ISO 19770-1 – dead duck or just a cygnet awaiting full maturity?

dead duckThis article has been contributed by Jelle Wijndelts, SAM consultant at Snow Software.

Many vendors and consultants have actively supported the adoption of standards amongst the SAM community and been members of the WG21 working group responsible for the creation of ISO 19770-1 since its inception. Achieving this certification was originally intended to facilitate the management and review of software licensing and to provide ongoing support for organisations battling with increasingly complex licensing agreements.

That’s not been the case in practice and many would argue that having an international standard for SAM processes and design is actually a bit of a ‘dead duck’. Perhaps it is a bit harsh, but regardless of how worthy the intentions behind this standard are, uptake levels so far are not exactly impressive.

Certfication is perceived as hard work for little gain

To my knowledge, not a single organisation has actually achieved full ISO 19770 certification yet. This is most certainly because it is simply too much hard work. To try and stimulate greater activity on this front, the WG21 revised its original standards and now allows organisations to take a phased approach to level 1 ISO certification, which is predominantly concerned with SAM processes. Yet even now, after separating the different tiers, levels of uptake continue to be low and the initiative has failed to be effective in inspiring organisations to pursue full certification.

Instead, it has become more common for organisations to informally achieve part certification, because they have used a SAM tool designed around ISO 19770 principles.

Based on certification having a tiered approach, if using a SAM tool to its full extent can potentially get them through tier 2 and possibly even tier 3 of ISO 19770, plus deliver commercial benefits then what’s the point in completing the full ISO certification and having defined processes for every stage, from procurement to disposals?

It means a lot of hard work for no additional benefit – or at least, that is the perception.

This is the stumbling block for ISO 19770-1. Although companies put a lot of effort into creating SAM lifecycle processes and applying them to their organisations, they don’t believe that going the extra mile to getting the ISO certification adds any value. Is ISO certification for SAM is a ‘dead duck’ then? I would argue that some aspects are, but not all, so perhaps ‘cygnet’ is a kinder metaphor.

What aspects of ISO 19770 are working?

The best part of the ISO initiative is software tagging (ISO 19770-2 and ISO 19770-3), which is aimed at making a piece of installed software more easily identifiable both from a usage and entitlement perspective. This is commercially valuable and the onus for compliance is focused on vendors having to provide a SAM data standard for software identification (SWID) tags. Apart from easier management of software assets and a better understanding of entitlements to support negotiations, software tags also benefit other functions by ensuring platform stability, improving security management and disaster recovery planning.

Adobe and Microsoft now support software tagging at the identification and entitlement level and many other vendors allow users to create their own tags and add in extra information, such as details of the business unit that originally bought the license and unique identifiers for specific locations to verify whether the software installation was completed according to official processes. This aspect of ISO is critical because one of biggest challenges in SAM is accurately identifying all the software installed without having to utilise multiple tools and manual methods.

In the enterprise space, full compliance with software tagging is lower, because the products, i.e. Oracle, SAP etc, have extremely complicated licensing rules and there are other variables to consider when flagging entitlements. In addition, some are developing their own SWID tags that may not comply with the established ISO 19770-2 standard. To illustrate how complexity hampers the ability to use entitlement tags, in some instances future revenue levels or numbers of employees working at a division over a specific time period can also be added into a license contract, which makes tagging more difficult to introduce. To counter this, SAM tools are offering additional functionality to support enterprise users’ compliance with complex licensing entitlements.

Jelle Wijndelts

Jelle Wijndelts

So, do we need a quality standard for SAM?

Yes we do, and ISO 19770-1 is a good option but it needs to be much easier to implement if we are to see greater levels of uptake.

ISO certification is traditionally associated with developing processes and procedures to make an organisation a safer place e.g. health and safety, security, which isn’t really transferable to SAM. It goes back to my earlier point that if you can eliminate the business risks of non-compliance utilising a SAM tool, which gets you to tier 2 and 3 ISO 19770-1 certification anyway, why would you go the extra mile? There is no additional commercial value in achieving the remaining level of compliance through process transformations since the important stuff is already taken care of. When a manufacturer achieves ISO health and safety certification and tells his customers, it gives his business an advantage. If the same organisation tells its customers it has ISO certification for SAM, they will probably say ‘so what?’ because there is no benefit to the company or clients.

As a maturing profession, standards are important because they provide a means of defining success and communicating our achievements. But we need to be more realistic about the different motivations for achieving certification, because SAM is such a unique, hybrid function. ISO 19770 in its current form is also probably a little out of date again, and we are expecting revisions to be announced imminently. Let’s see if the WG21 will finally announce something that’s pragmatic enough to encourage a few organisations at least to pursue full certification.

Image Credit

email

Share this post:

Related Posts

7 Comments

  1. Jason Keogh says:

    Wow… there are any number of simple misunderstandings in the article above. I’m quite stunned really!

    First issue: This article is all about Certification… Jelle says in it that he doesn’t know of a single organization which has been certified against it… ONE CANNOT CERTIFY AGAINST 19770-1. It is not a “Management Standard” there is no “Certification body”… Not all ISO standards work like that!

