ISO Issues

A quick thanks to all who have commented and contributed to the blog site. To clarify some issues that have arisen, it is beyond the scope of this blog to provide detailed educational training. My vision with this is to get folks started off on a particular topic. Those who have expertise in the topic may not learn something new, but could (and should) contribute and add to what is presented by posting comments. On the other hand, those who are new to the topic can gain an introduction by reading the post and then further pursue the topic by obtaining the relevant study material if they are so inclined. With that stated, let’s move on to this week’s topic – ISO.

ISO (the International Organization for Standardization) has existed for a long time (Feb 23, 1947 to be exact) and caters to a lot of different industry domains and knowledge areas. Headquartered in Geneva, ISO is a non-governmental organization but is well known all over the world with significant influence and power. As its name implies, the organization is primarily concerned with the setting and maintenance of worldwide industrial and commercial standards. ISO provides guidelines for over 17,500 standards. While numerous standards exist that relate to technology, the standards most relevant to this blog site are the ISO 20000:2005 (IT Service Management) and the ISO 27000 (Information Security Management) standards.

As a consultant, I am passionately in favor of standards. One of the most frustrating things for me is to spend my time (and therefore the client’s money) in the attempt to understand the way things are setup and the terminology used at each organization that I consult at. What is fascinating is that each organization has its own “lingo” and way of defining items and resources. One might expect that their processes would differ but the very language they speak differs as well. This is not just inconvenient for a consultant or new employee but leads to confusion and problems/defects when interaction between other organizations is carried out. In today’s age of inter-dependency and outsourcing, it is important that all organizations speak the same language. Other benefits of implementing standards include compliance with governmental and regulatory requirements and the ability to enter global markets (some foreign countries require ISO certifications as a mandatory qualification to enter their market). Last but not least is the organizational efficiency and quality improvements inherent in improving the organization’s processes.

But for standards to work, they have to be implemented. So, how does one go about implementing an ISO standard? First, the decision must be taken and supported at the top management level and then accepted at the organizational level. I have observed too often the adaptation of some standard or methodology by the top brass while the cubicle level folks are dead-set against it. This almost always leads to the failure of the standard being employed. If not all at least a significant majority of the organization’s staff must be in favor of implementation of the standard.

Next, adequate resources must be planned for and set aside for the implementation of the standard. Training should be provide to key players in the implementation and outside consultants brought in as necessary.

If certification is desired, then an independent audit to assess and certify compliance to the standard’s requirements should be obtained.

ISO is a vast organization with a huge body of knowledge and my attempt to bring some of the IT aspects of it to light is a only but a first step in the right direction. Interested readers may pursue the subject in more detail via numerous resources available online.

Problem Management

In most IT organizations, a systematic process to handle problems does not exist. Rather, the functions of a problem management process are carried out by Project or Program Managers or some sort of committee or advisory board. A well thought out problem management process is only rarely setup unless the organization is under some sort of ISO 20000 certification program.

Problems are underlying reasons for incidents. Incidents being disruptions to expected levels of service experienced by customers. Problem management aims at resolving incidents and problems caused by end-user errors or IT infrastructure issues and preventing recurrence of such incidents. Therefore, there are two aspects to problem management: a proactive aspect and a reactive aspect. In the proactive aspect, the services are monitored for possible problems and steps are taken before thresholds are breached. In the reactive aspect, a problem has already occurred and steps must be taken to resolve it. Problem management then works with other processes to resolve the problem in question.

The major sub processes within Problem Management are:

• Problem and Error Control: To constantly monitor outstanding Problems with regards to their processing status, so that where necessary, corrective measures may be introduced.


• Problem Identification and Categorization: To record and prioritize the Problem with appropriate diligence, in order to facilitate a swift and effective resolution.
  Problem Diagnosis and Resolution: To identify the underlying root cause of a Problem and initiate the most appropriate and economical Problem solution. If possible, a temporary Workaround is supplied.


• Problem Closure and Evaluation: To ensure that - after a successful Problem solution - the record and prioritize the Problem contains a full historical description, and that related Known Error Records are updated.


• Major Problem Review: To review the resolution of a Problem in order to prevent recurrence and learn any lessons for the future. Furthermore it is to be verified whether the Problems marked as closed have actually been eliminated.


• Problem Management Reporting: To ensure that the other Service Management processes as well as IT Management are informed of outstanding Problems, their processing-status and existing Workarounds.

