Documente Academic
Documente Profesional
Documente Cultură
assessment standards
Dr Alastair Walker
SPI Laboratory (Pty) Ltd, Johannesburg, South Africa
Summary: Although the process approach features strongly in the published management systems
standards (e.g. ISO 9001), processes are not significantly part of the description of the CASCO ISO/IEC
17000 series of conformity assessment standards. The absence of an overt process approach creates
problems for implementers of management systems conformant to the ISO/IEC 17000 series
requirements. During 2013 a project has been undertaken under the auspices of SABS TC 175 (Process
Models) in liaison with SABS TC 180 (Conformity Assessment) to define process models for the ISO/IEC
17000 series standards. This technical paper summarises the key results of this project to-date.
1. Introduction
The project to develop processes models evolved out of a need in SABS Technical Committee for Conformity
Assessment (TC 180) for a graduated approach for the adoption of ISO/IEC 17025.
Although the process approach features strongly in the published management systems standards (e.g. ISO 9001),
processes are not significantly part of the description of the CASCO ISO/IEC 17000 series of conformity assessment
standards. The absence of an overt process approach creates problems for implementers of management systems
conformant to the ISO/IEC 17000 series requirements. During 2013 a project has been undertaken under the auspices
of SABS TC 175 (Process Models) in liaison with SABS TC 180 (Conformity Assessment) to define process models
for the ISO/IEC 17000 series standards.
The paper first defines the basis of the method used for describing processes. Such descriptions are based on the
applicable standard for this purpose, i.e. ISO/IEC 24774 (Guidelines for process definition). The normative elements of
such process descriptions include process names, process purpose statements, and process outcomes. ISO/IEC 15504-2
(Performing an assessment) elaborates the purpose outcomes to describe 'process outputs' or 'work products' that are the
direct result of the performance of the process.
The paper then considers the alignment of processes (i.e. names, purposes, outcomes) to the normative requirements in
ISO/IEC 17000 series. Traceability is developed between these requirements and the process outcomes as a key aspect
of verifying the integrity of the proposed process models. The purpose behind developing a detailed view of traceability
to the requirements in these standards is to:
a. determine the extent of the alignment of each outcome to the requirement in ISO/IEC 15504-2 6.2.4 c) (i.e. that
Level 1 process capability should not be exceeded); and to
b. identify any outcomes that are missing, or do not address the normative requirements of the ISO/IEC 17000 series.
Section 3 reviews the methodology applied to developing outcomes conformant to the Level 1 requirement of ISO/IEC
15504-2.
Section 4 examines the challenge of aligning the requirements of ISO/IEC 17000 series to process outcomes.
Section 5 discusses some of the key implications of the results of this work.
2. Creating process outcomes that are aligned to the requirements of the ISO/IEC 17000 series
2.1 ISO/IEC 15504-2 identifies normative requirements for the development of process outcomes
The fundamental elements of a process reference model are the descriptions of the processes within the scope of the
model. The process descriptions in the process reference model incorporate a statement of the purpose of the process
which describes at a high level the overall objectives of performing the process, together with the set of outcomes
b) in any process description the set of process outcomes shall be necessary and sufficient to achieve the purpose of the
process;
c) process descriptions shall be such that no aspects of the measurement framework as described in Clause 5 of this
International Standard beyond level 1 are contained or implied.
production of an artefact;
2.2 ISO/IEC 24774 identifies criteria by which to judge the quality of process outcomes
a) The list of outcomes associated with a process shall be prefaced by the text, "As a result of successful
implementation of this process...".
b) An outcome shall be phrased as a declarative sentence using a verb in the present tense. For example, if the
preceding sentence was phrased as an outcome, it might read, "Outcomes are phrased as declarative sentences using
verbs in the present tense." Typically, the verb is "is" or "are" although others may be used when appropriate.
c) Outcomes should be expressed in terms of a positive, observable objective, e.g. the production of an artefact, the
provision of a service, a significant change of state, the successful maintenance of a desired state (e.g. safety), or the
meeting of specified constraints (such as requirements, goals, etc).
