FREQUENTLY ASKED QUESTIONS
Here are the most frequently asked questions (FAQs) and answers about the ISO/IEC 19770-1 certification scheme. This webpage is updated frequently.
For more information, visit our Knowledge Base for videos, infographics, on-demand webinars, and more.
You can also sign up to receive updates about the ISO/IEC 19770-1 certification scheme.
Why did the ITAM Forum create an ISO/IEC 19770-1 certification scheme?
IT has become a critical component of every business. In fact, IT is now ‘the business’. Because of this, it’s now, more than ever, critical to track IT assets throughout their lifecycle, and this is why ITAM is becoming more strategic and receiving more scrutiny from senior management and the Board.
This video tells you more.
Which organisations are ISO/IEC 19770-1 certified?
Who created the certification scheme?
The ITAM Forum is the owner of this scheme. It established a Committee of Experts, nearly 100 individuals from 20 countries and 30+ industries, to draft the scheme and to determine how certification will be measured. This committee also works with NEN, the Royal Netherlands Standardization Institute, which provides guidance.
Does an organisation need a mature ITAM practice to be certified?
Any organisation can go through the certification process; however, a degree of ITAM maturity is needed to achieve certification. This is a management system certification scheme so organisations need to have a management system in place and to understand its role and purpose.
Is help available to organisations before they start the certification process?
We’ve created a Readiness Assessment Questionnaire to help organisations find out if they’re ready for ISO/IEC 19770-1 certification. You’ll receive a personalised report with tailored feedback. The questionnaire is based on four key areas aligned to the ISO/IEC 19770-1 standard:
- business plan
- management system
A ‘pre audit’ is available from Brand Compliance, the main auditor of the ITAM Forum ISO/IEC 19770-1 certification scheme. The pre audit provides a gap analysis, which highlights the improvements needed for certification.
Is a ‘check list’ available so we can self-audit and prepare for the audit?
A check list is not available. However, we have created a Readiness Assessment Questionnaire (10 minutes to complete). You’ll received a personalised report with tailored feedback in four yet areas aligned to the ISO/IEC 19770-1 standard.
Also, the pre audit will identify any gaps that need to be resolved before you start the official certification audit. There is no time limit between the pre audit and starting the official certification process.
The ISO/IEC 19770-1 standard itself should be used as your starting point. Everything you need to know, and everything that will be reviewed and checked by the auditor, is written within the standard.
What is the marking system for the certification scheme?
The ISO/IEC 19770-1 standard itself contains all of the requirements the auditor will look for. During an audit, the auditor will go through Chapters 4-10 of the standard and check to make sure your organisation has met all of the specific requirements.
What does the audit involve?
The process starts with a pre-audit, which assesses your organisation’s management system and verifies the scope for certification. The output of this is a gap analysis report that identifies the improvements needed to secure certification.
You will then have time to make the needed improvements. When you are ready to start the official certification process, you will start with Stage 1, which is the first stage of the initial certification audit. This stage focuses on whether or not your management system meets the ISO/IEC 19770-1 standard’s requirements.
Stage 2 is the second stage of the initial certification audit. It is a more in-depth audit that involves interviews and observations. The auditor will also check to make sure the management system is working effectively, and that processes and procedures are followed by all members of the ITAM team.
After Stage 2, you will have time to adjust and correct processes and procedures as necessary. When this is complete, Brand Compliance’s independent Certification Committee will review the auditor’s report, and if successful, issue a certificate.
For more information, watch this video from Brand Compliance, the certification scheme auditor.
Is the audit conducted remotely or in-person?
The process starts with a pre-audit, which assesses your organisation’s management system and verifies the scope for certification. This is done remotely.
When you are ready to start the official certification process, you will start with Stage 1, which is the first stage of the initial certification audit. This stage focuses on whether or not your management system meets the ISO/IEC 19770-1 standard’s requirements. This is done remotely.
Stage 2 is the second stage of the initial certification audit. It is a more in-depth audit that involves interviews and observations. This is done on-site and in-person.
How long does it take to perform an audit?
There are rules and guidelines, stipulated in ISO/IEC 19770-1, that an auditor must follow to determine the time needed to perform the audit. All auditors must adhere to these.
Factors affecting the time include: number of full-time-employees, complexity of the organisation’s management system, office locations, centralised/decentralised processes, different entities, etc.
On average, the process from Stage 1 to issuing the certificate takes 3-4 months, but it can vary. 70% of the audit time is spend on-site with an organisation.
How much does certification cost?
The pre-audit is a fixed price of 4,800 euros. The cost of the certification process is dependent on a number of factors. In general, the cost ranges from 15k to 25k Euros.
How long is certification valid?
Certification is valid for three years. Twice, during the two years after a certificate is issued, a surveillance audit will be conducted – a sample of your organisation’s management system will be analysed. A recertification audit will happen three years after the initial certification, which involves a full assessment of your organisation’s management system.
How often does an organisation need to be recertified?
Certification is valid for three years, but in year 2 and year 3 after the initial certification, Brand Compliance will conduct a surveillance audit to make sure the organisation’s management system is still working effectively. During Year 4, a recertification audit is conducted.
Can SAM and HAM be audited separately?
It is possible, but you will need to set up two management systems, one for SAM and one for HAM. Brand Compliance recommends including both SAM and HAM within one management system.
Chapter 2 of the ISO/IEC 19770-1 standard provides an overview of all possible IT assets, which will help you to define the scope of your management system.
If my organisation is already ISO certified (27001, 9001, etc.), will this impact certification for ISO/IEC 19770-1?
If you have already implemented a management system, you can use it and expand it to include ITAM. To do this, you will need to collaborate with different departments within your organisation.
What are the biggest mistakes organisations make when they start the certification journey?
The biggest hurdle is to define the scope of your organisation’s management system as there are many IT assets. You will also need to work with other departments within your organisation and sometimes, this can cause delays. These two factors are often underestimated.
What is the best approach for building the business case for certification?
This really depends on your organisation… what’s important to it, it’s key risks and how certification can help. If you need help building a business case, please outreach to us – we are happy to help.
See our document: How to Build a Business Case for ISO/IEC 19770-1 Certification