CMM vs. ISO

11 April 2007 CMM vs. ISO David S. Craft CIRM, PMP


Transcript of CMM vs. ISO

Page 1: CMM vs. ISO

David S. Craft CIRM, PMP

Page 2: CMM vs. ISO

CMM vs. ISO, Sarbanes Oxley

Agenda

• Who Am I
• Software Systems Development
• ISO
• CMM
• Sarbanes Oxley

Page 3: CMM vs. ISO

Who Am I

• VISTA Volunteer
• Industrial Engineer
• Chief Industrial Engineer
• Manager Production Planning & Control
• Inventory Control Manager
• Shift Supervisor
• Materials Manager
• Consultant
• Project Manager
• Team Leader
• Managing Consultant, Engineering and Manufacturing Services
• Internal ISO Auditor


Page 5: CMM vs. ISO

Process

To Develop Software and Systems You Need A Process

• Anything goes
• Defined
• Structured


Page 8: CMM vs. ISO

Process, people and technology are the major determinants of project cost, quality and schedule.

Page 9: CMM vs. ISO

Common Misconceptions

I don't need defined processes, I have:
– Really good people
– Advanced technology
– An experienced manager

Defined processes:
– Interfere with creativity
– Equal bureaucracy + regimentation
– Aren't needed when building prototypes
– Are only useful on large projects
– Hinder agility in fast moving projects
– Cost too much

Page 10: CMM vs. ISO

Why We Need Standard Processes

Estimating (History)
• Scope
• Cost
• Time
• Tools

Deliver the Product to Estimate (Visibility)
• Time
• Cost
• Quality

Handling/Controlling Changes
• Planned
• Unplanned
• Scope Creep

Page 11: CMM vs. ISO

How to Achieve Quality Processes

• ISO
• CMM

Page 12: CMM vs. ISO

ISO – CMM Differences

ISO 9001:2000 vs. CMMI-DEV

1. ISO 9001:2000: International standard, applies to all types of organizations, supports both product and service oriented organizations
   CMMI-DEV: Written specifically for software development companies

2. ISO 9001:2000: A brief document, about 25 pages long, identifying the minimal requirements for a quality system
   CMMI-DEV: A detailed document, over 500 pages long

3. ISO 9001:2000: Emphasizes management of a continuous improvement process, based on the PDCA (Plan-Do-Check-Act) model
   CMMI-DEV: Emphasizes achieving "maturity" and continuously improving its process

4. ISO 9001:2000: One level of standard. The standard is based on recommendation
   CMMI-DEV: Defines 5 maturity levels of the organization, covering 25 process areas (PAs)

Source: Netta Dotan, Quality Assurance & Project Management, Ronkal Office Technologies

Page 13: CMM vs. ISO

ISO – CMM Differences – My View

ISO 9000 vs. SW-CMMI

1. ISO 9000: Outwardly focused
   SW-CMMI: Inwardly focused

2. ISO 9000: Minimum requirements with implied continuous improvements
   SW-CMMI: Explicit continuous quality improvement

3. ISO 9000: Registration document
   SW-CMMI: No documentation

4. ISO 9000: Certification audit for a 50 employee organization will be executed by 1-12 auditors during one day
   SW-CMMI: Certification audit for a 50 employee organization will be executed by 4 auditors during 4-5 days

Source: Netta Dotan, Quality Assurance & Project Management, Ronkal Office Technologies

Page 14: CMM vs. ISO

ISO – CMM Similarities

• Both require the organization be explicit about what their processes and quality systems are
• Say what you do; do what you say
• The organization records and tracks data for objective analysis
• Require strong management support to succeed
• Provide a structured and measured approach to quality improvement
• Require an outside audit for "certification"
• Both are refined/improved over time

Page 15: CMM vs. ISO

Meet ISO

The International Organization for Standardization (ISO) is a worldwide federation of national standards bodies from some 162 countries, representing approximately 95% of worldwide production. ISO is a non-governmental organization established in 1947 to promote the development of standardization and related activities in the world with a view to facilitating international exchange of goods and services and development of cooperation in the spheres of intellectual, scientific, technological and economic activity.

ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.

ISO is a non-governmental organization that forms a bridge between the public and private sectors. On the one hand, many of its member institutes are part of the governmental structure of their countries, or are mandated by their government. On the other hand, other members have their roots uniquely in the private sector, having been set up by national partnerships of industry associations. Therefore, ISO enables a consensus to be reached on solutions that meet both the requirements of business and the broader needs of society.

Page 16: CMM vs. ISO

ISO's Impact

In the global economy ISO 9001:2000 and ISO 14001:2004 have become thoroughly integrated with the world economy. ISO 9001:2000 is now firmly established as the globally accepted standard for providing assurance about the quality of goods and services in supplier-customer relations.

