Note: This article represents the personal opinion of the convener of the ISO SAM working group, ISO/IEC JTC1 SC7 WG21 (‘WG21’). It is based on personal experience, and cites some of that experience in justifying the opinions expressed here. This article is addressed to SAM and ITAM practitioners. © David Bicket 2012
There are two major and overlapping developments coming which will significantly shape the future of ISO standards for Software Asset Management (SAM) and IT Asset Management (ITAM). This article explains these developments and how SAM and ITAM practitioners can help to shape some of these developments.
Although these developments affect the future for SAM and ITAM, the work on them is happening now. Some of it is contentious, and it is an aim of this article to highlight these areas of contention to allow for informed debate.
What’s in it for Me?
Current developments are the beginning of a trend which you, the SAM or ITAM practitioner, need to understand because it will completely transform the relationship between yourself and the other management practitioners in your organization (or your client organizations). SAM and ITAM are becoming part of a larger community of management practitioners, with standards being the driver for this integration. Your membership in IAITAM gives you a voice in how the transition evolves, with an immediate opportunity to contribute to integration with the physical asset management practitioner community.
This article gives you topics of conversation you can use now with senior management and with those involved in finance, physical asset management, or management systems such as ISO 9001 for quality management, ISO/IEC 27001 for IT security management, or ISO/IEC 20000-1 for service management. In such conversations you can demonstrate your awareness of these longer-term issues, and you will have a further opportunity to sell the value of SAM or ITAM services to these other groups.
You can also use this information to start aligning strategic planning efforts to exploit these developments as they become available.
If you wish to contribute to these developments, you can help by reviewing the latest draft of the new ISO 5500x standard on (generic) asset management, with which ISO SAM will eventually be aligned. See the section below on “Opportunity for Participation and Review.” The deadline date for providing comments is 13 April 2012. People who may be particularly interested in helping are those who:
- Have some involvement in physical asset management
- Have some involvement in certifications for ISO 9001, ISO/IEC 27001, and ISO/IEC 20000-1
- Are responsible for or interested in long-term strategic planning for SAM and ITAM
Summary of Current Developments
There are two separate but overlapping developments which are important to the future of ISO SAM and ITAM standards. While these may not initially appear to be momentous, their impact on the future of SAM and ITAM certainly will be. The second is potentially the more contentious, so this article addresses it in the most detail.
- Standardized approach for all Management Systems Standards. There is a popular type of international standards called a Management System Standard which includes ISO 9001 on quality management, ISO/IEC 27001 on IT security, ISO/IEC 20000-1 on service management, and ISO 14001 on environmental management. Although there is a fundamental consistency between all of these standards, they are sufficiently different to create headaches for organizations striving to implement multiple standards in a consistent manner. ISO’s Technical Management Committee has mandated that all Management System Standards in the future must be written (or re-written in their next update) using a standardized approach, with the same basic clauses, common text, and common terminology as specified by Guide 83, with limited scope for variation. ISO/IEC 19770-1 on Software Asset Management was originally written as a Management System Standard, but it is not currently structured in the usual manner. A rewrite is planned as part of the next edition which we are starting to work on now but which will not be published for several years. The proposed new ISO 5500x on (generic) asset management is also being written as a Management System Standard and follows the specifications of Guide 83.
