The design of process models for the ISO/IEC 17000 conformity

assessment standards
Dr Alastair Walker
SPI Laboratory (Pty) Ltd, Johannesburg, South Africa

Summary: Although the process approach features strongly in the published management systems
standards (e.g. ISO 9001), processes are not significantly part of the description of the CASCO ISO/IEC
17000 series of conformity assessment standards. The absence of an overt process approach creates
problems for implementers of management systems conformant to the ISO/IEC 17000 series
requirements. During 2013 a project has been undertaken under the auspices of SABS TC 175 (Process
Models) in liaison with SABS TC 180 (Conformity Assessment) to define process models for the ISO/IEC
17000 series standards. This technical paper summarises the key results of this project to-date.

1. Introduction

The project to develop processes models evolved out of a need in SABS Technical Committee for Conformity
Assessment (TC 180) for a graduated approach for the adoption of ISO/IEC 17025.

Although the process approach features strongly in the published management systems standards (e.g. ISO 9001),
processes are not significantly part of the description of the CASCO ISO/IEC 17000 series of conformity assessment
standards. The absence of an overt process approach creates problems for implementers of management systems
conformant to the ISO/IEC 17000 series requirements. During 2013 a project has been undertaken under the auspices
of SABS TC 175 (Process Models) in liaison with SABS TC 180 (Conformity Assessment) to define process models
for the ISO/IEC 17000 series standards.

The paper first defines the basis of the method used for describing processes. Such descriptions are based on the
applicable standard for this purpose, i.e. ISO/IEC 24774 (Guidelines for process definition). The normative elements of
such process descriptions include process names, process purpose statements, and process outcomes. ISO/IEC 15504-2
(Performing an assessment) elaborates the purpose outcomes to describe 'process outputs' or 'work products' that are the
direct result of the performance of the process.

The paper then considers the alignment of processes (i.e. names, purposes, outcomes) to the normative requirements in
ISO/IEC 17000 series. Traceability is developed between these requirements and the process outcomes as a key aspect
of verifying the integrity of the proposed process models. The purpose behind developing a detailed view of traceability
to the requirements in these standards is to:

a. determine the extent of the alignment of each outcome to the requirement in ISO/IEC 15504-2 6.2.4 c) (i.e. that
Level 1 process capability should not be exceeded); and to
b. identify any outcomes that are missing, or do not address the normative requirements of the ISO/IEC 17000 series.

Section 3 reviews the methodology applied to developing outcomes conformant to the Level 1 requirement of ISO/IEC
15504-2.

Section 4 examines the challenge of aligning the requirements of ISO/IEC 17000 series to process outcomes.

Section 5 discusses some of the key implications of the results of this work.

2. Creating process outcomes that are aligned to the requirements of the ISO/IEC 17000 series

2.1 ISO/IEC 15504-2 identifies normative requirements for the development of process outcomes

6.2.4 Process descriptions

The fundamental elements of a process reference model are the descriptions of the processes within the scope of the
model. The process descriptions in the process reference model incorporate a statement of the purpose of the process
which describes at a high level the overall objectives of performing the process, together with the set of outcomes

HRD-104-PRD-02.ISO-17000-process-models.doc Updated: 2013-08-15 Page 1

 The design of process models for the ISO/IEC 17000 conformity assessment
standards
which demonstrate successful achievement of the process purpose. These process descriptions shall meet the following
requirements:

a) a process shall be described in terms of its purpose and outcomes;

b) in any process description the set of process outcomes shall be necessary and sufficient to achieve the purpose of the
process;

c) process descriptions shall be such that no aspects of the measurement framework as described in Clause 5 of this
International Standard beyond level 1 are contained or implied.

An outcome statement describes one of the following:

production of an artefact;

a significant change of state;

meeting of specified constraints, e.g. requirements, goals etc.

