Issue: A/1    Revision No.: 0    Issue Date: July 1, 2023
1. Purpose
To ensure the effectiveness of the certification process for the Information Technology Service Management System (ITSMS) certification provided by Huakai, this document specifies the basic process and the specific requirements for carrying out ITSMS certification.
2. Scope of application
This document applies to the management of the ITSMS certification process and covers only the special requirements of CNAS-CC175:2017 (IDT ISO/IEC 20000-6:2017) and CNAS-SC175:2015. The general requirements of ISO 17021 are already described in procedures HIC-UD-01~15 and are not repeated here.
3. Responsibilities
3.1 The marketing department is responsible for client contact, market development, and contract receipt and signing, and for liaison during the dispatch and retrieval of certification certificates.
3.2 The Technical Committee is responsible for organizing contract reviews; for tracking, accepting and archiving audit materials and for organizing the evaluation of certification decisions on those materials; for submitting certification-related information to CNAS/IAS; for monitoring the certification implementation process; and for assessing the competence of audit and certification personnel.
3.3 The audit department is responsible for preparing the audit programme, carrying out audit preparation, forming audit teams to conduct on-site audits, supervising and controlling the audit process, and managing auditors.
3.4 The customer service department and the Technical Committee are responsible for the registration management of certified clients.
3.5 For the purposes of personnel evaluation, contract review personnel and audit programme management personnel are collectively referred to as project management personnel.
3.6 The management department is responsible for producing certification certificates.
3.7 The general manager is responsible for signing and issuing certification certificates and for approving certification registration status (including granting, maintaining, renewing, expanding, reducing, suspending and withdrawing certification).
4. Procedures and requirements
4.1 Competence evaluation of certification personnel
4.1.1 Basic requirements: in accordance with the principles below, carry out initial evaluation, initial testing, competence monitoring and evaluation, and periodic testing and evaluation for each category of personnel, and retain the evaluation records. Competence evaluation results for certification auditors and certification management personnel may be entered into the system only after approval by management.
4.1.2 General certification knowledge and skills: see the knowledge and skills required in Appendix B.
4.1.3 Initial competence evaluation of certification personnel
4.1.3.1 Initial competence evaluation of certification personnel
a. The knowledge and competence requirements and the specific skill requirements for all certification personnel shall satisfy ISO/IEC 17021:2015 "Management System Audit Requirements" (CNAS-CC01:2015), "Requirements for Information Technology Service Management System Certification Bodies" (CNAS-CC175:2017), and the clauses of this procedure.
b. Before the initial competence evaluation, the management department confirms and records the candidate's personnel information according to the initial competence evaluation criteria, including the candidate's education, work, training and audit (consulting) experience, and completes the "Certification Personnel Registration Form" and the "Audit Experience Summary Form" (auditors only) to obtain evidence of the candidate's knowledge and skills and gain a basic understanding of their competence. The "Certification Personnel Registration Form" shall be as detailed and complete as possible so that the candidate's knowledge and skills can be identified.
c. The management department conducts a basic interview when a recruit joins, to understand their past work experience, knowledge and skills. The interview is recorded in the "Management System Certification Personnel Interview Report", and the information in the record is verified, clarified and confirmed where necessary.
d. After receiving the above records from the management department, the Technical Committee organizes evaluators to carry out the initial competence evaluation of auditors according to the evaluation criteria in this procedure and the "Analysis of Professional Technical Fields of the Information Technology Service Management System", and records the results in the "Certification Personnel Professional Competence Evaluation Form".
e. For certification personnel approved as qualified in the evaluation, the Technical Committee files the latest evaluation result and registration status for each person, who then proceeds to the initial competence test for certification personnel (see 4.1.3.2).
4.1.3.2 Initial competence test for certification personnel
4.1.3.2.1 Initial competence test for auditors/technical experts
a. Based on the certification business scope (corresponding technical field) output by the "Certification Personnel Professional Competence Evaluation Form" under 4.1.3.1.d, and on the relevant knowledge content in the "Analysis of Professional Technical Fields of the Information Technology Service Management System", the Technical Committee prepares and provides an "Auditor and Certification Management Personnel Professional Competence Test Form" for the test, which is returned to the Technical Committee. After evaluation by the Technical Committee, review by the management representative and, where found to meet the requirements, approval by the general manager, the auditor is deemed competent and may be assigned to audits. If the test result is unqualified, targeted training in the specific knowledge and skills of the position is required, and the auditor may take part in audits only after passing a re-assessment.
b. A level auditor taking part in a Huakai audit for the first time must be witnessed by a person holding team leader qualification, who completes the "Initial Competence Witness Evaluation Report for Newly Hired Auditors within the Body". Those who fail the witnessed audit must be scheduled for another witnessed audit, or pass targeted training and assessment, before formally performing audit tasks. A CCAA witnessed audit may replace the first witnessed audit. Exceptions are approved by the head of the audit department.
4.1.3.2.2 Initial competence test for project administrators (application/contract review personnel, plan/programme management personnel)
a. For project management personnel filed in the "List of Certification Personnel", the Technical Committee prepares and provides an "Auditor and Certification Management Personnel Professional Competence Test Form", based on the relevant knowledge content in the "Analysis of Professional Technical Fields of the Information Technology Service Management System", for the test, which is returned to the Technical Committee. After evaluation by the Technical Committee, review by the management representative and, where found to meet the requirements, approval by the general manager, the project administrator is deemed to have the corresponding professional competence. If the evaluation or test result is unqualified, targeted training in the specific knowledge and skills of the position is required, and the person may take up the post only after passing a re-assessment.
4.1.3.2.3 Initial competence test for report check/certification decision personnel
a. For report check/certification decision personnel filed in the "List of Certification Personnel", the Technical Committee prepares and provides an "Auditor and Certification Management Personnel Professional Competence Test Form", based on the certification business scope (corresponding technical field) output by the "Certification Personnel Professional Competence Evaluation Form" under 4.1.3.1.d and on the relevant knowledge content in the "Analysis of Professional Technical Fields of the Information Technology Service Management System", for the test, which is returned to the Technical Committee. After evaluation by the Technical Committee, review by the management representative and, where found to meet the requirements, approval by the general manager, the report check/certification decision personnel are deemed to have the corresponding professional competence. If the evaluation or test result is unqualified, targeted training in the specific knowledge and skills of the position is required, and the person may take up the post only after passing a re-assessment.
4.1.3.2.4 Initial competence test for competence evaluators
a. For competence evaluators filed in the "List of Certification Personnel", the management representative prepares and provides an "Auditor and Certification Management Personnel Professional Competence Test Form", based on the relevant knowledge content in the "Analysis of Professional Technical Fields of the Information Technology Service Management System", for the test, which is returned to the Technical Committee. After evaluation by the Technical Committee, review by the management representative and, where found to meet the requirements, approval by the general manager, the competence evaluator is deemed to have the corresponding professional competence. If the evaluation or test result is unqualified, targeted training in the specific knowledge and skills of the position is required, and the person may take up the post only after passing a re-assessment.
4.1.4 Competence monitoring and evaluation of certification personnel during work
4.1.4.1 Competence monitoring and evaluation during work confirms, by several means, whether the competence of certification personnel has been maintained, based on their performance in day-to-day work and in audits.
