Skip to content

ISO/IEC 20000 – Different Types of Audit



ISO/IEC 20000 audits

In ISO/IEC 20000-1 there are requirements for 3 types of audits. Most people recognize the need for internal audit but may forget that there are also requirements for information security audits and configuration audits.

Internal audit (clause of ISO20000-1)

The internal audit requirements are common to all management system standards e.g. 9001, 27001. The audit is not just against the requirements of ISO20000-1 but also against the service requirements and the SMS i.e. the organization’s SM policy, SM objectives, SM plan. There is a requirement to audit that all of these items are ‘effectively implemented and maintained’.

Internal audits need to be conducted to ensure objectivity and impartiality. Auditors are not allowed to audit their own work. There are usually 3 options to resource auditors:

  • an internal audit department within your organization
  • staff within IT services auditing each other’s work
  • external consultants conducting internal audits on your behalf.

A procedure is required to provide details of the objectives of internal audits, responsibilities and reporting. The internal audit programme needs to be planned including the criteria, scope, frequency and methods for the audit. The audit may find nonconformities and can make recommendations for improvement.

After an audit, the audit results are written up and reported to the management responsible for the  audited area that are then responsible for ensuring that corrective actions are taken. The actions also need to be verified to close any nonconformities found.

ISO 19011 provides useful guidance on internal auditing.


Posted in ISO Schemes.

Tagged with , .

APMG Launches New Operation in Brazil

Priscylla Monteiro -Business Development Manager, APMG South and Central America

Priscylla Monteiro -Business Development Manager, APMG South and Central America

APMG International is thrilled to unveil the successful launch of our new operation in Brazil, São Paulo.

The launch of this operation has been catalyzed by a rise in Professional Certifications in South America.

This operation allows us to expand our reach to Portuguese speaking professionals – giving them access to our extensive portfolio of qualifications. It’s an exciting prospect – as this expansion gives many more individuals the opportunity to enhance their business knowledge, skills and performance.

Priscylla Monteiro is spear-heading the operation as manager – enabling Accredited Training Organizations (ATOs) in South America access to over 40 APMG certification and qualification schemes.

Priscylla said that the operation has so far been well received, “The market is pleased to have a local APMG presence. Having the chance to represent APMG in South America will be a great and enjoyable challenge for me.

“My strategy will be to work closely with our customers to help them to identify the best product for their business and to develop a successful growth plain in partnership with them.”


Posted in Events.

Tagged with , .

Signing On the Dotted Line


Contracts are a part of everyday life; from employment contracts and mortgages to the additional warranty offered on purchases of white goods. So should I be reading every word in these documents, or I should I just shrug and put my signature in the allocated space? Most people will agree with me when I say that a contract is not a riveting read. But we all know that we should be aware of what we are signing ourselves up for before we put pen to paper.

I am the first to admit that I always tick the ‘I agree’ or ‘I have read & understood the terms and conditions’ box as soon as it appears – without clicking on the link to read the details of the terms and conditions. It’s quicker that way; I don’t have time to read the small print, I just want to get to where I am going without paperwork holding me up. I make the assumption that the terms and conditions given to me by my lender or high street retailer are OK, because surely anything untoward in there would have already been picked up by someone else signing before me?

However in business we don’t see these ‘standard’ agreements as often. Contracts between organizations are usually initiated for a specific project. Therefore the detail contained within the contract will be more highly defined and appropriate to the parties involved than a high street retailer agreement. There would have been negotiation and discussion on the responsibilities and requirements of both parties before the contract was drafted. And both of you have pledged your commitment to this venture.


Posted in Qualifications.

Tagged with , , , , .

How Cyber-Space Has Changed The Way We Export

The Queen's Awards for Enterprise: International Trade 2010UK Trade and Investment (UKTI) has nearly reached the end of its sixth Export Week. UKTI hold a series of export-focused events throughout the UK – empowering businesses to start their venture into exporting or increasing their international trade.

Harnessing the excitement surrounding this occasion – we reflect on APMG’s own success in exporting and its journey towards achieving a Queens Award for Enterprise in the International Trade Category.

Awarded to us in 2012 – the award serves as recognition of outstanding continuous performance over a period of six years. APMG proudly displays the Queen’s Award Emblem as recognition of our enduring commitment to developing leading qualifications – that challenge and reward candidates with critical knowledge and skills.

The award also recognizes the exemplary training delivered by our Accredited Training Organizations (ATOs) who operate across the globe. It’s commendable that our ATOs survive our scrupulous assessment process – so candidates can be confident that our ATOs are committed to providing world-class training.


Posted in Accreditation, Cyber Security, Events, Exams, Project Mgmt, Qualifications.

Tagged with , , , , , .

COBIT in 3 Minutes

COBIT 5 Logo1. The current version 


2. The basics

Originally designed for auditors to audit the IT organization, COBIT 5 (Control Objectives for Information and Related Technology) is about linking business goals to IT objectives (note the linkage here from vision to mission to goals to objectives). COBIT 5 (launched April 2012) provides metrics and maturity models to measure whether or not the IT organization has achieved its objectives. Additionally, COBIT identifies the associated responsibilities of the business process owners as well as those of the IT process owners.