2.2 ISO/IEC 24774 identifies criteria by which to judge the quality of process outcomes

Outcomes should abide by the following criteria:

a) The list of outcomes associated with a process shall be prefaced by the text, "As a result of successful
implementation of this process...".
b) An outcome shall be phrased as a declarative sentence using a verb in the present tense. For example, if the
preceding sentence was phrased as an outcome, it might read, "Outcomes are phrased as declarative sentences using
verbs in the present tense." Typically, the verb is "is" or "are" although others may be used when appropriate.
c) Outcomes should be expressed in terms of a positive, observable objective, e.g. the production of an artefact, the
provision of a service, a significant change of state, the successful maintenance of a desired state (e.g. safety), or the
meeting of specified constraints (such as requirements, goals, etc).
d) Outcome statements should be no longer than two lines of text, about twenty words.
e) The number of outcomes for a process should fall within the range 3 to 7.
f) Although an outcome should express an observable result, it is not necessary to express the outcome as the
production of a document, record of other item of information.
g) An outcome should express a single result. Hence, the use of the word "and" or "and/or" to conjoin clauses should be
avoided; such constructions are better expressed as multiple outcomes.
h) Outcomes should be written so that it should not require the implementation of a process at any capability level
higher than 1 to achieve all of the outcomes, considered as a group.

3. Verifying process outcomes against requirements

This section explains the method used to verify the process outcome statements in the light of requirements associated
with the ISO/IEC 17000 standards.

To do this, we need to first consider the nature of the requirements as they appear in the CASCO standards. In most
instances, such requirements are what may be referred to as 'compound requirements'. To create traceability of a
requirement to an outcome, it must be considered to be 'singular' i.e. have only one 'shall' requirement.

3.1 Compound and singular requirements

A compound requirement identifies more than one obligation (i.e. 'shall') to be satisfied. Singular requirements are
created from compound requirements by separating out the distinct requirements.

HRD-104-PRD-02.ISO-17000-process-models.doc Updated: 2013-08-15 Page 2

 The design of process models for the ISO/IEC 17000 conformity assessment
standards
By way of example, the following sub-clause fragment is taken from ISO/IEC 17020 7.1.9: 'The inspection body shall
have documented instructions for carrying out inspection in a safe manner.' Two singular requirements can be identified
in this compound requirement:

1 The inspection body shall have [documented] instructions for carrying out inspection in a safe manner.

2 [The inspection body shall have] documented instructions [for carrying out inspection in a safe manner.]

These requirements each address distinctly different aspects of the compound requirement. Different processes are
required to support each of these singular requirements.

3.2 The different processes implied by each singular requirement

Requirement 7.1.9 1 is associated with the process, Test Methods and Validation, while requirement 7.1.9 2 is
associated with the Information Management process.

These considerations are summarised in Table 1.

Table 1 Associations between singular requirements and process outcomes

Reference Singular requirement Enabling Process

7.1.9 1 The inspection body shall have [documented] instructions for Test Methods and Validation
carrying out inspection in a safe manner.

7.1.9 2 [The inspection body shall have] documented instructions [for Information Management
carrying out inspection in a safe manner.]

3.3 Process views allocating requirements to different processes

With reference to Figure 1, one consequence of the actions referred to in Table 1 is that all singular requirements can be
allocated to process outcomes. From an ISO/IEC 15504-2 perspective, we also need to ensure that Level 1 (i.e. process
performance) process capability is also satisfied.

Sub-clause 1 Process 1
1.1 Singular requirement 1.1 Outcome
1.2 Singular requirement 1.2 Outcome
1.3 Singular requirement 1.3 Outcome

Process 2
2.1 Outcome
2.2 Outcome
Sub-clause 2 2.3 Outcome
2.1 Singular requirement
2.2 Singular requirement Process n
2.3 Singular requirement n.1 Outcome
n.2 Outcome
n.3 Outcome

Figure 1 A generalised view of associations between singular requirements and process outcomes

3.4 The extent to which the requirements in the ISO/IEC 17000 series can satisfy these criteria

Looking at Table 2, associated with each outcome is listed one or more sub-clauses from a CASCO standard.

