The ISO/IEC 19770-1 Standard And Its Latest 2017 Revision

Many of you will have heard of the ISO/IEC standards under the banner 19770 series – there are several entries, but 19770-1 is probably the most familiar one as it relates to Software Asset Management best practices.

If you do not already have it, you can purchase a single-user copy of the Standard at one of these sites:

ANSI Store
ISO Store

The ISO/IEC 19770-1 Standard can be used by any organization and can be applied to all types of IT assets, but is primarily intended for use by:

  • those involved in the establishment, implementation, maintenance, and improvement of an IT asset management system;
  • those involved in delivering IT asset management activities, including service providers;
  • internal and external parties to assess the organization’s ability to meet legal, regulatory and contractual requirements and the organization’s own requirements.

ISO/IEC 19770-1 has just been revised - so what is the impact for those who wish to make use of it? Here is a high-level overview of the Standard and how it has changed since inception.

Originally launched in 2006, the 19770-1 Standard was first revised in 2012. It seems the primary focus was to address user concerns that an organization had to demonstrate conformance to the all of the requirements defined in the Standard at once – which was a burden and impractical even for large organizations. So the major improvement in this revision was the restructuring of the conformance requirements into four successive tiers which allowed companies to attain each tier separately in manageable pieces, rather than as a single requirement. These tiers were:

Tier 1: Trustworthy Data
Tier 2: Practical Management
Tier 3: Operational Integration
Tier 4: Full ISO/IEC ITAM Conformance

As of December 2017, the ISO/IEC 19770-1 Standard has been revised again, and there are some significant changes:

  • It has been reworked to align with and reference other ISO/IEC Standards - in particular the ISO 55001 Standard (2014)
  • It has been positioned as an extension or refinement of this ISO 55001:2014 Standard, which is primarily focused on physical assets – the ISO/IEC 19770-1 adds the details for the improved management of IT assets and in particular for software and licensing
  • The ISO/IEC 19770-1 Standard has been reorganized into 3 tiers:
    • Tier 1: Trustworthy Data
    • Tier 2: Life Cycle Integration
    • Tier 3: Optimization
  •  The conformance requirements have been rewritten and re-categorized to fit the new tiers – they have also been classified as either functional or life-cycle process requirements
  • The requirements now cover actual IT concepts such as outsourcing, cloud computing and BYOD
So what are our first impressions? The document is very heavy on definitions of terms and references in other standards and there are still some inconsistencies in examples behind some of the requirements – e.g. there are specific descriptions of what is expected from senior management, but very generic “determine what is required” when talking about Communication, for example.

Overall though, it looks like the revised ISO/IEC 19770-1 Standard is much more practical, covers topics and is more in line with current IT/ITAM needs than previous versions.

Have you looked at ISO/IEC 19770-1 before? What do you think of this latest update?