4.1.4.2 Process monitoring and evaluation of the professional competence and compliance of auditors (including intern auditors) and technical experts in audit projects. In each audit project, the audit team leader carries this out on site according to the prescribed observation items and records it in the "Internal Auditor Witness Evaluation Report of the Body". If any item of the on-site performance witness evaluation is rated "fairly poor" or "poor", the auditor must receive supplementary training and assessment.
4.1.4.3 Client-commissioned process monitoring and evaluation of the performance and competence of audit team members. After every certification audit project, once the client has been certified, customer service staff contact the certified organization and provide a "Certified Organization Satisfaction Survey Form" (covering the company's project management personnel and each member of the audit team for that audit), asking the certified organization to rate the company's communication and the professionalism, competence, compliance and service quality of the audit team members. After collecting the survey forms, the customer service department performs statistical analysis; any individual receiving an unsatisfactory rating is treated as the subject of a customer complaint and handled according to the relevant procedures.
4.1.5 Periodic testing and evaluation of the competence of certification personnel
4.1.5.1 Annual witness assessment of auditors
The company plans the frequency of witnessed audits for each auditor according to how frequently the auditor is used and the risk level of the activities; see the "Auditor Management Measures" for details.
4.1.5.2 Annual confirmation of the competence of key-position personnel (project management personnel, certification decision personnel and competence evaluators). Each January to February, the Technical Committee and the audit department form an evaluation team and assess key-position personnel using the "Certification Management Personnel Professional Competence Evaluation Form". For key-position personnel who fail the test, the Technical Committee withdraws the corresponding business code scope in their technical field.
4.1.6 Competence evaluation of auditors acting as team leader for the first time
4.1.6.1 A level auditor acting as team leader for the first time must undergo a witnessed evaluation of their competence for team leader qualification. The applicant completes the "Auditor Witness Application Form"; after the audit task is approved, the audit department arranges for the trainee team leader to lead the audit team in conducting the audit. The on-site witness is an auditor holding both registered auditor qualification and team leader qualification. After on-site witnessing, the witness completes the "Internal Audit Team Leader Witness Evaluation Report of the Body".
4.1.6.2 The principle for witnessing a level auditor's team leader competence is a single witnessed audit. If the final conclusion of the witnessed audit is unqualified, the auditor must apply to be witnessed again until the final conclusion is qualified; only then may the audit department assign them the team leader role when arranging subsequent audit projects.
4.1.7 Handling of negative competence evaluation results
4.1.7.1 After accreditation of the company's certification business scope, if the competence evaluation result for certification personnel in a particular unique technical field is unsatisfactory and the requirements still cannot be met after follow-up training, or if an auditor holding the professional competence for a particular technical field is dismissed by the company, the company's competence is affected. The Technical Committee shall promptly report to the management representative or general manager and analyse the resulting constraints on the company's overall competence and the impact on current certifications.
4.1.7.2 Following the analysis and approval, the management department promptly recruits certification personnel with the specific technical field competence as replacements, and the Technical Committee carries out their initial competence evaluation according to the relevant requirements of this procedure.
4.1.8 Determination of competence evaluation criteria for certification personnel
4.1.8.1 Competence criteria for application/contract review personnel
a) College diploma or above, with more than two years of work experience;
b) Familiar with and understand the requirements of the "Certification and Accreditation Regulations", the accreditation body's accreditation criteria, rules and guidelines, and the company's relevant certification audit procedures and the provisions of its certification system for application and contract review;
c) Master the requirements of ISO/IEC 20000-1 and the relevant parts of ISO/IEC 20000, in particular the knowledge points of ISO/IEC 20000-2, ISO/IEC 20000-3 and ISO/IEC TR 20000-10, and understand the requirements of relevant laws and regulations;
d) Familiar with the classification of national economic sectors and the technical field classification, grouping and management requirements of each of the body's systems;
e) Proficient in using the body's computer management system;
f) Familiar with the general terminology and processes of relevant industry practice (where lacking, a professional expert in the relevant field may assist);
g) Familiar with client products, processes, and organization type, size, governance and structure (where lacking, a professional expert in the relevant field may assist);
h) Where application/contract review personnel are also auditors, the evaluation of their auditor qualification may replace the competence evaluation of certification management personnel.
4.1.8.2 Competence criteria for audit programme management personnel (including those who determine audit projects and assign audit tasks)
a) College diploma or above, with more than two years of work experience;
b) A certain level of analytical and judgement ability and good oral and written expression;
c) Good service awareness, a sense of responsibility and patience, and the ability to communicate well with clients;
d) Familiar with and understand the requirements of the "Certification and Accreditation Regulations", the accreditation body's accreditation criteria, rules and guidelines, and the company's certification audit procedures and relevant certification management provisions;
e) Understand the requirements of ISO/IEC 20000-1 and the relevant parts of ISO/IEC 20000, in particular the knowledge points of ISO/IEC 20000-2, ISO/IEC 20000-3 and ISO/IEC TR 20000-10, and understand the requirements of relevant laws and regulations;
f) Proficient in using the body's computer management system;
g) Other knowledge and skills required by ISO 17021;
h) Where audit programme management personnel are also auditors, the evaluation of their auditor qualification may replace their competence evaluation as certification management personnel.
4.1.8.3 Evaluation criteria for report check/certification decision personnel
a) Master the requirements of ISO/IEC 20000-1 and the relevant parts of ISO/IEC 20000, in particular the knowledge points of ISO/IEC 20000-2, ISO/IEC 20000-3 and ISO/IEC TR 20000-10, and understand the requirements of relevant laws and regulations; familiar with the general terminology and processes of relevant industry practice; familiar with the terms and definitions of IT service management (including the applicability of scope and exclusions, and the tools, methods and techniques of IT service management and the effect of their application on the certification process);
b) Other knowledge and skills required by ISO 17021;
c) Certification decision personnel for special/high-risk industry certification scopes should meet requirements no lower than those for professional auditors in that scope; certification decision personnel for general/medium-to-low-risk industry scopes should have the competence required of auditors in one professional sub-category within the relevant major category;
d) The certification decision may also be made jointly by a level auditor and a technical expert in that field;
e) Where report check/certification decision personnel are also auditors, the evaluation of their auditor qualification may replace their competence evaluation as certification management personnel.
4.1.8.4 Evaluation criteria for personnel who carry out professional competence evaluation:
a) Basic theoretical knowledge of the corresponding professional technical field;
b) Familiar with the body's professional competence evaluation criteria and verification methods;
c) A certain level of analytical and judgement ability;
d) Familiar with the classification of national economic sectors and the technical field classification, grouping and management requirements of each of the body's systems;
e) Where professional competence evaluators are also auditors, the evaluation of their auditor qualification may replace their competence evaluation as certification management personnel.
4.1.8.5 Competence evaluation criteria for auditors and technical experts
a) Education: bachelor's degree or above in a major related to IT service management, with the corresponding degree certificate;
b) Experience: at least 4 years of full-time practical work experience in information technology, of which at least 2 years in IT-related responsibilities or functions;
c) CCAA-registered ITSMS level auditor;
d) Meet the requirements of clause 7.1 of ISO/IEC 17021:2015 "Conformity Assessment Management System Audit Requirements" (CNAS-CC01:2015);
e) Basic theoretical knowledge of and some practical experience in the corresponding technical field;
f) Familiar with the processes by which organizations in that technical field deliver IT services;
g) Able to identify the key activities of an organization that affect IT services and to evaluate the effectiveness of their control;
h) Master the requirements of ISO/IEC 20000-1 and the relevant parts of ISO/IEC 20000, in particular the knowledge points of ISO/IEC 20000-2, ISO/IEC 20000-3 and ISO/IEC TR 20000-10, and understand the requirements of relevant laws and regulations;
i) Where applicable, hold specific qualification certificates;
j) Maintain up-to-date IT service management and audit knowledge and skills through continuing professional development. (The professional competence requirements for technical experts are the same as those for auditors. Where technical training is provided, there shall be sufficient evidence of its effectiveness.)
