ISO Update

I’ve received several questions about ISO 19770, the international standard for Software Asset Management, over the past couple of months. Let’s review the landscape… First of all, ISO is an acronym for the International Organization for Standards (ISO) based in Geneva, Switzerland. It is a network of the national standards institutes of over 163 countries that, through many specialized committees, works to develop a consensus among member nations on standards that will be accepted by all countries. You have very likely heard or seen advertisements for companies that included a reference to their ISO 9000 certification, which is becoming a worldwide quality management requirement for companies that wish to become part of a supply chain for major global manufacturers or distributors. Standards are absolutely essential to the growth of the world economy because they provide the basis for development and adoption of, among other things, technologies that can be used in system components with a high degree of certainty that they will interface with components built by other countries’ manufacturers and will interact in predictable ways in the environment in which they are designed to perform. As each ISO member country has only one vote, the United States is sometimes at a disadvantage in standards deliberations that are contentious. For example, each European Union country also has one vote although the EU advances the notion that it is a single economic zone. So, it is critical that U.S. participation be vigorous and competent to ensure that the voices of American companies are heard and that our industries are not placed at a disadvantage during the technical and political maneuvering that often takes place during each progressive stage of standards development. The American National Standards Institute (ANSI), a private not-for-profit organization with over 100,000 government and private corporate members, is the official U.S. representative to ISO and is funded by member dues, sale of publications, and grants from the U.S. Department of Commerce National Institute of Standards and Technology (NIST). ANSI is responsible for coordinating U.S. participation on all of the committees that work in parallel on the various ISO standards, a process that usually takes several years for each standard. There is normally no compensation for participation in standards committees – government employees at NIST and elsewhere participate as a function of their job; corporations participate by both paying dues to ANSI and contributing the time and expenses of key employees. Over the ten years that ISO 19770 has been in development, the Business Software Alliance and later the International Business Software Managers Association (IBSMA) have been the primary movers in ISO Working Group 21 which developed the ISO 19770 group of standards. IBSMA membership includes Oracle, Symantec, BDNA and other major software companies. During the development of ISO 19770 standards, additional companies including IBM, Adobe, CA, and Microsoft participated in the technical meetings leading to the final documents. For these companies ISO 19770 is ‘a Big Deal’. So what does ISO 19770 address? ISO 19770-1 addresses the process of Software Asset Management and provides a framework for organizations to use to show that processes are in place that will help to ensure that governance requirements are being met and that the goals of IT Service Management can be achieved. ISO-19770-1 reached final draft stage in 2006 and is now in the ‘Publication stage’. ISO 19770-2 provides a standard for software identification tags. The last version of 19770-2 was submitted for final review in 2007 and is currently in what is formally called ‘Stage 5′, the ‘Approval Stage’, which is one step from the ‘Publication stage’. Basically, ISO 19770-2 provides a uniform standard for embedding metadata in software that ‘exposes’ information such as the manufacturer, title, version number, and other key information that can be read by software inventory tools like BDNA Discover or Symantec Altiris Asset Management Suite. During Stage 5 a non-profit organization called TagVault is acting as the registration authority for Software Identification Tags (SWID tags). As noted on TagVault’s web site, the General Services Administration (GSA) is working with TagVault to develop U.S. Federal government certification requirements for SWIDs. ISO 19770-3 has not yet been prepared but is designed to be a standard for software entitlement tags. This standard will define what metadata is used to define the licensing rights for software. The first meeting of the ISO 19770-3 committee convened in 2008; already there are seven subcomittees working on this part of the 19770 standard. So it will also be — ‘a Big Deal’. Stay tuned. ISO standards are not freely distributed. ISO 19770-1, the only section in the ‘Publication stage’, can be purchased from the ISO catalog.