- Umbrella standard for asset management. The world of physical asset management is populated by numerous professional associations, many with their own standards and bodies of knowledge. There are also a number of national generic standards, and sector-specific national and international standards, but there is significant inconsistency between these, and no ISO standard for many sectors. As a result, proposals to develop a generic ISO standard for physical asset management were well received. The goal is to provide an ISO standard for those sectors without one and provide an umbrella standard for, but not replace, existing sector-specific standards. It was recognized during the initial discussions that the scope could not be limited to physical assets, but must also be applicable to assets such as software. The resulting draft standard, ISO 5500x, is “particularly intended to be applied to the management of physical assets but this does not limit application of the principles to other asset types.” Software assets are specifically covered by this formulation. Although we refer to the ISO 5500x standard, there are actually three separate standards for numbering purposes which are being developed as a cohesive whole:
  - ISO 55000 Asset Management — Overview, Principles and Terminology
  - ISO 55001 Asset Management — Management Systems — Requirements
  - ISO 55002 Asset Management — Management Systems — Guidelines for the Application of ISO 55001
These documents are now in their second Committee Draft versions, with the deadline for collected comments from all sources on 26 May 2012. IAITAM is a liaison organization with the ISO SAM Working Group and can submit comments into this review and revision process until the 19th of April. It is likely that the next stage for the standard will be at the Draft International Standard level, in autumn of 2012. The best possible opportunity for ensuring that ISO SAM dovetails well into this umbrella framework is now.
Understanding the Context: the Effect of Living in Silos
I often find that understanding the context for a discussion can be as important as the discussion itself, because people bring to the discussion their respective mindsets and vocabularies which are sometimes incompatible. The context for this article is the recognition that we have many disparate worlds – or silos – of people working in the disciplines of SAM, ITAM, and physical asset management, and their differences create major problems which we can ignore if we wish to continue working in our own silos, but which we need to resolve if we want to work together effectively.
It is also important for the purposes of this article to understand my personal context. I am the convener of the ISO working group responsible for international SAM standards, and had a role in the development of the original ISO SAM process standard (ISO/IEC 19770-1:2006). Before that, I project-managed and wrote part of the original ITIL SAM Guide, published in 2003. Prior to the ITIL SAM Guide there had been virtually no agreement about what SAM included, with a myriad of diagrams in the market showing various pyramid, cycle wheel, or block visions of what was included in SAM. Both ITIL SAM and ISO SAM helped to generate consensus within the SAM and ITAM practitioner communities about what SAM is, but it was an evolutionary process, and in my view the evolution is not complete.
In 2010 I became involved in an ISO committee (ISO PC251) set up to develop a new international standard for asset management, with most of its membership representing different national communities of practitioners of physical asset management disciplines, such as plant and equipment management, building and land management, and water and wastewater management. My experience in this committee has helped form the views expressed in this article. The feedback I received from some SAM practitioners to what was happening in this committee convinced me of the need to write this article.
I have deep respect for the practitioners involved in the areas of SAM and ITAM, and also in the many varied areas of physical asset management. It was eye-opening for me to see how deeply immersed most of these practitioners are in the particular sets of concepts and terminology with which they have learned their trades, and how passionately they argue for particular focuses or wording when the underlying concepts are essentially the same. Positions do change, but it takes time and open minds. The work in PC251 has been a case in point: the initial positions held by many people and delegations were quite dogmatic about the rightness of their respective approaches, but over the course of the last year, as they worked intensively with each other, most in my view have come to realize that there is a shared professionalism which sees no existing approach winning but something better coming out of it for everyone. Within the SAM and ITAM communities there has not been as significant a challenge as this in the past, with only the recent work on software entitlement tags starting to generate a similar level of passion from differing viewpoints. But I expect that we in the SAM and ITAM worlds will have more challenges of this type as we progress professionally, and as we start to cooperate more with other professions and not just with ourselves.
I believe there are a number of additional factors affecting the state and direction of development of the different worlds of SAM, ITAM, and the various physical asset management disciplines. In particular:
- Period of existence: Professional associations involved in physical asset management disciplines have been in existence far longer than ones involved in SAM and ITAM. Commercial IT didn’t exist until after WWII, and SAM and ITAM didn’t start to be widely recognized until the 1990s. The predominant professional association for SAM and ITAM is the International Association of IT Asset Managers (IAITAM), which now in 2012 is celebrating only its 10th anniversary. On the other hand, associations like the Institute of Public Works Engineering Australia were founded as long ago as 1905, the American Public Works Association in 1937, and the National Property Management Association in the US was formed in 1970.