4.2 Maintenance and development of the competence of certification personnel
4.2.1 Means of continuing professional development. Auditors and other certification personnel may achieve continuing professional development through the opportunities Huakai provides and through self-study, namely:
a) gaining work experience;
b) training;
c) coaching;
d) self-study;
e) seminars, conferences or other similar activities.
4.2.2 Continuing professional training includes but is not limited to:
a) the latest requirements in information technology, service management theory and practice, applicable standards, laws and regulations, and technical field competence criteria;
b) Huakai's latest requirements for ITSMS audit and certification;
c) where a competence evaluation finds that the actual competence of an auditor or other certification personnel does not fully meet the competence criteria, training on the unmet parts.
4.2.3 When organizing exchanges and seminars, Huakai considers the following factors to ensure their effectiveness:
4.2.3.1 Where necessary, Huakai consolidates the outcomes of exchanges and seminars and prepares or revises the relevant documents, such as:
- ITSMS audit and certification procedures or work instructions;
- the ITSMS audit checklist;
- competence needs analysis, competence criteria, and competence evaluation processes or methods for ITSMS audit and certification.
4.2.3.2 The frequency, scope and scale of the above exchanges and seminars should be commensurate with:
a) the scope, scale and performance of Huakai's audit and certification activities;
b) the number, competence range and level, workload and performance of Huakai's audit and certification personnel.
5. Certification process management
5.1 Enquiry and application
5.1.1 Public documents shall be provided to organizations applying for certification, and their content shall include at least the following information:
a) certification scope;
b) certification work procedure;
c) certification criteria;
d) certificate validity period;
e) certification fee schedule, etc.
The applicant organization shall also be informed that Huakai can arrange an on-site audit only after the organization has established a management system in accordance with the relevant standard, operated it normally for more than three months, and completed at least one internal audit and one management review.
5.1.2 The authorized representative of the applicant organization signs the "Certification Application Form" and provides at least the following application information:
a) the applicant organization's name, registered address, business address, mailing address and postcode, contact person, position and contact details;
b) certification type;
c) certification criteria;
d) number of people covered by the system;
e) the scope and boundaries of the ITSMS, determined by the characteristics of the business, organization, location, assets and technology, including a detailed description of and justification for any scope limitations or exclusions;
f) business premises, branch sites and temporary sites, and the activities carried out at each;
g) statement of applicability and asset list;
h) confidentiality agreements and declarations of information-security-sensitive areas;
i) information on any consulting organizations and personnel used;
j) the applicant organization's requirements regarding Huakai's qualifications, integrity and legal compliance record, or the identity background of certification personnel, together with the applicable, current legal and regulatory requirements relating to the protection of state secrets or national security, so that Huakai can judge whether it is qualified and able to carry out certification activities for the applicant organization;
k) restrictions on certification activities (e.g. for security and/or confidentiality reasons, where they exist).
5.1.3 The applicant organization also provides the following materials:
a) proof of legal entity status (business licence, public institution legal person certificate, or social organization legal person registration certificate);
b) administrative licensing documents required by relevant laws and regulations (where applicable);
c) evidence that its business activities comply with the relevant laws, regulations, IT service standards and related specifications of the People's Republic of China;
d) a description of the business activities within the ITSMS certification scope, including an explanation of how IT is used to support the business processes of internal or external customers;
e) evidence that a documented ITSMS has been established and implemented in accordance with the certification criteria and relevant requirements;
f) evidence that the system has operated effectively for more than 3 months and that internal audit and management review have been completed.
5.1.4 The above information shall enable Huakai to determine:
a) The industry category and service requirements of the applying organization;
b) The scope of the certification applied for;
c) The general characteristics of the applying organization, including its name, the addresses of its physical sites, a description of how information technology is used to support the business processes of internal or external customers, the significant aspects of its processes and operations, and any relevant legal obligations;
d) General information about the applying organization relevant to the field of certification applied for, including its activities, its human and technical resources and, where applicable, its functions and relationships within a larger entity;
e) Information on all outsourced processes used by the applying organization that affect conformity;
f) Whether consultancy relating to the ITSMS has been received.
5.1.5 Confidentiality
Before the certification audit, Huakai shall require the client to report whether there are any ITSMS records that the audit team will not be allowed to access because they contain confidential or sensitive information, and to give the reasons. Huakai shall decide, and record, whether the ITSMS can be adequately audited without access to that confidential information, and shall also document the reasons in detail.
If Huakai concludes that an adequate audit cannot be carried out without examining the identified confidential or sensitive information, Huakai shall inform the client that the audit cannot proceed unless suitable access arrangements are granted. Note: an alternative is for an intermediary who is sufficiently competent and holds the clearance level needed to view the confidential or sensitive information to consult the records and confirm the information required. The intermediary shall be acceptable to both Huakai and its client; however, the intermediary should be independent of the client.
5.2 Application review
5.2.1 The audit department reviews the application in accordance with the "Certification Audit Management Procedure" to ensure that:
a) The industry category of the applying organization, and the corresponding characteristics and service requirements of its information technology service provision processes, have been identified;
b) The national regulatory requirements for ITSMS certification in the corresponding industry are understood;
c) The information about the applying organization and its management system is sufficient for an audit to be conducted;
d) Any information assets within the applying organization's ITSMS scope that Huakai is not allowed to access have been clearly made known to Huakai; or the legal requirements, interested-party requirements and the applying organization's own requirements that Huakai must satisfy when accessing those information assets have been clearly made known to Huakai;
e) The certification requirements have been clearly defined and documented, and have been provided to the applying organization;
f) Any known differences in understanding between Huakai and the applying organization have been resolved;
g) The scope of certification applied for, the applying organization's operating sites, the time needed to complete the audit, the possible risks to the SMS and the services, and any other factors affecting the certification activities have been considered;
h) The competence needed to audit and certify the particular applying organization has been analysed according to its specific situation, and Huakai is able to carry out the certification activities;
i) Records of the reasons for the decision to carry out the audit are kept.
5.2.2 Transfer of certification
An accredited ITSMS certification certificate may be transferred; the transfer procedure is carried out in accordance with the relevant provisions on certificate transfer in the "Management Measures for Certification Certificate Transfer".
5.2.3 For applications that do not pass the review, the market representative contacts the department that submitted the contract, or the applicant, to discuss and clarify the relevant facts, and the application is reviewed again once agreement is reached. If the application cannot be accepted for other reasons, the situation is explained to the applicant, a "Notice of Non-acceptance" is issued, and the relevant materials are returned at the applicant's request. The reasons for rejecting an application shall be recorded and made clear to the client.
5.2.4 The signing and management of contracts follow the relevant provisions of the "Certification Audit Management Procedure".
5.3 Audit programme planning
5.3.1 General requirements
5.3.1.1 Based on the results of the application review, the audit programme planner plans the audit programme according to the process requirements of the "Management Measures for Audit Programme Planning", and passes the planning results to the audit team for confirmation on site; where necessary, the audit programme is adjusted according to the results confirmed by the audit team on site.