HRD-104-PRD-02.ISO-17000-process-models.doc Updated: 2013-08-15 Page 3

 The design of process models for the ISO/IEC 17000 conformity assessment
standards
So, for example, for outcome 3 (non-standard methods are identified), are the associated sub-clauses:

17020 7.1.3; and

17025 5.04.4 Non-standard methods.

We note that ISO/IEC 17020 has requirements that address outcomes 1, 2 and 3. The fact that it does not have
requirements that address outcomes 4, 5 and 6 does not imply that these outcomes can be ignored when this process is
implemented in the context of this standard. All it means is that the requirements to support these outcomes were not
considered by the technical committee responsible for this standard. (In other words, omission of a requirement does
not imply that the requirement is not important.)

In contrast to ISO/IEC 17020, ISO/IEC 17025 has requirements that support all of the described outcomes for this
process.

Table 2 Linkages from requirements

Name Test Methods and Validation
Purpose The purpose of the Test methods and validation process is to select and validate the
methods used for tests and calibrations.
Outcomes As a result of successful implementation of this process:
1. the standard methods used for test and calibration are identified;
2. methods developed for own use are identified;
3. non-standard methods are identified;
4. methods validation activities are identified;
5. the range and accuracy of the selected methods is determined;
6. estimates of uncertainty in measurement are obtained.
Requirements 17020 7.1.1 [1,2]
traceability 17020 7.1.2 [1]
17020 7.1.3 [3]
(sub-clause 17020 7.1.9 [1]
view) 17025 5.04.1 General [1]
17025 5.04.2 Selection of methods [1,4]
17025 5.04.3 Laboratory-developed methods [2]
17025 5.04.4 Non-standard methods [3]
17025 5.04.5.2 (Scope of validation) [4]
17025 5.04.5.3 (Data arising from validation methods) [5]
17025 5.04.6.2 (Procedure - Testing Laboratory) [6]
17025 5.04.6.3 (Selection of uncertainty components) [6]

4. Processes and their association with the ISO/IEC 17000 standard series

We noted that with reference to Table 3, not all the CASCO standards have requirements that can be associated with
process outcomes for a given process. There are some processes (13 in the first group) that have outcomes that are
supported by singular requirements for all the CASCO standards. On the other hand, there are some processes (7)
where the outcomes are traceable to a single standard. Although these processes may be important to the context of
operating the other CASCO standards, the technical experts who crafted the requirements clearly did not deem it
essential to draw specific attention to the concerns implied by these processes.

Table 3 Processes and their associations with the ISO/IEC 17000 standard series
Process name 17020 17021 17024 17025 17065
Processes that affect all the standards
1. Appeals/complaints/disputes X X X X X
2. Audit X X X X X
3. Certificate design X X X X X
4. Certification service fulfillment X X X X X
5. Communication X X X X X
6. Confidentiality management X X X X X

HRD-104-PRD-02.ISO-17000-process-models.doc Updated: 2013-08-15 Page 4

 The design of process models for the ISO/IEC 17000 conformity assessment
standards
Table 3 Processes and their associations with the ISO/IEC 17000 standard series
Process name 17020 17021 17024 17025 17065
7. Human resource management X X X X X
8. Information management X X X X X
9. Management review X X X X X
10. Non-conformity elimination X X X X X
11. Non-conformity prevention X X X X X
12. Organisational leadership X X X X X
13. Process definition X X X X X
Processes that affect four standards
14. Certification evaluation X X X X
15. Certification scheme design X X X X
16. Impartiality management X X X X
Processes that affect three standards
17. Certification application X X X
18. Certification monitoring and control X X X
19. Certification planning X X X
20. Improvement X X X
21. Information item management X X X
22. Process deployment and monitoring X X X
23. Subcontractor management X X X
Processes that affect two standards
24. Certification quarantine X X
25. Equipment management X X
26. Non-conformity resolution X X
27. Process validation X X
28. Sampling X X
29. Supplier evaluation, selection and monitoring X X
30. Supplier management X X
31. Test item management X X
32. Test Methods and Validation X X
Processes that affect a single standard
33. Certification evaluation co-ordination and X
review
34. Certification renewal X
35. Customer relationship management X
36. Infrastructure X
37. Product procurement X
38. Product verification X
39. Work environment X

5. Discussion

5.1 Why is a process perspective of the CASCO standards important?

In the first instance, it must be said that the requirements view presented in each of the CASCO standards is simply that
a view from a certain perspective, notably the 'conformity assessment' or 'audit' view i.e. the minimum expectation.
These requirements do not imply that these are sufficient for implementing the systems required to support these
objectives.

