CSA - CAN/CSA-ISO/IEC 19770-1:13
Information technology - Software asset management - Part 1: Processes and tiered assessment of conformance
Publication Date: 1 January 2013
ICS Code (Software): 35.080
This part of ISO/IEC 19770 establishes a baseline for an integrated set of processes for Software Asset Management (SAM), divided into tiers to allow for incremental implementation, assessment and recognition.
Field of application
This part of ISO/IEC 19770 applies to SAM processes and can be implemented by organizations to achieve immediate benefits. ISO/IEC 19770-2 provides a corresponding specification for software identification tags, which requires implementation by software manufacturers (external and internal) and by tool developers for its full benefits to be achieved.
It is intended that this part of ISO/IEC 19770 be an implementation standard for organizations. Future editions may provide a measurement framework that is aligned to the requirements in ISO/IEC 15504-2:2003 or the future International Standard ISO/IEC 33003¹.
This part of ISO/IEC 19770 applies to all organizations of any size or sector. For the purposes of conformance, this part of ISO/IEC 19770 can only be applied to a legal entity, or to parts of a single legal entity. It may also be applied to multiple legal entities (e.g. the parent and subsidiaries of a multinational organization) where there is a legal controlling relationship between them, so that one entity may exercise control over the others. It applies only where such a controlling entity exercises control over the entire scope (as defined for purposes of conformance) and the assessor of conformance accepts this definition of organizational scope.
NOTE The definition of organizational scope is documented as part of the Corporate governance process for SAM (4.2.2). This part of ISO/IEC 19770 may be applied to an organization which has outsourced SAM processes, with the responsibility for demonstrating conformance always remaining with the outsourcing organization.
This part of ISO/IEC 19770 can be applied to all software and related assets, regardless of the nature of the software, where related assets are all other assets with characteristics which are necessary to use or manage software. For example, it can be applied to executable software (such as application programs, operating systems and utility programs) and to non-executable software (such as fonts, graphics, audio and video recordings, templates, dictionaries, documents and data). It can be applied to all technological environments and computing platforms (e.g., virtualized software applications, on-premises or
NOTE The definition of software asset scope (software types to be included within the scope) is documented as part of the SAM Plan developed in the Planning for SAM process. It may be defined in any way considered appropriate by the organization, such as for all software, for all program software, for all software on specific platforms, or for the software of specified manufacturers, as long as it is unambiguous. See also explanations following in this subclause and in Table 1.
With the exception of the requirements of 4.7.4 Software development process, it is not required for this part of ISO/IEC 19770 to be applied to software development in the sense of the development and maintenance of code. It is intended that it be applied to all software in a live environment and precursor activities, such as configuring software and creating and controlling production builds and releases. The exact dividing line between what is considered pure development, and therefore excluded, and what is related to the live environment, and therefore included, may be defined making use of the unambiguous formal statements of organizational scope or software scope.
NOTE Software used to develop other software is considered part of the live environment, i.e. the software used by software developers must itself be controlled.
The following forms of software assets are within the scope of this part of ISO/IEC 19770:
a) software use rights, reflected by full ownership (as for in-house developed software) and licenses (as for most externally sourced software, whether commercial or open-source);
b) software for use, which contains the intellectual property value of software (including original software provided by software manufacturers and developers, software builds, and software as installed and otherwise provisioned, consumed or executed); and
c) media holding copies of software for use.
NOTE From a financial accounting point of view, it is primarily category (a) which may be considered an asset, and even then it may have been completely written off. From a financial accounting point of view, category (b) may be viewed as actually creating a liability (rather than an asset) with commercial software if it is not properly licensed. This part of ISO/IEC 19770 considers categories (b) and (c) proper assets to be controlled as well as (a). Licenses may have bookkeeping value, but software in use in particular should have business value and needs to be treated as a business asset.
Related assets within the scope are all other assets with characteristics which are necessary to use or manage software in scope. Any characteristics of these related assets which are not required to use or manage software are outside of the scope. Table 1 provides examples of these.
This part of ISO/IEC 19770 does not detail the SAM processes in terms of methods or procedures required to meet the requirements for outcomes of a process.
This part of ISO/IEC 19770 does not specify the sequence of steps an organization should follow to implement SAM, nor is any sequence implied by the sequence in which processes are described. The only sequencing which is relevant is that which is required by content and context. For example, planning should precede implementation.
This part of ISO/IEC 19770 does not detail documentation in terms of name, format, explicit content and recording media.
Details of certification and recognition schemes are outside of the scope of this part of ISO/IEC 19770.
This part of ISO/IEC 19770 is not intended to be in conflict with any organization's policies, procedures and standards or with any national laws and regulations. Any such conflict should be resolved before using this part of ISO/IEC 19770.
1 ISO/IEC 33003, Systems and software engineering - Requirements for process measurement frameworks.