ISO/IEC 19770

International standards in the ISO/IEC 19770 [1] family of standards for IT asset management address both the processes and technology for managing software assets and related IT assets. Broadly speaking, the standard family belongs to the set of Software Asset Management (or SAM) standards and is integrated with other Management System Standards.

ISO/IEC 19770 day-to-day management comes under ISO/IEC JTC 1/SC 7/WG 21, or Working Group 21 (WG21), chaired by Ron Brill [2] as convener with Trent Allgood [3] as secretary. WG21 is responsible for developing and improving these standards and for ensuring that they meet market needs.

Purpose

The ISO 19770 standard describes how an organization standardizes its ITAM practice by incorporating ISO/IEC standards.

The objective of the standard is to give organizations of all sizes information and assistance in minimizing the risk and cost associated with IT assets. