A third version of the ISO standard for SAM is being developed. This article provides an overview of the updates and explains how you can review the latest drafts and provide your feedback. If you have any questions, please contact me.
New ISO/IEC 19770-1 Draft Updates
The ISO SAM process standard is being revised to cover full ITAM and to integrate with the standards for Information Security, Service Management, Quality Management and others.
This will be edition 3 of ISO/IEC 19770-1. The expectation is that the revised ITAM standard will formally be published in early 2017, but that it will be usable before then. The latest draft is available for public review and comment through 12 February.
Some notable features of this proposed revision are:
- The revision maintains continuity with the principles of edition 2, i.e. with the 2012 edition of ISO/IEC 19770-1. Any organization which has used edition 2 for self-assessment, improvement, or certification should find it easy to transition to edition 3.
- Improved Tiers. The revision continues the use of tiers, but has revised them to be more intuitive. There are now just three tiers: trustworthy data (as in edition 2), life-cycle integration, and optimization.
- Integrated Use with Other Standards. The revision is being rewritten using a new high-level structure and common wording required by ISO for every ‘Management System Standard’ (MSS). ISO 9001 (Quality Management), ISO/IEC 27001 (Information Security Management) and a number of others have already been revised and re-issued. ISO/IEC 20000-1 (Service Management) is also being revised at present. This new approach will facilitate the Integrated Use of Management Systems (IUMS – another ISO acronym). Particular focus is being given to ensure easy integration with Information Security Management and Service Management.
- Leveraging Physical Asset Management. The revision uses as its basis a new standard for generic asset management (ISO 55001), which was developed primarily for physical asset management, but with the involvement of SAM/ITAM experts to ensure it was a suitable basis for ITAM as well.
- Addressing Additional Requirements for SAM and ITAM. The revision adds to the ISO 55001 requirements to meet the special or more demanding characteristics of SAM and ITAM. In particular, these include controls over:
  - Software, which has major exposures relating to possible unauthorized modification, duplication and distribution
  - Complex organizational ownership/responsibility scenarios, such as for cloud computing
  - Mixed organizational/personal responsibility scenarios, such as for BYOD
How to review and provide feedback
There are multiple ways of reviewing the draft and of submitting comments.
- The ‘Committee Draft’ is available for public review at http://isotc.iso.org/livelink/livelink/Open/17495669. The technical specification for it is available at http://isotc.iso.org/livelink/livelink/Open/17496551.
- Members of the public may review the draft and submit comments through 12 February via the British Standards Institution’s web site, using this URL: http://drafts.bsigroup.com/Home/Details/55799. This website requires registration, but otherwise anyone may submit comments using it.
- If you are a member of a national standards body (such as the BSI, ANSI, or DIN), or if you are a member of a liaison organization with the responsible ISO committee SC7WG21 (such as ISACA, itSMFI, IAITAM, SAMAC or TCG), you can submit comments via them. Such comments should be provided using the template that is available from http://isotc.iso.org/livelink/livelink/Open/16689282. Please note that recommendations for change need to include specific replacement text; it is not sufficient simply to say that something should be ‘considered’ or ‘reviewed’.