- Geographic and functional specialization: The professional associations involved in physical asset management disciplines have tended to have national focuses, or specialist area focuses, or both. They tend to be well organized and reasonably well funded, with their own qualifications, standards, and bodies of knowledge, and with paid memberships typically in the low thousands or less. There are relatively few associations for SAM and ITAM, and only one with a significant membership base, which is IAITAM. It started in the US, but is now international.
- Maturity of practices: The SAM/ITAM worlds may be more mature than the physical asset management worlds in some areas of complexity and rapid change, such as license management and patch management. However, the physical asset management worlds are more mature in my opinion in terms of the professional associations they have established and the bodies of knowledge they have built up, and the way that they link what they do into strategic business objectives.
- Number of practitioners involved, and coherence of the practitioner communities: I do not have good statistics on which to base this set of observations, but nonetheless my view is that there are significantly more people involved in SAM and ITAM than in physical asset management disciplines since virtually every organization needs to manage its software and IT assets for operational reasons, whereas fewer organizations have sufficient investment in physical (non-IT) assets to justify a strong focus on that area. Nonetheless, as a group SAM and ITAM practitioners do not have the visibility or credibility of their physical asset management brethren. Consistent with this view, from a membership perspective IAITAM possibly has nearly as many members as most of the physical asset management associations put together, but it probably does not yet have a professional impact equivalent to the impact of the many physical asset management associations on their members and member organizations.
As a result of the above, it is my view that physical asset management practitioners as a whole have “their act together” better than SAM/ITAM practitioners as a whole. SAM/ITAM practitioners need to recognize that we have some natural maturing to do, with the pace being accelerated because of the opportunity/need to integrate into the world of all Management System Standards, and in particular with ISO 5500x for generic asset management.
Why Revise ISO SAM to be a Management System Standard?
ISO/IEC 19770-1 was always intended to be a Management System Standard, and still contains the essential elements of a Management System Standard. However, it was restructured into an alternative format which was acceptable to ISO/IEC JTC1 SC7 while under development.
The plan within WG21 is to rewrite ISO/IEC 19770-1 in its next version to be a formal Management System Standard conforming to Guide 83 as all other Management System Standards must now do. There are still some hoops through which WG21 needs to jump. In particular, ISO requires a Guide 72 justification study which must be approved before ISO SAM can formally be accepted as a Management System Standard. This remains to be done, but is already being coordinated with ISO.
There are three main reasons for wanting to rewrite ISO/IEC 19770-1 as a formal Management System Standard conforming to Guide 83 in its next edition:
- To allow ISO SAM to benefit from the accumulated knowledge of all other Management Systems Standards as to how such standards are best written, without excesses or omissions in particular areas
- To ease implementation of ISO SAM with other Management System Standards such as ISO 9001 and ISO/IEC 27001, increasing implementation rates for ISO SAM
- To ease implementation of ISO SAM with ISO Asset Management, another Guide 83-conforming Management System Standard, and therefore increasing cooperation between SAM/ITAM practitioners and physical asset management practitioners. (See below for more on the relationship between SAM and physical asset management.)
Why Include SAM in the Scope of the New ISO Asset Management Standard?
The big question is why we should include SAM in the scope of the new ISO asset management standard. This topic can generate quite heated discussions.
Before exploring some of the objections, consider the two major arguments for including SAM in the primary scope of the new ISO Asset Management standard:
Pro Argument 1: It is virtually impossible to consider the management of physical assets in today’s world without including the management of software assets, since most physical assets rely increasingly on software for their monitoring if not for their actual operation. Furthermore, most physical equipment is increasingly network addressable. The skills of the SAM and ITAM practitioner are needed in the physical asset management world and need to be explicitly within the primary scope of the ISO asset management standard.