5.3.1.2 Based on the analysis, made during application review, of the competence needed to audit and certify the particular applying organization, an audit team with the corresponding competence is appointed to carry out the audit. When it becomes known that the ITSMS of a certified organization has changed (in particular when planning surveillance and recertification audits), the audit programme management personnel shall review the original competence analysis, update it where necessary, and appoint an audit team with the competence required by the updated analysis, so as to ensure the effectiveness of the audit.
5.3.1.3 Planning of audit time
Huakai plans, as required, the audit time needed for the initial audit (stage 1 and stage 2), the surveillance audits and the recertification audit of each organization applying for ITSMS certification. The initial certification audit is divided into a stage 1 and a stage 2. When determining the audit time for an auditee, the effect on the required audit time of factors such as the types of service activities covered by the organization's ITSMS scope, the size of the organization and the complexity of its business shall be considered. The following factors shall be considered when scheduling audit time:
a) The size of the ITSMS scope (for example, the number of information systems used and the number of employees);
b) The complexity of the ITSMS (for example, the criticality of the information systems and the risk profile of the ITSMS);
c) The types of business carried out within the ITSMS scope;
d) The level and diversity of the technology applied in implementing the various parts of the ITSMS [for example, the controls implemented, documentation and/or process controls, and corrective and/or preventive actions];
e) The number of sites;
f) Demonstrated past ITSMS performance;
g) The extent of outsourcing and third-party arrangements used within the ITSMS scope;
h) The standards and regulations applicable to the certification.
ITSMS audit time is determined according to the requirements of Appendix B.
5.3.1.4 Consideration shall be given to whether the auditee has confidential/sensitive information assets that Huakai is not allowed to access, or special requirements that Huakai must meet when accessing such information assets. The effect on the audit of information assets to which the client denies or restricts access shall also be evaluated and appropriate measures taken.
5.3.1.5 Scope and boundaries of the client's ITSMS
Huakai shall ensure that the client organization clearly defines the scope and boundaries of its ITSMS in terms of its organizational units, the services provided, the locations from which services are delivered, the technology used to provide the services, and other applicable aspects.
Note: Clause 6 of ISO/IEC TR 20000-3 gives general principles on ITSMS scope.
5.3.1.6 Interpretation of management system normative documents
Where an interpretation of the application of ISO/IEC 20000-1 is needed, it shall be given by an impartial and technically competent committee or personnel, and formally issued by Huakai.
5.3.1.7 Audit methods
The information-gathering methods used in an ITSMS certification audit should also include testing the effectiveness of ITSMS processes.
The ITSMS certification audit plan should state the remote audit techniques to be used in the audit.
Note: Remote audit techniques include, for example, teleconferencing, web meetings, web-based interactive communication, and remote electronic access to ITSMS documentation and/or ITSMS processes. Attention to these techniques helps improve the effectiveness and efficiency of the audit and supports the integrity of the audit process.
Information-gathering methods shall include (but are not limited to):
a) Interviews;
b) Observation of processes and activities;
c) Review of documents and records.
If remote audit techniques are used in the audit, the audit team shall state this specifically in the audit plan.
5.4 Sampling of multi-site organizations and their service points
The requirements in clauses 0 to 5.2 of CNAS-CC11 "Sampling-based Multi-site Certification" apply. When a multi-site organization operates dissimilar processes or activities at different sites or groups of sites, Huakai shall demonstrate and record the justification for its decision to apply sampling in management system certification. This shall confirm that Noah has obtained the same level of confidence in the conformity of the management system at all sites. Attention shall also be paid to the audit of "virtual sites", such as non-permanent sites and online sites; at such sites sampling may or may not be appropriate.
5.4.1 Conditions for multi-site sampling
When a client organization has multiple sites meeting the following conditions, CNAS-CC11 applies and a sampling-based multi-site audit may be conducted:
a) All sites operate under the same ITSMS and are subject to unified management, internal audit and management review;
b) All sites are included in the client organization's ITSMS internal audit programme, and all sites are internally audited within the scope of that programme;
c) All sites are included in the client organization's ITSMS management review programme;
d) All sites carry out the same ITSMS processes, and the sites are relatively independent of one another, with no interrelated processes;
e) The client organization has authority over the resources of all sites, can collect data from all sites, and can require them to implement unified ITSMS management measures.
5.4.2 Conditions for sampling service points
In general, service points are not within the certification scope; when Huakai and the client organization so agree, the scope of a multi-site certification may also include service points. If the certification scope includes service points, it shall be indicated that the site is a service point. When a client organization has multiple service points meeting the following conditions, Huakai may consider auditing the service points using a sampling-based approach:
a) Staff at the site are employees of the client organization or outsourced personnel under contract to the client organization;
b) Staff at all sites are managed under the same ITSMS; the client organization has authority to assign and deploy personnel and is entitled to require the staff providing services at the site to provide workload and work-quality data;
c) Changes to the services and activities the client organization provides at the sites, or the establishment or closure of sites, do not affect the integrity of the operation of the client organization's ITSMS;
d) All sites are included in the client organization's ITSMS internal audit programme.
5.4.3 Sampling considerations
a) An appropriate level of sampling shall be determined at initial contract review and in subsequent audit activities by identifying differences in the following:
1) Location, for example the size of the site, or the use of temporary sites that are within the SMS but not within the certification scope;
2) Services;
3) Customers;
4) Other parties involved in service provision (for example, internal groups, suppliers, and customers acting as suppliers);
5) Language;
6) Consistency of working practices across all shifts. Where each shift operates in the same way, less time is needed to audit a client with a large number of shift workers. A review of records is needed to confirm the consistency of working practices across all shifts. If the shifts are consistent, all shifts may be treated as one group of activities and one shift may be taken as the audit sample;
7) Local variations in the ITSMS;
8) Statutory and regulatory requirements.
b) A representative sample shall be selected from the client's SMS scope. The selection shall be based on the certification body's judgement and shall reflect the factors described in a) as well as a random element.
c) Planning of the audit plan shall take account of the requirements in a) and b). The plan shall cover a representative sample of the entire ITSMS scope within the 3-year cycle between certification audits.
5.4.4 Sampling method
a) The results of the sampling audit shall be sufficient to demonstrate the suitability, adequacy and effectiveness of the ITSMS, and there shall be measures to respond when sampling cannot meet that requirement;
b) The representativeness and randomness of the sample shall be reflected;
c) In multi-site sampling, the sample size for the initial certification audit is normally not less than the square root of the total number of sites of the same type; the sample size for surveillance audits is normally not less than 0.6 times the square root of the total number of the same type, and the sample size for recertification audits is normally not less than 0.8 times the square root of the total number of the same type;
d) When sampling service points, the sample shall cover all business types within the certification scope, and the service complexity of service points of the same business type shall be considered;
e) When sampling service points, the sample size for the initial certification audit is normally not less than the square root of the total number of service points of the same type, the sample size for surveillance audits is normally not less than 0.6 times that square root, and the sample size for recertification audits is normally not less than 0.8 times that square root. Where there is reasonable justification, the sample size may be reduced appropriately.
5.5 Initial certification audit
The initial certification audit is conducted in two stages, stage 1 and stage 2. The interval between the stage 1 and stage 2 on-site audits shall be not less than 5 working days and not more than 60 working days.
Starting from the baseline audit time, the appropriate initial audit time is determined from the application materials provided by the applying organization, taking into account the factors that increase or reduce it. The ITSMS stage 1 audit shall be arranged at the auditee's premises; when the client organization is unable to provide sufficient information at the application review stage for information security reasons, the on-site audit time for stage 1 shall be increased.