d) Outcome statements should be no longer than two lines of text, about twenty words.
e) The number of outcomes for a process should fall within the range 3 to 7.
f) Although an outcome should express an observable result, it is not necessary to express the outcome as the
production of a document, record of other item of information.
g) An outcome should express a single result. Hence, the use of the word "and" or "and/or" to conjoin clauses should be
avoided; such constructions are better expressed as multiple outcomes.
h) Outcomes should be written so that it should not require the implementation of a process at any capability level
higher than 1 to achieve all of the outcomes, considered as a group.
This section explains the method used to verify the process outcome statements in the light of requirements associated
with the ISO/IEC 17000 standards.
To do this, we need to first consider the nature of the requirements as they appear in the CASCO standards. In most
instances, such requirements are what may be referred to as 'compound requirements'. To create traceability of a
requirement to an outcome, it must be considered to be 'singular' i.e. have only one 'shall' requirement.
A compound requirement identifies more than one obligation (i.e. 'shall') to be satisfied. Singular requirements are
created from compound requirements by separating out the distinct requirements.
1 The inspection body shall have [documented] instructions for carrying out inspection in a safe manner.
2 [The inspection body shall have] documented instructions [for carrying out inspection in a safe manner.]
These requirements each address distinctly different aspects of the compound requirement. Different processes are
required to support each of these singular requirements.
Requirement 7.1.9 1 is associated with the process, Test Methods and Validation, while requirement 7.1.9 2 is
associated with the Information Management process.
7.1.9 1 The inspection body shall have [documented] instructions for Test Methods and Validation
carrying out inspection in a safe manner.
7.1.9 2 [The inspection body shall have] documented instructions [for Information Management
carrying out inspection in a safe manner.]
With reference to Figure 1, one consequence of the actions referred to in Table 1 is that all singular requirements can be
allocated to process outcomes. From an ISO/IEC 15504-2 perspective, we also need to ensure that Level 1 (i.e. process
performance) process capability is also satisfied.
Sub-clause 1 Process 1
1.1 Singular requirement 1.1 Outcome
1.2 Singular requirement 1.2 Outcome
1.3 Singular requirement 1.3 Outcome
Process 2
2.1 Outcome
2.2 Outcome
Sub-clause 2 2.3 Outcome
2.1 Singular requirement
2.2 Singular requirement Process n
2.3 Singular requirement n.1 Outcome
n.2 Outcome
n.3 Outcome
Figure 1 A generalised view of associations between singular requirements and process outcomes
3.4 The extent to which the requirements in the ISO/IEC 17000 series can satisfy these criteria
Looking at Table 2, associated with each outcome is listed one or more sub-clauses from a CASCO standard.
We note that ISO/IEC 17020 has requirements that address outcomes 1, 2 and 3. The fact that it does not have
requirements that address outcomes 4, 5 and 6 does not imply that these outcomes can be ignored when this process is
implemented in the context of this standard. All it means is that the requirements to support these outcomes were not
considered by the technical committee responsible for this standard. (In other words, omission of a requirement does
not imply that the requirement is not important.)
In contrast to ISO/IEC 17020, ISO/IEC 17025 has requirements that support all of the described outcomes for this
process.
4. Processes and their association with the ISO/IEC 17000 standard series
We noted that with reference to Table 3, not all the CASCO standards have requirements that can be associated with
process outcomes for a given process. There are some processes (13 in the first group) that have outcomes that are
supported by singular requirements for all the CASCO standards. On the other hand, there are some processes (7)
where the outcomes are traceable to a single standard. Although these processes may be important to the context of
operating the other CASCO standards, the technical experts who crafted the requirements clearly did not deem it
essential to draw specific attention to the concerns implied by these processes.
