ISO Focus 5-2007

• ISO/IEC 90003 – The quality improvement tool for software engineering • ISO/IEC 19770 and the software industry • The first year : An update on ISO/IEC 20000

• Infosys CEO Nandan Nilekani • Watch your language ! Terminology Standards

ISO Focus Volume 4, No. 5, May 2007, ISSN 1729-8709

The Magazine of the International Organization for Standardization

IT Quality and Security

ISO Focus is published 11 times a year (single issue : July-August). It is available in English.

Annual subscription 158 Swiss Francs Individual copies 16 Swiss Francs

Publisher
ISO Central Secretariat (International Organization for Standardization)
1, ch. de la Voie-Creuse
CH-1211 Genève 20
Switzerland

Telephone + 41 22 749 01 11
Fax + 41 22 733 34 30
E-mail [email protected]
www.iso.org

Manager : Roger Frost

Editor : Elizabeth Gasiorowski-Denis

Assistant Editor : Dale Campbell

Artwork : Pascal Krieger and Pierre Granier

ISO Update : Dominique Chevaux

Subscription enquiries : Sonia Rosas Friot, ISO Central Secretariat

Telephone + 41 22 749 03 36
Fax + 41 22 749 09 47
E-mail [email protected]

© ISO, 2007. All rights reserved.

The contents of ISO Focus are copyright and may not, whether in whole or in part, be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying or otherwise, without written permission of the Editor.

The articles in ISO Focus express the views of the author, and do not necessarily reflect the views of ISO or of any of its members.

ISSN 1729-8709
Printed in Switzerland

Contents

1 Comment – Dr. Walter Fumy, Chairman ISO/IEC JTC 1/SC 27, IT Security techniques

2 World Scene – Highlights of events from around the world

3 ISO Scene – Highlights of news and developments from ISO members

4 Guest View – Mr. Nandan Nilekani, CEO and Managing Director, Infosys Technologies

8 Main Focus
• Managing information security
• Electronic commerce and identity access management
• Incident handling and disaster recovery services
• Security product and technology assurance
• Software and system engineering
• Shaping the software agenda
• ISO/IEC 90003 – The quality improvement tool for software engineering
• ISO/IEC 19770 and the software industry
• The first year : An update on ISO/IEC 20000
• ISO/IEC 25000 SQuaRE series of standards

43 Developments and Initiatives
• TC 37 Terminology and language
• ISO and IEEE – Standard software and systems engineering terminology
• ISO/IEC structuring and designation standards – A framework for industry

48 New on the shelf
• 2007 ISO Catalogue now available
• ISO 14065 – New tool for international efforts to address greenhouse gas emissions

49 Coming up

Managing Information Security

Comment

Information technology – Security and quality

Dr. Walter Fumy, Chairman ISO/IEC JTC 1/SC 27, IT Security techniques. Dr. Fumy works for Medical Solutions, Siemens AG, Munich.

Today’s global economy relies heavily on the use of electronic information and information technology providing important services in sectors like e-business, finance, medical administration, emergency services, and telecommunications, as well as many government services.

Compromising the confidentiality, integrity, availability, accountability, authenticity or reliability of an organization’s IT assets is very likely to have an unfavorable impact, including the risk of significant financial losses. Consequently, there is an increasing and critical need to protect information and to manage the security of information and communication systems.

“ There is a critical need to manage the security of information and communication systems. ”

In addition, legislation in many countries requires that an organization’s management take appropriate action to mitigate risks related to the business and the use of IT systems. Such legislation may cover not only horizontal aspects, such as privacy/data protection issues or accounting standards, but also specific sectors such as healthcare or financial services.

While the original motivation for introducing IT security measures has often been security enhancements, appropriate security solutions also offer substantial potential for cost savings and for accomplishing new business opportunities. But organizations are not just fighting the bad guys or enabling new opportunities, they also need to show customers or business partners that they are properly protected. As security is such a strong component within quality and compliance requirements, many organizations address this issue using international standards.

Quality management

IT service providers are under persistent pressure to deliver high quality service at minimum cost. The ISO/IEC 20000 standard benchmarks the capability of enterprises and organizations in delivering managed services, measuring service levels and assessing performance.

The implementation of ISO/IEC 20000 will reduce operational exposure to risk, meet contractual and tendering requirements, demonstrate service quality and deliver the best possible service. Accordingly it can result in cost savings for users, whether large or small enterprises, as well as increased productivity and improved customer service.

Regarding software asset management, the implementation of ISO/IEC 19770-1:2006, Information technology – Software asset management – Part 1 : Processes, enables organizations to benchmark their capability in delivering services, measuring service levels and assessing performance.

Until now the application of these business processes has been arbitrary, and relatively few organizations have been able to implement a comprehensive software asset management strategy with the potential of massive savings in license costs and maintenance fees.

International center of security expertise

As this issue of ISO Focus illustrates, ISO/IEC JTC 1/SC 27 has established itself as a primary resource for international standards on application-independent IT security techniques. In recent years, SC 27 has developed many specifications and guidelines already in use by commerce, industry and government.

The current work of SC 27 forms five complementary streams of security standardization and is carried out in five Working Groups : Information Security Management System (ISMS) standards and guidelines (WG 1), security controls and services (WG 4), security (in particular cryptographic) techniques (WG 2), identity management and privacy technologies (WG 5), and security evaluation of IT systems and products (WG 3).

SC 27 cooperates with a large number of partner committees, such as those developing banking standards, for example ISO/TC 68, or telecommunications standards, for example ITU-T.

As experts agree, the major challenge for enterprises and the public sector today is not the security technology itself, but how to establish appropriate procedures, management and controls for achieving and maintaining IT security. Training and education, as well as support and commitment from top management, will continue to be key issues.

With these developments, the work of SC 27 has become timelier than ever. With the ISO/IEC 27000 series on information security management systems, SC 27 has established a truly international language for managing information security – beyond question the most important development in this area to date.

By continuously enhancing its work programme and taking on board the latest in business practice, such as privacy technology or identity management, new and emerging threats and risks, as well as advances in security technology, SC 27 is well positioned to shape the future of IT security.

Finally, let me take this opportunity to extend my appreciation to all of the authors who have made this issue of ISO Focus on security and quality possible.

World Scene

ISO standards support aims of World Health Day

More than 700 ISO International Standards for healthcare help to implement the aims of World Health Day on 7 April 2007. The theme was international health security, urging governments, organizations and business to “ Invest in health, build a safer future ”. The World Health Organization (WHO) is a partner in 57 ISO technical bodies that develop ISO standards.

The February 2007 issue of ISO Focus highlighted ISO’s work in the field of healthcare information technology to develop standards facilitating the implementation and diffusion of innovative initiatives such as electronic health records and digitized healthcare services.

European Parliamentarians visit ISO

A delegation from the Committee on the Internal Market and Consumer Protection (IMCO) of the European Parliament visited the ISO Central Secretariat on 26 February 2007. This committee is currently investigating how regulations for products could be improved through legislation.

Led by Mr. Malcolm Harbour, the delegation included Mrs. Barbara Weiler and Mr. André Brie. ISO Secretary-General Alan Bryden presented the current trends concerning voluntary International Standards and their increasing use and referencing in the context of public policies, in particular those related to security and safety or to sustainable development.

European parliamentarians visit ISO.

UNIDO-African Union expert group meeting

At the invitation of UNIDO and the African Union Commission, a high level expert meeting was hosted on 22-24 February 2007 in Tunis, with the support of the Tunisian Ministry of Industry, Energy and SMEs. The meeting addressed the issue of “ standards compliance and conformity assessment (SCCA) for the development of sustainable trade as a major potential source of poverty reduction in Africa ”.

Mr Kandeh Yumkella, Director General of UNIDO, stressed that the meeting would assist in developing a “ framework for regional and national programmes and concrete, systemic recommendations for accelerating trade development through technical assistance in the area of SCCA with a view to trade capacity building in Africa at sub-regional and national level ”.

According to Ms. Elizabeth Tankeu, Commissioner for Trade and Industry for the African Union, “ increasing trade capacity of African countries, both within the African continent and on world markets, was key to economic competitiveness, itself a key factor for social progress on the continent ”.

ISO Secretary-General Alan Bryden illustrated how the use of International Standards, including for conformity assessment, could assist in eliminating unnecessary technical barriers to trade and transfer technology and good business practices.

Mrs. Maureen Mutasa, ISO Regional Liaison Officer, presented the implementation in Africa of the ISO Action Plan for developing countries.

Mr Kandeh Yumkella, Director General of UNIDO, addressing the meeting.

Visit with Swiss Federal Councillor Doris Leuthard

The Swiss Confederation is currently reviewing its policies to optimize its regulatory framework and practices and its various agreements and commitments regarding technical obstacles to trade. In this context, ISO Secretary-General Alan Bryden visited Mrs. Doris Leuthard, Federal Councillor in charge of Economic Affairs, in Bern on 26 March, accompanied by Mr. Hans-Peter Homberger, Director General of SNV, the Swiss member of ISO.

Mrs. Leuthard was also interested in developments in ISO relating to energy efficiency and renewable sources, as well as food safety and social responsibility.

Mr. Bryden expressed the gratitude of the ISO family for the support of the Swiss Authorities to the Central Secretariat in Geneva and for their support to ISO’s programmes for developing countries.

Left to right : Alan Bryden, ISO Secretary-General, Doris Leuthard, Swiss Federal Councillor, Hans-Peter Homberger, Director General of SNV, the Swiss member of ISO.

APEC ministers mining meeting

John Tucker, CEO of Standards Australia, represented ISO at the APEC Ministers Responsible for Mining Meeting (MRM3), 12-16 February 2007, in Perth, Australia.

Mr. Tucker participated in the stakeholder dialogue at the MRM3 where he told APEC mining ministers, industry leaders, NGOs and other stakeholders about International Standards in the context of good regulatory practice, voluntary alternatives to regulation and WTO Technical Barriers to Trade Code compliance, and the current development of an International Standard for social responsibility.

At the stakeholder dialogue meeting, four issues were discussed : global supply and demand ; regulation ; business facilitation ; and environmental/social issues.

APEC recognizes the importance of global standards through the work of its Standards and Conformance Subcommittee (SCSC) on good regulatory practice and through the active and ongoing interest by APEC’s Business Advisory Council (ABAC).

Mr. Tucker spoke about the role of International Standards in delivering test methods, systems, solutions and benefits to the global mining industry through occupational health and safety management systems ; environmental management systems ; and water and energy demand management standards. John Tucker can be contacted at : john.tucker @standards.org.au

Mitch Hooke (left), Chief Executive of the Minerals Council of Australia and inaugural Chair of the APEC Mining Industry Forum (MIF), and John Tucker (right), CEO of Standards Australia.

ISO Scene

Three new Project Committees

ISO Project Committees (PCs) are a new form of flexible organization associated with project proposals on innovative topics, functioning in a similar manner to Technical Committees, but with a more streamlined structure and on a limited number of standards. Three new PCs have been established on Psychological assessment, Brand valuation and Credit assessment services. For further information on these three committees described below, contact : Dr. Holger Mühlbauer [email protected]

An ISO standard for psychological assessment procedures

Experts from 12 countries met at the kick-off meeting of the ISO Project Committee, Psychological assessment, in Berlin on 8-9 March 2007, where it was decided to develop a standard on procedures and methods to assess people in work and organizational settings. Germany holds the chair responsible for the international committee and the secretariat is held by DIN, the German Institute for Standardization.

Experts representing professional psychological organizations, research institutes, service providers and technical publishers in the sector are involved.

The standard will focus on implementation and evaluation of psychological assessment procedures and will cover the interpretation of the results and requirements for qualifications of those conducting assessments and the ethical principles of the process.

Because psychological assessment is increasingly used in hiring practices, the instruments and procedures require scrutiny. Professional implementation and interpretation of assessments benefit not only clients, but also organizations. It is expected that the standard will be published in 2010.

Kick-off meeting of the ISO Project Committee, Psychological assessment procedures.

Brand valuation project committee

Experts from 10 countries met in Berlin for the first meeting of the ISO Project Committee, Brand valuation, 15-16 March 2007. Germany chairs the committee and DIN, the German Institute for Standardization, holds the secretariat.

At the meeting, a resolution was made to develop an ISO standard specifying requirements for the procedures and methods of monetary brand value measurement. The introduction of “ international accounting standards ” would allow, under certain circumstances, the inclusion of brand values in financial statements.

Committee participants include financial and other service providers, and representatives from research organizations and high-profile industrial firms.

Mergers and takeovers in the global economy and increasing competition make a reliable and comparable monetary assessment of a company’s success necessary. In both cases, brand valuation plays a crucial role in evaluating a company’s potential.

Until now, it has been difficult to obtain comparable results, since there are no generally accepted standards for valuation.

It is expected that the standard will be published in 2010.

Credit assessment services

The assessment of debtor solvency, particularly the evaluation of debt instruments in capital markets, has been debated for decades. With new European regulations specifying a capital adequacy framework for credit institutions and investment firms (Basle II) and proposed regulations for insurance businesses across the EU (Solvency II), rating has become an obligatory part of the credit process. Defining the rating process and the quality of the rating is therefore increasingly important.

The first meeting of the ISO Project Committee, Rating services, took place in Berlin 19-20 March 2007, attended by representatives from financial service providers from numerous countries, where a decision was taken to develop a standard to lay down terms, definitions and service requirements for professional credit assessments and rating services. The chair and secretariat will be held by Germany. It is expected that the standard will be published in 2010.

Azerbaijan : A growing attraction to international standardization

ISO Secretary-General Alan Bryden visited AZSTAND, the ISO member for Azerbaijan, on 1-2 March 2007. The country is undergoing impressive development, due largely to oil and gas production. Azerbaijan is progressively opening its economy with the aim to join the World Trade Organization in the coming year.

International Standards are therefore particularly topical, not only for the oil sector but also for other sectors, to diversify its economy, such as machinery, food processing and tourism. Mr. Bryden met the Prime Minister, H.E. Rasi-Zade, with the Director General of AZSTAND, Mr. Ramiz Hasanov, as well as several ministers.

He met with other key stakeholders, including Mr. Rovnag Abdullayev, the President of SOCAR, the State Oil Company, and with the media and donor agencies operating programmes related to capacity building in standardization and quality infrastructure. AZSTAND benefits from ISO training programmes for increased involvement in international standardization.

Left to right : Alan Bryden, ISO Secretary-General, H.E. Rasi-Zade, Prime Minister of Azerbaijan, and Ramiz Hasanov, Director General of AZSTAND.

Guest View

Nandan Nilekani

Mr. Nandan Nilekani, CEO and Managing Director, Infosys Technologies, received his Bachelor’s degree in electrical engineering from the Indian Institute of Technology (IIT), Bombay, India, in 1978. He is one of the founders of Infosys and has served as a director on the company’s board since its inception in 1981. He has been the Chief Executive Officer and Managing Director of Infosys since March 2002, having held other executive positions previous to 2002.

In January 2006, he became one of the youngest entrepreneurs to join 20 global leaders on the prestigious World Economic Forum (WEF) Foundation Board.

He has been on the Board of Reuters as a non-executive member since January 2007 and is Vice Chairman of The Conference Board, Inc., an international research and business membership organization. He is also a member of ASPEN Institute’s Business and Society Advisory Board. He serves as Co-chairman of the Advisory Board of the IIT Bombay Heritage Fund and also serves on the London Business School’s Asia Pacific Regional Advisory Board.

In India, Mr. Nilekani is a member of the National Knowledge Commission and also part of the National Advisory Group on e-Governance. He is a member of the review committee of the Jawaharlal Nehru National Urban Renewal Mission and he co-founded India’s National Association of Software and Service Companies (NASSCOM). He was the Chairman of the Government of India’s IT Task Force for power and has also served as a member of the subcommittee of the Securities and Exchange Board of India and as a member of the Reserve Bank of India’s Advisory Group on corporate governance.

A recipient of a number of awards, Mr. Nilekani, along with Infosys founder (and currently non-executive chairman) N. R. Narayana Murthy, was Forbes “ Businessman of the Year ” in 2007 and received Fortune magazine’s Asia’s Businessmen of the Year 2003 award. He was also awarded the Corporate Citizen of the Year award at the Asia Business Leader Awards (2004) organized by CNBC. In 2005, he was awarded the prestigious Joseph Schumpeter prize for innovative services in economy, economic sciences and politics. In 2006, he was conferred the Padma Bhushan, one of the highest civilian honors awarded by the Government of India.

“ ISO provided the basic foundation for our quality system.”

Page 7: ISO Focus 5-2007...• ISO/IEC 90003 – The quality improvement tool for software engineering • ISO/IEC 19770 and the software industry • The first year : An update on ISO/IEC

from being PCMM (People Capability Maturity Model) Level 5, our practices are continuously benchmarked with some of the best global companies. Infosys initiatives like the Voice of Youth pro-gramme and our Women’s Inclusivity Network have helped to foster a healthy workplace. Last, but not the least, “ Cus-tomer Centricity ”. Every member of the Infosys community — we call ourselves Infoscions — believes that “ creating cus-tomer delight ” is the biggest goal.

ISO Focus : How did standardization contribute to the general framework for software development and outsourcing of IT services to allow integration into the global market of your products and services ?

Infosys has always been a pio-neer within the industry in adopting world-class quality systems and has led the way in their successful implementa-tion. At Infosys, we firmly believe that pursuit of excellence is one of the most critical factors for competitive success in the global market.

ISO Focus : Infosys is a great success story worldwide with global consultan-cy and IT services. Your company has certainly benefited from the “ flattening of the world ” resulting, i.a., from the exponential growth and interconnectiv-ity of information and communication technologies. To what key reasons and events do you attribute your success ?

A great corporation is built on a good foundation. Firstly, I would attri-bute our continued success to visionary leadership. Our founders and heads of different business units showed some of the finest examples of leadership. Secondly, our “ Execution Excellence ” and “ Quality Focus ”. We have adopt-ed various ISO standards and models like CMMI (Capability Maturity Model Integration). Our capabilities, captured in our business platform called PRidE, show our commitment to process stan-dardization.

Regular assessments and audits help to maintain quality focus and ensure that our process performance is compa-rable to the best-in-class. Next would be our “ People ”-related practices. Apart

Our process platform PRidE cap-tures business and operational processes. PRidE has evolved over a period of time and includes distilled knowledge and best practices, gained from our experi-ence of executing projects over the last 25 years.

PRidE has been systematically benchmarked against world-class stan-dards and models, namely the ISO 9001-TickIT quality-management certifica-tion program for software, the Software Engineering Institute’s CMMI process (SEI-CMMI), and the seven criteria of the Malcolm Baldrige National Quality Award (MBNQA) framework.

ISO provided the basic foundation for our quality system. Infosys was one of the early adopters of ISO 9000 stan-dards way back in the 1990s and was the first IT company to be certified in 1993. When Infosys went for ISO 9000 certifi-cation in 1993, we were operating only in one development centre with less than 1 000 employees. Today we have grown tremendously with more than 70 times that number of people.

Having a scalable and effective process framework helped us to grow at

Infosys Headquarters Bangalore – Building 44 of 48 in the campus (with one of the many food courts/recreation center on the right and a broadcasting studio on the left).

ISO Focus May 2007 5

Page 8: ISO Focus 5-2007...• ISO/IEC 90003 – The quality improvement tool for software engineering • ISO/IEC 19770 and the software industry • The first year : An update on ISO/IEC

such a rapid rate and at the same time ensured superior and consistent perfor-mance.

I would also like to point out two key aspects when it comes to adopt-ing processes. One, we need to have an appropriate way of implementing them. Second, the process needs to be tailored depending on risks. We have tailored and adapted standard process frameworks to deliver for us. Managing change coupled with high growth has been a challenge which we have met.

Today our ability to deliver projects on time is 97 %, which is better than typ-ical IT companies providing solutions to Fortune 500 organizations, and our average delivered quality is at least six times better compared to companies worldwide.

ongoing basis. A case example is Chi-na. As we started in 2004, because of the perception of intellectual property rights there, we had to quickly demonstrate that security rights would be respected. ISO 27001 helped with this.

Infosys also invests strongly in corporate social responsibility. IT cannot be compared to a manufacturing industry, but we felt that ISO 14001 is the right approach to fulfill our commitment to protect the environment. ISO 14001 has helped in bringing good improvement in natural resource conservation and e-waste reduction.

ISO Focus : How does standardization contribute to the construction, mainte-nance and demonstration of quality and security within the field of software development, IT services and IT net-works, and what value do you see in the corresponding ISO standards focused on your industry, such as ISO 27001 on IT security management or ISO 20000 on IT service management ?

Today we offer a wide range of services : application development and maintenance, consulting, package imple-mentation, infrastructure, system inte-gration, product integration, testing and more to customers across the globe. To provide optimized solutions in a consis-tent way, process standardization is the key to ensure that you always deliver it faster, cheaper, better and with high predictability.

One of the imperatives within Info-sys is assurance of the security of infor-mation assets belonging to Infosys, and also the information that is entrusted to us by our employees, customers, vendors, investors and the public at large.

We have invested substantially in state-of-the-art hardware and soft-ware systems to reduce risk of data loss. Daily backups of data on systems are kept at remote storage sites to prevent loss of data due to accidents or calami-ties. We also have a dedicated disaster recovery centre in Mauritius to ensure business continuity in case of a coun-try-level disaster situation. This facility can accommodate around 1 350 people and has been operational since the first half of 2003.

ISO Focus : As Infosys works for many different sectors and ISO has many rel-evant committees and technical activi-ties, how do you view the role of Inter-national Standards in promoting the services you provide to various sectors and the customer-supplier relation-ship ?

There can be no doubt that stan-dards are a cohesive factor. Software developed by us will be used by some-one else and probably maintained by another vendor. While management stan-dards help in organizations being capa-ble, standards in specific technical areas help to improve quality and productivity. ISO has been a pioneer in creating stan-dards for specific areas. A case in point is standards such as ISO 24570:2005, Soft-ware engineering – NESMA functional size measurement method version 2.1 – Definitions and counting guidelines for the application of Function Point Analy-sis, and ISO 20926:2003, Software engi-neering – IFPUG 4.1 Unadjusted func-tional size measurement method – Count-ing practices manual. We have adopted some of the practices for evolving our estimation models and methodologies for application development and main-tenance projects. Some of the standards in design of software and coding have not been thoroughly exploited by com-panies today.

Adoption of these can lead to uni-formity in design of software applications, something that is very much required in this flattening world. The differentiat-ing factor between multiple IT compa-nies will be their quality and productiv-ity levels. Again, management standards help in accomplishing this.

“ There can be no doubt that

standards are a cohesive factor.”

We have a robust business conti-nuity plan. During the cyclone at Bhu-baneswar in 2000, our Development Cen-ter was affected. However, built-in redun-dancy and reliability of systems ensured that no data was lost and deliverables to clients were completed as planned.

“ A great corporation is built on a good

foundation.”

ISO Focus : Your Web site search engine identifies references to ISO in 135 pages, hinting that you make exten-sive use of our standards, starting with ISO 9001:2000 for quality manage-ment and ISO14001:2004 for environ-mental management. How do you value these management systems standards as components of your corporate man-agement practices worldwide ?

It’s heartening for us too to hear that our Web site is sending the right mes-sages ! We do pursue multiple ISO stan-dards like ISO 9001, ISO 27001, ISO 20000 and ISO 14001. We have been following these standards for almost 14 years.

As we grow larger, with opera-tions in multiple countries, subsidiaries in countries like China and Australia, standardization and uniformity in some of the critical functions is extremely important. Processes for execution need to be integrated.

Knowledge management and dis-semination of quality best practices have to be viewed as a critical aspect on an

6 ISO Focus May 2007

Page 9: ISO Focus 5-2007...• ISO/IEC 90003 – The quality improvement tool for software engineering • ISO/IEC 19770 and the software industry • The first year : An update on ISO/IEC

ISO Focus : What are your views on the new areas and issues calling for international standardization in relation to software development, business relations and IT services ?

Today we are certified to ISO 9001, ISO 27001, ISO 15000, ISO 14001 and other standards like TL 9000 and AS 9100. In addition, we have our CMMI certifications. These have helped to build an execution platform that has delivered consistent results. As I mentioned earlier, we would like to see more exploitation of standards in core software engineering.

For excellence in software delivery, interaction between software development groups and business-enabling functions has to be strong. Currently we have standards and models addressing the core area of IT, namely software development, and I feel we need more standards and processes around the business-enabling functions that lead to value creation.

Some of the functions, for example human resource development or training groups, are very strategic for the company.

Infosys Technologies Ltd. provides consulting and IT services to clients globally. With over 72 000 employees worldwide, Infosys uses a low-risk Global Delivery Model (GDM) to accelerate schedules with a high degree of time and cost predictability.

As one of the pioneers in strategic offshore outsourcing of software services, Infosys has leveraged the global trend of offshore outsourcing. Even as many software outsourcing companies were blamed for diverting global jobs to cheaper offshore outsourcing destinations like India and China, Infosys was recently applauded by Wired magazine for its unique offshore outsourcing strategy — it singled out Infosys for turning the outsourcing myth around and bringing jobs back to the US.

Infosys provides solutions for a dynamic environment where business and technology strategies converge, focusing on new ways of business, combining IT innovation and adoption while also leveraging an organization’s current IT assets. Infosys works with large global corporations and new generation technology companies to build new products or services and to implement business and technology strategies in today’s dynamic digital environment.

Infosys Foundation, the philanthropic arm of Infosys Technologies Ltd., was founded in 1996 with the objective of fulfilling the social responsibility of the company by supporting and encouraging the underprivileged. The Foundation has implemented numerous projects in its chosen areas, providing medical facilities to remote rural areas, organizing novel pension schemes and aiding orphans and street children. It has undertaken a large rural education program titled “ A library for every school ” under which 5 500 libraries have been set up in government schools spread across many villages. Other activities include the reconstruction of old school buildings, setting up of rural science centers and schemes to provide support to dying traditional art and culture forms.

Phase one of the Global Education Center, the largest corporate training center in the world – Infosys Campus in Mysore.


Main Focus

Information security is the key. The ISO/IEC 27000 family of International Standards on information technology, security techniques and information security management systems were developed to address the topic of information security management.

The family will cover the following subjects :

• Information security management system (ISMS) requirements (ISO/IEC 27001:2005) ;

• Information security management code of practice (ISO/IEC 27002) – formerly designated ISO/IEC 17799, no change in content ;

• ISMS implementation guide (ISO/IEC 27003) – under development ;

Managing information security

About the author

Professor Ted Humphreys has been leading British activities regarding the ISO/IEC 27000 family of ISMS standards and the British standards BS 7799 Parts 1 and 2 (which later became ISO/IEC 27001:2005 and will become ISO/IEC 27002) since 1990. He is also responsible for many of the ISMS accreditation and certification activities as well as producing the standard EA 7/03. He is an ISMS consultant providing advice to organizations around the world. He is also Founder and Director of the ISMS International User Group, which promotes the global use of the ISO/IEC 27000 family for ISMS standards.

ISO/IEC 17799 renumbered as ISO/IEC 27002

In the interest of consistent numbering of the ISO/IEC 27000 series, ISO/IEC 17799 is being renumbered as ISO/IEC 27002 although the content remains unchanged.

Protecting information – a critical and essential business asset

Professor Edward (Ted) Humphreys, ISO/IEC JTC 1/SC 27/WG 1 Convenor, ISMS Standards, Visiting Professor of ISMS Studies and Research at Korea University, Seoul, South Korea

The world has become a far more risky place for business. Use of the Internet for on-line business continues to grow, more businesses are outsourcing and using third party services, supply chains are getting larger and computer fraud is on the increase – all risk areas to business. Also, business dependence on IT, networks, wireless and mobile communications again raises the risk levels.

The driving force for a successful business is to have the right information at the right time in order to make well-informed decisions. Not only is information the key to business success but the protection of this information is equally important.


Risk management and ISO/IEC 27001 – A view from Australian business

John Snare, Editor of ISO/IEC 27001

Risk management has long been implicit in the way organizations make a wide variety of management decisions. Recently, there has been increasing recognition that risk management activities need to be formalized so that the management of organizations can make considered decisions concerning a portfolio of risks using a common set of concepts.

The ISO/IEC Guide 73:2002, Risk management – Vocabulary – Guidelines for use in standards, provides definitions that form a common conceptual framework for considering different types of risk. ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, uses this common conceptual framework and specifies a management system that can be used to ensure that information security risks can be well managed by organizations.

Using ISO/IEC 27001, information security risk management outcomes can be compared with outcomes of activities to manage other types of risk because it is based on the ISO/IEC Guide 73 definitions.

ISO/IEC 27001 recognizes that it is not possible to eliminate all information security risks. Instead, it allows

Information security controls and ISMS risk management

Dr Angelika Plate, AEXIS Germany, Secretariat of ISO/IEC JTC 1/SC 27/WG 1 and co-editor of ISO/IEC 27002

ISO/IEC 27002 (previously called ISO/IEC 17799:2005) will be a code of practice for information security management. This International Standard will support the Information Security Management System (ISMS) standard ISO/IEC 27001:2005, which is used world-wide for third party management system audits and certification.

ISO/IEC 27002 will contain helpful guidelines and advice for the security controls that are needed to initiate, implement, maintain and improve ISMS in an organization. However, it is important to understand that ISO/IEC 27002 will contain only guidance and will not be suitable for certification.

The holistic set of security controls in the code of practice will provide business with an important tool to manage its information security risks, to enhance its ability to manage its incidents and to support its business continuity capability.

The key objective of this future International Standard is to enable business to protect the confidentiality, integrity and availability of its sensitive and critical information. In addition, it will offer security controls in the following areas :

• Information security policy

• Organizing information security

• Asset management

• Human resources security

• Physical and environmental security

organizations to establish information security risk criteria that balance business opportunities, regulatory and contractual requirements, the costs of information security controls, and information security risks.

Using criteria that support organizational objectives, the ISMS requirements specified in ISO/IEC 27001 can be used to establish confidence that information security risks are managed to meet acceptability criteria on an on-going basis, even if risks or business needs change over time.

ISO/IEC 27001 is unique in that it places requirements to understand information security risks into an operational context, where action is taken to ensure that actions found necessary by a risk assessment are actually taken and are effective. This differs from other information security risk management approaches that place great emphasis on risk assessment and producing a good risk management plan, but give little attention to follow-up to ensure that the plan is implemented and achieves the required outcomes.
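The follow-up point made above is easy to state and easy to lose in a spreadsheet. The script below is an added illustration, not code from the article or from ISO/IEC 27001 itself : it walks a small risk register, applies organization-defined acceptance criteria, and separates entries that are acceptable or demonstrably treated from those where the plan is unimplemented, unverified or ineffective. The 5 x 5 likelihood/impact scoring, the thresholds, the control names and the register entries are constructed assumptions ; ISO/IEC 27001 requires that criteria exist and that treatment is followed up, it does not prescribe this scoring.

```python
"""Check an information security risk register against organization-defined
acceptance criteria and flag entries that still need follow-up.

Added illustration, not code from the article or from ISO/IEC 27001 itself:
the standard requires that risk criteria exist and that treatment decisions
are implemented and verified, but the 5 x 5 scoring, the thresholds and the
field names below are constructed assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    likelihood: int                   # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                       # 1 (negligible) .. 5 (severe), assumed scale
    regulatory: bool = False          # a breach would also break a legal/contractual duty
    planned_controls: List[str] = field(default_factory=list)      # chosen at assessment
    implemented_controls: List[str] = field(default_factory=list)  # verified in place
    residual_likelihood: Optional[int] = None   # re-assessed after controls were applied
    residual_impact: Optional[int] = None


@dataclass(frozen=True)
class Criteria:
    """Acceptance criteria the organization sets for itself (assumed values)."""
    accept_below: int = 8      # likelihood x impact below this is acceptable as-is
    regulatory_below: int = 4  # stricter bar where legal/contractual duties apply


def score(likelihood: int, impact: int) -> int:
    return likelihood * impact


def evaluate(risk: Risk, criteria: Criteria) -> str:
    """Return the treatment status of one register entry."""
    limit = criteria.regulatory_below if risk.regulatory else criteria.accept_below
    if score(risk.likelihood, risk.impact) < limit:
        return "ACCEPTED"            # within criteria, no treatment required
    missing = [c for c in risk.planned_controls if c not in risk.implemented_controls]
    if missing:
        return "TREATMENT_PENDING"   # plan exists but is not fully implemented
    if risk.residual_likelihood is None or risk.residual_impact is None:
        return "UNVERIFIED"          # controls in place, effectiveness never re-assessed
    if score(risk.residual_likelihood, risk.residual_impact) < limit:
        return "TREATED"             # implemented and shown to bring risk within criteria
    return "INEFFECTIVE"             # implemented, but residual risk still exceeds criteria


def follow_up(register: List[Risk], criteria: Criteria) -> List[str]:
    """IDs of entries that a management review must act on, in register order."""
    return [r.risk_id for r in register
            if evaluate(r, criteria) not in ("ACCEPTED", "TREATED")]


# Constructed sample register covering each outcome
REGISTER = [
    Risk("R1", "public brochure site", "defacement", likelihood=2, impact=2),
    Risk("R2", "customer database", "unauthorised access", 3, 5, regulatory=True,
         planned_controls=["MFA", "encryption at rest"], implemented_controls=["MFA"]),
    Risk("R3", "staff laptops", "theft", 4, 3,
         planned_controls=["full-disk encryption"],
         implemented_controls=["full-disk encryption"],
         residual_likelihood=4, residual_impact=1),
    Risk("R4", "outsourced backups", "provider outage", 3, 4,
         planned_controls=["contractual SLA"], implemented_controls=["contractual SLA"],
         residual_likelihood=3, residual_impact=3),
    Risk("R5", "payroll system", "insider fraud", 2, 4, regulatory=True,
         planned_controls=["segregation of duties"],
         implemented_controls=["segregation of duties"]),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(r.risk_id, evaluate(r, Criteria()))
    print("needs follow-up:", follow_up(REGISTER, Criteria()))
```

Run as is, R1 is accepted and R3 is treated ; R2, R4 and R5 are reported for follow-up, for three different reasons (a control still missing, a residual risk that is still above the bar, and controls that were never re-assessed). Re-running the check at each review, with updated likelihood and impact values, is what gives the “ on-going basis ” the article describes.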

“ ISO/IEC 27001 allows organizations to establish information security risk criteria.”

About the author

John Snare is currently National Manager, DMO Security and Privacy in the Telstra Customer Solutions division. John’s professional background includes 20 years working in Telstra’s research laboratories and, more recently, 7 years managing aspects of security implementation in other Telstra divisions. He is currently chairman of the Standards Australia subcommittee IT/124 working on data security techniques.

• Information security management measurements (ISO/IEC 27004) – under development ;

• ISMS risk management (ISO/IEC 27005) – under development ;

• ISMS accreditation requirements (ISO/IEC 27006:2007).


• Communications and operations management

• Access control

• Information systems acquisition, development and maintenance

• Information security incident management

• Business continuity management

• Compliance with legal requirements and security standards

The code of practice will use a risk-based approach, and the security controls in this International Standard should be selected and implemented to meet the requirements that have been identified by a risk assessment as per the requirements specified in ISO/IEC 27001.

Another International Standard under development in the ISO/IEC 27000 family will be ISO/IEC 27005, Information technology — Information Security Risk Management. This International Standard provides further explanation about how to carry out a risk assessment and how to successfully implement the resulting controls to achieve overall sound risk management.

About the author

Dr Angelika Plate runs the German based information security consulting company ÆXIS Security Consultants. She has been involved in ISO activities for many years, as the editor of several International Standards, including being co-editor of the revised version of ISO/IEC 17799, and she also edited the new accreditation requirements standard ISO/IEC 27006. She is chairing the ISMS IUG Germany, which she founded in 2002, and has recently been appointed as the secretary and vice-chair of SC 27 WG 1.

It is expected to be published in 2007, and it is important to understand that this International Standard will only provide guidelines for an organization ; it will not specify a particular methodology for information security risk management. It is the organization’s responsibility to define an approach to risk management that is most suitable to their business.

Significance of ISO/IEC 27006

by Toshio Takatori, Director, ISMS Promotion Office, Japan Information Processing Development Corporation, Japan

The International Standard ISO/IEC 27006:2007 Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems, specifies requirements for bodies providing certification of information security management systems. It is intended to ensure their creditability as well as their competence to perform audits.

As an accreditation body, especially in IT-related fields in Japan, the Japan Information Processing Development Corporation (JIPDEC) has operated the ISMS conformity assessment scheme since April 2002, with the aim to promote a high level of information security in Japan.

Under the scheme, JIPDEC accredits certification bodies based on ISMS accreditation criteria, which have been developed based on ISO/IEC Guide 62, General requirements for bodies operating assessment and certification/registration of quality systems, and the European Standard EA 7/03, and those certification bodies conduct audits of organizations seeking ISMS certification.

These certified organizations are now in the process of transferring their certificates from ISO/IEC 17799 to ISO/IEC 27001:2005.

The ISMS enables an organization to clarify its business processes, establish an effective framework for managing information security, and provide confidence to its customers. In addition, it helps the organization to raise its business competitiveness, and plays an important role in IT governance.

In Japan, both public and private sector organizations have increasingly recognized the importance and benefits of the ISMS, which has led to the increase in the number of certified organizations in our country.

In the future, it will be important for the sound development of the ISMS to ensure that the ISMS audits and certifications are internationally credible. As such, the issue of ISO/IEC 27006 will help the increase of ISMS implementation in many parts of the world.

Applying ISO/IEC 27006

by Eisaku Takeda, ISMS Lead Auditor, IS Certification Division, Japan Audit and Certification Organization for Information Security

As a certification body with certification to ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements, the Japan Audit and Certification Organization for Information Security (JACO-IS) is also the first company to be accredited in Japan by The United Kingdom Accreditation Service (UKAS) with EA 7/03, Guide 62, General requirements for bodies operating assessment and certification/registration of quality systems, and International Accreditation Forum (IAF) guidance.

The new ISO/IEC 27006:2007, Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems (the replacement for EA 7/03), is important for ISMS certification bodies and auditors because it is easier to integrate with the existing management systems for certification and auditing (which were based on EA 7/03) and it is possible to simplify and refine the documentation.

The new International Standard establishes the foundation of ISMS certification and auditing method of ISO/IEC 27001. The biggest advantage of ISO/IEC 27006 is that it is an ISO/IEC standard ; it is therefore recognized internationally and applied as the requirements and guidance for ISMS certification bodies and the auditing method. As EA 7/03 is a European standard for ISMS accreditation, there have been such cases that quality of certification and audit.

We are convinced that accreditation to the International Standard raises the profile of certification bodies, such as JACO-IS, and gives valuable assurance to certification clients that the certification body is following the requirements and best practice. Accreditation to ISO/IEC 27006:2007 is particularly important for international certification based on conformance to the requirements of ISO/IEC 27001.

About the author

Toshio Takatori is Director of the ISMS Promotion Office, Information Technology Management Center of the Japan Information Processing Development Corporation.

“ The ISMS enables an organization to establish an effective framework for managing information security.”

Finally, we look at sector-specific requirements for ISO/IEC 27001 and the future ISO/IEC 27002, which is discussed in the next article on the telecommunications sector. Other sectors that JTC 1/SC 27 is considering are the automotive industry and the regulated domain of world lotteries.

Information security management for telecommunications

by Koji Nakao, Director of Information Security in KDDI Corporation, Leader of the Institute of National Information Communication Technology

About the author

Eisaku Takeda is the ISMS Lead Auditor of the Information Systems Certification Division of the Japan Audit and Certification Organization for Information Security. Previously he was the Manager of the Information Security Technology Department, of the Mitsubishi Electric Corporation, in the Research and Development Division. Mr. Takeda holds an MS in computer science from the University of Denver, US and a BS in mathematics from Hokkaido University.

Telecommunications organizations, especially those that have participated in ITU-T, have been interested in providing a requirements document on information security management for telecommunications since 2003.

In 2004, ITU-T decided to publish an initial Recommendation X.1051, Requirements for Telecommunications of Information Security Management System (T-ISMS), based on BS 7799-2. ITU-T SG17, the group responsible for telecom security, decided to revise the existing Recommendation X.1051 to conform to the ISO/IEC 17799, Information technology — Security techniques — Code of practice for information security management, and ISO/IEC 27001 (the replacement of BS 7799-2) and to work collaboratively with JTC 1/SC 27 towards this goal.

Revision work is now in progress on the draft Recommendation X.1051 that was entitled, Information Security Management Guidelines for telecommunications, to bring it in line with ISO/IEC 17799 (future designation ISO/IEC 27002). This activity is directly connected to that of the ISO/IEC 27000 family of International Standards on sector-based guidelines and/or requirements for telecommunications.

The new ISO/IEC standard will complement the ISO/IEC 27000 family of ISMS information security standards (the proposed number is ISO/IEC 27011) by providing a guideline for the design, development and implementation of information security management in telecommunications with a view towards better protecting the telecommunications organization’s information assets.

This is expected to be one of several sector specific International Standards that would be published jointly between ISO/IEC and ITU-T. This International Standard aims to assist telecommunications organizations in particular to more effectively achieve an appropriate level of information security management and to support the implementation of ISO/IEC 27001.

In ISO/IEC 27011 (designation reserved, development not yet launched), telecommunications organizations will have to take into account the following security features in addition to the security objectives and controls described in the future ISO/IEC 27002.

1) Confidentiality – The confidentiality of communications being handled by telecommunications organizations should not be violated. In addition, any person engaged in telecommunications organizations should maintain the confidentiality of others that have come to be known with respect to communications being handled by telecommunications organizations.

2) Integrity – The installation and use of telecommunications facilities should be controlled, ensuring the accuracy and completeness of information transmitted, relayed or received by wire, radio or any other electromagnetic method.

3) Availability – Only authorized persons should have access, when necessary, to telecommunications facilities and the means of communication services whether by wire, radio or any other electromagnetic methods.

Furthermore, telecommunications organizations should give priority to essential communications in case of emergency, and comply with the regulatory requirements.

“ This is to be one of several sector specific International Standards to be jointly published by ISO/IEC and ITU-T.”

The need for effective information security management in telecommunications organizations is made all the more urgent through increasing use of wireless, Internet and broadband technologies.

If information security management is not implemented properly, the use of these technologies will contain increasing telecommunications risks regarding confidentiality, integrity and availability.

Such is the current status of the future International Standard related to the telecommunication sector, which is expected to be an identical ISO/IEC standard and ITU-T recommendation by 2008.

About the author

Koji Nakao is Director of Information Security in KDDI Corporation, Leader of NICT (Institute of National Information Communication Technology), Special Rapporteur of ITU-T SG 17 Question 7 (Security Management) and visiting professor at Waseda University in Japan.


Electronic commerce and identity access management

Privacy and identity management – a glimpse of the future

by Edward (Ted) Humphreys, Convenor of ISO/IEC JTC 1/SC 27/WG 1, and Dick Brackney, ISO/IEC JTC 1/SC 27/WG 5 Expert and ITU-T Expert

In 2027 and beyond, the world will be a different place. We can only estimate what advances science and technology will offer us, and how these might shape our private and business worlds.

One thing is certain : it will still be risky but we are uncertain what these risks will be. As Benjamin Franklin once said, “ In this world nothing is certain but death and taxes.”

ISO/IEC JTC 1/SC 27 has, over the years, built up its committee as a centre of international expertise for all things concerning information and information and communications technology (ICT) security.

“ The standards SC 27 has delivered over the years are being used around the world.”

It has established itself as an international leader in information and ICT security standards responding to the needs of commerce and industry, delivering the right standards to meet their business requirements.

The process entails engaging with business to understand their requirements and to take those requirements into account when developing standards.

The standards SC 27 has delivered over the years are being used around the world. However, SC 27 is not waiting until 2027 to take action ; it is taking steps now since risks are always present and constantly changing, and SC 27 together with business need to keep up and be prepared for the risks of tomorrow.

So let’s take a glimpse at future projects and developments. We have already seen in previous articles that work is starting on cyber-security, ICT readiness and Web applications, and business specific requirements for ISMS standards : telecoms, the automotive industry, the highly regulated business of world lotteries and many others.

Here we take another look at work for the future that addresses some of the immediate concerns of business and citizens : protecting privacy and protecting against identity theft.

The following two articles look at standards work that started on one of the security mechanisms for identification, authentication and access : the use and deployment of biometrics. Now I pass you over to two of the international specialists to explain more of what is in the pipeline.

Technologies for privacy, identity management and biometrics

by Dr. Kai Rannenberg, ISO/IEC JTC 1/SC 27/WG 5 Convenor, Professor of Mobile Commerce and Multilateral Security, Goethe University Frankfurt (Germany)

“ IT security is becoming more and more of a people’s problem ”, is not only a quote from IT security pioneer Roger Needham (Cambridge University, United Kingdom), but a trend with major business relevance and a dual-faced challenge.

Enterprises need to get more efficient in identifying and addressing users and customers, for example, by making sure that a competent point within the organization knows which user has which access rights to which corporate resources.

Nowadays, employees very often have a historically grown plethora of identifiers and access rights. Often it is difficult to know and manage who has the authorization to do what. So when someone leaves an organization it is usually difficult to revoke authorizations, accounts and access rights to avoid later misuse of corporate systems and corporate information. Establishing an efficient framework for corporate access management with reliable accountability is not a trivial task.

A popular trend here is “ single sign-on ”, basically the unification of all accounts and access rights on one system per enterprise, to which users authenticate themselves and which then provides access to the resources needed, for example a customer database or a printer.

A similar unification approach is popular in dealing with customers, e.g. when a telecom unifies customers’ accounts to provide a single bill for different but related services.

Currently, very often a provider offers a landline telephone, a mobile telephone, and Internet access – and sends a different bill for each. Whereas this may cause unnecessary costs and complexity, the unification of those accounts that refer to the same customer also offers the chance to provide more customized and personalized bundled services while raising the security, service quality and customer satisfaction.

A related instrument to bind accounts to a single person and to enhance the assurance for user authentication are biometric techniques which use unique characteristics of a person, e.g. fingerprints or iris scan information to securely identify that person.

For users and service providers unification of accounts and access rights can be a double-edged sword. Users usually like the added convenience of single sign-on systems, using one single password for a number of log-ins and access accounts.
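The revocation problem Rannenberg describes above (accounts and rights that outlive the person they were granted to) is exactly what a periodic access review is meant to catch. The script below is an added example, not code from the article or from SC 27 : it reconciles a constructed account export from several systems against a constructed HR roster and reports every enabled account whose owner has left or is unknown to HR, ordered so that privileged and long-overdue cases come first. Names, employee ids, system names and dates are all invented for the example.

```python
"""Reconcile a system account export against the HR roster to find access
that should have been revoked.  Added example, not from the article or from
SC 27; the roster, the export rows, the names and the dates are constructed.
"""
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed HR roster: employee id -> (employment status, last working day)
HR_ROSTER: Dict[str, Tuple[str, Optional[date]]] = {
    "E100": ("active", None),
    "E101": ("left", date(2007, 3, 31)),
    "E102": ("active", None),
    "E103": ("left", date(2007, 5, 15)),
}

# Constructed account export: one row per account on each system
ACCOUNTS: List[dict] = [
    {"system": "crm", "account": "asmith", "owner": "E100", "role": "user", "enabled": True},
    {"system": "crm", "account": "bjones", "owner": "E101", "role": "admin", "enabled": True},       # left, still enabled
    {"system": "fileserver", "account": "bjones", "owner": "E101", "role": "user", "enabled": False},  # already disabled
    {"system": "erp", "account": "svc_batch", "owner": "E999", "role": "admin", "enabled": True},    # owner unknown to HR
    {"system": "erp", "account": "ckim", "owner": "E103", "role": "user", "enabled": True},          # left recently
    {"system": "printer", "account": "dlee", "owner": "E102", "role": "user", "enabled": True},
]

TODAY = date(2007, 5, 20)   # constructed review date


def reconcile(accounts: List[dict], roster: Dict[str, Tuple[str, Optional[date]]],
              today: date) -> List[dict]:
    """Return one finding per enabled account whose owner has left or is unknown.

    Privileged roles come first, then the longest-overdue revocations, so the
    list doubles as a remediation order.
    """
    findings = []
    for row in accounts:
        if not row["enabled"]:
            continue                                # disabled accounts are already revoked
        owner = roster.get(row["owner"])
        if owner is None:
            issue, overdue = "ORPHANED", None       # no accountable person in HR records
        elif owner[0] == "left":
            issue, overdue = "NOT_REVOKED", (today - owner[1]).days
        else:
            continue                                # active owner, nothing to flag
        findings.append({"system": row["system"], "account": row["account"],
                         "owner": row["owner"], "role": row["role"],
                         "issue": issue, "days_overdue": overdue})
    findings.sort(key=lambda f: (f["role"] != "admin", -(f["days_overdue"] or 0)))
    return findings


def summary(findings: List[dict]) -> Dict[str, int]:
    """Count findings per issue type, e.g. for a periodic access review report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(ACCOUNTS, HR_ROSTER, TODAY)
    for f in results:
        print(f)
    print(summary(results))
```

On the sample data the review returns three findings : the admin account of someone who left 50 days earlier, a service account with no owner in HR at all, and a user account of someone who left five days ago. The already-disabled file server account is not reported. An account with an unknown owner is reported as a finding in its own right, because without an accountable person nobody will ever trigger its revocation, which is the accountability gap the article points at.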

Enterprises on the other hand see the benefit of single sign-on systems in a better control and management of access rights. However, as the number of applications for one individual increases, adding numerous mobile devices or new Web services to their daily life, the risk of data misuse increases as well.

Also, for a customer to be able to simply enjoy several communication services with one login can make life easier, not only in telecommunication, but in all aspects of Internet life : shopping, using Web 2.0 services and communicating in general.

The idea of just having to provide a fingerprint instead of typing a complicated password every morning is fascinating. However, the more sensitive information gets possibly accessed with this one identifier, the higher the risk for the user to fall victim to identity fraud and ultimately experience loss or damage.

The more information on users gets unified, the higher the risk of misuse of this information. It may well be useful for a citizen to have an account with the tax office to deal with annual tax declarations online, and it may be useful to link this with some information on the costs paid for medical services, but a complete unification of all the data and profiles stored by the tax office, the hospital, and the health insurance companies would need to be managed very closely, is unacceptable in many cultures – and may well violate privacy regulations.

At the same time, biometric information can be useful to make login more secure and more convenient, but assessing such information is the subject of intensive research. Biometric information may contain sensitive medical information, which should remain confidential within the private and medical realms.

As a result, users want more control over what and where information on them and on their identity is stored and to whom it is transferred and for what purpose. They also want to be able to use technologies for “ anonymity ” to manage in which contexts they are identified.

Considering these promising possibilities and important challenges, SC 27 established its new WG 5, Identity management and privacy technologies. Currently WG 5 is active in six projects with more being expected.

A framework for identity management (Working Draft 24760) addresses the secure, reliable, and privacy-respecting management of identity information considering that identity management is important for individuals as well as for organizations, in any environment and regardless of the nature of the activities in which they are involved.

About the author

Dr. Kai Rannenberg (www.whatismobile.de) has been active in SC 27 since 1992, mainly in WG 3. In 2005 he became co-editor of WD 24760, co-rapporteur of the SC 27 study period on identity management and rapporteur of the SC 27 study period on privacy. Since March 2007 he serves as Convenor of WG 5. In 2002, Kai was appointed as Professor for Mobile Commerce and Multilateral Security, and serves as Director of the Department for Business Informatics at Goethe University in Frankfurt (Germany).

Authentication assurance (Working Draft 29115) aims at improving and enhancing the trust and confidence in authentication by providing objective and vendor-neutral guidelines for authentication assurance, e.g. for assigning objective and consistent values to the various components of authentication available in the market.

A privacy framework (Working Draft 29100) is to provide a framework for defining privacy safeguarding requirements as they relate to personally identifiable information processed by any information and communication system in any jurisdiction.

A privacy reference architecture (Working Draft 29101) is to provide a reference architecture model that will describe best practices for a consistent technical implementation of privacy requirements in information and communication systems.

The project on Authentication context of biometrics (Committee Draft CD 24761) defines the structure and the data elements of authentication context for biometrics, by which service pro-viders (verifiers) can judge whether a biometric verification result is accept-able or not.

Working Draft 24745, Biomet-ric template protection, describes the security techniques for Biometric Tem-plate Protection focussing on privacy enhanced techniques for Biometric Template Generation.


Identity Management (IdM), a compelling business case for standardization

by Dick Brackney, ISO/IEC JTC 1/SC 27/WG 5 Expert and ITU-T Expert

Identity Management (IdM) is a catch phrase that refers to the processes and technologies needed to create, maintain, utilize and terminate the digital identity of people, devices, and services, as well as to enable secure access to an increasing set of systems and applications.

IdM has strong links with the management of security, trust and the protection of personal information. Traditionally, IdM has been a core security component that in its simplest form consists of an identifier (user name) and an authentication secret (password).

This user/password combination enables a network/system administrator to maintain user account information as well as restrict and monitor user login and access to an organization’s resources. Consequently, access control has been the historical focus of IdM.

About the author

Dick Brackney has worked in the information security field for nearly 20 years and has been active in SC 27 for over 12 years. He has contributed to many SC 27 network security standards and recently served as editor of an SC 27 Intrusion Detection System Standard that was published in 2006. He currently serves as the U.S. Head of Delegation to ISO/IEC JTC 1 SC 27/WG 5 and is an active contributor to many WG 5 standards projects as well as standards within ITU-T. He works for the National Security Agency as a senior research analyst and is responsible for promoting standards that support the US Department of Defence Global Information Grid (GIG).

Over the past several years, a revolution has been occurring on a large-scale worldwide basis that is significantly expanding the role of IdM far beyond its original roots.

This revolution involves the rapid merging of the current independent and separately managed voice, data, wireless and video networks into a very flexible, general-purpose IP-enabled telecommunications infrastructure called Next Generation Networks (NGNs).

Such NGNs can globally support a vast array of public, private and government needs for flexible public communications, commercial transactions, and utility/transportation based SCADA (Supervisory Control and Data Acquisition) activities.

Many of these needs are extremely dependent on IdM and require digital identities to be as secure, complex, friendly and flexible in use as physical face-to-face human transactions are today.

Furthermore, users expect an IdM quality of experience in cyberspace that is equivalent to the physical world. This telecommunications revolution coupled with regulatory compliance requirements has been a major force for change in IdM.

However, everyone and everything are becoming increasingly vulnerable on today’s IP-enabled networks to exponentially rising cyber-crime, identity theft and computer hacking.

At the same time, independently developed, non-standardized IdM capabilities are creating significant user and network administrative management frustrations.

Also, in a world where end-users, providers, and even enterprises are increasingly ‘always-on’ and nomadic, it is no surprise that many experts have noted that the entire emerging NGN infrastructure is at risk without effective IdM capabilities.

Today, IdM is a lot more than a traditional security component. It is fundamental to accountability in user and organization business relationships, critical to the user’s experience, essential to protecting personal information, and to adherence to regulatory controls.

This situation has created an urgent need for interoperability and harmonization of IdM solutions that are based on International Standards.


Main Focus

Protecting information, a critical and essential business asset

Prof. Edward (Ted) Humphreys, Convenor of ISO/IEC JTC 1/SC 27/WG 1, and Meng-Chow Kang, Convenor of ISO/IEC JTC 1/SC 27/WG 4, Security controls and services

Organizations, government and citizens the world over are highly dependent on the use of information and communications technology (ICT) to support their business needs as well as the needs of society, but there are risks involved with that dependence.

The Internet is used for on-line business, for outsourcing and third-party services, managing business supply chains and many other areas of citizen use for buying, selling and auctioning items, as well as for making bookings for flights, theatre and concerts and hotels, to name but a few. For all these uses the risks are growing as well as the impacts : financial, theft of bank details and personnel information, loss or damage to data, loss of operations and a long list of other examples.

This section brings together some of the standards work in ISO/IEC JTC 1/SC 27, IT Security techniques, that covers this important management business domain. This includes the ISO/IEC 18028 series of standards (five parts) on network security ; ISO/IEC 18043:2006, Selection, deployment and operations of intrusion detection systems (IDS) ; ISO/IEC 18044:2004, Information security incident management ; and ISO/IEC FCD 24762, Guidelines for information and communications technology disaster recovery services, and future projects on cyber-security, ICT readiness and Web applications.

Incident handling and disaster recovery services

Standards for cybersecurity

by Meng-Chow Kang, Convenor of ISO/IEC JTC 1/SC 27/WG 4, Security controls and services

In recent years, the open, seamlessly interconnected and highly interactive architecture of the Internet has increasingly been exploited by cyber criminals and rogue individuals and businesses for financial gains and other criminal purposes, through the use of various forms of malicious software [1, 2], spam [3], phishing [4], network and systems intrusions [5], and social engineering attacks [6] on computing systems and end-users.

Such exploitations and related incidents have undermined users’ confidence in and trust of computing systems and the Internet, and, in some respects, slowed down social and economic progress.

In many cases, hefty financial and reputation losses have been incurred from such attacks [7]. Developing security measures and countermeasures to protect against and respond to such attacks is therefore paramount to ensuring the trustworthiness, including the security and reliability, of the Internet.

In a study report published by the ISO Technical Management Board (TMB) in January 2005 [8], it was recognized that security considerations must become an integral element in products, systems, and operations supporting the day-to-day functioning of society.

Cybersecurity was called out as one of the action items for JTC 1 to examine whether standards could play a role in preventing new types of attack, such as viruses, worms, and phishing. Both the national and international standards-setting communities and organizations recognize that the need for security standards is urgent and overwhelming.

At the ISO/IEC JTC 1 SC 27 meeting held in South Africa in November 2006, it was resolved to proceed with work on the development of cyber-security standards, and a study team led jointly by Andrew Mason of the New Zealand NB and Koji Nakao of the Japan NB was established (for more information on the meeting report, please refer to SC 27 document N5483).

The key characteristic of SC 27 work on cyber-security relates to the cyber environment, i.e. cyber-security covers security specifically in the online environment. In this respect, it is differentiated from the more general topic of information security, particularly information security management systems (ISMS), which is the domain of ISO/IEC SC 27 WG 1, Requirements, security services and guidelines.

The public Internet is the main focus environment for the proposed standardization work, which excludes “ enterprise cyberspace ” (closed internal networks specific to individual organizations or groups of organizations).

Service providers on the Internet comprise the main target audience for cyber-security standards, while the primary beneficiaries will be both service providers and their end users (both enterprises and individuals).

End-user enterprises, including small and medium-sized enterprises (SMEs), and governments may use cyber-security standards for requirements specification and potentially for assurance purposes.

While several new work items focusing on addressing the standards needs of cyber-security are now in development, it remains an ongoing challenge to ensure comprehensive coverage of the related issues. For example, the rapid growth of online communities through technologies such as instant messaging, blogging, podcasting, video casting, peer-to-peer file sharing, and Voice over Internet Protocol (VoIP) has not been fully examined from a security standards perspective.

Although the new developments share most of the threats that standards have been developed or are being developed to address, the specific capability of each of these technologies may justify different security standards either from the interoperability or baseline viewpoints. From a threat angle, phishing, viruses, denial of service and similar attacks should also be evaluated to determine whether and how standards might be used to minimize, if not fully address, these issues.

While new cyber-security related standards are being developed, it is important to note that a number of existing ISO/IEC security standards remain applicable and important for addressing the various aspects of cyber-security.

To ensure effective and efficient standards are being developed for addressing cyber-security needs, new contributions from researchers and practitioners are a critical success factor.

About the author

Meng-Chow Kang is Regional Chief Security Advisor for Microsoft Greater China. His business skills and experiences regarding the implementation of information security are well recognized around the world and are greatly valued by his customers in the areas of cybersecurity, web applications security, IT networks, information risk management, and many other topics. He is the Convenor of ISO/IEC JTC 1/SC 27/WG 4, Security controls and services, and Chair for the Singapore IT Security and Privacy Standards Technical Committee, ITSC, Singapore. Before this, Mr. Kang was the Regional Information Risk Officer of JP Morgan Chase, responsible for managing the firm’s information risk in the Asia Pacific region.

References

1. Erbschloe, M., Trojans, Worms, and Spyware : A computer security professional's guide to malicious code. Elsevier, 2005. 212 pp.

2. McMillan, R., Researcher posts Google-based malware – 'Malware Search' tool uses engine to find known viruses and worms. InfoWorld, 18 July 2006 [cited 20 July 2006]. Available from : http://www.infoworld.com/article/06/07/18/HNgooglemalware_1.html

3. OECD, The OECD Anti-Spam Toolkit. 12 June 2006 [cited 19 July 2006]. Available from : http://www.safeinternet.org/ww/en/pub/insafe/news/articles/0606/oecd.htm

4. Roberts, P., Companies team to reel in 'phishing'. InfoWorld, 16 June 2004 [cited 19 July 2006]. Available from : http://www.infoworld.com/article/04/06/16/HNphishing_1.html

5. Mitnick, K. and Simon, W.L., The Art of Intrusion – The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers. Wiley Publishing, Inc., 2005. 270 pp.

6. Mitnick, K., Simon, W.L. and Wozniak, S., The Art of Deception – Controlling the Human Element of Security. Wiley Publishing, Inc., 2002.

7. Ernst & Young, Global Information Security Survey 2005 : Report on the Widening Gap. Technology and Security Risk Services, Ernst & Young LLP, 2005. p. 26.

8. ISO/TMB, Final Report of ISO Advisory Group on Security. ISO Technical Management Board Advisory Group on Security, 2005. p. 42.

Managing IT incidents

by Robin Moses, Head of the United Kingdom Delegation to ISO/IEC JTC 1/SC 27/WG 4, Security controls and services

No typical information security controls will guarantee total protection for information systems and associated information, services and networks. After controls have been implemented, residual weaknesses are likely to remain that may make security ineffective and thus information security incidents possible, potentially with adverse impacts on an organization’s business operations.

Furthermore, inevitably, new previously unidentified threats will occur. Insufficient preparation by an organization to deal with information security incidents will make any actual response less effective, and potentially increase the extent of adverse business impacts.

Therefore, it is essential for any organization serious about information security to have a structured and well-planned scheme in place for the management of information security incidents. Such a scheme must be able to :

• Detect and efficiently deal with information security events, in particular identifying whether they need to be categorized as information security incidents or not (an information security event alone may not mean that an attempt to breach security has occurred, i.e. not all events will be categorized as incidents),

• Confirm, report on and assess information security incidents,

• Respond to information security incidents in the most appropriate and efficient manner, including by activating controls to prevent, reduce, and recover from adverse business impacts,

• Ensure that lessons are quickly learnt from information security incidents and their management, over time making improvements to the implementation and use of controls and the overall scheme (thereby increasing the chances of preventing future incidents occurring).
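The event-versus-incident decision, impact assessment and report record that the scheme above calls for, as an added Python example (not code from ISO/IEC 18044 or from this article); the log line format, the five-failure threshold, the service impact table and the three-level impact scale are assumptions made for the example:

```python
"""Toy information security event triage in the spirit of ISO/IEC 18044:
detect events, decide which ones are incidents, assess adverse business
impact and produce a report record. Added example; thresholds, log format
and impact scale are assumptions, not taken from the standard."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines (key=value style; the format is an assumption).
SAMPLE_LOG = """\
2007-05-30T08:01:02 host=web1 event=login_failed user=alice src=10.0.0.5
2007-05-30T08:01:05 host=web1 event=login_failed user=alice src=10.0.0.5
2007-05-30T08:01:09 host=web1 event=login_failed user=alice src=10.0.0.5
2007-05-30T08:01:15 host=web1 event=login_failed user=alice src=10.0.0.5
2007-05-30T08:01:20 host=web1 event=login_failed user=alice src=10.0.0.5
2007-05-30T08:01:31 host=web1 event=login_ok user=alice src=10.0.0.5
2007-05-30T08:05:00 host=fs1 event=login_failed user=bob src=10.0.0.9
2007-05-30T09:00:00 host=db1 event=service_down service=orders
"""

FAILED_LOGIN_THRESHOLD = 5                         # assumed triage threshold
SERVICE_IMPACT = {"orders": "high", "wiki": "low"}  # assumed impact per service


@dataclass
class Event:
    """One information security event as recorded by a system."""
    ts: str
    host: str
    kind: str
    fields: Dict[str, str]


@dataclass
class Incident:
    """An event (or chain of events) categorized as an incident."""
    category: str
    impact: str                                    # assumed scale: low/medium/high
    events: List[Event] = field(default_factory=list)
    response: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Event]:
    """Parse one key=value log line; return None for lines that are not events."""
    parts = line.split()
    if len(parts) < 2:
        return None
    kv = dict(tok.split("=", 1) for tok in parts[1:] if "=" in tok)
    if "host" not in kv or "event" not in kv:
        return None
    return Event(parts[0], kv["host"], kv["event"], kv)


def triage(events: List[Event]) -> Tuple[List[Incident], List[Event]]:
    """Decide which events are incidents. Returns (incidents, events that stay events)."""
    incidents: List[Incident] = []
    plain: List[Event] = []
    streaks: Dict[Tuple[str, str], List[Event]] = {}   # (user, src) -> failed logins
    for ev in events:
        key = (ev.fields.get("user", ""), ev.fields.get("src", ""))
        if ev.kind == "login_failed":
            streaks.setdefault(key, []).append(ev)
        elif ev.kind == "login_ok":
            failed = streaks.pop(key, [])
            if len(failed) >= FAILED_LOGIN_THRESHOLD:
                # Many failures followed by success: probable unauthorised access.
                incidents.append(Incident(
                    "unauthorised_access", "high", failed + [ev],
                    ["disable account pending verification", "preserve host logs"]))
            else:
                plain.extend(failed)
                plain.append(ev)
        elif ev.kind == "service_down":
            svc = ev.fields.get("service", "unknown")
            incidents.append(Incident(
                "service_outage", SERVICE_IMPACT.get(svc, "medium"), [ev],
                [f"activate fallback for {svc}", "notify service owner"]))
        else:
            plain.append(ev)
    # Failure streaks with no success are incidents only at the threshold;
    # isolated failed logins remain events, as the scheme allows.
    for failed in streaks.values():
        if len(failed) >= FAILED_LOGIN_THRESHOLD:
            incidents.append(Incident("attempted_access", "medium", failed,
                                      ["block source address", "review account"]))
        else:
            plain.extend(failed)
    return incidents, plain


def report(inc: Incident) -> Dict[str, object]:
    """Fill a report record of the kind the standard's annexes give example forms for."""
    return {
        "category": inc.category,
        "impact": inc.impact,
        "first_seen": inc.events[0].ts,
        "last_seen": inc.events[-1].ts,
        "hosts": sorted({e.host for e in inc.events}),
        "event_count": len(inc.events),
        "response": list(inc.response),
    }


def run_sample() -> Tuple[List[Incident], List[Event]]:
    """Parse the constructed log and triage it."""
    events = [e for e in map(parse_line, SAMPLE_LOG.splitlines()) if e]
    return triage(events)


if __name__ == "__main__":
    found, remaining = run_sample()
    for inc in found:
        print(report(inc))
    print(f"{len(remaining)} event(s) not categorized as incidents")
```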

ISO/IEC 18044, Information security incident management, provides guidance for organizations on how to implement and maintain quality information security incident management schemes.

Having described the objectives and the processes to achieve those objectives, it provides detailed guidance to enable organizations to implement and maintain such schemes, covering :

• Benefits and key issues associated with having an information security incident management scheme in place ;

• Examples of information security incidents and their causes ;

About the author

Robin Moses has worked in the information security field for 27 years and has extensive knowledge and experience both in the United Kingdom and abroad, being widely recognized as one of Britain’s leading experts. He has been actively involved in the development of international security standards for some 17 years, and is currently the principal expert and Head of the United Kingdom Delegation to ISO/IEC JTC 1/SC 27/WG 4, and coordinator for the revision of network security standards and the production of new ones. He has been project editor for a number of published security standards, including on information security incident management and network security.

• Planning and preparation for information security incident management, including document production ;

• Operational use of an information security incident management scheme ;

• Review phase of information security management, including the identification of lessons learnt and improvements to security and the information security incident management scheme ;

• Improvement phase, i.e. making identified improvements to security and the information security incident management scheme.

Annexes to the standard contain example information security event and incident report forms, and example outline guidelines for assessing the adverse consequences of information security incidents.


Standardization in disaster recovery services

by Philip Sy, Project Co-editor for ISO/IEC 24762, and Co-chair for Singapore Information Security Management Standards Working Group, IT Security and Privacy Standards Technical Committee, ITSC, Singapore

Information security management aims to achieve effective confidentiality, integrity and availability of information. To address the availability aspect, an organization should identify and manage the risks of interruptions to business activities. In light of terrorism, malicious hacking, geopolitical tension and natural catastrophes, business continuity management (BCM) has become a day-to-day concern for businesses and management.

In planning for BCM, the fallback arrangements for information processing and communication facilities become essential for ensuring information availability during a disaster and for the complete recovery of activities over a period of time.

Many organizations are at a loss whether they should set up ICT disaster recovery (ICT DR) capability in-house or select from the many DR service providers in the market. The basis of such a decision and/or selection varies from organization to organization, as currently there is no benchmark for the provision of ICT DR services.

In order to address the market demand for the standardization of ICT disaster recovery services, ISO/IEC JTC 1/SC 27 has been developing the standard ISO/IEC FCD 24762, Guidelines for Information and Communication Technology Disaster Recovery Services. It has been developed to support the requirements in ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, and ISO/IEC 27002, currently under development, related to business continuity.

The new ISO/IEC 24762 standard will cover facilities and services capability in providing fallback and recovery support to an organization’s ICT systems and will apply to both in-house as well as outsourced ICT DR services. It aims to assist end-users in either setting up their own in-house ICT DR services capability, or selecting the best-fit ICT DR service providers by providing a basis to differentiate service providers.

The new standard will specify the requirements that service providers must possess so that they can provide a trusted operating environment and help companies secure and recover critical data during a crisis. These requirements include the implementation, testing and execution aspects of disaster recovery.

This standard will be based on a multi-tier framework comprising elements including policies, performance measurement, processes and people, which are key in building up the required supporting infrastructure and services capability. It will also recommend that service providers improve their capabilities and keep relevant by going through recommended continuous improvement practices. A guideline for selection of recovery sites will also be included in the standard.

Though the standard is new, the standard on which it is based, SS 507:2004 [1], has been used and tested in the industry as a basis for certification of DR service providers since 2004.

A number of renowned service providers, both international and regional, have been certified against the standard. The standard and certification have been well accepted by the industry and the organizations using the DR services. It is foreseen that with the input from all other SC 27 members, the new International Standard will be able to cater to the needs of different countries and receive more recognition and adoption.

1 SS 507:2004, Singapore Standard for Business continuity/disaster recovery (ICT DR) service providers

About the author

Philip Sy is the Principal Consultant for e-Cop.net (S) Pte Ltd, Project Co-editor for ISO/IEC 24762, and Co-chair for Singapore Information Security Management Standards Working Group, IT Security and Privacy Standards Technical Committee (ITSC), Singapore.

Trusting the technology — Confidence in products and technology

by Mats Ohlin, Convenor of ISO/IEC JTC 1/SC 27/WG 3, Security Evaluation Criteria

Security product and technology assurance

Threats from malicious activities on the Internet pose a well-documented challenge to all users of modern information and communication technology (ICT). Users and the many businesses that rely on Internet communication are highly dependent upon effective security in deployed systems.

Security requirements are typically defined in terms of the need to address anticipated threats as well as various organizational policies.

Users need a number of functions to meet security requirements, including policies for identification, access control and auditing, as well as security functions (technical controls) designed to address expected threats. In addition, users must have confidence that security systems function as intended.

The term “ assurance ” is used when expressing the level of confidence. Assurance is seen as a way to reduce the likelihood that exploitable vulnerabilities will exist in a deployed system. Assessment activities include design analysis, functional and penetration tests, and analysis of supporting documentation.

ISO/IEC JTC 1/SC 27, IT Security techniques, deals with evaluation criteria for assessing the conformance to specified functional requirements, as well as requirements for assurance.

The requirements for assurance are expressed in terms of the documentation and tests that the developer is expected to present, as well as the actions necessary to check and assess this evidence.

The basic notion of assurance is discussed in the Technical Report, Information technology – Security techniques – A framework for IT security assurance (ISO/IEC TR 15443). Assurance may be achieved by a variety of approaches applied during different stages, including development, integration and operation. This report consists of three parts, of which the last part is still under development.

The bulk of the work in SC 27 has focused on ISO/IEC IS 15408, Information technology – Security techniques – Evaluation criteria for IT security ; also known as the Common Criteria.

This three-part standard, available at no cost, offers structured libraries, which may be used when specifying both functional and assurance requirements.

There has been close cooperation between SC 27 and the international Common Criteria project since the start of this work.

To support the assessment/evaluation phase, a supporting standard, ISO 18045, Information technology – Security techniques – Methodology for IT security evaluation, has been developed, describing in greater detail the expected activities to be performed by the evaluators.

The description closely follows the structure of 15408 Part 3 : Security assurance requirements.

Other important standards that SC 27 addresses include :

• Security requirements for cryptographic modules (ISO/IEC 19790) ;

• Security assessment of operational systems (TR 19791) ;

• Security evaluation of biometrics (CD 19792, development still in progress) ;

• System security engineering – Capability maturity model, SSE-CMM (ISO/IEC 21827).

For the future, a new topic, responsible vulnerability reporting, is currently under study within SC 27.

ISO/IEC 15408/18045 : Know what you buy

by Miguel Bañón, SC 27 Head of Delegation for Spain

The need for secure ITC is no longer a bizarre and expensive requirement limited to defence systems or spy movies. Today’s society, businesses and citizens rely on ITC for any number of critical services, and market awareness is driving the need for a “ secure ” label on every product that we use.

It is not easy to determine the precise security requirements that a product must fulfil, and it is even harder to determine whether the available products meet these requirements. ITC vendors are raising the security flag to differentiate their products, and we are seeing how the major vendors make security claims for their products a primary marketing strategy.

Historically, consumers had no mechanisms to ensure that products were secure, other than the self-declaration of features from the vendors.

The standard ISO/IEC 15408, initially published in 1999, and later revised and published in 2005 along with ISO/IEC 18045, has set a benchmark in the development, evaluation and later certification of the security of ITC products.

The current market trend is shifting to require an ISO/IEC 15408 or “ Common Criteria ” certification to endorse the security of ITC products.

Key players in this shift are the public administrations of those countries with a greater sensitivity toward information security, “ user groups ” that have enough economic relevance for ITC vendors, and overall markets with their awareness of ITC security breaches increasing through extensive media coverage.

The number of ISO/IEC 15408 or “ Common Criteria ” certified products is steadily increasing. The development of secure products is a complex and expensive task.

Certifying that the targeted security has actually been achieved is also complex and expensive, but the ISO/IEC 15408 and 18045 standards have started down a path with no return.

In a few years, security certification will be as common as safety certification, and this commoditization is expected to bring improvements in the assurance gained in ITC development methods, reduction of certification costs, greater efficiency in evaluation methods, and a broader awareness of security requirements and ITC countermeasures.

About the author

Mats Ohlin has been active in SC 27 since its start in Stockholm in April 1990 and has been the Convenor of WG 3 since 1999. Mr. Ohlin is employed by the Swedish Defence Materiel Administration (FMV), the procurement agency for the Swedish Defence. At FMV he holds the position of Chief Engineer/Strategic Specialist in the area of Information and IT Security.

About the author

Miguel Bañón is a well-known expert working in WG 3. He is also the SC 27 Head of Delegation for Spain.


Software and system engineering

Shaping the software agenda

by Peter Kay, Director of Services at FAST Corporate Services Ltd.

Starting out on a software asset management project can feel like a journey into the unknown … but it doesn’t have to be a high risk venture.

A bit of shrewd project planning and a best practice approach, based on the new ISO/IEC standard for software asset management, will give you all the confidence you need to manage your risks, control your costs and achieve competitive advantage.

Why standards matter

In any field of business, standards are a powerful tool. They define important aspects of safety, reliability and quality, and they enable organizations to operate in global markets. Standards deliver market credibility and integrity by demonstrating an organization’s commitment to “ product ” and customer service excellence. They also help reduce costs and strengthen the competitive edge.

In the fast-moving world of IT, standards are essential, and impartial bodies like the British Standards Institution (BSI) play a critical role in shaping the agenda. By offering access to knowledgeable IT experts who are able to counsel on the key issues governing technology today, BSI is able to represent the interests of the United Kingdom across the full range of European and international standards organizations and their working groups.

Rolling out an IT standard from inception to resolution is a thought-provoking process that takes time, effort and focus. In order to ensure that the end product is fair and just, international standards development follows a highly regulated structure that must conform to rigorous processes and methodologies.

Those lucky enough to be invited to join a standards decision-making forum receive a fascinating insight into the intricacies of cross-cultural trade. Three years ago, when I was asked by Roger Wittlock, the Convenor of Working Group 21 and representative of the Swedish Standards Institute, to join the Working Group responsible for overseeing the development of the new standard for software asset management (ISO/IEC 19770), I jumped at the chance.

Managing risk, reducing costs

If you’re in business, you’ll already know that software asset management (SAM) matters. According to the market intelligence firm IDC, software piracy currently accounts for USD 34 billion in lost revenues. A drop of 25 % in the global piracy rate would create as many as 2,4 million new jobs, along with USD 400 billion in economic growth and USD 67 billion in tax revenues worldwide.


Yet, while an effective and smooth-running IT environment is essential for optimum business performance and staff productivity, it can be tricky to gain (and then maintain) control over IT assets unless a company has a clear strategy and the support of rigorous policies and procedures.

In January 2005, FAST Corporate Services and BSI Professional Services teamed up to launch the FAST Standard for Software Compliance v1 (FSSC-1). Created in the wake of research showing that nearly half of all companies in the United Kingdom were vulnerable to legal action (unlimited fines and up to 10 years in prison for company directors) due to software non-compliance, FSSC-1 was designed to eliminate legal risks and improve business profitability.

Just two years on, more than 3 000 FAST member organizations are now moving towards accreditation. Of course, this is great news in its own right, but for those members making the FSSC-1 investment, last year’s launch of ISO/IEC 19770 Part 1, and the forthcoming release of Part 2, offer an exciting opportunity to have their investment recognized on a global stage.

Understanding ISO/IEC 19770-1

Crafted by ISO and the International Electrotechnical Commission (IEC), who together create the framework for worldwide standardization, ISO/IEC 19770 is all about helping organizations to achieve a high degree of confidence about their ability to manage risks, control costs and achieve competitive advantage.

ISO/IEC 19770 Part 1 (launched in May 2006) helps businesses prove that they are performing SAM to a standard sufficient to satisfy corporate governance requirements, and ensure effective support for IT service management overall. Part 2, which is currently at “ discussion document ” stage, will simplify and support the software inventory process by standardizing and formalizing how software is labelled, enabling easier identification and reconciliation when it comes into force in either 2007 or 2008.

By providing an internationally recognized benchmark for organization-wide software asset management, ISO/IEC 19770-1 enables organizations to :

• increase awareness of the importance of standardized IT (environment and processes) ;

• improve IT environment and purchase volume control ;

• enhance internal processes for monitoring and administrating installed software and licenses ;

• strengthen software forecasting and budgeting ;

• minimize over-licensing and remove under-licensing ;

26 ISO Focus May 2007

Page 29: ISO Focus 5-2007...• ISO/IEC 90003 – The quality improvement tool for software engineering • ISO/IEC 19770 and the software industry • The first year : An update on ISO/IEC

• guard against prosecutions, lawsuits and fines ;

• prepare software inventories in advance of potential mergers, de-mergers or acquisitions.

However, the journey towards ISO/IEC 19770-1 compliance is not without challenges. To be as prudent as possible with the financial and human resources that have been allocated to software compliance projects, companies are well advised to find out more about introducing a best practice approach to SAM project planning before beginning the process.

Expedition unknown !

Many organizations considerably underestimate the full scope of the software compliance challenge and rush into SAM programmes without taking the time to conduct proper risk analysis and contingency planning – and that’s when it can get both expensive and frustrating.

Coping with a company-wide SAM programme – especially one that will eventually lead to ISO/IEC 19770-1 certification – is a bit like preparing for a long-haul expedition into unknown territory. To succeed on a journey that may well throw up some complicated team challenges along the way, managers need to prepare thoroughly and then put in place a carefully constructed journey plan with clear milestones.

“ ISO/IEC 19770 is about helping organizations achieve confidence about their ability to manage risks.”

In essence, the key steps in shrewd SAM project planning are simply good business sense ; to be sure of reaching the destination, you first need to be clear about where you want to get to – and then build a detailed project plan that considers the disciplines involved at every stage, as well as the potential pitfalls and obstacles that may occur. That way, you’ll be minimizing the potential risks involved, making sure you keep to your business aims and project objectives as you go, and giving yourself the best chance of sidestepping any problems that do arise before they have a chance to negatively impact goals.

A SAM gap analysis is the ideal tool for making sure that your project towards ISO/IEC 19770-1 compliance stays on track. Properly conducted, it should pinpoint the essential steps to success by :

• carrying out a high-level review of your existing IT infrastructure ;

• identifying the critical vulnerability points and areas of unmanaged risk in your business ;

• assessing the potential gaps in your resources, budget, or management information armoury.

By providing you with a perfect understanding of your organization’s software compliance starting point and then mapping this analysis across into a bespoke project plan (which can be reviewed at regular intervals against your business goals), a risk-based SAM gap analysis will ensure that your company stays on target to achieve a fully compliant software position that is ISO/IEC 19770-1 ready.

Achieving a competitive edge

Over the last five years, United Kingdom companies have paid more than GBP 1.8 million in fines to the Business Software Alliance for using unlicensed software, and more than GBP 7.3 million has been recovered as a result of FAST’s activities. Yet, in the same period, FAST research has revealed that 41 % of United Kingdom businesses are annually wasting thousands of pounds through over-licensing.

The release of the ISO/IEC 19770-1 standard is great news for organizations that want to reduce their risks and increase their competitive advantage, but it needs to be carefully combined with a best practice approach to project planning to get to your end-destination as quickly and cost-effectively as possible.

If reducing SAM project stress and increasing the odds of software compliance success is high on your agenda, you would be well advised to find out more.

About the author

Peter Kay, Director of Services, FAST Corporate Services Ltd was a member of ISO/IEC JTC 1/SC 7/WG 21 – the Working Group responsible for the development of ISO/IEC 19770-1, Information Technology – Software asset management – Part 1 : Processes. He has spent the past 20 years involved in the delivery of services and training concerning International Standards such as ISO 9000, EN 46001 and ISO 14000 and for the last six years in his role as Director of Services, The FAST Standard for Software Compliance (FSSC-1).

About FAST Corporate Services

FAST Corporate Services exists to help businesses of all sizes identify and eliminate the risks of software management. FAST’s programme of education, advice and support has been specially designed to help organizations meet their software legislation requirements, reduce their licensing costs, and achieve excellence in IT and software management. For more information on conducting a SAM gap analysis or the FAST Standard for Software Compliance (FSSC-1), please visit : www.fastcorporateservices.com.


ISO/IEC 90003 – The quality improvement tool for software engineering

by Witold Suryn, Victoria A. Hailey, Andy Coster

ISO/IEC 90003:2004, Software engineering – Guidelines for the application of ISO 9001:2000 to computer software, is an ISO/IEC standard for applying ISO 9001:2000 quality management to software engineering that offers a roadmap to quality software worldwide.

This comprehensive standard covers all aspects of software quality, from acquisition to supply, including development, operation and maintenance of computer software, and provides guidance on how to implement the highly successful ISO 9001:2000 process approach in a software environment.

It provides the software engineering community with a consolidated approach to the development and application of software engineering standards.

For quality to be built into software, the necessary processes that are part of the software life cycle must be identified and developed. The guidance contained in ISO/IEC 90003 is structured to match each and every requirement of ISO 9001.

The guidance information supports the processes identified in ISO/IEC 12207 and builds on ISO/IEC 12207’s fundamental process structure to identify where quality is critical.

The structure of the guidance aligns with other software engineering standards that support various aspects of quality, such as ISO/IEC 15504 (process assessment), ISO/IEC 25000 (software product quality, including product quality evaluation and software package requirements and testing), ISO/IEC 15939 (measurement process), ISO/IEC 14764 (software maintenance), and ISO/IEC 14143 (functional size measurement), among others.

ISO/IEC 90003 makes extensive use of these other documents by cross-referencing, where available, the applicable supporting standards rather than repeating these software best practices.

This approach provides guidance where needed and offers detailed sources from which to better incorporate quality practices. The combined purposes of all these standards support the fundamental objectives of ISO/IEC 90003 : to build quality into software products.

Content and structure

The best description of the content of ISO/IEC 90003 is a direct quote from its Scope clause :

This International Standard specifies requirements for a quality management system where an organization :

• needs to demonstrate its ability to consistently provide product that meets customer and applicable regulatory requirements, and

• aims to enhance customer satisfaction through the effective application of the system, including processes for continual improvement of the system and the assurance of conformity to customer and applicable regulatory requirements.

Figure 1 – The structure of ISO/IEC 90003.

• Quality management system : General requirements (for quality system) ; Documentation requirements

• Management responsibility : Management commitment ; Customer focus ; Quality policy ; Planning ; Responsibility, authority and communication ; Management review

• Resource management : Provision of resources ; Human resources ; Infrastructure ; Work environment

• Product realization : Planning of product realization ; Customer related processes ; Design and development ; Purchasing ; Production and service provision ; Control of monitoring and measuring devices

• Measurement, analysis and improvement : General ; Monitoring and measurement ; Control of nonconforming product ; Analysis of data ; Improvement

From the perspective of the user, both the content and structure of this standard offer practical guidance through the application of a quality system (ISO 9001:2000) that is dedicated to software engineering.

This particular approach has well-founded merit : software engineering rapidly gains its value as a socially critical engineering discipline, and as such requires appropriate regulations and support in the form of dedicated standards.

The first glance at the structure of the standard (Figure 1) demonstrates the completeness of perspectives from which the application of quality in software engineering is being discussed.

The systematic perspective (quality management system) helps the user in verifying and/or establishing the structure and type of processes together with necessary documentation, required and appropriate for the organization to build an effective quality system.

The management perspective (management responsibility) allows for identifying, defining and setting up the corporate policy and culture that supports the overall objective of producing quality products.

The resource perspective (resource management) focuses on dedicated quality resources (a pioneering approach) indicating to users of the standard those specific issues that should be taken into consideration when building a professional team of quality specialists.

The product perspective (product realization) goes into exhaustive details in establishing the matrix of processes that support the creation of the software product (generic development process, purchasing), the planning and management of the realization process, the relationship with the customer, and production and post-delivery support.

Finally, the improvement perspective (measurement, analysis and improvement) helps identify the monitoring, measurement and analysis activities required to maintain and improve the quality of products.

For each of these perspectives, ISO/IEC 90003 provides guidelines on the topics that are important to software engineers, including planning, configuration management and software testing, supported by cross references to other ISO/IEC standards. This is illustrated in Figure 2 below.

The graphic in Figure 2 shows how the standards interrelate : ISO/IEC 12207 software life cycle processes are the core of the software engineering model since they typify the processes and best practices that should be used to develop good software.

Figure 2 – Model showing the relationships between ISO/IEC software engineering standards and ISO 9001. (© Victoria A. Hailey – reprinted with permission)

ISO 9001 requirements – ISO/IEC 90003 software guidance – ISO/IEC 12207 software life cycle processes, with available guidance from : ISO/IEC 14598 (software product evaluation) ; ISO/IEC 25000 (software product quality) ; ISO/IEC 15910 (software user documentation) ; ISO/IEC 14764 (software maintenance) ; ISO/IEC 14102 (evaluation and selection of CASE tools) ; ISO/IEC 14143 (software measurement) ; ISO/IEC 15504 (process assessment ; supplier selection management) ; ISO/IEC 15846/10007 (configuration management, now withdrawn) ; ISO/IEC 16326 (project management) ; ISO/IEC 15939 (software measurement process).

“ ISO/IEC 90003 offers a roadmap to quality software worldwide.”

The above five perspectives give the user a complete and relatively simple analysis mechanism, allowing for rather precise definitions of quality-related process requirements that, when satisfied, should result in an effective corporate quality system for high quality software products.

ISO/IEC 12207 processes are then supported by the available standards’ best practices guidance, such as ISO/IEC 15939, ISO/IEC 14143, ISO/IEC 15504, and so on. A measurement program can be established for ongoing monitoring of products, processes and services to ensure each process is achieving its objectives.

The ISO/IEC 15504 process assessment model provides a repeatable framework for determining the maturity or capability of the entire set or of individual processes. ISO/IEC 90003 in turn provides the overall software guidance needed to “ interpret ” and meet the requirements of ISO 9001 as the overall generic quality model.

Applicability areas

ISO/IEC 90003 is applicable to software that forms part of either a commercial contract or of a product’s development (including where it is embedded in systems), as well as being useful as guidance for process improvement and service delivery.

For software that is part of a commercial contract with another organization, ISO/IEC 90003 is clearly applicable, since ISO 9001 was originally conceived to fit this requirement.

This was one of the main intended applications of ISO/IEC 12207 as well. Both ISO/IEC 12207 and ISO/IEC 90003 are oriented toward software projects. ISO/IEC 90003 has helped the software organization focus on software requirements and customer satisfaction by providing detailed guidance for the requirements of ISO 9001:2000.

For software being developed as a product available for a market sector, since the ISO/IEC 90003 standard is life cycle independent, it is equally applicable to projects and product acquisition, development, operation, and maintenance.

For software embedded in a hardware product, ISO/IEC 90003 can be used for the software development since the relationship to ISO 9001 is strong and provides linkages to the system in which the software may be embedded.

Additionally, ISO/IEC 90003 may be used to support, develop and improve the processes of an organization, especially since the requirements of ISO 9001 place such a heavy focus on these aspects of a quality management system.

Guidance is provided in the core process areas of software realization and in measurement, analysis, and improvement, together with the software aspects of human and infrastructure resources, which should all be of benefit in defining or refining business processes.

ISO/IEC 90003 has some applicability to service delivery in providing guidance about software development useful in the provision of software services and also specific advice around operation and maintenance services. Service development and delivery aspects are not specifically covered in the guidance in ISO/IEC 90003.

New addition to ISO/IEC 90003 – ISO/IEC TR 24783 – Guidelines for systems

This year will see the publication of a companion document to ISO/IEC 90003, this time providing advice on the implementation of systems (Technical Report TR 24783). TR 24783 uses ISO/IEC 15288, Systems Engineering – System life cycle processes, as the basis for guidance rather than ISO/IEC 12207.

The treatment of advice is slightly different from ISO/IEC 90003 in that the guidance explains each paragraph of ISO/IEC 15288 in tabular format and shows how it relates to ISO 9001. ISO/IEC 15288 and ISO/IEC 12207 are undergoing major revisions this year so the standards “ challenge ” is to keep the advice up to date to reflect these revisions and to continue to provide best advice to users.

Conclusions

The complexity of software demands rigor in the approach to its development as well as a higher benchmark toward which organizations must strive as they work their processes.

As users of software become more demanding, more sophisticated and less forgiving of defects, the benchmarks will continually be raised as reflected in the increasingly mature demands ISO 9001 places on adherents of its philosophy.

ISO/IEC 90003 must indeed follow suit to provide evidence that the software industry is capable of meeting the demands of its customers. ISO/IEC 90003 offers an important perspective on software engineering quality since it shows the integration of the various aspects of software engineering that must be considered to build quality into software.

As users’ demands increase, so too must more emphasis be placed on the determination and satisfaction of customers’ requirements. The quality of software processes must continually improve if customers’ increasing demands are to be met. With ISO/IEC 90003 as a guide, the task is made just that much easier.

“ ISO/IEC 90003 covers all aspects of software quality.”

Among the many uses for ISO/IEC 90003, the following should be recognized as the most important :

• Guidance in the interpretation of ISO 9001:2000, particularly to support the certification process for an organization ;

• Process improvement programme, as a model to compare the organization’s processes against organizational development (similar to improvement but for organizational aspects such as resources and infrastructure) ;

• Professional development, to gain an appreciation of good practice and the factors affecting quality software development, operation, and maintenance.

The benefits of both using and applying the ISO/IEC 90003 standard are multiple, with some being of special importance.

Among them, the interpretation of ISO 9001:2000 for software that is in the language of software specialists ; a process framework that can be tailored to suit business needs, while fitting all styles of business ; and a basis for communication and coordination of software development, operation and maintenance that reduces development risk, should all gain tremendous appreciation from the standard’s users.

A world-class approach to software engineering and software quality management, integrated with ISO/IEC 12207’s software life cycle management and other SC 7 software standards, offers the mechanisms to improve the processes of quality for software design, development, operations and maintenance and helps an organization improve customer focus and satisfaction.

About the authors

Dr Witold Suryn is a Professor at the École de Technologie Supérieure, Montreal, Canada (engineering school of the Université du Québec network of institutions), where he does research and teaches software engineering. Dr Suryn is also the principal researcher and the director of GELOG : IQUAL, the Software Quality Engineering Research Group at École de Technologie Supérieure. He is the ISO/IEC SC 7 International Secretary. He can be contacted at : [email protected] and http://www.ele.etsmtl.ca/prof/wsuryn/

Victoria A. Hailey is a Certified Management Consultant and Senior Consultant of The Victoria Hailey Group Corporation which focuses on helping the software, systems and service industries manage risk. Actively involved in International Standards, she was ISO/IEC JTC 1/SC 7 Working Group 18 Convenor of Quality Management for ISO/IEC 90003. She is also a member of ISO/IEC/SC 27 and SC 27-SC 7 liaison as well as the Canadian delegate to ISO/IEC/SC 7/WG 10 developing the SPICE standard (ISO/IEC 15504), and ISO/IEC JTC 1/SC 7’s liaison to TC/176 for ISO 9000. She can be contacted at : www.vhg.com.

Andy Coster is Process Control Manager at Samsung Electronics in the United Kingdom. He was Chair of the British Standards Institute Software Engineering Committee (IST/15) and chair of the United Kingdom Computing Software and Services Association Quality Committee. He was international project editor for the ISO 90003 Software engineering project and also participated in the development of ISO/IEC 12207 Software life cycle processes and ISO/IEC 15288 System life cycle processes projects. He can be contacted at : [email protected].


Figure 1 – Organizational Management Processes for Software Asset Management (SAM)

Organizational Management Processes for SAM :

• 4.2 Control Environment for SAM : Corporate Governance Process for SAM ; Roles and Responsibilities for SAM ; Policies, Processes and Procedures for SAM ; Competence in SAM

• 4.3 Planning and Implementation Processes for SAM : Planning for SAM ; Implementation of SAM ; Monitoring and Review of SAM ; Continual Improvement of SAM

Core SAM Processes :

• 4.4 Inventory Processes for SAM : Software Asset Identification ; Software Asset Inventory Management ; Software Asset Control

• 4.5 Verification and Compliance Processes for SAM : Software Asset Record Verification ; Software Licensing Compliance ; Software Asset Security Compliance ; Conformance Verification for SAM

• 4.6 Operations Management Processes and Interfaces for SAM : Relationship and Contract Management for SAM ; Financial Management for SAM ; Service Level Management for SAM ; Security Management for SAM

Primary Process Interfaces for SAM :

• 4.7 Life Cycle Process Interfaces for SAM : Change Management Process ; Software Development Process ; Software Deployment Process ; Problem Management ; Acquisition Process ; Software Release Management Process ; Incident Management Process ; Retirement Process

ISO/IEC 19770 and the software industry

by Roger Wittlock, Convenor of ISO/IEC JTC 1/SC 7/WG 21, Software asset management

ISO/IEC 19770-1:2006, Information technology – Software asset management – Part 1 : Processes, is a new International Standard for administration of assets such as software and software licenses. The standard is intended to align closely to, and to support, ISO/IEC 20000, issued in two parts under the general title, Information technology – Service management.

The standard is an excellent tool for private and public organizations of any size to implement efficient software handling procedures, which leads to a variety of improvements, including a controlled IT environment and reduced risks.

Figure 1 shows the conceptual framework for the Software Asset Management (SAM) processes, and is broken down into three main categories :

• Organizational management processes ;

• Core processes ;

• Primary process interfaces.

Licenses and agreements

Adhering to all licenses and agreements reduces the risk of revisions from suppliers or their organizations. Implementation of the standard also strengthens competitive advantages through faster and better decisions based on improved data.

In addition, the standard provides improved financial control, better positioning in negotiations and lower cost for software management. Risk management will be improved with decreased exposure to legal and regulatory risks as well as decreased risk for bad will. An issue of Computer Sweden (6 October 2006) notes that three companies will pay damages to the industry group Business Software Alliance (BSA) for using software without valid licenses. The names of two of the three companies are published in the article. The implementation of ISO/IEC 19770-1 will eliminate this problem, as BSA will not even knock on the door for auditing purposes.

IT assets

More complex license agreements – often with annual updates – can cause licensees to buy more copies than required simply to be on the safe side. ISO/IEC 19770-1 implementation will make such inefficiency unnecessary.

Software asset management principles apply to the media, installations, licenses, proof of license, and intellectual property associated with the software.

Until now, the application of these business processes has been arbitrary and relatively few organizations have been able to implement a comprehensive strategy.

The implementation of ISO/IEC 19770-1 will standardize the framework, making it possible for companies to integrate SAM into their other compliance and best practice models.

Methods

Many people are surprised when experts say that administration of IT assets is 20 % tools and 80 % method. A common misunderstanding is that everything related to software asset management can be solved with the right mix of tools.

But if an organization cannot demonstrate evidence of a purchase, they may have to pay more than once for the software. Many organizations have spent a considerable amount of money after failing to properly administer proof of purchase.

The implementation of a software asset management system eliminates these shortages in software asset management methods.

Control

A managing director should never sign a paper saying that all financial accounting within an organization is correct (for example, as required by the Sarbanes-Oxley Act) unless software management is under full control.

Without this assurance, no organization can be sure that there will be no future costs due to erroneous licensing, and it will also be impossible to know how much is spent on unused software.

The importance of a quality management system

Several important areas within a management system for quality involve information handling, for example communication, security and documentation. An organization infrastructure consists of such elements as buildings, machines, internal services, hardware and software.

Hardware and software increase in importance as more information is stored, handled and communicated electronically. Software is a part of IT assets, and ensuring its validity has internal importance as well.

About the author

Roger Wittlock holds a Bachelor of Science in System Analysis from the University of Linköping in Sweden. He is Convenor for the working group responsible for developing ISO/IEC 19770. ISO/IEC 19770 is developed under ISO/IEC JTC 1/SC 7, Software and system engineering. He is also Convenor for the Swedish mirror working group for ISO/IEC 19770. He and Mr. Mårten Främback are the originators of ISO/IEC 19770. Roger Wittlock has held global positions in several international companies. Currently he is working for AstraZeneca as Global IS Security Manager and lives south of Stockholm, Sweden. Roger Wittlock can be contacted at : [email protected]

Software asset management in the future

The next step for ISO/IEC 19770 will be the release of Part 2, a SAM “ tag ” or data standard. Part 2 could have a major impact on the IT industry, but its progress will require substantial industry interest. With the intensive efforts of the major players in the software industry, a well-supported Part 2 could be released as a standard by late 2008.

The SAM tag will be a standardized way to define license information and other data about a file. Some years ago I was involved in a project in which it was important to find all licensed applications installed on 1 800 PCs and laptops.

Using traditional inventory tools and runner, we developed a database with 78 000 unique files, some with license relevance, and spent 42 working days manually finding all 440 licensed applications in the database.

Thanks to Part 1 and Part 2 of ISO/IEC 19770, the same exercise should require only minutes in the future. Developers of software inventory tools will align their tools to the SAM tag, making the tools very efficient.

New services will be built around the standard. There are already certification schemes available for those who want to certify against ISO/IEC 19770-1 (processes) and many powerful services and tools will be developed around ISO/IEC 19770-2 (tag).

Figure 2 describes the tagging life cycle.

The Swedish Ministry of Industry, Employment and Communication is investigating how standards can be utilized to make public administration more effective. The Swedish ISO/IEC 19770 mirror working group will attempt to influence Sweden to make ISO/IEC 19770-1 a mandatory standard in public administration. As a first step, the standard is translated into Swedish and was published as a Swedish Standard in October 2006.

But remember, it doesn’t matter how good the tools are if you don’t have proper processes in place.

Figure 2 – Tagging Life Cycle

Tag Creation

• Create asset tag to identify software and origin, creators furnishing most mandatory identity tag elements

• Create optional identity tag elements to facilitate identification and SAM

• Create asset tag when none is provided by manufacturer, modifiers or consumers furnishing tag data in such an instance

Tag Modification

• Modify asset tag information, particularly incomplete mandatory tag elements

• Provide additional asset tag information, such as those identity elements pertaining to release management

• Ensure consistent and uniform values in tag data

Tag Consumption

• Implement asset tag information for SAM purposes

• Rely on asset tag information as in compliance with ISO standards
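The tag life cycle and the inventory reconciliation described above, as an added example that is not part of the article or of ISO/IEC 19770-2 : a small Python routine that flags tag records with missing mandatory identity elements (tag modification), normalizes the remaining records to consistent values, and compares installed copies against purchased seats to report under- and over-licensing (tag consumption). The mandatory element names, the inventory and the entitlement records are all constructed assumptions for this example.

```python
"""Added SAM tag reconciliation example (not from ISO/IEC 19770 or the article)."""
from collections import Counter

# Hypothetical mandatory identity elements. Part 2 was still a discussion
# document when the article was written, so these names are an assumption.
MANDATORY_ELEMENTS = ("product", "version", "publisher", "unique_id")

# Constructed inventory: one tag record per installed copy, keyed by host.
INVENTORY = [
    {"host": "pc-001", "product": "Acme Office", "version": "3.1",
     "publisher": "Acme Corp", "unique_id": "acme-office-3"},
    # Same product, but the tag values are not uniform (case, whitespace).
    {"host": "pc-002", "product": "acme office ", "version": "3.1",
     "publisher": "ACME CORP", "unique_id": "acme-office-3"},
    {"host": "pc-003", "product": "Acme Office", "version": "3.1",
     "publisher": "Acme Corp", "unique_id": "acme-office-3"},
    {"host": "pc-004", "product": "DrawPro", "version": "7",
     "publisher": "Pixel Ltd", "unique_id": "pixel-drawpro-7"},
    # Incomplete tag: the mandatory unique_id element is missing.
    {"host": "pc-005", "product": "DrawPro", "version": "7",
     "publisher": "Pixel Ltd"},
    # Installed software for which no proof of purchase exists.
    {"host": "pc-006", "product": "Legacy DB", "version": "2",
     "publisher": "Oldware", "unique_id": "oldware-db-2"},
]

# Constructed entitlements: seats the organization can prove it purchased.
ENTITLEMENTS = [
    {"product": "Acme Office", "publisher": "Acme Corp", "seats": 2},
    {"product": "DrawPro", "publisher": "Pixel Ltd", "seats": 5},
]


def missing_elements(tag):
    """Tag modification step: list mandatory elements that are absent or blank."""
    return [k for k in MANDATORY_ELEMENTS if not str(tag.get(k, "")).strip()]


def product_key(record):
    """Uniform values: compare publisher and product ignoring case and padding."""
    return (record["publisher"].strip().casefold(),
            record["product"].strip().casefold())


def reconcile(inventory, entitlements):
    """Tag consumption step: count installs per product and compare with seats.

    Returns (report, incomplete). report maps product_key -> dict with the
    installed count, entitled seats and a status string; incomplete lists the
    tags that could not be counted because mandatory elements are missing
    (an unidentifiable install is itself a compliance gap to follow up).
    """
    incomplete = [t for t in inventory if missing_elements(t)]
    installed = Counter(product_key(t) for t in inventory
                        if not missing_elements(t))
    entitled = {product_key(e): e["seats"] for e in entitlements}
    report = {}
    for key in installed.keys() | entitled.keys():
        n_inst = installed.get(key, 0)
        n_ent = entitled.get(key, 0)
        if n_inst > n_ent:
            status = "under-licensed"   # legal and financial exposure
        elif n_inst < n_ent:
            status = "over-licensed"    # wasted spend
        else:
            status = "compliant"
        report[key] = {"installed": n_inst, "entitled": n_ent,
                       "status": status}
    return report, incomplete


if __name__ == "__main__":
    report, incomplete = reconcile(INVENTORY, ENTITLEMENTS)
    for (publisher, product), row in sorted(report.items()):
        print(f"{product} ({publisher}): installed={row['installed']} "
              f"entitled={row['entitled']} -> {row['status']}")
    for tag in incomplete:
        print(f"{tag['host']}: incomplete tag, missing {missing_elements(tag)}")
```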


The first year : An update on ISO/IEC 20000

by Jenny Dugmore, Convenor ISO/IEC JTC 1/SC 7/WG 25

Starting in 1989, the British Standards Institution (BSI) committee published codes of practice on service management as the result of industry demand. It was recognized that there should be alignment between the standards and the United Kingdom’s best practice advice on service management. This advice is the IT Infrastructure Library (ITIL® 1). The alignment influenced the development of the standard. In turn, ISO/IEC 20000, Information technology – Service management, has influenced the most recent edition of ITIL.

In the year 2000, the first specification for use in certification audits was published as BS 15000. Following feedback from an early adopters’ scheme, Edition 2 became a management system standard.

Both parts of BS 15000 were submitted for fast-tracking and became ISO/IEC 20000-1 and -2, in December 2005. The standard is now managed by SC 7, as shown in Figure 1.

What is ITIL ?

ITIL is a framework developed by the United Kingdom Office of Government Commerce (OGC), but it is now used extensively in the private sector and has been adopted in more than 40 countries. ISO/IEC 20000-1 is often considered to be the distillation of the “ must do ” practices of ITIL.

For example, invitations to tender and contracts previously referenced the adoption of ITIL best practices ; certification under ISO/IEC 20000 is now required instead. The relationship between ITIL and the standard is shown in Figure 2.

ISO/IEC 20000 and ITIL v2 were not fully aligned, largely because ISO/IEC 20000-1:2005, Information technology – Service management – Part 1 : Specification, is a specification that defines best practice principles, i.e. what has to be achieved. In contrast, ITIL covers how it can be achieved.

There are also some differences due to the nature of the development and publication timetables, but the differences have presented no barrier to ISO/IEC 20000 being considered the ITIL standard.

ISO/IEC 20000 is intentionally less prescriptive about the how of best practice service management so that the standard remains widely applicable to all sizes and types of organization.

Figure 1 – Where does ISO/IEC 20000 fit ? (organigram : ISO and IEC jointly form ISO/IEC JTC 1 ; its subcommittees include SC 1, SC 2, SC 3, SC 7, SC 8 … SC 27 ; SC 7’s working groups include WG 2, WG 3, WG 21, WG 22 and WG 25, alongside an ICT Governance Study Group)

Figure 2 – A working relationship
• ISO/IEC 20000-1 : Part 1 – Specification of compulsory requirements
• ISO/IEC 20000-2 : Part 2 – Code of practice, advice and explanations of Part 1
• ITIL : practitioners’ detailed best practice guidance
• In-house policies, processes and procedures : implementation

1 ITIL® (IT Infrastructure Library) is a registered trade mark of OGC (the Office of Government Commerce), Rosebery Court, St. Andrew’s Business Park, Norwich, Norfolk, NR7 0HS.


Certification audits

In response to industry demands in 2003, the IT Service Management Forum (itSMF) established a registration scheme for accredited certification bodies to conduct audits under BS 15000-1, which has now been converted to a scheme for ISO/IEC 20000-1.

itSMF is a global, independent, internationally recognized not-for-profit organization dedicated to IT service management. It consists of more than 40 national chapters and an umbrella organization, itSMF-International. itSMF is actively involved in industry best practices such as ITIL and standards, including the development of ISO/IEC 20000.

itSMF’s scheme is compatible with the International Accreditation Forum’s (IAF) guidance for management system audits. That guidance, currently based on ISO/IEC Guide 62, is being converted to ISO/IEC 17021:2006, Conformity assessment – Requirements for bodies providing audit and certification of management systems. The scheme has more than 20 registered certification bodies, with auditors and consultants trained under an itSMF-managed scheme.

itSMF is now actively supporting the assessment and accreditation of its registered certification bodies by national accreditation bodies such as the United Kingdom Accreditation Service (UKAS), and is in discussion with IAF.

The impact of ISO/IEC 20000

Service management (and ISO/IEC 20000) apply to the delivery and support of services, the activities considered to be the largest part of the total cost of ownership (TCO). This does not apply only to an individual organization ; improvements in efficiency brought about by adopting best practice service management can have a significant impact on gross domestic product, a measure of the economic activity of an entire country.

This emphasizes the importance of improvements in service management, where a 50 % reduction in unit costs of activities such as resolving failures or of implementing changes may be achieved.

The potential for improvement in the service while also reducing underlying costs has accelerated the uptake of ISO/IEC 20000.

For most organizations audited under BS 15000, the change to ISO/IEC 20000 has already occurred as part of a normal surveillance audit. Many new organizations have adopted ISO/IEC 20000. Some were interested in a standard for service management, but waited for an International Standard for reasons of policy or regulation.

Starting from the base of BS 15000, which was consistently in the BSI’s best seller list, there are approximately 300 organizations certified under ISO/IEC 20000, either under the itSMF scheme or under one of the other schemes that have been established worldwide. Many more audits are planned. Some organizations have been audited against an “ Extension to scope of ISO 9001:2000 ”, with the scope of registration referring to the organization’s compliance to the ISO/IEC 20000 standard.

The standard has appeared regularly on ISO and national bodies’ best seller lists. Approximately 3000 copies of the original English language ISO/IEC 20000-1 have been sold in the first year since publication, with sales of ISO/IEC 20000-2:2005, Information technology – Service management – Part 2 : Code of practice, at the same level. Several national implementations and translations have also been published and sold, with more being planned.

Much of the popularity of the standard, certification audits, training and qualifications is due to the close relationship between the standard and ITIL. In effect, the ubiquitous ITIL and itSMF have helped generate a market that is even larger than that for BS 15000.

ISO/IEC 20000-based training courses have been developed for auditors, consultants and practitioners. Organizations such as the Examination Institute for Information Science (EXIN), the Information Systems Examination Board (ISEB), APM Group (the official accreditor for ITIL), the International Register of Certificated Auditors (IRCA) and commercial training organizations are actively involved worldwide.

Training, examinations and qualifications are available in local languages. An auditor certification programme for ISO/IEC 20000 has also recently been launched by IRCA, in conjunction with the Japan Information Processing Development Corporation (JIPDEC).

The future plans for ISO/IEC 20000 are a balance between a period of stability for ISO/IEC 20000 users and a commitment to improving the standard that was made during fast-tracking.

A new ISO/IEC 20000-3

WG 25 has drafted a new ISO/IEC 20000-3 and sent this out to the rest of SC 7 for comment. Part 3 provides advice to service providers on applicability, scoping and scope statements and is based on documents originally developed as part of the BS 15000 series. It is also based on practical experience gained with actual service improvement programmes and certification audits and includes material contributed by itSMF.

“ The potential for improvement in service while reducing costs has accelerated uptake of ISO/IEC 20000.”

Figure 3 − Simple cases for scoping (diagram : Customer A is served by an external service provider, ISO/IEC 20000 certificated, and Customer B by an internal service provider, ISO/IEC 20000 certificated ; each provider draws on a lead supplier and a supplier, with sub-contracted suppliers beneath them)

Figure 4 − How Part 3 fits in (diagram of ISO/IEC 20000 : Part 1, requirements based on the normative verb “ shall ” ; Part 2, interpreting Part 1, guidance shown by the informative verb “ should ” ; Part 3, applicability and scope)

Part 3 is comprised mainly of practical examples that illustrate applicability, scoping and scope statements. Examples of simple cases for scoping are shown in Figure 3.

This new code of practice has been produced because applicability, the scoping of service management for planning, and acceptable scope statements for an audit generate more questions than any other aspect of ISO/IEC 20000. The respective roles of each part of ISO/IEC 20000 are illustrated in Figure 4.

WG 25 currently has no plans for a standard for certification schemes or audit guidelines and intends that the advice in Part 3 should not duplicate International Accreditation Forum (IAF) or Committee on Conformity Assessment (CASCO) publications. WG 25 has opted to provide input to IAF for guidance on conducting audits under ISO/IEC 20000-1. The IAF is represented on WG 25.

The third edition of ITIL

The programme developing the new edition of ITIL is based on views collected during consultations with many people in the service management industry, in many countries. It included OGC’s support for continuation of the relationship between ITIL and the standard. Although at the time of this writing details of the ITIL v3 contents were still subject to a non-disclosure agreement, information in the public domain outlines the five stages of ITIL v3’s service management lifecycle :

• service strategy ;

• service design ;

• service transition ;

• service operation ;

• continual service improvement.

ITIL v3 includes management involvement, accountability, responsibilities, policies and continual improvements, which are all essential to achieving a management system standard. ITIL v3 is not expected to have a major impact on the interpretation and use of ISO/IEC 20000, nor on the associated ISO/IEC 20000 certificates, certification schemes or training and qualifications.

However, the size of the ITIL user base will inevitably mean that any differences between the two sets of documents will be the subject of lively debate. The service management industry is also expected to seek reassurance from a mapping across ITIL v3 and ISO/IEC 20000, as was produced for ITIL v2.

Improvements to parts 1 and 2

Since BS 15000 was aligned to ISO 9001 in 2002, understanding of what is required for an effective integrated management system has evolved and improved. The benefits of an integrated management system have already triggered the first stage of redrafting of ISO/IEC 20000-1 by WG 25. This is important as many audits are done in combination with ISO 9001 or ISO/IEC 27001 audits.

All improvements to Part 2 have been scheduled for a slightly later stage, when there is clarity on what changes will be made to Part 1.

Harmonization of standards and ISO/IEC 20000

The majority of WG 25’s discussion on changes to ISO/IEC 20000 has been linked to SC 7’s overall programme of harmonization. While it is generally considered self-evident that a harmonized approach to IT standards would be an advantage to the IT industry as a whole, there is not yet a consensus on what this means for ISO/IEC 20000.

Areas for harmonization that are being debated are shown in Figure 5. These include aligning ISO/IEC 20000 and the ISO 9000 series, the links between ISO/IEC 20000 and the IT security series, harmonization of terms in standards and best practice materials, and harmonization of ISO/IEC 20000 and SC 7’s standards for software and systems engineering. WG 25 is also considering the output from an SC 7 study on ICT governance standards.

Harmonization of SC 7 standards has been described by Francois Coallier, the SC 7 Convenor : “ …the harmonization process we have initiated for ISO/IEC 20000 is a two-way street and…we are looking forward to the contribution of the ICT operation community to our standardization work — like the systems engineering community did and is still doing ”.

Because ISO/IEC 20000 is closely aligned to ISO 9001, the two have a similar approach to management responsibilities and continual improvements. ISO/IEC 20000 is also based on principles that define what to achieve, with relatively few requirements on how the service provider does this. This approach was used so that service providers could adapt best practices to their own circumstances and business needs. The flexibility of how to achieve ISO/IEC 20000 also means that ISO/IEC 20000 is widely applicable.

In contrast, SC 7 standards such as ISO/IEC 12207 and ISO/IEC 15288 have been developed with a rigorous approach to structure and consistency of how requirements are stated. This includes a common structure of purpose, outcomes, and activities/tasks. For example, this type of standard requires the number of activities/tasks to fall within defined limits for each process. The requirements cover more of the how to for each process, with the how to being more prescriptive than the equivalent in ISO/IEC 20000.

The history of ISO/IEC 20000 also affects the harmonization of terms across standards and other best practice material. Special terms were avoided wherever possible during the development of BS 15000 ; the standard includes 15 special terms, an unusually small number for this type of document. Instead, words in ISO/IEC 20000 are used with the meaning given in commonly used English language dictionaries (as also used by ISO editors).

Figure 5 – Harmonization : many options (diagram of the candidates around ISO/IEC 20000 : the ISO 9000 series ; terms, or the “ Oxford English Dictionary ” ; the IT security “ 27000 series ” ; governance standards ; and SC 7’s software and systems engineering standards ISO/IEC 12207, 15288, 15289, 15504, 19770 and 24774)

“ ISO/IEC 20000 also affects the harmonization of terms across standards.”

Analysis during fast-tracking of BS 15000 showed there were actually relatively few conflicts between the terms used in ISO/IEC 20000 and other standards.

However, those that do conflict are expected to be considered relatively fundamental differences.

Updating the mapping of terms in ISO/IEC 20000 and those used in SC 7 standards, the ISO 9000 series and the ISO/IEC 27000 series is part of the WG 25 work plan. The mapping may be an interim stage before more changes are made to SC 7 standards. Alternatively, the mapping could become part of ISO/IEC 20000.

About the author

Dr. Jenny Dugmore is Director of Service Matters, a service management consultancy company. Her career spans operational senior management, service management and consultancy. Dr. Dugmore chairs the British Standards Institution (BSI) committee that produced BS 15000, on which ISO/IEC 20000 was based. She was the Project Editor for the drafting of ISO/IEC 20000 and is now the Convenor of the working group responsible for ISO/IEC 20000. Dr. Dugmore is on the United Kingdom’s ITIL Refresh Management Board. She is also the UKAS technical expert on service management, working on assessment of certification bodies for accreditation of ISO/IEC 20000 certification schemes. In 2005 itSMF awarded her the Paul Rappaport Lifetime Achievement Award for her contribution to service management. She can be contacted at : jenny.dugmore@service-matters.com

ISO/IEC 25000 SQuaRE series of standards

by Motoei AZUMA, Convenor of ISO/IEC JTC 1/SC 7/WG 6 and SQuaRE Series Project Editor, and Professor, Department of Industrial and Management Systems Engineering, Waseda University

This article gives an overview of the concepts and architecture of SQuaRE (Software Product Quality Requirements and Evaluation). The ISO/IEC 25000 SQuaRE series of International Standards covers software quality requirements and evaluation. In addition, the series recommends measures of software product quality attributes that can be used by developers, purchasers, and evaluators.

Developing and selecting high quality software products is critical, as society depends on computers in so many ways, including large scale infrastructure facilities like electric power plants, city traffic control systems, online banking systems, air traffic control systems and telecommunications.

Information systems essential for business in a global economy include production control systems, supply chain management systems and e-commerce systems, and for research and education, for example, e-Learning and computer aided design (CAD). Computers are also used as parts of embedded systems and if these systems fail or do not operate as intended, the impact can be enormous, so software quality is crucial to a computerized society.

The SQuaRE series of International Standards is dedicated to software product quality only. The SQuaRE ISO/IEC 25000 series of standards addresses software product quality requirements, measurement and evaluation, and is separate and distinct from the quality management of processes, defined in the ISO 9000 family of standards.

“User needs should be identified and transformed into requirement specifications in the design.”

Figure 1 − How to improve software product quality (diagram with the boxes Needs and requirements, Products, Process, and Resources and environment, and the actions : define quality requirements for all quality characteristics using measures ; measure and evaluate product quality at every possible stage ; assess and improve the process ; develop better corporate culture, environment and supporting function ; assign better human resources ; use better tools and techniques)

Figure 2 − JTC 1/SC 7 structure (JTC 1/SC 7 N3511) : SC 7 with architecture management, a business planning group and a secretariat, and the working groups WG 2 System software documentation ; WG 4 Tools and environment ; WG 6 Software product measurement and evaluation ; WG 7 Life cycle management ; WG 9 System assurance ; WG 10 Process assessment ; WG 12 Functional size measurement ; WG 19 ODP and modeling languages ; WG 20 Software engineering body of knowledge ; WG 21 Asset management ; WG 22 Vocabulary ; WG 23 System quality management ; WG 24 SLC profiles and guidelines for VSE ; WG 25 IT service management

Improving software quality and International Standards

Improving software quality involves professionals in software engineering and quality assurance and application of quality assurance standards such as the ISO 9000 series.

ISO/IEC JTC 1/SC 7 has contributed to the development of International Standards on ICT systems and software since SC 7 was established in 1987, covering definitions, resources, process, and product standards. Figure 2 shows the structure of SC 7.

Currently one of the most active and largest working groups, SC 7/WG 6 is responsible for software product quality standards, which are integrated as SQuaRE series of standards.

International Standards for software quality

In order to develop high quality software products, it is necessary that quality requirements for software products are defined and that integrated technologies for quality requirements, measurement and evaluation are developed and standardized. With these technologies and standards, continuous improvement of software product quality throughout its life cycle should be carried out.

The ISO/IEC 25000 SQuaRE series of standards, Software Engineering – Software product Quality Requirements and Evaluation (SQuaRE), provides a quality model and associated measurement methods, as well as requirements and guides for quality requirements, description and evaluation.


The first International Standard on software product quality evaluation, ISO/IEC 9126, was published in 1991, and later was expanded to include other standards and guides in metrics and evaluation, quality characteristics and measurement and rating. Because there was another closely related series of International Standards, the ISO/IEC 14598 series on software engineering, project evaluation and planning and management, it was decided to reorganize the two series into one with the acronym SQuaRE. The Information Technology Task Force (ITTF) accepted this proposal and the ISO/IEC numbers 25000 to 25099 were assigned to the SQuaRE series of standards.

SQuaRE architecture

WG 6 established a study group to develop the SQuaRE architecture. The ISO/IEC 25000 SQuaRE series of standards can be applied to almost all types and categories of software products, including large scale systems, enterprise information systems, interactive off-the-shelf software, and embedded systems.

Examples of target users are systems and software product planners, requirements analysts, software designers, software developers, testing engineers, and quality assurance specialists.

The SQuaRE architecture consists of five divisions : a software quality general division, a quality model division, a quality measurement division, a quality requirement division, and a quality evaluation division, shown in Figure 3.

The first division, in the middle of the square, states the general requirements for software product quality, gives an overview of SQuaRE and explains how to manage the technologies necessary for improving software product quality using SQuaRE ; the other four divisions surround it with their supporting functions.

Life cycle and quality model

It is very important that software products meet user needs. SQuaRE recommends the use of a quality model, which refines the required quality into characteristics and clarifies the relations among them.

In order to develop, acquire or use a software product of satisfactory quality, it is necessary that quality be evaluated throughout the life cycle of the product using the quality model. User needs should be identified and transformed into requirement specifications in the design.

The quality model is the set of characteristics and the relationships among them and generally depends on the category of target product. If a new quality model is developed each time a product is developed or acquired, it takes time, and therefore a standard quality model is useful.

ISO/IEC 9126:1991, Software engineering – Product quality, was developed for this reason in 1991, recommending the use of the quality model as a default model, and modifying it when necessary. SQuaRE will inherit the model ; however, the issue of clarifying the relation between the model and pure internal attributes remains unsolved.

Measurement

The properties of software products can be difficult to measure, so quality characteristics are used. In order to define quality requirements and evaluate product quality, each quality characteristic should be measurable ; however, quality characteristics are not measurable by their nature. Therefore, it is suggested that some attributes be measured and the resulting values (variables) be transformed into measures that indicate a characteristic, using a formula as part of a quality measure. Measurable attributes vary with the stage of the product quality lifecycle.

In the case of software measurement, the value for the same measure, for example lines of code (LOC), may be quite different if measurement is done using different measurement methods. Therefore, the metric is defined as “ the defined measurement method and measurement scale ”. Most of the quality measures are for indirect measurement.
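The difference this paragraph describes, carried through in Python as an added example that is not from the article or from any part of the SQuaRE series : two measurement methods for lines of code are applied to one constructed source text, each is bundled with its scale into a metric, and the same measurement function (defects per thousand lines) is applied to both results. The sample module, its defect count and the function names are this example’s own assumptions.

```python
"""Added example: the same 'lines of code' measure under two measurement
methods, each bundled with its scale into a metric, feeding one measurement
function. The sample module and defect count are constructed."""
from typing import Callable, NamedTuple

# Constructed sample module: 12 physical lines, 7 of them code.
SAMPLE_SOURCE = """\
# constructed sample module
import os


def read_config(path):
    # open the file (comment-only line)
    with open(path) as f:
        return f.read()

def main():
    cfg = read_config("app.cfg")  # trailing comment, still a code line
    print(cfg)
"""


def loc_physical(source: str) -> int:
    """Measurement method A: count every physical line, blanks and comments included."""
    return len(source.splitlines())


def loc_logical(source: str) -> int:
    """Measurement method B: count only lines carrying code; blank and
    comment-only lines are skipped (a trailing comment does not disqualify a line)."""
    return sum(1 for line in source.splitlines()
               if line.strip() and not line.strip().startswith("#"))


class Metric(NamedTuple):
    """A metric is the measurement method plus the measurement scale."""
    name: str
    method: Callable[[str], int]
    scale: str


METRICS = [
    Metric("LOC, physical lines", loc_physical, "ratio scale, count of lines"),
    Metric("LOC, logical lines", loc_logical, "ratio scale, count of lines"),
]


def defect_density(defects: int, loc: int) -> float:
    """Measurement function: two quality measure elements (defect count, LOC)
    transformed into a quality measure, defects per thousand lines."""
    if loc <= 0:
        raise ValueError("loc must be positive")
    return defects * 1000.0 / loc


def compare(source: str = SAMPLE_SOURCE, defects: int = 2) -> dict:
    """Apply each metric and the measurement function; report the method and
    scale alongside the number so the method is never lost."""
    report = {}
    for metric in METRICS:
        loc = metric.method(source)
        report[metric.name] = {"loc": loc, "scale": metric.scale,
                               "defects_per_kloc": round(defect_density(defects, loc), 1)}
    return report


if __name__ == "__main__":
    for name, values in compare().items():
        print(name, values)
```

The numbers make the paragraph’s point : the same source yields 12 or 7 lines depending on the method, so the same two defects give a density of roughly 167 or 286 per KLOC. A quality requirement stated as a defect-density threshold without naming its measurement method is not one that an evaluator can check or a supplier can be held to.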

Management

Requirements for the supporting function and guides are in Part 11 : Planning and management. The role of managers is to acquire new standards, techniques and tools for quality assurance, as well as to carry out technology assessment, technology transfer and technology management.

As information systems and technologies change so rapidly, it is important for SQuaRE users to keep up with the advances in related technologies, assess them and transfer them to relevant projects.

Figure 3 − Architecture of the SQuaRE series (diagram : ISO/IEC 2500n, Product quality general division, in the centre, surrounded by ISO/IEC 2501n, Quality model division ; ISO/IEC 2502n, Quality measurement division ; ISO/IEC 2503n, Quality requirement division ; ISO/IEC 2504n, Quality evaluation division ; and ISO/IEC 25050-25099, SQuaRE Extension Division)

Because SQuaRE is aimed at a wide audience, it is necessary that sufficient information be provided before people purchase the standards. SQuaRE is a 14-part standard, most of whose parts are closely related to each other. SC 7/WG 6 is investigating the possibility of publishing SQuaRE as a set of hyper-media documents. It is also proposed to provide headline information on each part on the Internet. If this plan is realized, prospective users can download the necessary information free of charge and study it, and then purchase only the necessary parts of the standards.

SQuaRE Extension

Revision of ISO/IEC 12119 is included in the extension division as ISO/IEC 25051, Software engineering – Software product Quality Requirements and Evaluation (SQuaRE) – Requirements for quality of Commercial Off-The-Shelf (COTS) software product and instructions for testing, because it provides requirements for the quality of commercial off-the-shelf (COTS) software products and requirements for test documentation for the testing of COTS software products.

Common industry format

ISO/IEC 25062:2006, Software engineering – Software product Quality Requirements and Evaluation (SQuaRE) – Common Industry Format (CIF) for usability test reports, is also included in the extension division. It is used by software manufacturers for usability testing at various stages of product development, and some companies also test products for usability before purchasing them.

The CIF is intended to replace the proprietary formats employed by companies that perform usability testing, both vendors and purchasers of software. Until now, there has been no standard format for reporting usability test results. Advantages of using a standardized reporting format include a reduction in training time and enhanced communication between vendors and purchasing organizations, since CIF reports provide a common language and expectations.

The purpose of this International Standard is to facilitate incorporation of usability as part of the procurement decision-making process for interactive software products so that it is easier to judge whether a product meets usability goals. The CIF is meant to be used by usability professionals within supplier organizations to generate reports that can be used by customer organizations, and it is also meant to be used by customer organizations to verify that a particular report is CIF-compliant.

Guides to SQuaRE

SQuaRE can be utilized by various users, for different purposes and products. Examples of SQuaRE users would be software product developers and users, as well as quality assurance staff and managers. The guide for using SQuaRE is contained in ISO/IEC 9126-10, Software Engineering – Software quality – Part 10 : General overview, reference models and guide to software product quality requirements and evaluation (SQuaRE), which explains the relation among quality in use (QIU) characteristics, external characteristics, internal characteristics, and the software lifecycle (see Figure 5).

This model is a modified version of a similar model in ISO/IEC 9126-1:2004, Software engineering – Product quality – Part 1 : Quality model, showing the concept of the software life cycle and associated quality. Design quality can be specified and assessed by internal quality measures.

Figure 4 − Software product quality measurement reference model (diagram : software product quality is composed of quality characteristics, which are composed of quality subcharacteristics ; a measurement function is applied to quality measure elements and generates software quality measures, which indicate the characteristics and subcharacteristics)

Figure 5 − Software quality lifecycle (diagram with the rows Quality in use, External quality and Internal quality across the columns Needs, Requirements and Products ; edges labelled validation, verification, implementation and “ used for ” connect the rows to quality in use measures, external quality measures and internal quality measures)

Needs analysis for design and implementation

As requirements do not always reflect user needs, a needs analysis is an important process of the software lifecycle. The definition of Quality In Use (QIU) varies depending on the context. QIU scenarios or use case scenarios may be useful for identifying the context, and then the scenarios listed must be classified, selected and transformed for the context.

The next step is to categorize each context of use, using such criteria as target task, method of use, environment, and frequency of use. Finally, needs can be specified for each QIU scenario. Indicators should be defined for each context and at least one indicator should be defined for each QIU characteristic.

The next activity is to specify external quality requirements based on the defined user quality needs. There is no automated procedure for the conversion from identified needs to requirement specification. Each context and associated level of satisfaction for each QIU characteristic must be examined when the conversion is done.

Before designing software, the designer should develop a design strategy in order to satisfy requirements, which includes selecting appropriate design methods and tools as well as defining architecture.

For example, good architecture can improve maintenance, and object-oriented techniques can improve usability. However, as SQuaRE focuses on the product side, SQuaRE may not directly help product design and implementation.

Formal review may vary depending on the life cycle model and process design; software product evaluation should be done iteratively depending on the previous design and implementation stage. The review can be categorized into design review and code review. The former uses the design documents as the target, and the latter uses the source code for review.

At the system test stage, external quality measures are mainly used. The measured values are compared with those criteria that are defined in the requirement specifications.

Conclusion

The development of SQuaRE has just started and SC 7/WG 6 invites more contributions to improve SQuaRE. It may be modified and should be continuously improved, because both the technologies for SQuaRE and the target software are changing very rapidly, and usually the work of developing a standard is time-consuming because of formal balloting procedures.

About the author

Motoei Azuma has been a Professor in the Department of Industrial and Management Systems Engineering, Waseda University, Tokyo, Japan, since 1987.

Before joining Waseda University, as the head of the Department of Software Management Technologies, he contributed to establishing the NEC Software Product Engineering Laboratory in 1980. He is a member of IEEE, ACM and the Information Processing Society of Japan. His research includes software engineering, office information systems, and software quality. He has been the Convenor of ISO/IEC JTC 1/SC 7/WG 6 (Software Evaluation and Metrics) since JTC 1/SC 7 was established. He was also the prime project editor of the ISO/IEC 9126 (Software product quality) series, the ISO/IEC 14598 (Software product evaluation) series, and the SQuaRE project.


Developments and Initiatives

Commentators talk of the ubiquity of the Web, while discussions elsewhere concern the digital divide and the lack of content in a majority of the world’s languages.

Although the predominance of use of the English language in readable Web content is gradually changing, a variety of studies demonstrate that the Web does not present a reliable surrogate for the use of languages in the world. This is possibly because the capability for representing these languages, and dialects within these languages, has been lacking.

Developments are currently beginning to emerge from ISO/TC 37, Terminology and other language and content resources, in respect of a significant expansion of the well-known series of International Standards, ISO 639, Codes for the representation of names of languages.

This is intended to provide a building block of basic identifiers (metadata) with which to index and retrieve the potential content of a truly diverse and multilingual information society. Previously, standards ISO 639-1 and ISO 639-2 provided for around 400 language identifiers.

Various estimates placed the number of languages in the world between 6 000 and 8 000, and the recently issued ISO 639-3 expands on the existing 400 to produce a set of over 7 500 language identifiers.

Languages are used in different ways, and some languages have a number of different ways in which they can be written, spoken or signed. Identification of these different ways pushes the total number of identifiers upwards of 30 000, and it becomes clear that until now the ISO 639 series has catered for a very small proportion of the true diversity of “languages”.

The 639 series of ISO standards is generically titled Codes for the representation of names of languages, and is expected soon to be divided into parts similar to those shown in the table below.

At its most basic, the expansion from 400 metadata identifiers to upwards of 30 000 would provide support for a global thesaurus of names of languages, in every language of the world − some 400 million potential names, although the true figure is initially likely to be significantly lower.

The developments in the ISO 639 series offer the potential for the reuse of research materials which document the languages, the sum of which − the world’s knowledge of the languages of the world − could be significantly greater than its parts.

ISO 639 forms a basic standard for many of the application areas for which ISO/TC 37 develops standards, and within which the ISO/TC 37 standards are used.

Work is already in progress in the Internet community through the Internet Engineering Task Force (IETF) to make use of these emerging standards, with a newer version of the IETF’s language identification, incorporating ISO 639-3, expected shortly.

Historically, use of the IETF’s output has been made by the eXtensible Markup Language (XML) – this development will eventually allow for new contributors to make good quality identification within their XML documents.

| Title of standard | Status | Registration authority | Number of identifiers (approx.) |
|---|---|---|---|
| ISO 639-1, Part 1: Alpha-2 code | Published (2002) | InfoTerm | 150 |
| ISO 639-2, Part 2: Alpha-3 code | Published (1998) | Library of Congress (LoC) | 400 |
| ISO 639-3, Part 3: Alpha-3 code for comprehensive coverage of languages | Published (2007) | Summer Institute of Linguistics (SIL) | 7 000 |
| ISO 639-4, Part 4: Implementation guidelines and general principles for language coding | Expected late 2007 | n/a | n/a |
| ISO 639-5, Part 5: Alpha-3 code for language families and groups | Expected late 2007 | TBC | 100 |
| ISO 639-6, Part 6: Alpha-4 representation for comprehensive coverage of language variation | Expected early 2008 | GeoLang | 25 000 |

TC 37, Terminology and language

There is interest, also, in the “Multilingual Internet” – described by some as a major element of the Next Generation Internet – being able to support domain names, e-mail addresses and other types of publicly readable protocol content in character sets other than ASCII.

The need for international country codes has been identified and a New Work Item Proposal submitted to ISO/TC 46/WG 2, Coding of country names and related entities. The project, proposed by BSI, aims to establish a joint working group between ISO/TC 37 and ISO/TC 46 and to set up liaisons with interested external organizations.

Further potential exists for these standards to support future generations of current Web-based technologies. For example, a future generation of search engines along the lines of Accoona, which already allows specialization of search by language identifier, might enable searches to be specialized for specific written forms of languages. Future versions of the video sharing website YouTube might allow for searches to accurately index the languages spoken in the video clips, and other so-called Web 2.0 applications could similarly benefit.

Developments within the ISO 639 series were discussed at the Standards for Global Business Conference held in Vienna 14-15 November 2006, at which developers involved with the ISO 639 series discussed collaboration with the OmegaWiki project, a community-based website for the documentation of information about languages.

OmegaWiki will support the collection and collation of information about languages by the communities that use them.

This process will assist the verification and validation of language information by the newly formed World Language Documentation Centre (WLDC), enabling the registration authority of ISO 639 part 6, GeoLang Ltd, to ensure the application of a full verification and validation methodology for the identifiers.

The collaboration has been agreed initially for ISO 639-6, the most ambitious of these standards yet, having to map to the existing parts of ISO 639, take account of existing systems and support the interoperability with such systems.

The World Language Documentation Centre has been formed as an association of world experts and will act as a gatekeeper between language communities and the ISO 639-6 Registry, GeoLang Ltd.

The schedule for publication of ISO 639-6 should enable its availability during 2008, a year proposed as the UN International Year of Languages.

About the authors

Dr. Lee Gillam is a Research Fellow in the Department of Computing at the University of Surrey and Director of GeoLang. Involvement with ISO/TC 37 comes through the British Standards Institution (BSI), efforts supported, in part, by the European Union’s eContent programme of research under the Linguistic Infrastructure for Interoperable Resources and Systems (LIRICS). Research interests and publications encompass metadata and ontology, knowledge understanding, and high performance computing.

Debbie Garside is Managing Director of GeoLang Ltd and CEO of the World Language Documentation Centre. Ms. Garside is also a member of the Multilingual Internet Names Consortium (MINC) Board and a member of its Secretariat as well as a WikiMedia Foundation Advisory Board Member. She is Convenor of ISO/TC 37/SC 2/WG 1/TG 2, Editor of ISO 639-6 and Chair of BSI mirror committee TS/1/-1. She is a member of the Country Code Names Supporting Organization and Government Advisory Committee for Internationalized Domain Names (ccNSO-GAC IDN) Joint Working Group. Ms. Garside’s research interests encompass internationalization, morphology and human genetic linguistics.

For further reading see :

Dr. Lee Gillam, Debbie Garside and Chris Cox (2007), “Developments in Language Codes Standards”. In Georg Rehm, Andreas Witt, Lothar Lemnitzer (eds.), Datenstrukturen für linguistische Ressourcen und ihre Anwendungen. Proceedings der GLDV 2007, Tübingen: Gunter Narr Verlag. Tübingen University, April 11-13, 2007, pp. 281-289. http://www.gldv.org/2007.

Dr. Lee Gillam, Debbie Garside and Chris Cox (2006), “Information volumes and linguistic diversity: meeting the challenges for content management”. 3rd International Conference on Terminology, Standardization and Technology Transfer (TSTT), 25-26 August, Beijing, People’s Republic of China.

Accoona : http://www.accoona.com

YouTube : http://www.youtube.com

OmegaWiki : http://www.omegawiki.org/

WLDC : http://www.thewldc.org/

GeoLang : http://www.geolang.com/

ISO/TC 37 Annual meeting

The annual meeting of ISO/TC 37 will be held August 11-18 2007 in Provo, Utah. There will be a one-day conference on August 13 on the “Pragmatic Applications of Standards” to look at the wide variety of applications of standards terminology to fields such as information technology, e-commerce and a wide variety of other fields.

For more information on the meeting, please contact: Sue Ellen Wright, [email protected]

ISO and IEEE – Standard software and systems engineering terminology

by Annette Reilly, ISO/IEC 24765 Project Editor

Standard software and systems engineering terminology is now freely available in an online database, SEVOCAB. The SEVOCAB database includes over 4 100 authoritative definitions taken from over 100 International Standards. Hosted by the IEEE Computer Society, a liaison organization to ISO/IEC JTC 1/SC 7, Software and Systems Engineering, this web-accessible vocabulary offers current terminology for software developers, project managers, engineers, students, and standards developers. Definitions in SEVOCAB may be freely reprinted with credit to the copyright holders.

Use of consistent terminology will support the development of application practice and international standards. Standards developers can use SEVOCAB to identify redundancies, discrepancies, and gaps in terminology and to harmonize vocabulary among related standards.

A project of the IEEE Computer Society and ISO/IEC JTC 1/SC 7, SEVOCAB includes the terms and definitions compiled from all current ISO/IEC and IEEE software and systems engineering standards, as well as the Glossary of the Project Management Institute (PMI), A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Third Edition. Including definitions from balloted standards shows the value of international consensus developed through open processes.

Advance reviewers of SEVOCAB liked its search function, which finds and displays the term with its definitions, as well as its uses in all related terms and definitions. The search response gives the user a quick reference, along with a rich set for the comparison of related concepts, which can be pursued in the source standards.

Each definition shows its source, with hyperlinks to sites to purchase the source standards from ISO, IEEE, or PMI. SEVOCAB also includes graphics, examples, and notes from the original standard sources.

Until the release of SEVOCAB, it had been a challenge to find authoritative, consistent definitions in one convenient place.

SEVOCAB is the first complete compilation of standard terminology for software and systems engineering since IEEE 610.12, last updated in 1990.

The IEEE Computer Society contributed IEEE 610.12 as a source standard for ISO/IEC 24765.

Other major sources were ISO/IEC 2382-1:1993, Information technology – Vocabulary – Part 1: Fundamental terms, and ISO/IEC 2382-20:1990, Information technology – Vocabulary – Part 20: System development, which fall within the scope of ISO/IEC JTC 1/SC 7.

SEVOCAB will be a living source, updated every three to six months as new standards containing new terms and definitions are released.

After approval, the complete SEVOCAB database will be published in 2008 as ISO/IEC Standard 24765. SEVOCAB will be periodically updated as an ISO/IEC database standard, as well as being contributed to the ongoing JTC 1 vocabulary project.

Working with ISO/IEC JTC 1/SC 7/WG 22, the IEEE Computer Society developed SEVOCAB in partnership with the IEEE Standards Association and the Project Management Institute.

SEVOCAB, the Systems and Software Engineering Vocabulary, is now publicly available at: www.computer.org/sevocab

About the author

Annette Reilly is the project editor for ISO 24765 and a senior manager with Lockheed Martin. She can be contacted at: [email protected].

ISO/IEC structuring and designation standards – A framework for industry

by Rainer Ahleff and Zbynek Cihlar, Convenor of ISO/TC 10/SC 10/WG 10, Reference designation system

A consistent structure is key to the success of an industrial enterprise — supported of course by extensive product know-how, sound business processes, a clearly defined scope and rigid cost control. And the more complex a product, project or plant, the more important this structural consistency becomes.

For example, as complexity rises, the number of design and engineering facilities, partners and companies can also increase dramatically. At the same time, levels of control and automation, data generation and processing can literally skyrocket. With such potential for chaos, any industrial organization needs structure and discipline. But help is at hand with a series of IEC and ISO standards that provide the principles and tools for structuring and reference designations.

The way forward

The IEC 61346 series of International Standards provides structuring principles for all industrial products, systems, installations and equipment. They can be applied broadly across industry, and are linked with IEC 60204-1, Safety of machinery — Electrical equipment of machines — Part 1: General requirements, and with EC Directive 98/37/EC, Machinery safety.

Such breadth of structuring and designation was achieved by further harmonizing the IEC 61346 series with other IEC standards — IEC 61175 (Designation of signals), IEC 61666 (Connections) and IEC 61355 (Documentation). Figure 1 illustrates the range of IEC structuring and designation standards currently available.

However, it was evident that an efficient industrial structuring and reference designation system could not operate with general principles and rules alone. Instead, one which covered specific industry sector requirements, in compliance with generally valid concepts, became the internationally agreed solution.

Figure 1 − IEC structuring and designation standards:

• IEC 61346-1, Industrial systems, installations and equipment and industrial products – Structuring principles and reference designations – Part 1: Basic rules

• IEC 61346-2, Part 2: Classification of objects and codes for classes

• IEC 61355, Classification and designation of documents for plants, systems and equipment

• IEC 61666, Industrial systems, installations and equipment and industrial products – Identification of terminals within a system

• IEC 61175, Industrial systems, installations and equipment and industrial products – Designation of signals

“The IEC 61346 series provides structuring principles for all industrial products, systems, installations and equipment.”

As a result, the classification of objects in IEC 61346-2 was enhanced with the addition of main and subclasses, published in 2005 as IEC/PAS 62400, Structuring principles for technical products and technical product documentation — Letter codes — Main classes and subclasses of objects according to their purpose and task (see Figure 2).

The user-friendly ISO/TS 16952 series

Development of a user-friendly reference designation system (RDS) culminated in the publication in 2006 of ISO/TS 16952:2006, Technical product documentation — Reference designation system. Conceived as a multipart Technical Specification, it consists of Part 1: General application rules, followed by industry sector-specific parts. One of the main goals was to strengthen acceptance of the structuring and designation rules in the non-electrical fields stipulated by IEC 61346.

Part 1 of ISO/TS 16952:2006 emphasizes:

• introduction of a “conjoint designation” for higher-level objects with respect to the site, and not related to function, product or location;

• the use of RDS as a basic tool for creating a process model of a plant, system, or machine, etc., covering all technical fields, and governed by generally valid structuring principles;

• description of the structuring and designation process using a model project example following IEC/PAS 62400 classifications;


• precise communication by language-independent classification codes and clear alphanumeric designation structures;

• applicability to all involved in a project or product development — for example product design, civil engineering and layout planning — as well as electro, control and instrumentation engineering;

• clear and unified designation to support the life cycle of plants, systems, objects and components;

• creating modules for reuse and standardization at any level by applying structuring principles;

• fulfilling the requirements for ergonomics and occupational safety by considering readability, memorability, and precise interpretation of designations.

The first customer-specific reference designation system for projects on high-tech medical facilities is currently under development, based on ISO/TS 16952-1 and IEC/PAS 62400.

With ISO/TS 16952-1 as the basis of a multipart standard, industry sector-specific parts are expected to follow. Development of the first of these — ISO/TS 16952:2006 Part 10: Reference designation system for power plants (RDS-PP) — was voted on recently by ISO/TC 10, Technical product documentation.

IEC 81346 – An important milestone

The IEC 61346 series of International Standards is currently under revision to further its adoption, particularly in the non-electrical technical fields. One idea was to merge IEC 61346 with ISO/TS 16952 into a common International Standard, IEC 81346, and this is now well under way.

It recognizes that the division of electrotechnical, I&C and “mechanical” systems does not correspond with actual industrial engineering practice. All systems, including associated buildings and layout planning, are closely linked and executed concurrently in complex engineering processes. Therefore a common structuring and reference designation concept would support enormous quantities of information and navigation in extended databases across all boundaries.

Due for publication by the end of 2008, IEC 81346 is expected to establish an important milestone in structuring and reference designation.

About the authors

Rainer Ahleff has been working as a standardization engineer for 36 years. He was responsible for the procedure and communication standards (technical documentation, reference designation, drawings, graphic symbols, units in metrology, etc.) at Siemens AG, division Power Generation, since 1976. From 1996 to 2006, he was responsible for the complete standardization of Siemens PG. He has represented the interests of Siemens PG in national and international standardization committees and in trade associations. Rainer Ahleff retired in July 2006; however, he is still active in standardization committees for Siemens PG.

Zbynek Cihlar of Switzerland is Convenor of ISO/TC 10/SC 10/WG 10, Reference designation system. He works as a senior consultant at iXIT Engineering Technology GmbH. He has more than 46 years of experience in plant engineering, mostly in the power plant industry. For more than 30 years he was responsible for applying and mapping out the designation systems in a leading power plant engineering enterprise. Since 1997 he has been involved in several international panels on reference designation standards. Currently he is a member of IEC/TC 3/MT 18, a team that is developing the International Standard IEC 81346 series. He can be reached at [email protected].

Figure 2 − Enhanced structuring and designation standards: IEC 61346-1 (structuring principles and reference designation), IEC 61346-2 (classification of objects and codes for classes), IEC 61355 (classification and designation of documents), IEC 61666 (identification of terminals within a system), IEC 61175 (designation of signals), IEC/PAS 62400 (main classes and subclasses of objects), ISO/TS 16952-1 (reference designation system – general application rules) and ISO/TS 16952-xx (sector-specific parts, e.g. power plants).

New on the shelf

ISO 14065 – New tool for international efforts to address greenhouse gas emissions

By Roger Frost, Manager, Communication Services at the ISO Central Secretariat

ISO has launched ISO 14065:2007, a new addition to its toolbox of standards for addressing climate change and supporting emissions trading schemes.

In March 2006, ISO launched its greenhouse gas (GHG) accounting and verification standards – ISO 14064:2006. The complementary new standard, ISO 14065:2007, Greenhouse gases – Requirements for greenhouse gas validation and verification bodies for use in accreditation or other forms of recognition, details requirements for GHG validation or verification bodies for use in accreditation or other forms of recognition.

While ISO 14064 provides requirements for organizations or persons to quantify and verify GHG emissions, ISO 14065 specifies accreditation requirements for organizations that validate or verify resulting GHG emission assertions or claims.

GHG validation or verification bodies are responsible for completing an objective assessment of GHG assertions and providing a formal written declaration which provides assurance on the statements contained in the assertion.

The aim of GHG validation or verification is to give confidence to parties that rely upon a GHG assertion or claim, for example regulators or investors, that the bodies providing the declarations are competent to do so, and have systems in place to manage impartiality and to provide the required level of assurance on a consistent basis.

ISO 14065 provides requirements for bodies that undertake GHG validation or verification using ISO 14064 or other relevant standards or specifications. The objectives of the ISO 14064 and ISO 14065 standards are to:

• develop flexible, regime-neutral tools for use in voluntary or regulatory GHG schemes;

• promote and harmonize best practice;

• support the environmental integrity of GHG assertions;

• assist organizations to manage GHG-related opportunities and risks, and

• support the development of GHG programmes and markets.

ISO 14065 was developed by a working group of some 70 international experts from 30 countries and several liaison organizations, including the International Accreditation Forum. In addition, the United Nations Framework Convention on Climate Change (UNFCCC) has observer status. The working group combined expertise from ISO’s Committee on Conformity Assessment (CASCO) and technical committee ISO/TC 207, Environmental management.

ISO Secretary-General Alan Bryden commented: “The participants at the 2007 World Economic Forum in Davos agreed that climate change constitutes by far the greatest threat to the world economy. ISO 14064 and ISO 14065 are good examples of ISO’s ongoing efforts to develop and promote practical tools that contribute to the sustainable development of the planet.”

ISO 14065:2007, Greenhouse gases – Requirements for greenhouse gas validation and verification bodies for use in accreditation or other forms of recognition is available from ISO national member institutes and the ISO Central Secretariat.

2007 ISO Catalogue now available

The 2007 editions of the ISO Catalogue, in hard copy, and of the ISO CataloguePlus on CD-ROM have been published.

The ISO Catalogue 2007 and the ISO CataloguePlus follow the same basic structure as the versions of previous years. Location of standards on a given subject is facilitated by the “Alphabetical Index”, which is presented in keyword-in-context (KWIC) form and based on the titles of all subject groups contained in the International Classification for Standards (ICS).

Also, the CataloguePlus includes a list of ISO members and their addresses, the titles of technical committees, a list of withdrawn standards and technical corrigenda, ISO maintenance agencies and registration authorities, as well as a list of ISO publications and products.

This CD-ROM comes with an intuitive navigation and contains information on all published ISO standards plus the ISO technical work programme of draft standards. Lists in numerical order and in technical committee order are also given. In addition, there is an alphabetical index and a list of withdrawn standards.

A more precise search of ISO standards, based on the keywords contained in the titles of the standards themselves, is possible through the electronic ISO Catalogue available on the ISO Web site “ISO Online”: www.iso.org.

The price of the ISO Catalogue 2007 is CHF 154 and that of the ISO CataloguePlus is CHF 48.


Coming up

The Societal and Economic Benefits of Standards

The June issue of ISO Focus looks at the Economic and Societal Benefits of International Standards, with a portfolio of articles reflecting the global and regional importance of International Standards to economic development, as well as the societal benefits that such development can bring to countries and communities.

With contributions from leading economists and experts, the June issue takes a look at the importance of standards to the global supply chain and international trade, and then gives highlights from diverse sectors like multimedia, building and freight containers.

ISO/DEVCO Chair, Mr. Iman Sudarwo, writes about global supply chains and the role that ISO plays in promoting development through its Action Plan for Developing Countries.

The United Nations Industrial Development Organization (UNIDO) writes about the importance of developing the infrastructure for conformity assessment to International Standards and the capacity building that UNIDO does together with regional organizations to facilitate conformity assessment, and therefore also to facilitate trade and compliance with WTO agreements like the Agreement on Sanitary and Phyto-Sanitary Measures (SPS).

Also in this section, the British Standards Institution contributes an article on its standardization strategic framework for small and medium-sized enterprises with a practical example from industry.

With more than 30 years of experience in standardization, Swedish expert Folke Hermansson Snickars shares his views on markets, conformity assessment and certification.

The US National Institute of Standards and Technology (NIST) introduces the studies that it is carrying out in the field of standardization in order to better understand its benefits and to use standards effectively in both the manufacturing and service sectors.

Leonardo Chiariglione, Convenor of the Moving Picture Experts Group (MPEG) of ISO/IEC JTC 1/SC 29/WG 11, provides a fascinating glimpse into the world of audio and video digital representation and the challenges posed by patents and intellectual property rights.

ISO/TC 59 on building construction provides two interesting articles giving an overview of this key sector in national economies, looking at the contribution of International Standards in the building sector to sustainable development, examining issues like safety, stability, energy efficiency and the benefits the sector provides to society as one of the biggest employers worldwide.

A tribute to the inventor of the freight container, Malcolm Mclean, shows how the ingenuity of one man contributed to the development of the global economy.

The importance of standards to road and traffic safety is shown as one of the very important societal benefits of standards to the automotive sectors.

Finally in this section, Malaysia shares its experiences in developing a national standardization strategy with an article from the Department of Standards, Malaysia of the Ministry of Science, Technology and Innovation.

Read all about the myriad of economic and societal benefits of International Standards in the next issue of ISO Focus.

ISO/IEC information brochure on copyright

Several years ago, ISO and IEC and their members introduced online sales in response to standard users’ requests for fast and convenient access to standards, but the side effect of this service was that it made illegal reproduction easier. ISO and IEC launched an action plan to promote the fact that standards are protected by copyright and have produced a brochure on copyright. The issue of copyright is profiled in the June ISO Focus.

ISO/COPOLCO meeting on fair trade in Brazil

The ISO Committee on Consumer Policy (ISO/COPOLCO) held a workshop, Can consumers rely on Fair Trade claims?, in Salvador de Bahia, Brazil, on 23 May 2007, at the invitation of the Associação Brasileira de Normas Técnicas (ABNT).

AFNOR (France), Consumers International and COPOLCO have just co-authored a study on fair trade for discussion at the workshop and plenary meeting.

One of the main aims of fair trade is to ensure decent compensation to producers of goods and services, against a backdrop of trade liberalization and fluctuating commodity prices.

For this laudable goal, consumers are increasingly willing to pay a premium. However, in return, they wish to understand better how the fair trade process works, and how to avoid false claims by retailers for marketing purposes.

The workshop explored whether standards could add credibility in the marketplace for fair trade, and resolve consumer confusion about fair trade claims. It also explored the scope for standardization to meet the needs of existing fair trade actors and networks, as well as consumers.

When the stakes are as high as global climate change, you need to be able to trust the figures.

ISO 14064 for greenhouse gas accounting and verification.

ISO 14065 for accrediting the verifiers.

Available from ISO national member institutes (listed with contact details on the ISO Web site at www.iso.org) and ISO Central Secretariat Web store at www.iso.org or by e-mail to [email protected].