5.5.1 Stage 1 audit
At this stage of the audit, Huakai shall obtain the documentation relating to the design of the ITSMS. This documentation shall include the documents required by 4.3.1 of ISO/IEC 20000-1.
The purpose of the stage 1 audit is to understand the client's ITSMS in the context of its ITSMS policy and objectives, and in particular its claimed state of readiness for audit, and to provide a focus for the stage 2 audit. The stage 1 audit includes, but is not limited to, document review. Huakai shall agree with the client the time and place at which the document review is carried out; in all cases the document review shall be completed before the stage 2 audit. The results of the stage 1 audit shall be recorded in a written report. Huakai shall review the stage 1 audit report to decide whether to proceed with the stage 2 audit and to select stage 2 audit team members with the necessary competence.
Huakai shall make the client aware that further information or documents may be examined in detail during the stage 2 audit. The stage 1 audit shall be conducted at the applying organization's premises and covers:
a) Auditing the applying organization's ITSMS documentation;
b) Evaluating the applying organization's operating sites and site-specific conditions, and discussing with its personnel, in order to determine readiness for the stage 2 audit;
c) Reviewing the applying organization's understanding and implementation of the requirements of the ITSMS standard;
d) Reviewing whether the applying organization has systematically and adequately identified the statutory, regulatory and other requirements relating to the services it provides, and its compliance with them;
e) Reviewing the allocation of resources required for the stage 2 audit, and agreeing the details of the stage 2 audit with the applying organization;
f) Understanding the applying organization's state of readiness for audit in the context of its ITSMS policy and objectives, to provide a focus for planning the stage 2 audit;
g) Evaluating whether the applying organization has planned and carried out internal audits and management reviews, and whether the degree of implementation of its ITSMS demonstrates that it is ready for the stage 2 audit.
5.5.3 Stage 2 audit
The stage 2 audit shall be carried out at the applying organization's premises once the conditions for conducting a certification audit are met. If the stage 1 audit raised issues affecting the conduct of the stage 2 audit, those issues shall be resolved before the stage 2 audit. The purpose of the stage 2 audit is, through a systematic and complete audit at the applying organization's site, to evaluate whether the applying organization's ITSMS meets all the requirements of the applicable certification criteria and to decide whether to recommend certification and registration. Particular attention shall be paid to whether the applying organization has adequately recognized the importance of the IT service management processes and demonstrated that they are appropriate to its IT service activities. The applying organization is required to demonstrate that it has implemented appropriate controls over the analysis of the IT service management processes and the operation of the organization, which shall include:
a) Service delivery processes (service level management, service reporting, service continuity and availability management, budgeting and accounting for IT services, capacity management, information security management);
b) Relationship processes (business relationship management, supplier management);
c) Resolution processes (incident management, problem management);
d) Control processes (configuration management, change management);
e) Release process (release management).
The ITSMS initial certification stage 2 audit shall focus on the following aspects of the client organization:
a) The documentation requirements in 4.3.1 of ISO/IEC 20000-1;
b) Effective control over the implementation, monitoring, measurement and review of service management objectives, plans and processes;
c) ITSMS internal audit and management review;
d) Management responsibility for the policy.
5.5.4 Integration of ITSMS documentation with other management system documentation
Provided that the ITSMS and its interfaces with other management systems can be clearly identified, the applying organization may combine its ITSMS documentation with the documentation of other management systems (for example, quality, environmental, or occupational health and safety management systems).
5.5.5 Combined management system audits
5.5.5.1 Huakai may provide ITSMS certification services alone, or provide other management system certification services in combination with ITSMS certification. Huakai shall have procedures to ensure that, in the case of combined audits, matters such as the definition of the audit scope, the determination of audit time and the planning of the audit programme are managed effectively.
5.5.5.2 An ITSMS audit may be combined with audits of other management systems, provided that the audit activities satisfy all the requirements of ITSMS certification and that the quality of the audit is not adversely affected by the combination. The audit report shall clearly describe, and make easily identifiable, all significant elements relating to the ITSMS.
5.5.5.3 In a combined audit of ISO/IEC 20000-1 and ISO/IEC 27001 management systems, the information security management process in ISO/IEC 20000-1 shall be audited to ensure that:
a) The information security policy is relevant to the ITSMS and the services;
b) Relevant information security risks are identified and information security controls are implemented in support of the ITSMS and the services.
Auditors may find supporting evidence in the information security management system (ISMS). If the scope of the ISMS lies outside the scope of the ITSMS, the information security management process in ISO/IEC 20000-1 is not supported by the ISMS and shall be audited as a stand-alone process.
The information security policy, risks and controls shall be audited to ensure that they are appropriate to the services within the scope of the client's ITSMS.
5.5.6 Audit conclusions for initial certification
The audit team shall collate and analyse all the information and evidence gathered during the stage 1 and stage 2 audits, evaluate the audit findings, and agree on the audit conclusions.
5.6 监督审核及再认证Supervision, audit and re certification
5.6.1 审核关注点的策划Planning of audit focus points
(1) 内审、管理评审和预防措施、纠正措施的实施情况;
Implementation status of internal audit, management review, preventive and corrective measures
(2) 针对上次评审的不符合所采取的措施的有效性;
The effectiveness of the measures taken in response to the non conformities identified in the last review
(3) 根据ITSMS标准及认证其他文件要求,与外部各方的沟通情况;
Communication with external parties in accordance with ITSMS standards and certification requirements
(4) 文件化管理体系的变更及涉及变更的区域;
Changes to the Document Management System and Areas Involved in Changes
(5) 针对获证组织与信息安全有关的资产威胁、脆弱性和影响的评估、控制措施的选择 及对控制措施有效性的监视测量。
Assessment of asset threats, vulnerabilities, and impacts related to information security for certified organizations, selection of control measures, and monitoring and measurement of the effectiveness of control measures
5.6.2 监督审核 Surveillance audit
监督审核执行《认证审核管理程序》的要求。
Supervise and audit the implementation of the requirements of the Certification Audit Management Procedure.
5.6.2.1 监督审核应包括(但不限于)以下内容:
Supervision and audit should include (but not limited to) the following contents:
(1) 体系保持和变化情况;System maintenance and changes;
(2) 顾客投诉情况;Customer complaint situation;
(3) 涉及变更的范围;Scope of changes involved;
(4) 内部审核与管理评审;Internal audit and management review;
(5) 服务目录的变化情况;Changes in the service directory;
(6) 对上次审核时提出的不符合所采取纠正措施的审查;
Review of corrective measures taken for non conformities identified during the last audit;
(7) 标志的使用和(或)任何其他对认证资格的引用;
The use of the logo and/or any other reference to certification qualifications;
(8) 适当时,其它选定的范围。When appropriate, other selected ranges
5.6.2.2 Surveillance audit frequency
Subject to the accreditation requirements, the interval and frequency of surveillance audits shall be designed and determined according to the characteristics of the business activities covered by the certified organization's ITSMS and the risks it carries. When the certified organization's ITSMS undergoes a major change, or when major problems, service quality incidents, customer complaints or similar events occur, the frequency of surveillance may be increased as the situation requires. The interval between surveillance audits shall not exceed 12 months. The surveillance cycle and timing may be chosen to suit the seasonal pattern of the certified organization's operations and its internal audit schedule, but surveillance audits must cover all business activities within the scope of the ITSMS certification.
