Many vendors and consultants have actively supported the adoption of standards amongst the SAM community and been members of the WG21 working group responsible for the creation of ISO 19770-1 since its inception. Achieving this certification was originally intended to facilitate the management and review of software licensing and to provide ongoing support for organisations battling with increasingly complex licensing agreements.
That’s not been the case in practice and many would argue that having an international standard for SAM processes and design is actually a bit of a ‘dead duck’. Perhaps it is a bit harsh, but regardless of how worthy the intentions behind this standard are, uptake levels so far are not exactly impressive.
Certfication is perceived as hard work for little gain
To my knowledge, not a single organisation has actually achieved full ISO 19770 certification yet. This is most certainly because it is simply too much hard work. To try and stimulate greater activity on this front, the WG21 revised its original standards and now allows organisations to take a phased approach to level 1 ISO certification, which is predominantly concerned with SAM processes. Yet even now, after separating the different tiers, levels of uptake continue to be low and the initiative has failed to be effective in inspiring organisations to pursue full certification.
Instead, it has become more common for organisations to informally achieve part certification, because they have used a SAM tool designed around ISO 19770 principles.
Based on certification having a tiered approach, if using a SAM tool to its full extent can potentially get them through tier 2 and possibly even tier 3 of ISO 19770, plus deliver commercial benefits then what’s the point in completing the full ISO certification and having defined processes for every stage, from procurement to disposals?
It means a lot of hard work for no additional benefit – or at least, that is the perception.
This is the stumbling block for ISO 19770-1. Although companies put a lot of effort into creating SAM lifecycle processes and applying them to their organisations, they don’t believe that going the extra mile to getting the ISO certification adds any value. Is ISO certification for SAM is a ‘dead duck’ then? I would argue that some aspects are, but not all, so perhaps ‘cygnet’ is a kinder metaphor.
What aspects of ISO 19770 are working?
The best part of the ISO initiative is software tagging (ISO 19770-2 and ISO 19770-3), which is aimed at making a piece of installed software more easily identifiable both from a usage and entitlement perspective. This is commercially valuable and the onus for compliance is focused on vendors having to provide a SAM data standard for software identification (SWID) tags. Apart from easier management of software assets and a better understanding of entitlements to support negotiations, software tags also benefit other functions by ensuring platform stability, improving security management and disaster recovery planning.
Adobe and Microsoft now support software tagging at the identification and entitlement level and many other vendors allow users to create their own tags and add in extra information, such as details of the business unit that originally bought the license and unique identifiers for specific locations to verify whether the software installation was completed according to official processes. This aspect of ISO is critical because one of biggest challenges in SAM is accurately identifying all the software installed without having to utilise multiple tools and manual methods.
In the enterprise space, full compliance with software tagging is lower, because the products, i.e. Oracle, SAP etc, have extremely complicated licensing rules and there are other variables to consider when flagging entitlements. In addition, some are developing their own SWID tags that may not comply with the established ISO 19770-2 standard. To illustrate how complexity hampers the ability to use entitlement tags, in some instances future revenue levels or numbers of employees working at a division over a specific time period can also be added into a license contract, which makes tagging more difficult to introduce. To counter this, SAM tools are offering additional functionality to support enterprise users’ compliance with complex licensing entitlements.
So, do we need a quality standard for SAM?
Yes we do, and ISO 19770-1 is a good option but it needs to be much easier to implement if we are to see greater levels of uptake.
ISO certification is traditionally associated with developing processes and procedures to make an organisation a safer place e.g. health and safety, security, which isn’t really transferable to SAM. It goes back to my earlier point that if you can eliminate the business risks of non-compliance utilising a SAM tool, which gets you to tier 2 and 3 ISO 19770-1 certification anyway, why would you go the extra mile? There is no additional commercial value in achieving the remaining level of compliance through process transformations since the important stuff is already taken care of. When a manufacturer achieves ISO health and safety certification and tells his customers, it gives his business an advantage. If the same organisation tells its customers it has ISO certification for SAM, they will probably say ‘so what?’ because there is no benefit to the company or clients.
As a maturing profession, standards are important because they provide a means of defining success and communicating our achievements. But we need to be more realistic about the different motivations for achieving certification, because SAM is such a unique, hybrid function. ISO 19770 in its current form is also probably a little out of date again, and we are expecting revisions to be announced imminently. Let’s see if the WG21 will finally announce something that’s pragmatic enough to encourage a few organisations at least to pursue full certification.