ISO 9001 in IT companies

Now you rarely find a medium or large IT company that does not have an ISO 9001 certificate.

However, I believe that in the short term, ISO 9001 will die for the IT world. Why?

I will try to justify.

What is the problem?

People involved in the practical implementation of ISO 9001 in IT companies invariably ask interesting questions. For example - and what is this for “managing an inappropriate product” (see chapter 8.3 of the standard) .

And why so fiercely monitor the “procurement process” (7.4) . What else can be purchases in an IT company? The correct answer is desktops and laptops :)



It's simple. ISO 9001 is a standard primarily intended for manufacturing companies. Dairy plant for example. Or a tailoring factory. Imagine yourself as the head of these companies - and questions about claims and procurement immediately become very relevant :)

')

Of course, ISO 9001 is universal. With it, you can build a Quality Management System anywhere. In our country (Belarus), even all educational institutions have been forced to ISO 9001 certification.

The only question is the applicability and effectiveness of such certification.



But there are very worthy competitors ISO 9001 for the IT field. I see CMMI - Capability Maturity Model Integration as the main one.

CMMI - expands, improves. Recently there was an extension to the service part of the IT business. In fact - a competitor to ISO 20000 , and very serious. In reviews, CMMI-SVC v1.3 beats ISO 20000.

Comparison of ISO 9001 and CMMI

Definition

ISO 9001 - a standard developed by the International Organization for Standardization (International Organization for Standardization, ISO)



CMMI is a methodology or process approach developed by the Software Engineering Institute (SEI), mostly by IT professionals.



A standard is a set of requirements of a fairly high level. Methodology - a set of approaches, techniques - a more practical level.

ISO is a huge organization, more than 200 countries, dozens of functional areas. Naturally, for such volumes, a strict formalism is needed, because of which standards are developed and then changed on a very long time.

As for the SEI, it is, in fact, a research center based on the American Institute. There are many ambitions, money and, accordingly, the output is more alive.

Scheme

ISO 9001 is a set of high level requirements. Here is a notorious picture:



The picture is very common. But what it means in practice means only a select few will tell you.



In CMMI, the list of process areas should be familiar to any PM or developer developer.

So, CMMI is a framework of specialized best practices from the Software and Service Development domain. Only 5 levels, on each subsequent the new Process Area is added.

Volume

ISO 9001 - 33 pages of concise text. Common phrases, description of generalized functions existing in any organization. For example, resource management, management responsibility, and so on.

CMMI - more than 700 pages , three sections (CMMI-DEV, CMMI-SVC and CMMI-ACQ)

Suitable for IT organizations. Applicability to dairy plants is difficult :)

Thus, in ISO we have a short set of principles for any organization . CMMI - detailed practical methods for the IT sector .

Implementation

The implementation of ISO 9001 will take 6-8 months for an average organization of 100-300 employees.

Subjectively, the standard is easier and cheaper to implement than CMMI.

CMMI implementation will take 8-12 months for such an organization (set of projects) to level 3.

Implementing is more difficult compared to ISO 9001. More expensive, but somehow more convenient.

Certification

ISO 9001 has one-bit certification - that is, it is either certified or not, without indicating the level of the organization.

Further, once a year - confirming audits. Every 3 years - full re-certification.

Many have criticized ISO 9001 for the lack of maturity levels. Those. all are in the same position - that an advanced company with good processes, that a beginner is without processes.

In CMMI, there is a lot of room for certification combinations and further improvements.



CMMI applies a 5-level maturity model . You can be certified on any of the 5 levels (well, except for the first one; you also did not hear that they were certified on the second - they usually start from the 3rd).

In addition, you can choose different ways to assess the level.

Conclusion?

Well, I think the advantages of CMMI and the disadvantages of ISO 9001 for an IT company are obvious.



But not everything is so simple.

ISO 9001 does not give up

In a sense, the ISO 9001 clan is trying to fight, creating its own extensions for the IT field. In particular, http://www.tickitplus.org/

Also, there is a whole pack of ISO standards to help ISO 9001 to conquer the IT world:

ISO 10005: 2005 Quality management - Guidelines for quality plans

ISO 10006: 2003 Quality management - Guidelines for quality management in projects

ISO 10007: 2003 Quality management - Guidelines for configuration management



There are also special ISO standards for IT:

ISO / IEC 12207 Software Lifecycle Processes

ISO / IEC 15288 Life Cycle Management - System Life Cycle Processes

ISO / IEC 15504 Software Process Improvement Capacity Determination (better known as SPICE)



This list is not intended to be complete. In the depths of the ISO there are dozens, if not hundreds of documents. And everyone has the same problem - nobody knows about them , or a narrow circle of specialists knows it.

Also, an important limitation, you must pay for all these documents (as opposed to CMMI documentation, MSF, RUP, etc.).

And by the way, I have never heard anyone buy them. At least among the "from the Russians".



But it is generally about ISO 9001.

So why is ISO 9001 still alive in the IT environment?

The main reason for certifying an average IT company to ISO 9001 is historical . Customers wanted to have confidence that their order will be made at least not below a certain level.

And ISO 9001 guaranteed that. Customers saw (heard) the result of the implementation of ISO 9001 in other areas, and quite rightly assumed that it would work in the IT field.

All right, but as time passed, the IT world has changed, new models and techniques have appeared. CMMI, Agile and others appeared.

Now IT companies are certified to ISO 9001 in the overwhelming number only because of the pressure of the customer - in order to win the tender, etc.

What will happen next?

It will take time, and the customer will know (realize) that you need to demand more correct things from their performers. This process cannot be stopped. The Internet is doing its job. More and more IT firms are putting on the shelf the ISO 9001 formalism (to be fair, some offices have never gotten off the shelf ISO 9001 :). And more and more IT firms are introducing specialized methodologies, standards and practices.



Also, the process is on the part of the IT companies themselves. For example, in our company we are working on materials for the customer, in which we talk about the advantages of CMMI and that it does not need ISO 9001. Those. An IT company can and should influence customer requirements , especially in the areas of processes, development methods, and so on.



So, 10-15 years, and ISO 9001 for the IT world will die. Or reborn in something super-new. But I can not believe :)

Of course, this opinion is mine personally, it does not pretend to the ultimate truth.

Is this ISO 9001 so clear?

Does ISO 9001 still make sense for an IT company?

In certain conditions - yes.

For a small company with bad processes (or with missing processes).

Implementing ISO 9001 will help it establish the simplest sound processes, track and improve them. External certification may not be necessary - after all, it is enough just to implement the standard requirements. But nevertheless it is better to be certified - the price is small, and keeps in tone well.



But if a company already has a good system of processes, then there is no point in referring to ISO 9001. It is better to take something IT sharpened: CMMI for serious projects, Agile for simpler and so on.



I would welcome comments and discussion.

Links

- The official text is ISO 9001 , there is also a more convenient option.

- CMMI



PS Elderly jock on the photo - a very respected bodybuilder Ray Moon . He is already over 80, please do not pry at him. However, as well as above ISO 9001.