5.6.2.3 Evaluation of surveillance audit results
For a certified organization that passes the surveillance audit, Huakai shall decide to maintain its ITSMS certification; otherwise the certification shall be suspended, withdrawn or cancelled as appropriate.
5.6.3 Recertification audit
Recertification audits shall be carried out in accordance with the General Certification Audit Management Procedure.
Before the certificate expires, Huakai recertifies the certified organization on its application, so that the ITSMS certificate remains continuously valid.
5.6.3.1 Planning the recertification audit
5.6.3.1.1 Huakai shall plan and conduct a recertification audit to evaluate whether the certified organization continues to fulfil all requirements of the ITSMS standard and the related normative certification documents.
5.6.3.1.2 The recertification audit shall consider the performance of the ITSMS over the certification cycle, including a review of previous surveillance audit reports.
5.6.3.1.3 When there have been significant changes to the certified organization, its ITSMS or the context in which it operates, Huakai shall have a procedure to manage the stage 1 audit that the recertification audit may then require.
5.6.3.1.4 For multi-site certification, or certification against more than one management system standard, recertification audit planning shall ensure that on-site audit coverage is sufficient to provide confidence in the ITSMS certification.
5.6.3.2 The recertification procedure shall be consistent with the requirements and guidance for ITSMS certification audits.
5.6.3.3 Huakai shall decide whether to renew the certification on the basis of the recertification audit results, the results of system evaluation over the certification cycle, and complaints received from users of the certification. Where a nonconformity is found during a surveillance or recertification audit, it shall be effectively corrected within the time agreed with Huakai. If correction is not completed within the agreed time, the scope of certification shall be reduced, or the certificate suspended or withdrawn. The time allowed for corrective action shall be commensurate with the severity and risk of the nonconformity, so that the client organization's products or services continue to meet the specified requirements.
5.7 Selecting and appointing the audit team
The audit programme manager shall select and appoint the audit team (including the audit team leader) according to the competence needed to achieve the audit objectives, and shall ensure that its members have passed Huakai's evaluation of audit competence and professional (technical-area) competence and are able to complete the audit in question. Where there is only one auditor, that auditor shall be competent to perform the duties of an audit team leader applicable to the audit. In deciding the size and composition of the audit team, the following factors shall be considered:
The audit team must collectively possess competence for every technical area within the audit scope (see Appendix A, ITSMS certification technical areas). Professional auditors competent for the audited organization's certification scope shall be included; otherwise the audit shall be conducted with the support of technical experts. The knowledge and skills needed by the audit team leader and auditors may be supplemented by technical experts and interpreters, who shall work under the direction of the auditors. When interpreters are used, care shall be taken that they do not unduly influence the audit. The audit team for every audit (including stage 1 and stage 2 audits) shall have the necessary professional competence.
5.8 Requirements for conducting the audit
5.8.1 Applying confidentiality requirements during the on-site audit
5.8.1.1 If the audit team encounters either of the following situations on site, it shall report to the company immediately and complete the follow-up work according to the measures the company decides on:
a) If it is found that the audited organization does not permit access to information assets, or that Huakai cannot meet the audited organization's requirements for accessing its information assets, Huakai shall assess the impact on the audit and the certification and take corresponding measures (for example terminating the audit, or reducing the scope of the audit and the certification);
b) If the audited organization has not previously prohibited Huakai from accessing a particular information asset, or has not informed Huakai of its requirements for accessing information assets, and Huakai finds during the certification process that it is not qualified or in a position to access that asset, it shall raise the matter with the audited organization immediately.
5.8.1.2 Audit team members shall not record confidential or sensitive information of the audited organization in any form during the audit. Before leaving the audited organization, the audit team shall ask the audited organization to inspect and confirm that no confidential or sensitive information of the audited organization is contained in the documents, materials and equipment the team takes with it.
5.9 Special audits
Special audits, including audits to extend the scope of certification and short-notice audits (covering complaint investigations, changes to the certification scope, restoration after suspension, etc.), shall be carried out in accordance with the Management Procedure for Granting, Maintaining, Renewing, Extending, Reducing, Suspending and Withdrawing Certification.
5.10 Audit report
The basic requirements for preparing audit reports are given in the Certification Audit Management Procedure. The certification audit report shall provide information on how the client's IT organization identifies, evaluates and manages service risks.
5.10.1 The reporting procedure shall ensure that:
(1) before leaving the client organization's premises, a meeting is held between the audit team and the client organization's management, at which the team provides:
a) a written or oral statement on the conformity of the ITSMS with the specific certification requirements;
b) an opportunity for the client organization to ask questions about the audit findings and the basis for them;
(2) the audit team provides Huakai with an audit report of its findings on the conformity of the client organization's ITSMS with all certification requirements.
5.10.2 The audit report shall provide, or refer to, the following information:
a) a description of the audit, including a summary of the document review;
b) a description of the certification audit performed on the client organization's information security risk analysis;
c) a breakdown of the total audit time used and of the time spent respectively on document review, review of the risk analysis, the on-site audit and the audit report;
d) the audit enquiries made, the reasons for selecting them and the methods used.
5.10.3 The audit report shall be detailed enough to support the certification decision. It shall include:
a) the definition of the certification scope and any changes to it;
b) the areas covered by the audit (for example the certification requirements and the sites audited), including the main audit trails followed and the audit methods used;
c) observations, both positive (for example noteworthy features) and negative (for example potential nonconformities);
d) details of every nonconformity identified, including the objective evidence supporting it and the requirements of the certification criteria or other documents that it relates to;
e) an opinion on the conformity of the client organization's ITSMS with the certification requirements and a clear statement of the nonconformities, the version of the Statement of Applicability referenced, and, where applicable, any useful comparison with the results of the client organization's previous certification audits;
f) completed questionnaires, checklists, observations, logs or auditor notes may form part of the complete audit report. Where these are used, they shall be provided to Huakai as evidence supporting the certification decision. Information on the samples evaluated during the audit shall be included in the audit report or other certification records.
The report shall consider the adequacy of the client organization's internal organization and procedures so that confidence in its ITSMS can be established. In addition to the requirements for audit reports in clause 9.4.8 of CNAS-CC01:2015, the report shall include:
a) the degree of reliance placed on the ITSMS internal audits and management reviews;
b) a summary of the most significant positive and negative observations on the implementation and effectiveness of the ITSMS;
c) the audit team's recommendation on whether ITSMS certification should be granted to the client organization, together with the information supporting that recommendation.
5.11 Certification decision
Certification decisions shall comply with the Certification Decision Management Procedure and, in addition, the following requirements:
5.11.1 When it is learned that a particular certified organization's ITSMS has changed (especially during planning of surveillance and recertification audit programmes) and the original competence analysis and evaluation has been updated accordingly, certification decision personnel with the competence matching the updated requirements shall be assigned to complete the certification evaluation, so that the certification decision remains valid.
5.11.2 Attention shall be paid to the identification of information security-related assets, threats and vulnerabilities, the information security risk assessment and risk treatment, and the effectiveness of the corresponding controls.