On the other hand, process descriptions (name, purpose, outcomes) are also in themselves insufficient as an
implementation model of a workable system.

HRD-104-PRD-02.ISO-17000-process-models.doc Updated: 2013-08-15 Page 5

 The design of process models for the ISO/IEC 17000 conformity assessment
standards
If a workable system is to be implemented, the following essential steps needs to be taken:

a. Information items (i.e. required documented information elements) need to be identified that result from each
outcome (i.e. what the process actually delivers);
b. A business process specification needs to be assembled that identifies the temporal (i.e. timing, triggers)
relationship that describe the behaviour of the process from the human (or user) perspective;
c. The information to be stored and managed in the information repository (i.e. database) needs to be defined,
together with the relationships between the elements in the repository; and
d. The functions and features of the system need to identified and described.

Only when these steps have been taken is it possible to begin the actual work of designing the 'nuts of bolts' of a
workable IT system to implement the required processes.

5.2 Who is likely to find the process perspective helpful?

The primary users of the process perspective are role players who are called upon to develop, implement and maintain
the working systems that implement the intent of the requirements of the CASCO standards.

With reference to a very simple analogy, a packet of flower seeds usually contains a number of nondescript little brown
objects (i.e. seeds). These seeds in themselves bear no obvious visual relationship to the plant that will result from the
planting and nurturing of the seeds. Modern packets of seeds most often also support a colourful picture of the plant
likely to represent the end result of planting the seeds. Most purchasers of seeds will choose the seed variety based on
the picture on the packet. It is taken on faith that the little brown objects in the packet contain the DNA that will give
rise to a living plant that will be a reasonable replica of the picture presented on the seed packet.

To sum up, the process perspective is much closer to the user perspective than the requirements, bearing in mind that
the requirements perspective is essentially a view that meets the particular needs of the conformity assessment
community i.e. the management system auditors.

5.3 What is the future of this study project?

The SABS Technical Committee (TC175 Process Models) has undertaken the work of defining a new multipart series
on the topic 'Process benchmarking framework: Conformity assessment' based on the ISO/IEC 17000 series of
conformity assessment standards.

The series will contain the following parts:

1. Part 1: Concepts and overview
2. Part 2: Generic process model for conformity assessment entities
3. Part 3: ISO/IEC 17020 mapping to the Generic Process Model
4. Part 4: ISO/IEC 17021 mapping to the Generic Process Model
5. Part 5: ISO/IEC 17024 mapping to the Generic Process Model
6. Part 6: ISO/IEC 17025 mapping to the Generic Process Model
7. Part 7: ISO/IEC 17065 mapping to the Generic Process Model
This work is being undertaken in close liaison with SABS Technical Committee for Conformity Assessment (TC 180).
Parties who are interested in participating in the development and review of these emerging standards should take steps
to contact the relevant SABS project officers, namely:
a. Mrs Petro Du Plessis (petro.duplessis@sabs.co.za); and
b. Mr Vuyo Dokoza (vuyo.dokoza@sabs.co.za)

6. References
[1] ISO/IEC 17020, 2012, Conformity assessment Requirements for the operation of various types of bodies
performing inspection

