An Overview of ISO 19770-1 Processes – Part 1 of 3
Software is a business asset.
That statement may be so obvious to you that my writing it seems a waste of bandwidth. However, many businesses nevertheless have been “late to the dance” when it comes to effective management of that business asset. While they may rigorously record and catalog the details of their IT hardware and infrastructure, they often fail to pay anything close to the same level of attention to the programs powering those assets.
To a certain extent, that is perhaps unsurprising, since software is a very different kind of asset. Where businesses usually own their network hardware outright, most software use is governed by the terms of a license agreement with the software publisher. Where hardware is relatively easy to safeguard from external dangers, the threats to software evolve constantly, and the strategies for countering them must evolve just as constantly. Where there is no appreciable risk that a business’ employees will bring stolen network switches to work for their personal use, it can be very difficult to keep employees from installing and using pirated or otherwise unlicensed software on company computers.
However, just because software asset management (“SAM”) is a challenge does not mean that businesses may be (or should want to be) excused from rising to it. Considering the high costs associated not only with software licensing but also with the effort that must be spent to “fix” software-related problems when they occur, businesses simply cannot afford to have ineffective (not to mention missing) SAM tools at their disposal.
With that fact in mind, the International Organization for Standardization (“ISO”) and the International Electrotechnical Commission (“IEC”) released International Standard ISO/IEC 19770-1 on May 1, 2006. ISO 19770-1 “establishes a baseline for an integrated set of processes for [SAM].” The standard divides those processes into three main categories – Organizational Management Processes for SAM, Core SAM Processes, and Primary Process Interfaces for SAM. This first part of the series covers the Organizational Management Processes.
The ISO 19770-1 Organizational Management Processes for SAM are divided into two process subsets: (1) those regarding the SAM Control Environment, which include processes specific to corporate governance as well as organizational roles and responsibilities, policies and procedures, and assurance of competence with regard to SAM; and (2) those regarding SAM Planning and Implementation, which, predictably, include processes specific to planning, implementation, monitoring and review, and continual improvement of SAM.
The key “message” of the Control Environment processes is that effective SAM is impossible without input and support from an organization’s corporate officers, who ultimately are the ones responsible for clearly defining the organizational roles, responsibilities, policies and procedures regarding planning and implementation of SAM. Officers are uniquely situated within an organization not only to oversee the big-picture implementation of effective SAM, but also to objectively assess the risks of incomplete or uninitiated SAM – licensing exposure, unsupported or unpatched software, and the cost of cleaning up after problems that an inventory would have caught earlier. Therefore, naturally, it must be the officers who select the individuals to execute SAM within the organization, and it must be the officers who approve the initiatives those individuals undertake. ISO 19770-1 makes clear that, unless the officers become interested stakeholders, the SAM process will go nowhere.
Once the “captains” for an organization’s SAM efforts place themselves in charge of those efforts, they must make sure that the organization has a useful and standardized “playbook” to guide the SAM process and to prevent the need for micro-management. The SAM Planning and Implementation processes in ISO 19770-1 tell the captains what needs to go in that playbook. As with many ISO standards, one of the goals of ISO 19770-1 is to promote a set of processes that to a large extent run themselves once established. While the ISO 19770-1 standard speaks in terms of “SAM owners” – those responsible for the management of one or a set of discrete SAM processes – the processes that an organization implements under ISO 19770-1 are standardized, cross-linked with other SAM processes, and tied by cross-reference to the ISO standard itself. Once implemented correctly, SAM under ISO 19770-1 should cost considerably less, relative to the benefit it delivers, than might be expected.