5.12 Certificate format
The Rules for the Use of Certification Certificates and Certification Marks apply, together with the following requirements:
5.12.1 Certificate content
The certificate shall be written in Chinese and shall contain at least the following:
(1) the name of the certificate, namely Information Technology Service Management System Certificate;
(2) a certificate number conforming to 5.12.2;
(3) the certified organization's name, registered address, audited address and postal code;
(4) the certification criteria with which conformity has been demonstrated;
(5) the service categories covered by the certification;
(6) the date of issue, the date of reissue (if any) and the start and end dates of the validity period, for example: date of issue 1 May 2002, valid from 1 May 2002 to 30 April 2005;
(7) the name and mark of the certification body;
(8) the seal of the certification body and the signature of its legal representative or an authorized person;
(9) the accreditation symbol and accreditation registration number (these shall be those of an accreditation body recognized by the CNCA; certificates issued for the purpose of applying for accreditation may omit this item).
Where the certification covers many product (or service) categories, processes or sites, these shall be listed in an annex to the certificate.
5.12.2 Certificate number
5.12.2.1 One certificate number is assigned for the certification of one ITSMS implemented by one organization.
5.12.2.2 The certificate number consists of the certification body's approval number, the year of certification, the English abbreviation for the IT service management system, a serial number, the certification attribute, the service category and the sub-certificate number, in the following format:
5.12.2.3 Where the certification scope of one organization covers several sites and sub-certificates need to be issued, a "-" and a sequence number are appended to the sub-certificate number, for example -1 (-2, -3, ...).
5.12.2.4 When a certificate is reissued during its validity period, the body registration number, year, serial number and validity period in the certificate number remain unchanged, and the reissue date shall be indicated.
5.12.2.5 When a certificate is reissued after recertification, a new certificate number is assigned under 5.12.2.2: the first recertification is marked "R1", the second "R2", and so on.
5.12.2.6 After a certificate is withdrawn, the original certificate number is retired and shall not be reused.
5.12.2.7 The name of the certification body on the certificate shall be identical to the name on the certification body's approval document.
5.12.3 Control of how certified organizations publicize certification results
The certification body shall, by authorizing use of the mark, require certified organizations to cite the certification criteria defined in these rules when publicizing and using certification results, and to state the certified service categories and the certificate number. While a certificate is suspended, or after it is withdrawn, the corresponding authorization shall be recalled.
Certified organizations shall not be authorized to use the mark on products, or in any way that implies product conformity.
5.13 Maintaining registration
Maintaining, suspending or withdrawing a certified organization's registration, or reducing its scope of certification, shall be managed in accordance with the Management Procedure for Granting, Maintaining, Renewing, Extending, Reducing, Suspending and Withdrawing Certification. In addition, if it is found that the audited organization does not permit access to information assets, or that Huakai cannot meet the audited organization's requirements for accessing its information assets, Huakai may, after assessing the impact on the audit and certification, reduce the scope of certification or suspend or withdraw the registration.
6 Reference documents
(1) CNAS-CC01:2015 Requirements for bodies providing audit and certification of management systems (idt ISO/IEC 17021-1:2015)
(2) CNAS-CC175:2017 Requirements for bodies providing audit and certification of IT service management systems (idt ISO/IEC 20000-6:2017)
(3) CNAS-SC175:2017 Accreditation Scheme for Information Technology Service Management System Certification
(4) HIC-QC/UD-08 Competence Analysis and Evaluation System Management Procedure
(5) HIC-QC/UD-09 General Certification Audit Management Procedure
(6) HIC-QC/WI-01 Audit Programme Planning Management Measures
(7) HIC-QC/UD-17 Certificate Transfer Management Procedure
(8) HIC-QC/UD-11 Management Procedure for Granting, Maintaining, Renewing, Extending, Reducing, Suspending and Withdrawing Certification
(9) HIC-QC/UD-14 Certification Decision Management Procedure
(10) HIC-QC/OD-06 Rules for the Use of Certificates, Certification Marks and Audit Reports and for Statements of Certificate Status
(11) Business categories for ITSMS certification (first batch)
(12) Implementation rules for ITSMS certification
7 Records
(1) HIC-114 Certification Personnel Registration Form
(2) HIC-133 Audit Experience Summary
(3) HIC-122 Management System Certification Personnel Interview Report
(4) HIC-127 Certification Personnel Professional Competence Evaluation Form
(5) HIC-115 Auditor and Certification Management Personnel Professional Competence Test Form
(6) HIC-136 Witnessed Audit Report for CCAA-Registered Management System Auditors
(7) HIC-135 Witnessed Audit Report for Internal Auditors
(8) HIC-134 Auditor Witnessed Audit Application
(9) HIC-129 Certification Management Personnel Professional Competence Evaluation Form
(10) HIC-101 Certification Application Form
Appendix A  ITSMS certification technical areas

| Category | Subcategory no. | Subcategory | Notes |
|---|---|---|---|
| 01 Planning and design services | 01.01 (A) | Information system consulting and planning | Information system consulting and planning services |
| | 01.02 | Information system hardware design and development services | Design of the architecture, selection and implementation strategy of information system hardware, and its development |
| | 01.03 (C) | Information system software design and development services | Software design and development services |
| | 01.04 (D) | Information technology consulting services | Consulting and training on the use of hardware or software |
| 02 Integration services | 02.01 | Equipment system integration services | Integrated design, installation and commissioning of equipment and its embedded software for the purpose of building the customer's information management support platform, e.g. network system integration, intelligent building system integration, security protection system integration |
| | 02.02 | Software system integration services | Integration of separate software, functions and information into an interconnected, unified and coordinated platform, e.g. interface integration, data integration, application integration |
| 03 Testing and supervision services | 03.01 (G) | Information system testing services | Testing to verify that an information system conforms to its requirements |
| | 03.02 (H) | Software product testing services | Testing to verify that a software product conforms to its requirements |
| | 03.03 (I) | Information system engineering supervision | Supervision of information system engineering projects |
| | 03.04 (J) | Software engineering supervision services | Supervision of software development |
| | 03.05 | Other testing and supervision services | |
| 04 Operation and maintenance services | 04.01 (L) | Infrastructure operation and maintenance services | Operation and maintenance of computer room facilities such as power, air conditioning, fire protection, physical security and network |
| | 04.02 (M) | Hardware operation and maintenance services | Status monitoring, fault handling, performance optimization and related maintenance of computers and peripherals, network equipment, audio/video equipment, automation control equipment and other IT-controlled hardware |
| | 04.03 (N) | Software operation and maintenance services | Installation, upgrade, fault handling, virus protection and other maintenance of system and application software |
| | 04.04 | Other IT operation and maintenance services | |
| 05 Security services | 05.01 | Risk assessment | Assessing the threats to assets and the likelihood that a threat exploits a vulnerability to cause a security incident, and, combined with the value of the assets involved, judging the impact on the organization should the incident occur |
| | 05.02 | Security operations | Professional services that address security issues in the day-to-day operation of networks and information systems, including system hardening, daily security monitoring, periodic security audits, security advisories, patch updates and security technical support |
| | 05.03 | Incident response | Measures and actions taken when handling network and security incidents, to reduce the loss and impact to the customer |
| | 05.04 | Disaster recovery | Activities and processes that restore an information system from failure or outage caused by a disaster to normal operation, and the business functions it supports from the abnormal state caused by the disaster to an acceptable state |
| | 05.05 | Other security services | |
| 06 Business process services | 06.01 (U) | E-commerce support services | Support and management services for e-commerce activities |
| | 06.02 (V) | Software operation services (SaaS) | Delivery of software functionality as a service over a network |
| | 06.03 (W) | Data processing | Processing and use of information content such as images, text, video and speech by means of digital technology |
| | 06.04 (X) | Call centre/service desk services | Call centre services |
| | 06.05 | Other business process services | |
Appendix B  ITSMS audit time
B1 Determining the audit time for the initial audit
HIC shall use the client's effective number of personnel as the basis for calculating the initial certification audit time, using Table 1. Table 1 assumes an 8-hour working day; where the working day is shorter or longer than 8 hours, the table may be adjusted accordingly.
