CHAPTER 3: WHAT IS ISO/IEC 19770?

Oh no! Not another standard!

It may be apparent that I have avoided using the term SAM to a large extent in this book. This is deliberate on my part since, as I have mentioned earlier, I regard SAM as only one component of software life cycle management, a component largely in the domain of the software consumer.

While ISO/IEC 19770 came about largely as a result of the problems faced by SAM practitioners, from my own point of view the impact of the standards is greater and their use can benefit many aspects of the software life cycle. I hope that, overall, this book starts to show this and allows the reader to look for further benefits outside the SAM domain.

There are those who, quite correctly, make the point that SAM has been around for many years and that, while it is not necessarily a roaring success, the tools in use allow for the most part a satisfactory level of management. There are others who maintain, possibly equally correctly, that SAM is more black magic than science.

So given common arguments against forming standards, such as ‘standards constrain innovation’ or ‘standards evolve as a result of common practices and are not predefined’, why attempt to introduce a proposed set of standards that may be used for SAM?

Earlier I spoke of the ‘two-handed clapping’ metaphor where software usage is matched against entitlement. If you re-examine my metaphor in the context of past entitlement and SAM tool technologies, you will notice:

  1. There has never been any agreement between those building tools to detect product presence and/or usage and software publisher/OEMs on the validity of the information derived and reported upon by these tools.
  2. The process of reconciliation, especially for audit purposes, always requires the participation of the publisher/OEM in order to validate any entitlement information used as part of the reconciliation process against product usage.

In defining this standard, for the first time, publishers/OEMs are explicitly agreeing to:

  1. a quantitative definition of software product structure and components, thus defining the basic elements required from inventory management that are needed for software life cycle management;
  2. a quantitative definition of an entitlement that may be unambiguously used in attempting to understand the terms of software and/or service use.

If for no other reason, these two pieces of functionality provided by the standard form the foundation for my goal as stated in the introduction to this book:

Quantifying the value delivered by software/SaaS and removing the ‘us versus them’ framework between publisher and customer in enterprise software commerce.

In addition, the standards relate to all aspects of the software life cycle with co-operation between all parties involved, both on the publisher side and the consumer side. The standards also allow participation of third parties, such as OEMs and third-party independent software vendors (ISVs), in the life cycle process.

Figure 4: Software/SaaS product life cycle

This very powerful paradigm enables a coherent approach to software (and service) life cycle management that has never been possible before.

A quick view of the ISO/IEC 19770 standard

Overview

The home of the ISO/IEC 19770 standard can be found at www.19770.org. This is the website for the working group known as ISO/IEC JTC1 SC7 WG21.

The standard consists of multiple parts, currently five, although it is not clear at any particular time which of all the parts are actively being worked upon. The reason I say currently is that it seems that as we all learn more about the science of this standard, the more complex the topic becomes and thus the architecture of the standard needs to evolve in the name of simplicity.

Part one defines the processes of SAM. The second defines software product and component identification and is intended to support the processes defined in the first part. The third part identifies entitlements, which are ultimately balanced against software usage when attempting to ensure that what is entitled is actually used; no more, no less. The fourth is once again about processes, and attempts to break down the processes in the first part in a tiered fashion in order to make multiple levels of compliance available. There is also a fifth project that is destined to supply an overall introduction and glossary for ISO/IEC SAM standards:

  • ISO/IEC 19770-1:2006
    • SAM best practices
  • ISO/IEC 19770-2:2009
    • Software ID tagging standard
  • ISO/IEC 19770-3 (under development)
    • Software entitlements tagging standard
  • ISO/IEC 19770-4 (under development)
    • Phased approach to adoption of -1 best practices
  • ISO/IEC 19770-5 (under development)
    • Glossary for the overall standard.

ISO/IEC 19770-1:2006

There are two parts to this standard:

  1. This contains the processes as applied to the SAM control environment, including those specific to corporate governance, organisational roles and responsibilities, policies and procedures, and finally assurance of competence with respect to SAM.
  2. This contains the processes of SAM planning and implementation, together with the monitoring and evolution/improvement of SAM.

There are a total of 27 process areas divided into the categories listed above.