HRD-104-PRD-02.ISO-17000-process-models.doc Updated: 2013-08-15 Page 6

 The design of process models for the ISO/IEC 17000 conformity assessment
standards
[2] ISO/IEC 17021, 2011, Conformity assessment Requirements for bodies providing audit and certification of
management systems
[3] ISO/IEC 27024, 2012, Conformity assessment General requirements for bodies operating certification of
persons
[4] ISO/IEC 17025, 2006, General requirements for the competence of testing and calibration laboratories
[5] ISO/IEC 17065, 2012, Conformity assessment General requirements for bodies operating certification of
persons
[6] ISO/IEC 24774, 2010, System and software engineering - Life Cycle Management - Guidelines for process
definition
[7] ISO/IEC 15504-2, 2003, Software engineering Process assessment Part 2: Performing an assessment

7. Author Contact Details

Dr Alastair Walker is the founder and chief executive officer of the Software Process Improvement
Laboratory. He holds the degrees of B Sc (Engineering) (1969), M Sc (Engineering) (1972), and Doctor
of Philosophy (1979). He lectured for 30 years at the University of the Witwatersrand, Johannesburg. In
2001 he established the Software Process Improvement Laboratory (SPI-LAB) in order to focus on
promoting software process improvement fulltime in local industry. He is a Fellow of the South African
Institute of Electrical Engineers.

He is a member of the Standards South Africa Information Technology Committee (TC 71), and chair
of SABS National Committee for Software Engineering Standards (SC 71C). He is the South African representative on
the international ISO/IEC JTC1/SC7 Software Engineering Standards Committee Advisory Board since 1994. He has
been a member since 1993 of the international team of experts tasked with the development of the standard for software
process assessment and capability determination (ISO/IEC 15504).

He is presently editor for ISO/IEC 20000-4 (Information technology Service management Part 4: Process
Reference Model), and ISO/IEC 15504-8 (Information Technology Process assessment Part 8: An exemplar
assessment model for IT service management).

Contact details: Dr Alastair Walker, SPI Laboratory (Pty) Ltd, P O Box 44041, Linden, 2104, Johannesburg, South
Africa, Office: +27-(0)11-888-9881; Mobile: +27-(0)82-452-0933; E-mail: office@spilab.co.za; Web:
http://www.spilab.co.za; Skype address: spilab

Appendix A Test Methods and Validation detailed view

This table shows the lower level detail implied by Table 2. The detailed associations of each singular requirement is
shown with reference to each process outcome.

Name Test Methods and Validation

Purpose The purpose of the Test methods and validation Process is to select and validate the methods used for
tests and calibrations.
Outcomes As a result of successful implementation of this process:
1. the standard methods used for test and calibration are identified;
2. methods developed for own use are identified;
3. non-standard methods are identified;
4. method validation activities are identified;
5. the range and accuracy of the selected methods is determined;
6. estimates of uncertainty in measurement are obtained.
Practices 1. the standard methods used for test and calibration are identified;
17025 5.04.1 1. The laboratory shall use appropriate methods and procedures for all tests
and/or calibrations within its scope. These include sampling, handling,

