The Importance of The ISO 19770 Certification
In this article Anglepoint’s President and Chairman Ron Brill explains what the ISO 19770 certification is about, where it can fit into your organization, and how to leverage it to maximize your results. You can also take our ISO Readiness Quiz to help you discover if your organization is ISO/IEC 19770-1 ready. As Chair of the ISO Committee for IT Asset Management and Vice Chair of the ITAM Forum, Ron is passionate about bringing this level of accountability and measurability to the ITAM industry. In internal ISO terminology these committees, where the international standards are actually being developed, are called working groups. The group dedicated to IT Asset Management is known as Working Group 21.
What is the importance of ITAM standards?
ITAM standards are significant in that they are a means to benchmark the industry, establish a prescribed level of maturity that the ITAM function should meet, and serve as a best-practice guide. The standards help organizations understand the key concepts that should be considered when running an effective ITAM program.
These standards provide:
1. Interoperability
Because ITAM does not operate in a silo and has interactions with several other functions within the organization, from Information Security to Finance and Legal, all ISO standards are designed with interoperability in mind. A big part of ISO is related to adopting a service-provider mindset—focusing on value while minimizing duplication of effort, minimizing risks and maximizing benefits for the organization by ensuring that one process or system produces whatever another process or system requires, at the time it is required.
2. Common Language
ITAM standards provide a common language and terminology, which facilitates easier communication and knowledge sharing within the ITAM ecosystem, whether between ITAM and other functions within the same organization or among ITAM practitioners in different countries or in different companies. This knowledge sharing may also occur among software publishers, SAM tool vendors, consultants, and end-user organizations.
3. External Certifications
Having these external certifications means that a reputable third party (we will explore these later in this article) has determined that an organization is complying with the ISO standard. The availability of external certification for ITAM is still a work in progress. In principle, external certifications allow you to demonstrate to other parties such as software publishers, customers, business partners, or regulators that you have achieved the highest level of recognition possible for your SAM or ITAM program. This recognition can help satisfy legal requirements, help obtain better commercial terms, and allow your organization to participate in bids that stipulate such requirements. In the case of a security breach and resulting lawsuits, it allows your organization to demonstrate that you have taken IT governance seriously by implementing the acknowledged best-in-class management system for IT Asset Management. This should ultimately help to reduce any fines and penalties.
4. Benchmarking
Benchmarking data is incredibly useful in order to assess how your ITAM program is operating in comparison to your peer group in the industry. Are you doing the same things and are you getting the same results? This benchmarking can only be done effectively when you are comparing apples to apples. When comparing different organizations that follow the same standard, similar measures of performance can be referenced.
5. Management Assurance
Executives who are typically not experts in software asset management can be reassured that their organization is doing the right things around SAM, in line with recognized industry best practices. It demonstrates that the organization is not just implementing a project plan to improve but actually following best practices for SAM in order to realize increased levels of management maturity.
How are international standards in ITAM developed, and where do they come from?
There is only one global standards organization in the world, and that is ISO. It was established after the Second World War and is headquartered in Geneva, Switzerland. ISO is currently made up of about 165 member countries who all agreed not only to participate in the development of the work but also to adopt the approved standards. Each country appoints one national standards body to be its representative for ISO. In the U.S. that national standards body is the American National Standards Institute (ANSI). In the UK, it is the British Standards Institution (BSI), and so on. National bodies then delegate experts to participate in the various committees. All experts are volunteers, and they are the ones who actually write the standards. These standards normally need to be refreshed once every five years. That is ISO’s way of ensuring that all committees keep their standards current. Given that it takes about two years from start to finish to develop a standard, that means that about three years after a given standard is published, the committee needs to start working on the next edition. Each such committee has a chair (or a Convener in ISO terminology) who is elected by vote of the member countries for a three-year term. Within each working group, there could be multiple work streams for the different projects under development or for different study groups. It is important to state here that, while committee members come from different countries, different organizations and different backgrounds, they all operate purely as independent experts, not representing the interests of any country or employer. There is no voting within the committee, and all decisions are reached by consensus. ISO, for its part, conducts global ballots at key stages of the development lifecycle where countries get to vote and provide comments on the work that is done within these committees.
The ITAM Standards Committee within ISO, (also known as Working Group 21,) was established in 2004 and now has over 175 members from over 25 countries. There are several liaison organizations that participate in the work of the committee and the members represent a cross-section of the ITAM ecosystem. There are representatives from all areas of the industry including end-user organizations, software publishers, SAM tool vendors, consulting firms, analysts, media firms, audit firms, and industry bodies.
What do the ISO Standards include?
Currently, there are six published ITAM standards that can be divided into three groups.
Firstly, the Management System standards address mostly the end-user perspective of SAM and are less relevant to non-end-user organizations. This group includes the ITAM flagship standard, 19770-1. The first edition of this standard was published in 2006 and was the first standard of this committee. Today they are on the third edition of this standard, originally published in 2017. Each part of the 19770 series is identified by a dash followed by a number. The 19770-8 standard provides a mapping framework between -1 and other standards and governance frameworks. It was published in 2020, and the hope is to see organizations who own such other frameworks pick up the mapping task using the -8 template.
Next, the Information Structure standards provide a schema for storing and exchanging ITAM-related information. They allow for more efficient and effective ways to exchange information within the ITAM ecosystem between software publishers, tool vendors and end users.
This includes the -2 standard, which defines and provides Software Identification Tags (SWID tags); the -3 standard, which provides an entitlement data schema; and the -4 standard, which is for resource utilization measurement. The nature of these standards (XML schemas) is that they are likely of more interest to software publishers and tool vendors.
There are creative ways that end-user organizations can utilize these information structure standards, and end-users certainly need to be aware of them. An example of this is -2, SWID tags, which have been adopted and are mandated by parts of the U.S. federal government for information security purposes. SWID tags allow an XML tag to be digitally signed by the software publisher, and this in turn allows the organization to verify that software is genuine and has not been tampered with.
Finally, there is the Overview & Vocabulary standard, -5, which is the only free standard.
The committee is currently working on updates to three of the standards mentioned here. Additionally, work has begun on six brand-new standards as well as technical reports. All these standards are available for purchase, either from the ISO web store or each country’s national body.
The 19770-1 standard
This is the ISO Management System Standard (MSS) and is based on the Deming Cycle of Continuous Improvement, also known as the Plan, Do, Check, Act method. This concept will be recognized by anyone familiar with Six Sigma and Lean Manufacturing as it utilizes the important aspects of a cycle that is iterative and continuous—constant adjustments and improvements. The organization changes by the day, and the SAM program must change with it or risk becoming irrelevant.
Plan, Do, Check, Act: Applying The Deming Cycle of Continuous Improvement
- The Plan phase is probably the most important as this determines the needs of the organization and the scope of ITAM required to satisfy those needs. Policies are developed, risks are assessed, and a detailed plan is created identifying all required resources.
- The Do phase is to execute/implement the plan that has been developed in the Plan phase.
- The Check phase is to perform continuous monitoring and review of the ITAM program to see if it is performing as expected and to follow up on exceptions.
- The Act phase is to remediate any nonconformity identified in the Check phase, as well as perform other activities such as taking preventative action to ensure future risks are proactively mitigated.
The IT Asset Management system is at the heart of this standard. All other ISO management system standards will have the exact same structure. The fact that the same management structure is used across all ISO management system standards is invaluable, particularly when you’re considering the joint implementation of two or more ISO standards, such as ITAM and Security.
The 19770-1 standard identifies 15 process areas for ITAM and provides a suggested tiering structure for the order of implementation. This also allows for partial certification, so that organizations can more quickly achieve their initial certification by implementing the processes that make up Tier 1, then expand to Tiers 2 and 3 at a later stage.
Tier One—Trustworthy Data.
This is about getting to a point where you have trustworthy data. If you don’t have that first, there’s really nothing else you can do but return to the start and focus on understanding what comprises your IT estate.
Tier Two—Lifecycle Integration.
This is building on your trustworthy data to achieve management of the IT Asset lifecycle.
Tier Three—Optimization.
This focuses on continuous improvement and cross-functional optimization and leveraging data from IT Asset Management to add value to the wider organization.
It is important to note here that in early 2024 there will be a FinOps update to the ISO 19770-1 Standard. This will see a change in this tiering structure and incorporate FinOps processes.
This diagram shows these 15 process areas within the current 3 Tiers and the continuous loop of Plan, Do, Check, Act to achieve improvement.
While there are specific ITAM processes that are mentioned in the 19770-1 standard, the actual processes are not part of the body of the standard, they only appear in an annex. Almost no details are given about them in the standard because the ISO’s template for management system standards needs to be followed. The concept is that if a management system is effective the resulting processes can’t help but be effective. On the other hand, if the management system is ineffective, there’s no point in even going down to the process level. This focus on the management system was the main change that was introduced in this third edition of the standard.
Annex A of the Standard
The 15 process areas are listed in Annex A of the standard. There are 8 IT Asset Functional Management process areas that fall under Tiers 1 & 3, and 7 IT Asset Lifecycle Management processes under Tier 2. The main difference between these two groups is that functional management processes are applicable across all stages of the asset lifecycle, whereas the lifecycle management processes apply only to one specific phase in the asset lifecycle.
The first four functional management processes in Tier 1 make up the minimal threshold that the standard requires you to achieve in order to get any certification against the standard—Change Management, Data Management, License Management and Security Management.
Tier 2 is made up of the seven life cycle processes, and achieving them means you have integrated ITAM within the asset life cycle—Specification, Acquisition, Development, Release, Deployment, Operation and Retirement.
Tier 3 is made up of the remaining functional management processes—Relationship/Contract Management, Financial Management and Service Level Management. Achieving them means optimization has been accomplished. This group includes a catch-all process for Other Risk Management that can be tailored to each organization.
It’s worth noting that the definition of an IT asset in the 19770-1 standard is pretty broad and is applicable to traditional on-prem software as well as to Software as a Service (SaaS) infrastructure and Platform as a Service (PaaS).
How Do You Get Certified?
The 19770-1 standard is an organizational certification; however, for individuals, there is one professional SAM certification that is fully aligned with this standard, the Certified Software Asset Manager (CSAM) professional offered by BSA. This self-paced, online training course was developed by Anglepoint for BSA. The course is now owned and operated by BSA and Anglepoint does not benefit financially from participants.
Any organization can self-certify against any ISO standard and self-declare their conformity with it. Of course, that has a limited value, which is why external certification is recommended. This will be performed by an accredited and independent third party. There are specialized firms who are accredited to perform ISO certification audits—these will be the same firms that perform the ISO 27001 certifications.
Unfortunately, due to the low uptake in certification, many of these organizations do not offer the 19770-1 certification. The publication of 19770-1 now provides audit guidance to these certification bodies to make it easier for them to perform these accreditations. In addition, the 19770-1 standard now in development will provide guidance on ITAM implementation and include many of the best practices that were not able to be included in 19770-1 due to the need to comply with ISO’s template for management system standards. This will make it easier for organizations to implement and certify against the 19770-1 standard.
Where does The ITAM Forum come in?
Outside of ISO, the effort to bring about organizational certification against 19770-1 is mostly led now by the ITAM Forum, a global nonprofit based in London. The ITAM Forum is led by end-user organizations and promotes the ITAM industry through education, awareness, and organizational certifications. They are working with certification bodies to drive and enable 19770-1 certifications. You can visit their website to see which organizations are involved, read some of the thought leadership articles that have been produced and become a member.
How can ISO 19770-1 benefits be leveraged strategically?
We have explored the 19770-1 standard, but now it’s important to understand the benefits it offers in relation to the five key provisions mentioned earlier and how these can be leveraged strategically. Although less intuitive to grasp, Interoperability is arguably the most valuable benefit for organizations. ITAM has three groups of objectives – reduce software costs, mitigate risks and enable IT functions. The enablement of IT functions will in turn drive much larger risk mitigation and cost reduction in the organization. Any objective of ITAM falls under one of these three buckets. The ITAM standards benefit of Interoperability is more relevant to the third objective of enabling other IT functions.
ITAM Standards and Security
ITAM is a foundational IT competency, meaning many IT functions rely on ITAM, either directly or indirectly. A great example of this is the relationship between ITAM and IT Security. You can’t secure what you don’t know you have. For example, you can’t ensure that no unauthorized software or hardware is being used if you don’t know what’s running on your network, and if you don’t maintain an updated list of authorized software. Similarly, when a vulnerability is discovered and a new patch is made available, you need to know where to apply it as soon as possible to mitigate your potential risk.
The Equifax Breach in 2017 was a big wake-up call for many people and helped them consider the dependencies between ITAM and information security. Personal and sensitive information belonging to 150 million Americans was stolen by hackers due to a vulnerability in a certain open-source product used by Equifax. A U.S. Congressional report concluded that ineffective IT Asset Management was the main factor that led to the security breach. At the time Equifax was hacked, the vulnerability was not only well known and already documented in the marketplace, but a patch had been available to Equifax for quite some time. Equifax did not apply that patch, simply because they were running tens of thousands of servers without effective IT Asset Management, and therefore they had no idea which of their servers were running that particular product and version that required the patch.
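The point of the last two paragraphs, knowing which hosts run the affected version, is exactly what an inventory built from the ISO 19770-2 SWID tags mentioned earlier can answer. The following is an added example (not code from the article, Anglepoint or ISO): it parses constructed SWID tags per host and matches them against a constructed advisory's affected version range. Host names, the "ExampleFramework" product, the publisher and the version numbers are all assumptions; only the 19770-2:2015 namespace URI is real.

```python
"""Find hosts that need a patch from a SWID-tag (ISO 19770-2) inventory."""
import xml.etree.ElementTree as ET

SWID_NS_URI = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SWID = "{%s}" % SWID_NS_URI


def swid_tag(name, version, scheme="multipartnumeric", regid="example.org"):
    """Build a minimal constructed 19770-2 tag for a hypothetical publisher."""
    return (
        f'<SoftwareIdentity xmlns="{SWID_NS_URI}" name="{name}" version="{version}" '
        f'versionScheme="{scheme}" tagId="{regid}/{name}-{version}">'
        f'<Entity name="Constructed Publisher" regid="{regid}" '
        'role="tagCreator softwareCreator"/></SoftwareIdentity>'
    )


def parse_swid(xml_text):
    """Return (name, version, versionScheme), rejecting non-19770-2 documents."""
    root = ET.fromstring(xml_text)
    if root.tag != SWID + "SoftwareIdentity":
        raise ValueError(f"not a 19770-2 SoftwareIdentity element: {root.tag}")
    return root.get("name"), root.get("version"), root.get("versionScheme", "unknown")


def version_key(version):
    """Ordering key for multipartnumeric versions: '2.3.31' -> (2, 3, 31)."""
    return tuple(int(part) for part in version.split("."))


def hosts_needing_patch(inventory, product, first_affected, fixed_in):
    """Return (to_patch, needs_review) for first_affected <= version < fixed_in.

    inventory maps hostname -> list of SWID tag XML strings. A host whose tag
    for the product cannot be compared numerically (non-numeric scheme or a
    malformed version string) is not silently skipped: untrustworthy data is
    reported for manual review rather than treated as "not vulnerable".
    """
    lo, hi = version_key(first_affected), version_key(fixed_in)
    to_patch, needs_review = [], []
    for host, tags in sorted(inventory.items()):
        for tag in tags:
            name, version, scheme = parse_swid(tag)
            if name != product:
                continue
            try:
                key = version_key(version) if scheme == "multipartnumeric" else None
            except ValueError:
                key = None
            if key is None:
                needs_review.append((host, version))
            elif lo <= key < hi:
                to_patch.append((host, version))
    return to_patch, needs_review


# Constructed inventory: the SWID tags each host reports. app-03 carries a tag
# whose version is not multipartnumeric, so it cannot be compared automatically.
INVENTORY = {
    "app-01": [swid_tag("ExampleFramework", "2.3.31"), swid_tag("OtherLib", "1.0.0")],
    "app-02": [swid_tag("ExampleFramework", "2.3.33")],
    "app-03": [swid_tag("ExampleFramework", "2.3-SNAPSHOT", scheme="alphanumeric")],
    "db-01": [swid_tag("OtherLib", "1.2.0")],
}

if __name__ == "__main__":
    # Constructed advisory: ExampleFramework 2.0.0 up to (not including) 2.3.32.
    patch, review = hosts_needing_patch(INVENTORY, "ExampleFramework", "2.0.0", "2.3.32")
    print("patch now:", patch)         # [('app-01', '2.3.31')]
    print("review manually:", review)  # [('app-03', '2.3-SNAPSHOT')]
```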
Many organizations rely on the ISO 27001 standard for information security, either because they are required to or because they choose to adopt it for its own merits. Even where organizations are using a different security framework, there’s a very good chance that framework is at least indirectly based on ISO 27001. Analysis carried out by an ISO committee member showed that organizations who are compliant with 27001 for information security have already met more than 50% of the requirements for 19770-1. There is no doubt that there’s a very significant overlap between the two domains. For this reason, Gartner® predicted that by 2022, 50% of ITAM initiatives will be primarily driven by information security needs and concerns.
This is why we say that the Interoperability of ISO 19770 is key for ITAM.
If you’re taking a standards-based approach to ITAM, ISO 19770-1 was designed from the start for joint implementation with the ISO 27001 standard and this is reflected in a number of ways. Firstly, both standards are management system standards, meaning they not only follow the same structure, but the implementation can share the same management system (the Plan, Do, Check, Act framework). The two standards share a number of common approaches, including risk management, selection of objectives, documentation requirements, and many others. When asked about top priorities, nine out of ten CIOs will list information security, but will not list ITAM. However, when ITAM is positioned as enabling information security, and in particular with a standards-based approach that facilitates joint implementation, a much more strategic conversation can be initiated with your CIO.
Following Governance Requirements For The IT Industry
Organizations are typically subject to a whole spectrum of laws, regulations, and governance requirements as those relate to IT beyond ISO 27001. In many cases, such governance requirements will have varying degrees of overlap with IT asset management. Some examples of these include:
The National Institute of Standards and Technology (NIST) in the U.S. is part of the U.S. Department of Commerce. Its publications are widely used across the U.S. federal government, but also more broadly in industry and around the world. One of its main publications is the Cybersecurity Framework (CSF). This framework identifies five main security functions—Identify, Protect, Detect, Respond, and Recover; ITAM is named as the first category under the Identify function.
SANS and the Center for Internet Security (CIS) publish the 20 critical security controls, and a few of these controls address the inventory of hardware and software and the ability to distinguish between authorized and unauthorized software.
Control Objectives for Information Technology (COBIT 2019) is an IT governance framework published by The Information Systems Audit and Control Association (ISACA). COBIT is commonly used around the world by both internal and external audit functions to assess IT controls. COBIT 2019 identifies 40 governance and management objectives, one of these being Managed Assets which calls for proper accounting and optimization of all IT assets.
The advantage of taking a standards-based approach is that you will not be reinventing the wheel on how to map what you’re doing for regulatory requirements. You will be able to follow best practices, demonstrate that you’re doing the right things and most importantly, be in the best position to defend any investigation or litigation.
How can Anglepoint help?
Positioned as Leaders in the Gartner® Magic Quadrant™ for SAM Managed Services, Anglepoint’s team of experts is here to support you at whatever stage you are in the process of gaining your ISO 19770-1 Certification.
If you would like to receive a customized report to discover if your organization is ISO/IEC 19770-1 ready, you can take Anglepoint’s Readiness Assessment Quiz. You will receive a personalized report with tailored feedback that includes needed improvements.
Our ITAM Program Transformation eBook defines a strategic ITAM program aligned with ISO/IEC 19770-1 and lays the foundation to ensure that people, processes and operations in IT Asset Management come together to drive agile forecasting, eliminate waste, and enable strategic business outcomes.