3. Summary

COBIT is owned and supported by ISACA. It was released in 1996; the current Version 5.0 (April 2012) brings together COBIT 4.1, Val IT 2.0 and Risk IT frameworks.

The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for -profit or in the public sector (Figures 1 and 2).

COBIT 5 Principles

Figure 1: The COBIT 5 Principles


Posted in Exams, IT Service Mgmt.

Tagged with , , .

BiSL in 3 Minutes


1. Current version

BiSL® (Business Information Services Library) 2nd Edition

2. The basics

BiSL (Business Information Services Library) is a framework and collection of best practices for business information management.

3. Summary

BiSL (Business Information Services Library) was developed by a Dutch IT service provider, PinkRoccade and made public in 2005. BiSL was then transferred to the public domain and adopted by the ASL BiSL Foundation. The current version is the 2nd Edition, published in 2012.

BiSL focuses on how business organizations can improve control over their information systems: demand for business support, use of information systems and contracts and other arrangements with IT suppliers. BiSL offers guidance in business information management: support for the use of information systems in the business processes, operational IT control and information management.

The library consists of a framework, best practices, standard templates and a self-assessment. The BiSL framework gives a description of all the processes that enable the control of information systems from a business perspective.


Posted in Qualifications.

Tagged with .

ASL in 3 Minutes

ASL Logo1. Current Version

ASL®2 (Application Services Library)

2. The basics

ASL (Application Services Library) is a framework and collection of best practices for application management.

3. Summary

ASL (Application Services Library) was developed by a Dutch IT service provider, PinkRoccade, in the 1990s and was made public in 2001. Since 2002 the framework and the accompanying best practices have been maintained by the ASL BiSL Foundation. The current version is ASL2, published in the Netherlands in 2009.

ASL is concerned with managing the support, maintenance, renewal and strategy of applications in an economically sound manner. The library consists of a framework, best practices, standard templates and a self-assessment. The ASL framework provides descriptions of all the processes that are needed for application management.

The framework distinguishes six process clusters, which are viewed at operational, managing and strategic levels see Figure.

The application support cluster at the operational level aims to ensure that the current applications are used in the most effective way to support the business processes, using a minimum of resources and leading to a minimum of operational disruptions.

The application maintenance and renewal cluster ensures that the applications are modified in line with changing requirements, usually as a result of changes in the business processes, keeping the applications up-to-date. The connecting processes form the bridge between the service organization cluster and the development and maintenance cluster.

The management processes ensure that the operational clusters are managed in an integrated way.

Finally, there are two clusters at the strategic level. The aim of the application strategy cluster is to address the long-term strategy for the application(s). The processes needed for the long-term strategy for the application management organization are described in the application management organization strategy cluster.


Posted in Project Mgmt, Qualifications.

Tagged with , , .

ISO/IEC 20000 – Minimizing the Documentation

Hands with empty paper reaches out from big heap of crumpled papers

I wrote a previous blog about the mandatory documents required by ISO/IEC 20000-1. Following on from that, I have been asked how to minimize the number of documents.

The mandatory documents were listed in a previous blog. They add up to:

• 6 policies
• 8 plans
• 14 processes for clauses 5 – 9 plus other processes for sub-clauses of clause 4 e.g. documentation management, resource management, internal audit, continual improvement
• 19 procedures
• 5 definitions
• 12 other documents e.g. SLA, service catalogue.

Remember that documents do not need to be very long – in fact they are more likely to be used if they are kept short and succinct. Some documents can be embedded within a tool e.g. procedures. Documents should be written to be used and useful, not just because the standard requires it.


Posted in ISO Schemes.

Tagged with .

AXELOS has granted APMG extended contract

I am delighted to inform you that AXELOS has announced today that APMG has been awarded an extended contract as an AXELOS Exam Institute (EI) for a further three years from January 2015. AXELOS took the decision to offer the extended contracts in order to ensure that its EIs have the stability to make further investments in quality systems, enhanced exam delivery and increase their global reach. Continued…

Posted in Accreditation.

Tagged with , , , .

Agile in 3 Minutes

AgilePM Logo1.   The basics

Originating from the world of IT where the concept of Agile refers to a set of software development methods based on iterative and incremental development, where requirements and solutions evolve through collaboration between self-organizing, cross-functional teams. Nowadays, the principles of the Agile approach are also used in other domains, for example design & engineering, product development, manufacturing, etc.

2.   Summary

Incremental software development methods have been traced back to 1957. ‘Lightweight’ software development methods evolved in the mid-1990s as a reaction against ‘heavyweight’ methods, which were characterized by their critics as a heavily regulated, regimented, micromanaged, waterfall model of development. Supporters of lightweight methods (and now Agile methods) contend that they are a return to earlier practices in software development.

Early implementations of lightweight methods include Scrum (1993), Crystal Clear, Extreme Programming (XP, 1996), Adaptive Software Development, Feature Driven Development, DSDM (1995, called DSDM-Atern since 2008), and the Rational Unified Process (RUP, 1998). These are now typically referred to as Agile methods, after the Agile Manifesto.

The Agile Manifesto was written in February 2001, at a summit of independent-minded practitioners of several programming methods.


Posted in Agile, AgilePM, Project Mgmt.

Tagged with , , , .