ISO 19770-1 has had a makeover, but has anyone noticed?

There’s a new update to the ISO 19770-1 international standard for Software Asset Management (SAM) with many new changes. The launch has been fairly low profile, but that’s probably a reflection on the SAM community and the fact that the standard is developed by volunteers (unpaid, in their own time) who are ITAM professionals rather than marketing experts.

Snow has been involved with the standard since work began on it in 2001 (represented by CEO, Axel Kling), and continues to be with both Axel and more recently myself (I joined Working Group 21 (WG21), the group responsible for all the standards in the ISO 19770 portfolio, late last year just prior to the publication of the 2017 edition of the standard) as part of the group of volunteers. We encourage the SAM community to support this work by leveraging the material and engaging with the group where appropriate.

The latest iteration of the ISO SAM standard has seen many changes made. It has evolved from the 2006 process standard through the 2012 tiered standard, which helped organizations understand how to build a SAM competency in a structured way, into the current management standard, which provides a governance-based rather than process-based view of the discipline. The remit of the standard has also been expanded from SAM to ITAM – a logical step given the indisputable fact that you cannot today manage software without managing the hardware that it runs on (and for the avoidance of doubt, cloud is hardware – possibly someone else’s hardware, but still hardware).

Although I’ve looked at various elements of it over the last few months, I hadn’t sat down and read the entire document from cover to cover (thankfully it is only 37 pages as opposed to the previous version’s 86) so took advantage of a recent flight to Austin to focus on it.

The good news – I didn’t fall asleep.

The bad news – it did take me the best part of 10 hours to fully absorb it.

OK, so a flight may not have been the best place to attempt to read an ISO standard, but I had very few interruptions or distractions. So why did it take so long? Well, first off, I wasn’t just reading, I was reviewing it – trying to understand the implications of the move to a management standard, marking up my queries and making a note of my comments. I was working on hard copy, which is now covered in semi-illegible scribbles. 

However, a number of these scribbles do relate to how hard it was to read. This is in part due to the copious notes that are attached to each section (in some cases there are more notes than body text), and the references to other standards.

This new iteration of the standard has in large part been adapted from ISO 55001:2014 (Asset Management), which was itself developed from PAS 55 to provide a management standard for the management of physical assets. While the alignment and synergies are clear, this does lead to the inclusion of a lot of references that risk disrupting the flow of the document. There are also copious references to other standards, which again are helpful in many ways but distracting when trying to read and absorb the document (I noted references to nine other standards, and I know there were some mentions that I didn’t include in these notes). Most IT organizations will be familiar with the IT-related standards (particularly 27000 and 20000) as well as 9000 & 14000 and may well already be compliant or aligned with them. However, others – such as 55000 and 31000 (risk management) – may not be familiar. While it isn’t essential to read these alongside 19770, the references within the text mean that they may be helpful for context.

On a positive note, the standard retains the concise bulleted structure that made the previous versions so accessible to software asset managers trying to get a SAM discipline off the ground where other available best practice guidance was overly wordy and detailed, focused on procedures and tasks rather than high-level processes and outcomes.

THE ANALYST’S VIEW

While shifting the primary focus of 19770-1 from process to governance is a good move to ensure that the necessary mechanisms are in place to support effective SAM – including executive sponsorship, stakeholder buy-in, strategy, policy, plans and reporting – the content of this standard and the documentation it requires for conformance may be overwhelming for many organizations and SAM practitioners for whom getting a basic SAM capability off the ground is a major challenge.

The introduction of a management standard by WG21 makes sense, as the need for more robust ITAM governance is clear. However, it is a pity that the process standard has been retired. If you don’t already have a copy of the 2012 version of the standard, it is still available from some sources, and would be a useful reference document and companion to the current version when planning your ITAM implementation. I hope that WG21 will consider republishing or updating the process documentation (which is a significant and valuable piece of work) to provide supporting material for IT asset managers addressing the challenge of building ITAM capability. 

GUIDANCE FOR USE

We’re going to be looking at the standard in more detail later in the year and will be providing further guidance to our SAM community and customers. In the meantime, below are a few key points to consider.

When reading through the material, make notes and divide requirements and actions into three buckets:

• ‘IT Asset Management System’ – what capability, documentation, processes etc. you need to build to help with ITAM governance
• ‘IT Asset management’ – best practices for those doing the hands-on day-to-day care and feeding of the asset (system owners, application owners, support engineers etc.)
• ‘IT Asset’ – what you need to know or do about the IT asset itself

There are six main sections to the document once the introductory elements and appendices are accounted for:

• Understanding the organization: this is about putting ITAM in the context of the business and aligning it to business objectives and stakeholder needs.
• Planning: this sets out a risk-based approach and is about building ITAM objectives and working out how to achieve them.
• Support: this section covers the need to ensure that appropriate resources are in place (lack of resource is a key element in ITAM failure), and that internal and external awareness and communications are in place as well as all the relevant documentation.
• Operation: how ITAM is going to work in practice. Particularly useful is the section on third parties and shared responsibilities, which reflects the realities of today’s multi-sourced IT environments.
• Performance evaluation: this is an aspect of ITAM that is generally neglected, whether it’s the performance of the governance function, the efficacy of the processes or the performance of the assets themselves (the latter is a key focus for physical asset management, and an area that ITAM can learn a lot from). Both internal audit and management reviews are highlighted here. Effective implementation of performance evaluation will make a significant difference to the perception of ITAM.
• Improvement: how we deal with issues and failures across all levels of ITAM and use the experience to keep making things better.

Did you know about the launch of the update to ISO 19770-1? If so, have you read it yet, and what do you think about the move to a management standard? Let us know what you think – join the conversation over on Snow Globe, Snow’s SAM community site.