The positive roles played in globalization by ISO's standards for quality and environmental management systems include the following:

• a unifying base for global businesses and supply chains – such as the automotive and oil and gas sectors
• a technical support for regulation – as, for example, in the medical devices sector
• a tool for major new economic players to increase their participation in global supply chains, in export trade and in business process outsourcing
• a tool for regional integration – as shown by their adoption by new or potential members of the European Union

In the rise of services in the global economy – nearly 33% of ISO 9001:2000 certificates in 2005 went to organizations in the service sectors.

Page 17: CMM vs. ISO

Where are the Standards (12/31/09)

Sector                                                      Standards    Pages
Generalities, Infrastructure and Sciences                       1,601   64,568
Health, Safety and Environment                                    734   29,491
Engineering Technologies                                        4,937  223,394
Electronics, Information Technology and Telecommunications      2,902  506,057
Transport and Distribution of Goods                             1,957   55,646
Agriculture and Food Technology                                 1,054   26,286
Materials Technology                                            4,373  114,269
Construction                                                      380   14,632
Special Technologies                                              145    3,602
Total                                                          18,083  737,345

Page 18: CMM vs. ISO

What are standards?

Standards are documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines, or definitions of characteristics, to ensure that materials, products, processes and services are fit for their purpose.

For example, the format of the credit cards, phone cards, and "smart" cards that have become commonplace is derived from an ISO International Standard. Adhering to the standard, which defines such features as an optimal thickness (0,76 mm), means that the cards can be used worldwide.

International Standards thus contribute to making life simpler, and to increasing the reliability and effectiveness of the goods and services we use.


Page 19: CMM vs. ISO

Which ISO Standards

ISO 9000 represents consensus on what requirements a quality system must meet but does not dictate how they should be met.

The ISO 9000 series addresses quality management and quality assurance standards. It is designed to assist organizations in implementing and operating an effective quality management system (QMS). ISO 9001 defines what quality standards should be followed. It does not tell how.

The ISO 9000:2000 series is based on 8 key principles: Customer Focus, Leadership, Involvement of People, Process Approach, System Approach to Management, Continual Improvement, Factual Approach to Decision Making and Mutually Beneficial Supplier Relationships.

Page 20: CMM vs. ISO

Quality System Documentation

Level 1: Quality Manual. Defines approach and responsibility.
Level 2: Procedures. Defines who, what, when.
Level 3: Work/Job Instructions. Answers how.
Level 4: Records/Documentation. Results: shows that the system is operating.

Page 21: CMM vs. ISO

ISO 9001:2000 Structure

4. Quality Management System
   4.1 General requirements
   4.2 Document requirements

5. Management Responsibility
   5.1 Management commitment
   5.2 Customer focus
   5.3 Quality policy
   5.4 Planning
   5.5 Responsibility, authority, communication
   5.6 Management review

6. Resource Management
   6.1 Provision of resources
   6.2 Human resources
   6.3 Infrastructure
   6.4 Work environment

7. Product Realization
   7.1 Planning of product realization
   7.2 Customer-related processes
   7.3 Design and development
   7.4 Purchasing
   7.5 Production and service provision
   7.6 Control of monitoring and measuring devices

8. Measurement, Analysis & Improvement
   8.1 General
   8.2 Monitoring and measurement
   8.3 Control of nonconforming product
   8.4 Analysis of data
   8.5 Improvement

Page 22: CMM vs. ISO

Evaluation

ISO is a certification model. Typically, an internal quality system assessment (audit) is performed, repairs are made, and the organization may then submit to a formal system audit lasting several days, performed by one of the ISO certification bodies. The certificate is usually valid for three years and also requires that a quality management system be in place, including performance of regular internal audits and intermediate external audits.

Page 23: CMM vs. ISO

Meet CMMI

CMMI® (Capability Maturity Model® Integration) models are collections of best practices that help organizations to improve their processes. These models are developed by product teams with members from industry, government, and the Software Engineering Institute (SEI). These models provide a comprehensive integrated set of guidelines for developing products and services.

The CMMI-DEV model provides guidance for applying CMMI best practices in a development organization. Best practices in the model focus on activities for developing quality products and services to meet the needs of customers and end users.

Other CMMI models: Acquisition and Services

Page 24: CMM vs. ISO

Scope of CMMI

CMMI is designed to help identify and prioritize process improvement opportunities and facilitate organizational change management. The model is used for internal process improvement, sourcing selection and benchmarking, rather than certification.

CMMI is organized as a process framework that clusters related practices into process areas that, when performed collectively, satisfy a set of goals. It requires that you define specific practices to meet specific goals but does not define how they are to be implemented.

CMMI provides two representations: staged and continuous. The staged view provides five maturity levels (Initial, Managed, Defined, Quantitatively Managed, and Optimizing) and 22 process areas (PAs). The PAs at each maturity level build on the previous level. Alternatively, the continuous representation is used to focus on process capability in a desired functional area (project management, process management, engineering and support) rather than on maturity levels.