The client's effective number of personnel shall be calculated as full-time equivalents (FTE) and shall be based on the personnel within the scope of the ITSMS. HIC shall be able to justify the relationship between the effective number of personnel supporting the client's ITSMS and services and the audit time.
If the effective number of personnel supporting the ITSMS and services exceeds 1175, the audit time is calculated by extending the progression in Table 1, and the person-days beyond the table are determined by extrapolation.
Whatever the number of client personnel, the adjusted initial audit time shall not be less than 2.5 days.
The management system certification audit time shall be not less than 80% of the audit time. Where planning or report writing needs additional time, this shall not reduce the management system certification audit time.
Table 1 Relationship between the client's effective number of personnel and audit time before adjustment (initial audit)

| Client's effective number of personnel | Audit time, stage 1 + stage 2 (days) |
|---|---|
| 1-15 | 3.5 |
| 16-25 | 4.5 |
| 26-45 | 5.5 |
| 46-65 | 6 |
| 66-85 | 7 |
| 86-125 | 8 |
| 126-175 | 9 |
| 176-275 | 10 |
| 276-425 | 11 |
| 426-625 | 12 |
| 626-875 | 13 |
| 876-1175 | 15 |

Note: Audit time is the time needed to plan and complete a full and effective audit of the client's management system. It includes all time spent on site at the client's premises (physical or virtual) and the time spent off site on planning, document review, communication with client personnel and report writing. Management system certification audit time is the portion of the audit time used to conduct the audit activities from the opening meeting to the closing meeting.
The effective number of personnel comprises all personnel involved in the certification scope, including shift workers. Personnel within the scope also include non-permanent staff (for example contractors) and part-time staff. Part-time staff, and staff only part of whose work falls within the certification scope, are converted to an equivalent number of full-time staff according to the hours worked, which may reduce or increase the count. Where a large number of staff perform repetitive activities or tasks, the number of personnel counted within the scope may be reduced. Any such reduction shall be methodical and applied consistently according to each client's circumstances.
B2 Adjusting the audit time
All attributes of the client's ITSMS and services shall be considered, and the initial audit time adjusted accordingly; the adjustment may justify more or less audit time. Whatever adjustment factors are applied, HIC shall ensure that enough audit time is allocated to complete a full and effective audit of the client's ITSMS. Any increase or reduction in audit time shall be documented and justified.
Tables 2 and 3 show how the relevant factors affect the audit time in Table 1. Shift work refers to handover or collaboration between several sites and/or teams operating within a continuous working cycle.
Reductions to the audit time in Table 1 shall not exceed 30%.
Table 2 Factors for reducing audit time

| No. | Potential reducing factor |
|---|---|
| 1 | The ITSMS and services rarely change |
| 2 | Effective implementation of the SMS (service management system) has previously been demonstrated, for example by certification from another accredited certification body |
| 3 | The ITSMS is audited in combination with one or more other related management systems |
| 4 | Prior knowledge of the organization, for example it already holds certification to other standards from the same certification body |
| 5 | A single, simple service |
| 6 | All shifts perform exactly the same activities and there is suitable evidence of equivalent performance across all shifts, e.g. a service desk |
| 7 | Most of the personnel involved in service management perform a similar single function |
| 8 | A single site with a small number of personnel |
| 9 | Low dependence on other parties involved in service delivery, such as suppliers, internal groups or customers acting as suppliers |
Table 3 Factors for increasing audit time

| No. | Potential increasing factor |
|---|---|
| 1 | Complex logistics, including multiple management layers or multiple workplaces, whether in one time zone or across several |
| 2 | Complexity of language differences between sites, for example staff speaking more than one language (requiring an interpreter, or preventing auditors from working independently) |
| 3 | A large or complex ITSMS scope, for example many services, personnel or sites, or specialized services that are difficult to understand and maintain |
| 4 | Demanding legal and regulatory requirements affecting the client's ITSMS, for example intellectual property, privacy, food, pharmaceuticals, aviation, nuclear |
| 5 | Different shifts perform different activities |
| 6 | The ITSMS scope of the specific audit includes temporary sites |
| 7 | Complex business processes within the ITSMS scope |
| 8 | High dependence on other parties involved in service delivery, such as suppliers, internal groups or customers acting as suppliers |
| 9 | Frequent addition of new services, removal of services, service transitions or major changes to services |
B3 Adjustment of audit time for certification to other management system standards
If the client holds certification to other relevant management system standards, such as ISO 9001 and/or ISO/IEC 27001, the certification body may reduce the initial audit time.
Audit time may be reduced on the basis of certification to other relevant management system standards only when all of the following conditions are met:
a) the certification to the other management system standard is relevant to the ITSMS being audited;
b) any existing certificate is valid and an accredited certification body has audited it at least once within the last 12 months;
c) the scope of certification to the other management system standard is equivalent to or larger than the scope of the ISO/IEC 20000-1 certification.
The amount by which the audit time is reduced should depend on the degree to which the client's service management system is integrated with the other management systems.
Whatever other relevant management system certifications the client holds, the certification body should ensure that sufficient time is allocated for a complete and effective audit of the client's ITSMS.
Note: Auditing management systems from two or more different disciplines at the same time is called a "combined audit"; when these management systems are integrated into a single management system, the audit principles and procedures are the same as for a combined audit.
B4 Determining the audit time for surveillance audits and recertification audits
When determining the time required for surveillance audits and recertification audits, the following factors should be considered:
a) the management system certification audit time should be not less than 80% of the total audit time;
b) the annual surveillance audit, which may consist of one or more audits, should have an audit time of not less than one third of the initial audit;
c) the audit time for a recertification audit should be not less than two thirds of the initial audit;
d) the adjusted surveillance audit time should be not less than 1 day;
e) the adjusted recertification audit time should be not less than 2 days.
B5 Remote audit
An audit that is not conducted face-to-face at the same location, but from another location, is called a remote audit. The audit plan should identify the remote audit techniques that will be used during the audit.
Table 4 describes acceptable and unacceptable practices for remote auditing. The certification body should not use the unacceptable practices listed in Table 4; the acceptable practices may be used.
Remote auditing should not reduce the audit time below the audit time calculated from Table 1 after the appropriate adjustments have been applied.
If, in the audit plan developed by the certification body, remote audit activities exceed 30% of the planned on-site audit time, the certification body should document the reasons.
Table 4 Acceptable and Unacceptable Remote Audit Practices
| Serial Number | Acceptable |
|---|---|
| 1 | Teleconferencing: video and audio, web conferencing, interactive web communication |
| 2 | Remote access to the tools that support the SMS |
| 3 | Remote access to the repository of SMS documents and records |

| Serial Number | Not acceptable |
|---|---|
| 4 | Relying solely on documents |
| 5 | Assuming that the functions at all sites are identical without evidence to support that assumption |
| 6 | Conducting the audit without interviewing personnel |
Note: On-site audit time refers to the on-site audit time allocated to a single site. An electronic audit of a client's remote site, even when conducted from one of the client's other sites, is considered a remote audit.