Pro Argument 2: An even stronger argument for including SAM in the scope of the new ISO Asset Management standard is a technical one, but with huge implications. If software assets were not accepted as being in the primary scope of the new ISO Asset Management standard, then we would end up with a situation where two separate ISO standards, with potentially different approaches, would each claim to cover the same scope of IT assets, i.e.:
| ISO Asset Management Standard | ISO SAM Standard |
| --- | --- |
| Would apply to all physical IT assets and related software assets. Physical assets would be the primary focus. | Would apply to all software assets and the related physical IT assets on which they run. Software assets would be the primary focus. |

This would result in directly competing standards for the same scope of IT software and physical assets, which would be untenable. We could never expect the real world to accept a separate but contradictory standard for SAM when organizations are controlling all other assets using a different standard. The two must instead dovetail together and that cannot happen unless the umbrella standard clearly allows for software assets to be part of the primary scope.

From the physical asset practitioner community there have been a number of objections. The following are two of the main arguments which have been given, and a personal response to each:
Physical Objection 1: The practitioners involved in ISO PC251 are mostly from the physical asset management world, and cannot validate the applicability of the standard being developed to anything more than physical assets.
Response: It is not realistic for each expert to be competent in all areas in which a standard could be applied. There will almost always be domains where a standard can be applied that are not familiar to all experts. In any case, other domains are represented in PC251 directly and indirectly, such as software asset management and air traffic control. It is not realistic to expect the experts from other domains, already involved in ISO-level committees or working groups, to all participate directly in ISO PC251 which doubles the demands on their time and finances. The ISO commenting process provides the avenue for all of the experts to have a voice. SAM/ITAM practitioners in particular can contribute through the commenting process made possible by IAITAM and WG21.
Physical Objection 2: Physical asset management practitioners for practical reasons want an ISO-level standard to replace the national-level and association-type standards they have at present. But they do not want to “boil the ocean” by creating a global standard for all types of assets which will be less specific than what they really want.
Response: The sentiment behind this objection is understood, but the problem for such objectors would still exist even if software assets were excluded from the scope of the ISO asset management standard. There are already so many variations in detailed requirements for different sector-specific physical asset management standards and bodies of knowledge that generalization is inevitable even for a standard focused just on physical assets. The level of generalization required just for all physical assets is sufficient to also cover software assets. It just prevents the word physical from being a normative part of the standard (i.e. in the requirements of ISO 55001). For overview and guidance purposes (i.e. in ISO 55000 and ISO 55002), extensive examples can be included from various sectors of the physical asset management world, and likewise some examples can be included from the software asset management world.
From the software asset management practitioner community there have also been a number of objections. The following are some of the arguments which have been given, and a personal response to each:
SAM Objection 1: We already have a standard for SAM, and considerable effort has been invested by industry in understanding and implementing it. We don’t need a more generic standard to cover the same requirements.
Response: The ISO 5500x generic asset management standard will not replace the ISO SAM standard, but rather provide a common framework so that SAM and ITAM practitioners can work effectively with physical asset management practitioners. The overall scope statement for ISO 5500x states that “The International Standards do not specify financial, accounting, or technical requirements for the management of specific asset types.” The ISO SAM standard will be needed to address the specific requirements of Software Asset Management.
SAM Objection 2: Software assets, particularly software licenses, are so different from physical assets that a standard largely intended for physical assets can never properly cover the relevant requirements such as for license management.
Response: In the worlds of SAM and ITAM we justifiably are quite proud of our need to deal with incredible complexity in the area of software licensing. However, we are not the sole owners of this issue. Licensing is a reality in much of the physical asset world as well (even ignoring the software licensing now increasingly used in that world). For example, much manufacturing/production is based on the licensing of patents or trademarks which need to be controlled, and there is a significant likelihood of audits from IP owners. Also, all regulated industries are effectively licensees to their respective governments or regulatory bodies. In some cases there is a single license to operate; in other cases a number of licenses are purchased through competitive tenders, e.g. for communications spectrum. There are differences of scale, from a single license underpinning an electrical grid’s entire business to large numbers of licenses for small job manufacturers, both for manufacturing royalties and for the software used in the machines. There are likewise rights which are truly assets which need to be controlled, such as water rights, mineral rights, carbon emission rights (credits), etc. SAM and ITAM can contribute our expertise on these subjects to the physical asset management world, but we do not have a monopoly on all such expertise. Industries which are highly regulated probably have a better focus on the complexities of license compliance for their limited number of licenses than we do in SAM and ITAM for our many licenses.
