ISO/IEC 19770
International standards in the ISO/IEC 19770[1] family of standards for IT asset management address both the processes and technology for managing software assets and related IT assets. Broadly speaking, the standard family belongs to the set of Software Asset Management (or SAM) standards and is integrated with other Management System Standards.
ISO/IEC 19770-1: Processes
ISO/IEC 19770-1 is a framework of ITAM processes to enable an organization to prove that it is performing software asset management that meets corporate governance standards. ISO/IEC 19770-1:2017 specifies the requirements for the establishment, implementation, maintenance and improvement of a management system for IT asset management (ITAM), referred to as an “IT asset management system” (ITAMS).
While ISO 55001:2014 specifies the requirements for the establishment, implementation, maintenance and improvement of a management system for asset management, referred to as an “asset management system”, it is primarily focused on physical assets with little provision for the management of software assets. There are a number of characteristics of IT assets which create additional or more detailed requirements. As a result of these characteristics of IT assets, the 19770-1 management system for IT assets has explicit additional requirements dealing with:
- controls over software modification, duplication and distribution, with particular emphasis on access and integrity controls;
- audit trails of authorizations and of changes made to IT assets;
- controls over licensing, underlicensing, overlicensing, and compliance with licensing terms and conditions;
- controls over situations involving mixed ownership and responsibilities, such as in cloud computing and with ‘Bring-Your-Own-Device’ (BYOD) practices; and
- reconciliation of IT asset management data with data in other information systems when justified by business value, in particular with financial information systems recording assets and expenses.
Updates to 19770-1
The first generation was published in 2006.
The second generation was published in 2012. It retained the original content (with only minor changes) but split the standard into four tiers that can be attained sequentially. These tiers are:
- Tier 1: Trustworthy Data
- Tier 2: Practical Management
- Tier 3: Operational Integration
- Tier 4: Full ISO/IEC ITAM Conformance
ISO 19770-1 Edition 3 (current version)
The most recent version, known as ISO 19770-1:2017 and published in December 2017, specifies the requirements for the establishment, implementation, maintenance, and improvement of a management system for IT asset management (ITAM), referred to as an IT asset management system. ISO 19770-1:2017 was a major update and rewrote the standard to conform to the ISO Management System Standards (MSS)[2] format. The tiered structure from 19770-1:2012 was moved to an appendix within the updated standard.
ISO/IEC 19770-2: software identification tag
ISO/IEC 19770-2 provides an ITAM data standard for software identification (SWID) tags. Software ID tags provide authoritative identifying information for installed software or other licensable items (such as fonts or copyrighted papers).
Overview of SWID tags in use
Providing accurate software identification data improves organizational security, and lowers the cost and increases the capability of many IT processes such as patch management, desktop management, help desk management, software policy compliance, etc.
Discovery tools and processes use SWID tag data to determine the normalized names and values associated with a software application, and to ensure that all tools and processes used by an organization refer to software products with exactly the same names and values.
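As an added example (not code from the standard or from any vendor), the following Python parses a constructed 19770-2:2015 SWID tag into the normalized inventory record a discovery tool would keep, then checks installed file contents against the hashes in the tag's Payload, which is how a tag supports patch management and tamper detection. The element and attribute names follow the 2015 XML schema; the product, regid and file are fictional, and installed files are passed in as an in-memory mapping rather than read from disk.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespaces defined by the ISO/IEC 19770-2:2015 SWID tag schema.
SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"
NS = {"swid": SWID_NS}

# Constructed sample tag for a fictional product; the regid uses the reserved
# example.invalid domain so it cannot collide with a real vendor's.
SAMPLE_TAG = f"""<SoftwareIdentity xmlns="{SWID_NS}" xmlns:sha256="{SHA256_NS}"
    name="Example Editor" version="2.4.1" versionScheme="multipartnumeric"
    tagId="example.invalid-Example-Editor-2.4.1">
  <Entity name="Example Corp" regid="example.invalid" role="tagCreator softwareCreator"/>
  <Payload>
    <File name="editor.bin" size="11"
          sha256:hash="b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"/>
  </Payload>
</SoftwareIdentity>"""

def parse_swid(xml_text):
    """Return the normalized inventory record carried by a SWID tag."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SWID_NS}}}SoftwareIdentity":
        raise ValueError("not a 19770-2:2015 SoftwareIdentity element")
    files = {}
    for f in root.iterfind("swid:Payload//swid:File", NS):
        # The hash attribute is in the xmlenc#sha256 namespace, not the SWID one.
        files[f.get("name")] = f.get(f"{{{SHA256_NS}}}hash", "").lower()
    return {
        "tagId": root.get("tagId"),   # globally unique key for this release
        "name": root.get("name"),
        "version": root.get("version"),
        "entities": {e.get("regid"): e.get("role") for e in root.iterfind("swid:Entity", NS)},
        "files": files,
    }

def verify_payload(record, installed):
    """Report each Payload file as ok, hash-mismatch or missing; `installed` maps name -> bytes."""
    status = {}
    for name, expected in record["files"].items():
        data = installed.get(name)
        if data is None:
            status[name] = "missing"
        elif hashlib.sha256(data).hexdigest() != expected:
            status[name] = "hash-mismatch"
        else:
            status[name] = "ok"
    return status
```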
ISO/IEC 19770-3: software entitlement schema (ENT)
This part of ISO/IEC 19770 does not provide requirements or recommendations for processes related to software asset management or ENTs. The software asset management processes are in the scope of ISO/IEC 19770-1.
Standards development information
The ISO/IEC 19770-3 Other Working Group ("OWG")[6] was convened by teleconference call on 9 September 2008.
John Tomeny[7] of Sassafras Software Inc served as the convener and lead author of the ISO/IEC 19770-3 "Other Working Group" (later renamed the ISO/IEC 19770-3 Development Group). Mr. Tomeny was appointed by Working Group 21 (ISO/IEC JTC 1/SC 7/WG 21) together with Krzysztof Bączkiewicz[8] of Eracent, who served as Project Editor concurrently with Mr. Tomeny's leadership. In addition to WG21 members, other participants in the 19770-3 Development Group served as "individuals considered to have relevant expertise by the Convener".[9]
Jason Keogh[10] of 1E and part of the delegation from Ireland is the current editor of 19770-3.
ISO/IEC 19770-3 was published on April 15, 2016.
Principles
This part of ISO/IEC 19770 has been developed with the following practical principles in mind:
Maximum possible usability with legacy entitlement information
The ENT, or software entitlement schema, is intended to provide the maximum possible usability with existing entitlement information, including all historical licensing transactions. While the specifications provide many opportunities for improvement in entitlement processes and practices, they must be able to handle existing licensing transactions without imposing requirements which would prevent such transactions from being codified into ENT records.
Maximum possible alignment with the software identification tag specification (ISO/IEC 19770-2)
This part of ISO/IEC 19770 (entitlement schema) is intended to align closely with part 2 of the standard (software identification tags). This should facilitate both understanding and their joint use. Furthermore, any of the elements, attributes, or other specifications of part 2 which the ENT creator may wish to utilize may be used in this part as well.
ISO/IEC 19770-3: Entitlement Management
ISO 19770-3 relates to Entitlement tags - encapsulations of licensing terms, rights and limitations in a machine-readable, standardized format.[11] The transport method (XML, JSON, etc.) is not defined; rather, the meaning and name of specific data stores are outlined to facilitate a common schema among vendors, customers and tool providers.
The first commercial SAM tool to encapsulate ISO 19770-3 was AppClarity by 1E. Since then, K2 by Sassafras Software has also encompassed 19770-3. As of the time of writing (February 2018), other tool vendors had indicated interest in the standard but had not implemented it.
It is of note that Jason Keogh, Editor of the released 19770-3, works for 1E, and John Tomeny (initial Editor of 19770-3) worked for Sassafras Software.
ISO/IEC 19770-3:2016 establishes a set of terms and definitions which may be used when discussing software entitlements (an important part of software licenses). It also provides specifications for a transport format which enables the digital encapsulation of software entitlements, including associated metrics and their management.
ISO/IEC 19770-5: overview and vocabulary
ISO/IEC 19770-5:2015 provides an overview of ITAM.
References
- ISO/IEC 19770
- "ISO MSS Standards". ISO.org. Retrieved 8 July 2019.
- ISO/IEC 19770-2:2009(en)
- "ISO/IEC 19770-2:2015 - Information technology - Software asset management - Part 2: Software identification tag". www.iso.org. Retrieved 18 March 2018.
- "Steve Klos". linkedin.com. Retrieved 18 March 2018.
- "Web site from the working group developing the 19770-3 standard". Archived from the original on 5 January 2009. Retrieved 16 September 2008.
- "John Tomeny". linkedin.com. Retrieved 18 March 2018.
- "Krzysztof Bączkiewicz". Archived from the original on 16 November 2007.
- "W21N0805 (revision 2): Terms of Reference for ISO/IEC 19770-3 Software Entitlement Tag Other Working Group" (PDF). Archived from the original (PDF) on 16 July 2011. Retrieved 16 September 2008.
- https://www.linkedin.com/in/keoghj/
- "ISO/IEC 19770-3:2016". International Organization for Standardization. Archived from the original on 16 February 2018. Retrieved 14 June 2018.
External links
- ISO/IEC 19770-1:2017
- ISO/IEC 19770-2:2015
- ISO/IEC 19770-3:2016
- ISO/IEC 19770-4:2017
- ISO/IEC 19770-5:2015
- Official WG21 web site
- Business Software Alliance
- International Association of Information Technology Asset Managers
- National Cybersecurity Center of Excellence
- National Institute for Standards and Technology
- Trusted Computing Group
- ITAM.ORG - Organization for IT Asset Management Professionals and ITAM Providers
- Australian Software Asset Management Association (ASAMA)