Page 25: CMM vs. ISO

Evaluation

This is not a certification model, but ratings may be announced and published. The SEI publishes ratings provided the company gives it permission. Formal appraisals typically take 5 – 10 days and are led by SEI-authorized internal or external lead appraisers, using trained teams and a formal method. The method is named SCAMPI (Standard CMMI Appraisal Method for Process Improvement).


Page 27: CMM vs. ISO

SCAMPI – Standard CMMI Appraisal Method for Process Improvement

Page 28: CMM vs. ISO

Process Areas

• Requirements Management
• Project Planning
• Project Monitoring & Control
• Supplier Agreement Management
• Measurement & Analysis
• Process & Product Quality Assurance
• Configuration Management
• Requirements Development
• Technical Solution
• Product Integration
• Verification
• Validation
• Organizational Process Focus
• Organizational Process Definition
• Organizational Training
• Integrated Project Management
• Risk Management
• Integrated Teaming
• Integrated Supplier Management
• Decision Analysis & Resolution
• Organizational Environment for Integration
• Organizational Process Performance
• Quantitative Project Management
• Organizational Innovation & Deployment
• Causal Analysis & Resolution


Page 30: CMM vs. ISO

EIA – Electronic Industries Alliance Interim Standard


Page 40: CMM vs. ISO

CMM Process Areas

Staged   Process Area                                  Continuous
L2       Requirements Management                       Engineering
L2       Project Planning                              Project Mgmt.
L2       Project Monitoring and Control                Project Mgmt.
L2       Supplier Agreement Management                 Project Mgmt.
L2       Measurement and Analysis                      Support
L2       Process and Product Quality Assurance         Support
L2       Configuration Management                      Support
L3       Requirements Development                      Engineering
L3       Technical Solution                            Engineering
L3       Product Integration                           Engineering
L3       Verification                                  Engineering
L3       Validation                                    Engineering
L3       Organizational Process Focus                  Process Mgmt.
L3       Organizational Process Definition             Process Mgmt.
L3       Organizational Training                       Process Mgmt.
L3       Integrated Project Management                 Project Mgmt.
L3       Risk Management                               Project Mgmt.
L3       Integrated Teaming                            Project Mgmt.
L3       Integrated Supplier Management                Project Mgmt.
L3       Decision Analysis and Resolution              Support
L3       Organizational Environment for Integration    Support
L4       Organizational Process Performance            Process Mgmt.
L4       Quantitative Project Management               Project Mgmt.
L5       Organizational Innovation and Deployment      Process Mgmt.
L5       Causal Analysis and Resolution                Support

Page 41: CMM vs. ISO

Examples of CMMI Impact: ROI

• 5:1 ROI for quality activities (Accenture)
• 13:1 ROI calculated as defects avoided per hour spent in training and defect prevention (Northrop Grumman Defense Enterprise Systems)
• Avoided $3.72 M in costs due to better cost performance (Raytheon North Texas Software Engineering) as the organization improved from SW-CMM level 4 to CMMI level 5
• 2:1 ROI over 3 years (Siemens Information Systems Ltd, India)
• 2.5:1 ROI over the 1st year, with benefits amortized over less than 6 months (reported under non-disclosure)

(reported by the American Society for Quality)

Page 42: CMM vs. ISO

Sarbanes-Oxley Implications

• With its more than 300 discrete points of enforceable law, this is the most significant piece of accounting legislation passed since the formation of the SEC in 1933.
• SOX was passed with the specific intent of increasing accountability and attempting to instill ethical behavior in financial reporting and business operations.
• With this increased spotlight on reporting, companies must invest resources and focus into their internal control process.
• The Act created the Public Company Accounting Oversight Board (PCAOB) to oversee the activities of the auditing profession and mandated reforms to enhance corporate and criminal fraud accountability.
• A goal of SOX legislation is to continually improve the transparency of financial and business events that can impact the accuracy and future validity of financial statements.
• Projects to improve processes and regular review of controls will become commonplace activities as compliance evolves. Tools that simplify project completion and track status will better enable organizations to cost-effectively undertake these projects.

Page 43: CMM vs. ISO

SOX Major Sections

302 – Corporate Responsibility for Financial Reports
• Requires executives to certify the accuracy of corporate financial reports

404 – Management Assessment of Internal Controls
• Requires executives and auditors to confirm the effectiveness of internal controls for financial reporting

409 – Real Time Issuer Disclosures
• Requires that any material changes in the financial state of the issuer be communicated quickly and with supporting data to the public

Page 44: CMM vs. ISO

Implications for IT

• Configuration management is now a must
• Change controls must be handled more carefully
• Security, security, security
• All system changes must be verifiable by a clear audit trail
• Reduce reliance on batch processing, update the data warehouse more frequently
• Interfaces from any financial system must be documented and controlled
• IT activities must be aligned with the company's governance and risk policies