ISO19770-1 has gone through something of a substantial overhaul since its last iteration in 2012. Dave Bicket, Jintaro Shinoda and Yoshinori Takahashi have grasped the nettle, and with the support of the WG21 community, have sought to make the revised standard fit for adoption and integration with other ISO standards.
ISO19770-1 seeks to focus on the processes required to manage IT Assets – and this is the first change the standard has undertaken: no longer are we looking to purely manage software assets, but rather the hardware (or elements of it) that can support the concept of value in IT asset utilisation.
The following analysis of ISO19770-1: 2017 will seek to highlight the structural changes of the latest revision, alongside some tips and tricks from SAM Charter that will help you achieve those goals.
ISO19770-1: 2017 – A Component-Level Breakdown
The most significant change undertaken by the latest revision is to move away from the service-management driven approach to achieving SAM, and to start following in the foot-steps of an ISO-led approach. Accordingly, ISO19770-1: 2017 has been re-written as a Management Systems Standard. What does this mean? Well, if you compare ISO 27001, ISO 9001 and ISO 14001, the principle headings in all of the Standards will be the same:
Terms and Definitions
Context of the Organisation
I am conscious of possibly replicating the contents of ISO19770-1: 2107 within this blog (which is available for purchase here: https://www.iso.org/obp/ui/#iso:std:iso-iec:19770:-1:ed-3:v1:en) but by adopting these headings to offer information and guidance on ITAM, it then means that the culture of management system standards should be less invasive at the point of implementation if a former management system standard has already been adopted. It also makes points of overlap easier to spot if a standardised and methodical approach is adopted between varying business and IT disciplines covered by ISO.
To that end, the new instance of ISO19770-1: 2017 appears to be a good deal slimmer, as the content is keener to offer definitions on specific terms within the ITAM discipline, than it is to detail what outcomes should be sought to achieve a given level of ITAM maturity on a weekly, quarterly or annual timescale. After all, is it reasonable to apply timescales to all organisations regardless of size or ITAM resource at their disposal?
If you wish to adopt a “SAM 101” approach SAM, then please get hold of an old copy of ISO19770-1 – the content here seeks to map outcomes against maturity, and could provide you with pointers that you might not have thought about when it comes to including steps in your SAM/ITAM processes.
Being a management system standard, the new ISO19770-1 looks for you to set your own “ITAM bar” and to plot your own road to get there – albeit shrouded by the headings above.
How can SAM Charter help with ISO19770-1: 2017?
SAM Charter takes the view that processes are the glue of SAM/ITAM. The market to date (particularly in the UK) has been obsessed with applying technology to SAM, and expecting the problem of ITAM to disappear: would you expect a thermometer to cure you of your cold? As if to reinforce this point, we have created a very simply scripted video in our awesome explainer video entitled the Bermuda Triangle of SAM. This serves to highlight, how, if the varying processes involved in SAM fail to communicate with each other, then you are leaving yourself exposed to the perfect storm of a Vendor audit – either with or without a SAM tool.
ISO19770-1: 2017 – Scope
Many SAM functions spring up from a resulting (painful) software vendor audit. The knee-jerk reaction is to get the software of that vendor into a “just-so” position, with a view to not being stung by a vendor audit in the future. However, such a view point doesn’t allow for the waves of change resulting from the IT estate in the intervening time between the audit just gone and the next time an Effective Licence Position (ELP) is called for. A more holistic approach concerning why the last ELP was so bad will invariably highlight an absence of control in either deployment or purchase – which is applicable to ALL vendors – hence why setting a scope to remediate a just-passed audit is retrospective and takes away time and effort that could be applied to other vendors, whose audits will be coming into view on your horizon in the near future.
Take a risk-based approach in determining the business and IT issues your ITAM Management system is seeking to address. This will ensure that your ITAM Management System is scalable, flexible and knows which Key Performance Indicators (KPIs) can be used to represent a picture of “What Good Looks Like”.
Your scope can be informed by:
Start small and grow big; unless you are well resourced with systems and staff, attempting to throw your arms around the entire IT estate from day one is going to prove challenging to say the least.
Your scope should be defined in your Corporate Governance Process, from which you produce an ITAM Policy document, and a statement of applicability. These two documents should help define what your initial scope is, and what plans you have to widen it in the fullness of time.
Once an ITAM Policy and Statement of Applicability is in place, then and Organisation can set about creating an ITAM Operations Plan – which should seek to bind people, process and technology in coordinated goals supporting the ITAM Policy Document and Statement of Applicability.
Unless you are asked to implement an ITAM management system on a green-field site, you will find that some processes will already be in place. But just how good are those processes? An ITAM Maturity Assessment should be taken so that if existing acceptable practice is already in place, then this can be used as a foundation for continuing good ITAM practice. This helps an organisation by lessening the cultural shock that could ensue in implementing an ITAM management system, and also helps in identifying stakeholders that could contribute to the running of the ITAM management system that is to be created.