HRD-104-PRD-02.ISO-17000-process-models.doc Updated: 2013-08-15 Page 7

 The design of process models for the ISO/IEC 17000 conformity assessment
standards
Name Test Methods and Validation
transport, storage and preparation of items to be tested and/or calibrated,
and, where appropriate, an estimation of the measurement uncertainty as
well as statistical techniques for analysis of test and/or calibration data.
17025 5.04.2 1. The laboratory shall use test and/or calibration methods, including
methods for sampling, which meet the needs of the customer and which are
appropriate for the tests and/or calibrations it undertakes.
2. Methods published in international, regional or national standards shall
preferably be used.
3. The laboratory shall ensure that it uses the latest valid edition of a
standard unless it is not appropriate or possible to do so.
4. When necessary, the standard shall be supplemented with additional
details to ensure consistent application.
5. When the customer does not specify the method to be used, the
laboratory shall select appropriate methods that have been published either
in international, regional or national standards, or by reputable technical
organizations, or in relevant scientific texts or journals, or as specified by the
manufacturer of the equipment.
6. Laboratory-developed methods or methods adopted by the laboratory
may also be used if they are appropriate for the intended use and if they are
validated.
17020 2ED 7.1.1 1. The inspection body shall use the methods and procedures for inspection
which are defined in the requirements against which inspection is to be
performed.
17020 2ED 7.1.2 1. The inspection body shall have and shall use adequate [documented]
instructions on inspection planning [and on sampling and inspection
techniques, where the absence of such instructions could jeopardize the
effectiveness of the inspection process.]
4. Where applicable, the inspection body shall have sufficient knowledge of
statistical techniques to ensure statistically sound sampling procedures and
the correct processing and interpretation of results.
17020 2ED 7.1.9 1. The inspection body shall have [documented] instructions for carrying out
inspection in a safe manner.
2. methods developed for own use are identified;
17025 5.04.3 1. The introduction of test and calibration methods developed by the
laboratory for its own use shall be a planned activity [and shall be assigned
to qualified personnel equipped with adequate resources.]
2. [The introduction of test and calibration methods developed by the
laboratory for its own use shall be a planned activity and] shall be assigned
to qualified personnel equipped with adequate resources.
3. Plans shall be updated as development proceeds and effective
communication amongst all personnelinvolved shall be ensured.
17020 2ED 7.1.1 2. Where these are not defined, the inspection body shall develop specific
methods and procedures to be used (see 7.1.3).
3. non-standard methods are identified;
17025 5.04.4 1. When it is necessary to use methods not covered by standard methods,
these shall be subject to agreement with the customer [and shall include a
clear specification of the customer's requirements and the purpose of the
test and/or calibration.]
2. [When it is necessary to use methods not covered by standard methods,
these shall be subject to agreement with the customer and] shall include a
clear specification of the customer's requirements and the purpose of the
test and/or calibration.
3. The method developed shall have been validated appropriately before
use.
17020 2ED 7.1.3 1. When the inspection body has to use inspection methods or procedures
which are non-standard, such methods and procedures shall be appropriate
[and fully documented.]
4. method validation activities are identified;
17025 5.04.2 8. The laboratory shall confirm that it can properly operate standard

HRD-104-PRD-02.ISO-17000-process-models.doc Updated: 2013-08-15 Page 8

 The design of process models for the ISO/IEC 17000 conformity assessment
standards
Name Test Methods and Validation
methods before introducing the tests or calibrations.
9. If the standard method changes, the confirmation shall be repeated.
17025 5.04.5.2 1. The laboratory shall validate non-standard methods, laboratory-
designed/developed methods,standard methods used outside their intended
scope, and amplifications and modifications of standardmethods to confirm
that the methods are fit for the intended use.
2. The validation shall be as extensive as is necessary to meet the needs of
the given application or field of application.
3. The laboratory shall record the results obtained, the procedure used for
the validation, and a statement as to whether the method is fit for the
intended use.
5. the range and accuracy of the selected methods is determined;
17025 5.04.5.3 1. The range and accuracy of the values obtainable from validated methods
(e.g. the uncertainty of the results, detection limit, selectivity of the method,
linearity, limit of repeatability and/or reproducibility, robustness against
external influences and/or cross-sensitivity against interference from the
matrix of the sample/test object), as assessed for the intended use, shall be
relevant to the customers' needs.
6. estimates of uncertainty in measurement are obtained.
17025 5.04.6.2 3. In certain cases the nature of the test method may preclude rigorous,
metrologically and statistically valid, calculation of uncertainty of
measurement.
4. In these cases the laboratory shall at least attempt to identify all the
components of uncertainty and make a reasonable estimation, and shall
ensure that the form of reporting of the result does not give a wrong
impression of the uncertainty.
5. Reasonable estimation shall be based on knowledge of the performance
of the method and on the measurement scope and shall make use of, for
example, previous experience and validation data.
17025 5.04.6.3 1. When estimating the uncertainty of measurement, all uncertainty
components which are of importance in the given situation shall be taken
into account using appropriate methods of analysis.

HRD-104-PRD-02.ISO-17000-process-models.doc Updated: 2013-08-15 Page 9