The advantages of Problem Management are:

• Reduction in service disruptions to the customer


• Proactive identification and prevention of failures which leads to fewer defects experienced by the customer


• Quicker resolution of an existing problem


• Better communication and information management regarding problems and known errors


• Better problem analysis and understanding of trends that could be utilized in a proactive manner

Therefore, it is clear that Problem Management provides significant benefits to an organization and should be implemented with the seriousness that it deserves.

Supply Stability

Supplier management in the past was usually handled by the departmental secretary who chose which corner shop to buy the paper clips and pads from. Advanced version of this function also included choosing the best take-out joint for lunch or snacks. Nowadays, however, supplier management is a major process that is becoming more and more crucial in an organization’s ability to function efficiently and remain competitive due to the increasing complexity of inter-dependency between organizations.

The products or services that are being supplied by the supplying organization are numerous and complex. Consulting, material, equipment, information, knowledge and people are a few examples of resources and capabilities that are exchanged between organizations. While products need to be monitored for quality, price, delivery punctuality etc., the more intangible resources such as consulting and knowledge require further specialized skills in the management of its suppliers and delivery.
Suppliers can be broken down into the following categories by importance:

• Strategic Suppliers: Where goods and services are hard to obtain and require adequate stockpiling for safety. The goods and services being supplied are crucial to the operation of the organization.


• Tactical Suppliers: Less difficulty in obtaining goods and services. The items are not as crucial to the successful workings of the organization.


• Operational Suppliers: Goods and services are relatively easy to obtain and there are alternatives to choose from. The items are not so crucial to the running of the organization.


• Commodity Suppliers: Goods and services are easy to obtain and there are many supplying organizations to choose from. The items being supplied are not crucial to the opration of the organization.

Supplier Management is the process that ensures that external services and configuration items, which are necessary for the service delivery, are available as requested and as agreed at the service level. Some of the responsibilities of this process are:

• To ensure that the supplies are made as per the pre-defined requirements and service levels.


• To ensure that every supply runs through a set of standardized steps and procedures in order to ensure repeatable and predictable results every time.


• To manage the risk to normal service operation due to lower control levels and accessibility inherent in using external suppliers. This involves the periodic assessment and testing of supply quality and service levels provided with the supplying organization.


• To document analyze and review every supply decision and activity.

The best way to handle all this is to implement a well defined and formal Supplier Management process complete with a Supplier and Contracts database and Supplier Manager. The basic sub processes within the Supplier Management process are:

• Supplier Request Recording


• Supplier Selection


• Supplier Evaluation


• Supplier Negotiation


• Supplier Service Delivery


• Supplier Renewal /Termination

The proper execution of these sub processes will ensure the smooth and efficient function of the Supply chain. The act of receiving supplies from another organization is, therefore, seen to be an important one and should be given the importance and respect it deserves by proper planning and execution of a formal process for it.

Testing Maturity & Improvement

Testing is an important and significant part of the product or service lifecycle. This is true of any industry but more so in the case of IT where the sheer complexity of the trillions of bits and bytes zipping around bring about an incredible permutation and combination of possible ways things could go wrong. To counter for this complexity the implementation of a high level of testing maturity is essential within the IT organization.

For overall organizational maturity, organizations can avail of CMMI and its 5 maturity levels. Testing also has 5 levels of maturity within the Testing Maturity Model (TMM) that integrates well with CMMI and other methodologies. Furthermore, the Test Process Improvement model also exists that has been developed based on practical experiences and knowledge of test process development.

TMM was developed in 1996 at the Illinois Institute of Technology, and was designed to be a counterpart to the CMMI model. The 5 maturity levels are similar in definition to CMMIs levels which can be easily viewed online. TMM advocates the implementation of various test processes that increase testing maturity within the organization.

Similarly, TPI offers 20 Key areas with increasing levels of implementation for each area. Some of the key areas (not all) include:

• Test Strategy


• Moment of Involvement


• Estimating and Time Planning


• Metrics


• Test Tools


• Evaluation


• Communication


• Reporting

As may be deduced, this is a far more structured approach than the old fashioned write a few test cases at the last minute and frantically test till midnight strategy that some organizations are utilizing to this day. Moving beyond simply preparing for testing by creating test cases and test plans is simply not enough. It is now imperative to be optimizing the test processes and continuously improving to be at the right combination of efficiency and quality.

Simply put, organizations should make themselves aware of the latest in testing techniques and methodologies like TMM and TPI and implement the recommended processes before the competition does. Not doing so will only put the organization at an unnecessary disadvantage that is a great handicap in today’s difficult times.