You can try a light/free ITAM Maturity Assessment – as offered by SAM Charter. If, after going through this assessment, you would like a deeper dive for your SAM/ITAM maturity then please email: email@example.com to find out more about a surgical analysis of your ITAM processes.
ISO19770-1: 2017 – Performance Evaluation
Like all management system standards, ISO19770-1: 2017 is very keen to ensure that arriving at a given state of ITAM maturity is not a one-time affair – the one constant in life is change and IT is no different. Any ISO Management System created should be adaptable to the change in and around its environment. Your People, Processes and Technologies should all be subject to performance measurement so that if a value is discovered that does not support the ITAM Policy, then corrective action can be taken at a time when the defective value is discovered – not just when a vendor audit, true-up or contract renewal is called for. In respect of processes, the SAM Charter Process Kit seeks to offer suggested KPI’s against which management system performance can be measured. A top tip here would be to ensure that any KPI’s chosen are, a: Automated (wherever possible) and b: have meaning/ relevance to the company. As an example, a software request process (from a service management point of view) might determine that success is measured by the speed with which the requested is actioned. Whereas from a SAM/ITAM perspective, it might be the cost/ percentage of software from the licence pool that is used to action the request:
“Perspective is Subjective”
Once you have outlined the Processes that seek to propel your People and Technologies in the direction of what good ITAM looks like, then you will quickly come to realise that the red or black figure at the bottom of an ELP report is such a poor way of determining the ITAM health of your IT estate. It’s the difference between knowing you have a headache, and why your head is hurting in the first place. Your IT estate is comprised of multiple interactions and pulse-points. The best way to measure these pulse points is by attributing KPIs to your ITAM processes as mentioned above. If you are looking for guidance on where to start with your pulse-points, the findings of your ITAM Maturity Assessment would be a great place to look. Equally, SAM Charter has created a handy wall-chart demonstrating how your ITAM processes could fit together. Simply glide your cursor over the map to see the detail of how ITAM strategy links to ITAM operation and feeds back again. If you would like an e-copy ofthis Eco-system for yourself, then please go to our whitepapers page and download a copy for free.NB: The most important word on this Eco-System is “Template”. In the same way that ISO looks to offer you guidance on constructing an ITAM management system through processes, SAM Charter is seeking to offer you a suggestion of the manner in which your ITAM processes could fit together.
ISO19770-1: 2017 – Improvement
Measurement, management and improvement has long been a mantra SAM Charter seeks to weave into its SAM practices. So, it’s great to see that Working Group 21 have adopted a management system approach to the latest edition. Having an optimal idea of what value should be applied to performance measurement, then (by implication) suggests that a play-book needs to be written should process performance fall below or exceed acceptable bands of behaviour.
In our example of the software request process, if we place an arbitrary value of $xxxx against how much software is drawn down from the licence pool in satisfying software request demand, we might reasonably expect to see a downward curve as the licence pool is eroded. Three scenarios present themselves as a result:
The spend-curve is dwindling to zero licences held value. The organisation will want to retain a degree of licence reserves so that it isn’t seen to be operating in a “Just in Time” (JIT) capacity – i.e. we only order software when we need it (great for manufacturing, not so good for IT). The administrative overhead could prove tiresome and counter-productive to volume purchasing benefits.
The spend curve is consistent, but the quantity of licences held is going up. Here we might see that the business is rubber-stamping new software requests, rather than performing due-diligence and checking to see whether or not a licence exists to honour the software request.
Software in the licence pool has not been requested in the last X months. For those of us in the EU, we could consider reselling those licences back into the second-hand market, as this software could be viewed as “dead money”. A deeper examination as to why the software was requested and its quantity, might also follow.
So here we have an example of why trend analysis and monthly reporting would be of benefit to an organisation in a cost/benefit scenario. Having such “plans of attack” built into the ITAM management system demonstrates a proactive trimming of the sails and means that the ITAM function is not lost when it comes to deciding upon a course of action to correct ITAM performance.
Think of this too, from the C-Level point of view: if a quarterly report highlights a major compliance risk (over-installation) or an excess of shelf-ware (an overspend), then imagine how much easier their lives would be if they also saw a remediation plan in place to correct either eventuality?
ISO19770-1: 2017 – Summary
We hope you have enjoyed this introduction to ISO19770-1: 2017 and the newly formed approach it offers to tackling IT Asset Management. A final doffing of caps (once more) has to go to Dave Bicket, Jintaro Shinoda, Yoshinori Takahashi and the rest of the WG21 group. I appreciate the emotional investment in the former version of the 2012 standard could have resulted in seeking to put a light ISO wrapper around the 2012 instance of the standard, but the surgery with which they applied to the old version and re-write of this dearly held IT discipline means that readers have sufficient elbow room to be creative, and yet still have to justify the customisations needed for their respective institutions.
As ever, SAM Charter is well placed to guide an organisation through “what good looks like”.
Reach out today via: firstname.lastname@example.org and learn more on how SAM Charter can help you avoid The Bermuda Triangle of SAM and drive ITAM best practice into your organisation.