ISO/IEC 19770-2:2009

This portion of the standards, the focal point of this book, defines the structure of SWID tags. Quoting from the standard:

The software identification tag is an XML file containing identification and management information about a software product, which is installed onto a computing device together with the software product. The tag may be created as part of the installation process, or added later for software already installed without tags. However, it is expected more commonly that the tag will be created when the software product is originally developed, and then be distributed and installed together with the software product.

The goal of the SWID tag standard is to provide information about a software installation that:

  • is cross-platform
  • is cross-publisher
  • provides application lineage
  • provides an application footprint
  • has standard structure
  • uses XML-based data
  • is easily discovered
  • is authoritative and accurate.

ISO/IEC 19770-3 (under development)

ISO/IEC 19770-3 will provide a software life cycle management data standard for SWEID tags that:

  • is cross-platform
  • is cross-publisher
  • has a direct link to SWID tags
  • has licence metrics defined
  • has standard structure
  • uses XML-based data
  • is easily incorporated into tools
  • automates compliance.

The goals are all very laudable, but rather idealistic in the real world. For instance, in some cases it might be possible to link SWEID tags with SWID tags. However, as explained in an earlier chapter, the rules of business and the delicate balance of compliance may obscure these mappings.

In step with this wrinkle, I am not convinced that automated compliance will ever be achievable, although in some cases the possibility of reaching an approximation with automated processes is greater.

ISO/IEC 19770-4 (under development)

This is the most elusive of the standards and proposes a multi-tiered approach to ISO/IEC 19770-1:2006. The work probably should not be considered a new standard, i.e. -4, but more appropriately a restructuring of -1. The tiers proposed are:

  • Tier One – Trustworthy Data – building an accurate inventory of all items to be managed
  • Tier Two – Practical Management – implementing basic management processes and controls
  • Tier Three – Operational Integration – implementing SAM as a part of daily operations
  • Tier Four – Full ISO Conformance – ensuring SAM can become a strategic enabler to business.

Below is an overview of the achievements to date:

  • May 2006: ISO releases first SAM processes standards – ISO/IEC 19770 Part 1 – Processes.
  • October 2007: Extensive industry survey by ISO to understand market needs for SAM standards.
  • March 2008: ISO receives submissions proposing stages for evolutionary adoption of SAM.
  • May 2008: Berlin meeting of ISO/IEC Working Group 21 (ISO/IEC JTC 1/SC 7/WG 21). When the results were released, they showed strong market demand for Tiers.
  • May 2009: Hyderabad meeting of Working Group 21 (ISO reference as above) gave:
    • agreement to base stages upon submitted and tested tiers
    • agreement to base draft staged SAM standard on processes and format of 19770 Part 1.
  • October 2009: Reading (UK) ISO/IEC Working Group for SAM (ISO/IEC JTC 1/SC 7/WG 21) created an Other Working Group (OWG):
    • It was to develop the ISO/IEC 19770-4 standard with the goal to agree its normative text at the Niigata Plenary.
    • David Phillips, of SAM leaders, was appointed as the convener of the (formerly designated 19770-4) Staged SAM OWG.
    • The OWG convened with 12 SAM industry professionals in attendance.
  • February 2010: New work item for Part 4 is circulated by ISO for worldwide member-body voting.
  • April 2010: New work item is passed for worldwide member-body voting.
  • September 2010: Acting on the supporting resolution of the ISO/IEC Technical Committee on Software and Systems Engineering (ISO/IEC JTC1/SC7), work is completed on a revision of the 19770-1:2006 standard, as described above.

The OWG successfully submitted all working document materials on time to the SC7 Interim meeting in Gaithersburg MD, USA in November 2010. The next step is a CD-ROM release of the standards document and several annexes providing guidance requested in industry trials.

More recently, as part of the evangelism of ISO/IEC 19770-1, the first tiered document, which is the revision of the original standard, has been circulated for review by Working Group 21. The revision work has been led by ISO/IEC JTC1/SC7/WG21 Convener, David Bicket, and a group drawn from all over the world.

A good place to see the latest status of this work is at www.19770.org/.