    Second issue: There is no requirement to get through all of the tiers in 19770-1:2012 in order to be “Certified” (as there is no certification…). The fact that tooling can only help you get to tier 2 or 3 is irrelevant…

    I could go on… in short, the entire basis is incorrect.

    The goal of the standard is to provide a guide to help organizations implement a sensible SAM/ITAM management function. The tiers help organizations of different sizes aim for appropriate levels of maturity (rather than trying to eat an elephant in a single bite) and measure themselves against these levels of maturity.

    There are two versions of 19770-1, the first one (released in 2006) and the latest revision (released in 2012). Many people are unfamiliar with the new version.

    The issue of certification is a large one. I joined ISO/IEE SC7 WG21 2 years ago (just before the 2012 revision was published). WG21 is responsible for the 19770 ITAM body of standards as a whole.

    I had a lot of issues with the 2006 version, most especially that one could never be measured against it. In the 2012 revision the tiers really helped with this. Here for the first time is a 19770-1 that COULD become a Management Standard and allow for Certification. Currently there are no “Certification bodies” for 19770-1. The BSA has a 19770-1 aligned certification of organizations (covered by Martin here: https://www.itassetmanagement.net/2011/11/15/vendor-audit-forbearance/) – that’s as close as one can come right now.

    19770-1 is an excellent starting place for an organization to find sensible advice on implementing SAM. If an organization has already implemented SAM, they can use 19770-1 as a measuring stick to see how far they have come (what “Tier” they have reached). There is no independent examining external body which can give you a shiny certificate for it right now… but it’s still very useful!

    The future of the standard DOES see the group working towards restructuring 19770-1 as a Management standard to allow for simple certification. Implement 19770-1 now, move through the tiers and you’ll be in a great position to get a shiny certificate at some stage in the future. In the meantime, pat yourself on the back if you’ve got to the end of Tier-1 🙂

  2. Rory Canavan says:

    Hi Jason, perhaps if this is the intention of ISO 19770-1 (more to be advisory than a management standard as per ISO 27001 (as an example)) then some sort of communique or abstract is required from the steering group – or even a forward in the standard itself? Statements like the one below in the introduction of the latest revision are not helpful:

    “This allows for free-standing independent certification which correspond to natural levels of development and management priority” (in reference to the tiered approach in going through the various levels of maturity).

  3. Jason Keogh says:

    I agree that certification would be wonderful. The lack of certification and the lack of the ability to even aim to be certified against the 2006 version were my biggest criticisms of it.

    The 2012 version at least provides a set of measurable approaches (tiers) which make assessment and ergo certification possible.

    The BSA have created a certification around this revision (it is only promoted in some countries, initially India, now Mexico and some others – but any organization world wide can volunteer for it I believe).

    Later versions will be structured similarly to ISO 9001 to allow accredited certification bodies to support 19770 with ease.

  4. Rory Canavan says:

    Someone needs to grasp the nettle and adopt this Standard. Free-standing certification is not the future.

  5. I don’t know enough about 19770-1 and certification but the work I’ve seen around 19770-3 would greatly help reduce confusion around enterprise license agreements and the multitude of definitions that differ not only from vendor to vendor but contract to contract.

    I actually think 19770-3 has the greatest chance of adoption as it will be the customers and SAM tool providers who will push for it’s adoption which will drag the vendors kicking.

  6. Paul Sheehan says:

    Hey Jelle, long time no speak. Have to agree with Jason on the certification. Also, as feedback, I’ve just finished two engagements using the ISO standard as a checkpoint against the clients current service. It worked very well to show them that its not all about tools, and to trigger the governance and transition activities needed to really get their service going. From my perspective, the standard is therefore doing its job, not as a process definition, but as a service framework.

  7. Anonymous SAM bloke says:

    Is ISO19770 a dead duck in the water? Yes it most certainly
    is.

    Firstly, just to muddy the water with regards to Jason’s point on certification for ISO. Yes, you can certify for ISO or at the very least that is what we end user organisations are lead to believe (e.g. that’s how consultants sell it to end users). Furthermore, a now defunct UK public sector organisation was actually the first to be certified for ISO19770. However, the argument for certification vs non-certification is an academic one and you need to concentrate on whether it can even be used as a framework. In short, no and it’s simply not fit for purpose. If you take a look into what Gartner and Microsoft publish on SAM then you can distil from there the key priorities to take into account if implementing SAM as a discipline in an organisation.

    Why do I think it’s a dead duck? Having gone through a benchmarking
    exercise for ISO19770 I don’t see any real tangible benefits it delivered to
    the organisation. It certainly benefits revenue for consultants who charge for assessing against ISO but again I struggle to see where it has left any real impact and benefits.

    In conclusion, ISO needs a radical overhaul, it needs simplification. The tiered approach has gone some way in doing that but still falls short.

    OK, so I’ll finish on a positive note: Software tagging. That would be nice as it would help all SAM practitioners make ‘lighter’ work of understanding a vendors footprint on their estate but as the article suggests that is not going to be easy.

Leave a Comment