The Importance of ISO 19770 Certification

First posted October 27, 2023 on the Anglepoint Blog

In this article Anglepoint’s President and Chairman Ron Brill explains what the ISO 19770 certification is about, where it can fit into your organisation, and how to leverage it to maximise your results. You can also take our ISO Readiness Quiz to help you discover if your organisation is ISO/IEC 19770-1 ready. As Chair of the ISO Committee for IT Asset Management and Vice Chair of the ITAM Forum, Ron is passionate about bringing this level of accountability and measurability to the ITAM industry. In internal ISO terminology these committees, where the international standards are actually being developed, are called working groups. The group dedicated to IT Asset Management is known as Working Group 21.

What is the importance of ITAM standards?

ITAM standards are significant because they provide a way to benchmark the industry, establish a prescribed level of maturity that the ITAM function should meet, and serve as a best-practice guide. The standards help organisations understand the key concepts to consider when running an effective ITAM program.

These standards provide:

1. Interoperability

Because ITAM does not operate in a silo and interacts with several other functions within the organisation, from Information Security to Finance and Legal, all ISO standards are designed with interoperability in mind. A big part of ISO is related to adopting a service-provider mindset—focusing on value while minimising duplication of effort, minimising risks and maximising benefits for the organisation by ensuring that one process or system produces whatever another process or system requires, at the point it is required.

2. Common Language

ITAM standards provide a common language and terminology, which facilitates easier communication and knowledge sharing within the ITAM ecosystem, whether between ITAM and other functions within the same organisation or among ITAM practitioners in different countries or in different companies. This knowledge sharing may also occur among software publishers, SAM tool vendors, consultants, and end-user organisations.

3. External Certifications

Having these external certifications means that a reputable third party (we will explore these later in this article) has determined that an organisation is complying with the ISO standard. The availability of external certification for ITAM is still a work in progress. In principle, external certifications allow you to demonstrate to other parties such as software publishers, customers, business partners, or regulatory bodies and regulators that you have achieved the highest level of recognition possible for your SAM or ITAM program. This recognition can help satisfy legal requirements, help obtain better commercial terms, and allow your organisation to participate in bids that stipulate such requirements. In the case of a security breach and resulting lawsuits, they allow your organisation to demonstrate that you have taken IT governance seriously by implementing the acknowledged best-in-class management system for IT Asset Management. This should ultimately help to reduce any fines and penalties.

4. Benchmarking

Benchmarking data is incredibly useful in order to assess how your ITAM program is operating in comparison to your peer group in the industry. Are you doing the same things and are you getting the same results? This benchmarking can only be done effectively when you are comparing apples to apples. When comparing different organisations that follow the same standard, similar measures of performance can be referenced.

5. Management Assurance

Executives who are typically not experts in software asset management can be reassured that their organisation is doing the right things around SAM, in line with recognised industry best practices. It demonstrates that the organisation is not just implementing a project plan to improve but actually following best practices for SAM in order to realise increased levels of management maturity.

How are international standards in ITAM developed, and where do they come from?

There is only one global standards organisation in the world, and that is ISO. It was established after the Second World War and is headquartered in Geneva, Switzerland. ISO is currently made up of about 165 member countries that have all agreed not only to participate in the development of the work but also to adopt the approved standards. Each country appoints one national standards body to be its representative for ISO. In the U.S. that national standards body is the American National Standards Institute (ANSI). In the UK, it is the British Standards Institute (BSI), and so on. National bodies then delegate experts to participate in the various committees. All experts are volunteers, and they are the ones who actually write the standards. These standards normally need to be refreshed once every five years. That is ISO's way of ensuring that all committees keep their standards current. Given that it takes about two years from start to finish to develop a standard, about three years after a given standard is published the committee needs to start working on the next edition. Each such committee has a chair (or a Convener in ISO terminology) who is elected by vote of the member countries for a three-year term. Within each working group there can be multiple work streams for the different projects under development or for different study groups. It is important to state here that, while committee members come from different countries, different organisations and different backgrounds, they all operate purely as independent experts, not representing the interests of any country or employer. There is no voting within the committee, and all decisions are reached by consensus. ISO, for its part, conducts global ballots at key stages of the development lifecycle, where countries get to vote and provide comments on the work done within these committees.

The ITAM Standards Committee within ISO (also known as Working Group 21) was established in 2004 and now has over 175 members from over 25 countries. Several liaison organisations participate in the work of the committee, and the members represent a cross-section of the ITAM ecosystem. There are representatives from all areas of the industry, including end-user organisations, software publishers, SAM tool vendors, consulting firms, analysts, media firms, audit firms, and industry bodies.

What do the ISO Standards include?

Currently, there are six published ITAM standards that can be divided into three groups.

Firstly, the Management System standards address mostly the end-user perspective of SAM and are less relevant to non-end-user organisations. This group includes the ITAM flagship standard, 19770-1. The first edition of this standard was published in 2006 and was the first standard of this committee. Today they are on the third edition of this standard, originally published in 2017. Each standard in the 19770 family is identified by a dash followed by a number. The 19770-8 standard provides a mapping framework between -1 and other standards and governance frameworks. It was published in 2020, and the hope is to see organisations that own such other frameworks pick up the mapping task using the -8 template.

Next, the Information Structure standards provide a schema for storing and exchanging ITAM-related information. They allow for more efficient and effective ways to exchange information within the ITAM ecosystem between software publishers, tool vendors and end users.

This includes the -2 standard, which defines and provides Software Identification Tags (SWID tags); the -3 standard, which provides an entitlement data schema; and the -4 standard, which is for resource utilisation measurement. The nature of these standards (XML schemas) is that they are likely of more interest to software publishers and tool vendors.

There are creative ways that end-user organisations can utilise these information structure standards, and end-users certainly need to be aware of them. An example of this is -2 for SWID tags, which have been adopted and are mandated by parts of the U.S. federal government for information security purposes. A SWID tag is an XML document that the software publisher can digitally sign; this in turn allows the organisation to verify that the software is genuine and has not been tampered with.
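To make the SWID discussion concrete, here is an added example (not code from the article or from Anglepoint) that parses a 19770-2:2015 `SoftwareIdentity` tag and checks an installation against the file hashes in the tag's `Payload`. The tag, the product name "Acme Tool", the `regid` `example.com` and the sample files are all constructed for illustration; the namespace URIs are the ones the -2:2015 schema uses. The example only reports whether a `ds:Signature` element is present; verifying the publisher's XML digital signature itself (the "genuine software" check the article refers to) needs an XMLDSig implementation and is not attempted here.

```python
"""Parse a constructed ISO/IEC 19770-2:2015 SWID tag and check payload hashes."""
import hashlib
import os
import posixpath
import tempfile
import xml.etree.ElementTree as ET

# Namespaces from the 19770-2:2015 schema; the hash attribute namespace follows
# the XML Encryption algorithm identifier convention used in -2 examples.
SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample installation: relative path -> file contents.
SAMPLE_FILES = {
    "bin/acme-tool": b"#!/bin/sh\necho acme tool 4.2.0\n",
    "etc/acme.conf": b"log_level=info\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed tag (hypothetical product and regid). Hashes are derived from
# SAMPLE_FILES so the tag and the sample installation are consistent.
SAMPLE_TAG = f"""<SoftwareIdentity xmlns="{SWID_NS}" xmlns:SHA256="{SHA256_NS}"
    name="Acme Tool" tagId="example.com-AcmeTool-4.2.0" version="4.2.0" tagVersion="1">
  <Entity name="Acme Software (constructed)" regid="example.com"
          role="tagCreator softwareCreator"/>
  <Payload>
    <Directory name="bin">
      <File name="acme-tool" size="{len(SAMPLE_FILES['bin/acme-tool'])}"
            SHA256:hash="{sha256_hex(SAMPLE_FILES['bin/acme-tool'])}"/>
    </Directory>
    <Directory name="etc">
      <File name="acme.conf" size="{len(SAMPLE_FILES['etc/acme.conf'])}"
            SHA256:hash="{sha256_hex(SAMPLE_FILES['etc/acme.conf'])}"/>
    </Directory>
  </Payload>
</SoftwareIdentity>
"""


def parse_swid(xml_text: str) -> dict:
    """Extract identity, entities, payload file hashes and signature presence."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SWID_NS}}}SoftwareIdentity":
        raise ValueError("not a 19770-2:2015 SoftwareIdentity element")
    entities = [
        {"name": e.get("name"), "regid": e.get("regid"), "roles": e.get("role", "").split()}
        for e in root.findall(f"{{{SWID_NS}}}Entity")
    ]
    files = {}

    def walk(node, prefix):  # Directory elements may nest; accumulate the path
        for child in node:
            local = child.tag.split("}")[-1]
            if local == "Directory":
                walk(child, posixpath.join(prefix, child.get("name", "")))
            elif local == "File":
                files[posixpath.join(prefix, child.get("name"))] = child.get(f"{{{SHA256_NS}}}hash")

    payload = root.find(f"{{{SWID_NS}}}Payload")
    if payload is not None:
        walk(payload, "")
    # Presence only: a real check must validate the XMLDSig signature and the signer.
    signed = root.find(f"{{{DSIG_NS}}}Signature") is not None
    return {"name": root.get("name"), "tagId": root.get("tagId"),
            "version": root.get("version"), "entities": entities,
            "files": files, "signed": signed}


def check_payload(tag: dict, root_dir: str) -> dict:
    """Compare each payload file on disk with the hash the tag declares."""
    results = {}
    for rel, expected in tag["files"].items():
        full = os.path.join(root_dir, *rel.split("/"))
        if not os.path.isfile(full):
            results[rel] = "missing"
            continue
        with open(full, "rb") as fh:
            actual = sha256_hex(fh.read())
        if expected is None:
            results[rel] = "unhashed"
        else:
            results[rel] = "ok" if actual.lower() == expected.lower() else "modified"
    return results


def demo() -> dict:
    """Write the sample install, check it, then re-check after modification."""
    tag = parse_swid(SAMPLE_TAG)
    with tempfile.TemporaryDirectory() as root_dir:
        for rel, data in SAMPLE_FILES.items():
            full = os.path.join(root_dir, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        clean = check_payload(tag, root_dir)
        # Alter one file and delete another to show what the check reports.
        with open(os.path.join(root_dir, "bin", "acme-tool"), "ab") as fh:
            fh.write(b"echo extra line\n")
        os.remove(os.path.join(root_dir, "etc", "acme.conf"))
        altered = check_payload(tag, root_dir)
    return {"tag": tag, "clean": clean, "altered": altered}


if __name__ == "__main__":
    out = demo()
    print(out["tag"]["name"], out["tag"]["version"], "signed:", out["tag"]["signed"])
    print("clean:", out["clean"])
    print("altered:", out["altered"])
```

Payload hashes only tell you whether the files on disk match what the tag declares; without a verified publisher signature on the tag, the tag itself could have been altered along with the files, which is why a tag with `signed` false should not be treated as publisher-attested.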

Finally, there is the Overview & Vocabulary standard, -5, which is the only free standard.

The committee is currently working on updates to three of the standards mentioned here. Additionally, work has begun on six brand-new standards as well as technical reports. All these standards are available for purchase, either from the ISO web store or each country’s national body.

The 19770-1 standard

This is the ISO Management System Standard (MSS) and is based on the Deming Cycle of Continuous Improvement, also known as the Plan, Do, Check, Act method. This concept will be recognised by anyone familiar with Six Sigma and Lean Manufacturing as it utilises the important aspects of a cycle that is iterative and continuous—constant adjustments and improvements. The organisation changes by the day, and the SAM program must change with it or risk becoming irrelevant.

Plan, Do, Check, Act: Applying The Deming Cycle of Continuous Improvement

  • The Plan phase is probably the most important as this determines the needs of the organisation and the scope of ITAM required to satisfy those needs. Policies are developed, risks are assessed, and a detailed plan is created identifying all required resources.

  • The Do phase is to execute/implement the plan that has been developed in the Plan phase.

  • The Check phase is to perform continuous monitoring and review of the ITAM program to see if it is performing as expected and to follow up on exceptions.

  • The Act phase is to remediate any nonconformity identified in the Check phase, as well as perform other activities such as taking preventative action to ensure future risks are proactively mitigated.

The IT Asset Management system is at the heart of this standard. All other ISO management system standards will have the exact same structure. The fact that the same management structure is used across all ISO management system standards is invaluable, particularly when you’re considering the joint implementation of two or more ISO standards, such as ITAM and Security.

The 19770-1 standard identifies 15 process areas for ITAM and provides a suggested tiering structure for the order of implementation. This also allows for partial certification, so that organisations can more quickly achieve their initial certification by implementing the processes that make up Tier 1, then expand to Tiers 2 and 3 at a later stage.

Tier One—Trustworthy Data.

This is about getting to a point where you have trustworthy data. If you don’t have that first, there’s really nothing else you can do but return to the start and focus on understanding what comprises your IT estate.

Tier Two—Lifecycle Integration.

This is building on your trustworthy data to achieve management of the IT Asset lifecycle.

Tier Three—Optimisation.

This focuses on continuous improvement and cross-functional optimisation and leveraging data from IT Asset Management to add value to the wider organisation.

It is important to note here that in early 2024 there will be a FinOps update to the ISO 19770-1 Standard. This will see a change in this tiering structure and incorporate FinOps...
