of the Registration Review Process
P. Understanding of ISO 19011 and report content
Q. Ability to handle confidential information
R. Ability to review and determine auditor competency and oversee/perform
internal witness events (IWA); overall responsibility for the IWA system
S. Background, experience and/or training in the cited standard as applied to the
RRP in process.

7.9.8.1 Competence is ascertained during annual reviews as conducted by the President
and COO.

8.0 Authentication and Oversight of Accreditation Bodies, Certification/Registration
Bodies, and Auditors

8.1 ANAB shall have primary responsibility to oversee the activities of all recognized
organizations under this system.

8.2 Sector qualification of SRI shall be approved by the ANAB and be conducted in
accordance with procedures and the requirements of ISO/IEC 20000-1, current
edition. This includes an annual ANAB review to evaluate the effectiveness of the
process for recognition of SRI. The review shall be in accordance with ANAB
procedures.

8.3 Oversight performed by other member companies on ANAB, APMG, or SRI,
including witness audit results, shall be used in ANAB, APMG, and SRI assessment.
Any issues resulting from oversight should be relayed to SRI for action and follow-up.

8.4 SRI’s internal appeals/complaint process is to be used before other actions are
taken. If any client cannot resolve issues with SRI then the matter shall be referred to
ANAB and/or APMG, as appropriate. If the problem is related to SRI performance
and cannot be resolved to the satisfaction of the organization or the OEM(s)
involved, and when all levels of appeal have been exhausted, the matter may be
referred to the appropriate Authority.

8.5 ANAB may suspend or withdraw the sector qualification of SRI.

8.6 Auditor credentials are valid for three years and may be renewed based on the proof
of continuing education and performance of required assessments.

9.0 Records of Applicants and Clients

9.1 Records are retained for the duration of the current cycle plus one full certification cycle.

Note: In some jurisdictions, the law stipulates that records need to be maintained for a
longer time period.