Table 3 Processes and their associations with the ISO/IEC 17000 standard series
Process name 17020 17021 17024 17025 17065
Processes that affect all the standards
1. Appeals/complaints/disputes X X X X X
2. Audit X X X X X
3. Certificate design X X X X X
4. Certification service fulfillment X X X X X
5. Communication X X X X X
6. Confidentiality management X X X X X
5. Discussion
In the first instance, it must be said that the requirements view presented in each of the CASCO standards is simply that
a view from a certain perspective, notably the 'conformity assessment' or 'audit' view i.e. the minimum expectation.
These requirements do not imply that these are sufficient for implementing the systems required to support these
objectives.
On the other hand, process descriptions (name, purpose, outcomes) are also in themselves insufficient as an
implementation model of a workable system.
a. Information items (i.e. required documented information elements) need to be identified that result from each
outcome (i.e. what the process actually delivers);
b. A business process specification needs to be assembled that identifies the temporal (i.e. timing, triggers)
relationship that describe the behaviour of the process from the human (or user) perspective;
c. The information to be stored and managed in the information repository (i.e. database) needs to be defined,
together with the relationships between the elements in the repository; and
d. The functions and features of the system need to identified and described.
Only when these steps have been taken is it possible to begin the actual work of designing the 'nuts of bolts' of a
workable IT system to implement the required processes.
The primary users of the process perspective are role players who are called upon to develop, implement and maintain
the working systems that implement the intent of the requirements of the CASCO standards.
With reference to a very simple analogy, a packet of flower seeds usually contains a number of nondescript little brown
objects (i.e. seeds). These seeds in themselves bear no obvious visual relationship to the plant that will result from the
planting and nurturing of the seeds. Modern packets of seeds most often also support a colourful picture of the plant
likely to represent the end result of planting the seeds. Most purchasers of seeds will choose the seed variety based on
the picture on the packet. It is taken on faith that the little brown objects in the packet contain the DNA that will give
rise to a living plant that will be a reasonable replica of the picture presented on the seed packet.
To sum up, the process perspective is much closer to the user perspective than the requirements, bearing in mind that
the requirements perspective is essentially a view that meets the particular needs of the conformity assessment
community i.e. the management system auditors.
The SABS Technical Committee (TC175 Process Models) has undertaken the work of defining a new multipart series
on the topic 'Process benchmarking framework: Conformity assessment' based on the ISO/IEC 17000 series of
conformity assessment standards.
6. References
[1] ISO/IEC 17020, 2012, Conformity assessment Requirements for the operation of various types of bodies
performing inspection
Dr Alastair Walker is the founder and chief executive officer of the Software Process Improvement
Laboratory. He holds the degrees of B Sc (Engineering) (1969), M Sc (Engineering) (1972), and Doctor
of Philosophy (1979). He lectured for 30 years at the University of the Witwatersrand, Johannesburg. In
2001 he established the Software Process Improvement Laboratory (SPI-LAB) in order to focus on
promoting software process improvement fulltime in local industry. He is a Fellow of the South African
Institute of Electrical Engineers.
He is a member of the Standards South Africa Information Technology Committee (TC 71), and chair
of SABS National Committee for Software Engineering Standards (SC 71C). He is the South African representative on
the international ISO/IEC JTC1/SC7 Software Engineering Standards Committee Advisory Board since 1994. He has
been a member since 1993 of the international team of experts tasked with the development of the standard for software
process assessment and capability determination (ISO/IEC 15504).
He is presently editor for ISO/IEC 20000-4 (Information technology Service management Part 4: Process
Reference Model), and ISO/IEC 15504-8 (Information Technology Process assessment Part 8: An exemplar
assessment model for IT service management).
Contact details: Dr Alastair Walker, SPI Laboratory (Pty) Ltd, P O Box 44041, Linden, 2104, Johannesburg, South
Africa, Office: +27-(0)11-888-9881; Mobile: +27-(0)82-452-0933; E-mail: office@spilab.co.za; Web:
http://www.spilab.co.za; Skype address: spilab
This table shows the lower level detail implied by Table 2. The detailed associations of each singular requirement is
shown with reference to each process outcome.