SAM Objection 3: Software is not even an asset based on financial definitions if it does not have a balance sheet value. If you don’t consider software an asset, then clearly you cannot apply a regular asset management standard to it.
Response: The definition of an asset has been much discussed within PC251. The consensus definition for asset is “something that has potential or actual value to an organization”. Value is defined as being “tangible or intangible, financial or non-financial; and includes consideration of risks and liabilities. It can be positive or negative at different stages of the asset’s life.” Consequently, whether something shows up as an asset in the balance sheet does not change whether it is an asset or not: this is an issue both for physical assets (e.g. fully depreciated but still valuable assets which must continue to be managed), and for software assets (most of which are immediately expensed rather than being expensed gradually via depreciation).
The Benefits of Dovetailing ISO SAM into ISO 5500x
There are major benefits both to the SAM/ITAM communities, and to the physical asset management communities from dovetailing SAM into ISO 5500x, but without losing SAM’s unique identity and requirements as expressed in ISO/IEC 19770-1:
- Benefits to everyone: Firstly, we increase each other’s leverage with corporate management by presenting a common approach for all asset management disciplines and by working more effectively together. Secondly, if we do not dovetail SAM into ISO 5500x, then we will end up with two separate standards, using different terminology and concepts, each covering the same scope of IT assets, differing only in primary focus. Avoiding two such overlapping and effectively competing standards for the same scope is desirable for everyone.
- Benefits to the physical asset management world: We bring the ability to use the skills and approaches of SAM and ITAM into the physical asset management world in a fully aligned way, to deal with the increasing requirements for software asset management for physical assets. We can also share some of our specialist skills in licensing in the broader context of the licensing/royalty control requirements of physical asset management disciplines.
- Benefits to the SAM and ITAM world: SAM and ITAM will benefit from the collective and consolidated knowledge of all of the other areas of asset management which are contributing to the creation of ISO 5500x. Examples of areas where we can expect significant improvements are (1) driving SAM more effectively top-down to meet business requirements, rather than looking for justification after-the-event for activities which often may not be that easy to justify; and (2) providing better linkages with financial management and with the financial statements. As one specific example of the latter, the last ISO PC251 meeting included a presentation by a KPMG partner proposing how notes to financial statements could be used to provide transparency into the effectiveness of asset management. While this proposal was focused on capital assets, it should be possible to extend the principle to cover all asset types, including software assets, finally giving high-level visibility of this area to shareholders and investors. This would be a major benefit for SAM and ITAM.
Opportunity for Participation and Review
IAITAM members are able to download the current Committee Draft copies of ISO 5500x, together with the commenting forms and some guidance documents, from the member area of the IAITAM website. Comments must be returned by 19 April 2012 to the address given in the download pack.
We are looking in particular for the following types of comments:
- Any requirements specified in ISO 55001 that are formulated in a way which does not work well for software assets. Please suggest alternative formulations which do work
- Suggestions for examples using software assets to be included in the guidance standard (ISO 55002). Please suggest specific text.
Further Information about ISO SAM Standards
Further information about ISO SAM standards and the work of WG21 can be obtained from the group’s website at www.19770.org. The SAM process standard ISO/IEC 19770-1 is just one of several standards already published or in development. There is a published standard for Software Identification Tags (ISO/IEC 19770-2:2009) which is being adopted by the IT industry to overcome the problems of software management with better technology and not just with better processes. It has particular value in improving security controls, e.g. improved control over identification and authentication of software and its provenance, with linking to vulnerability databases for improved automation of security exposure monitoring and corrective action.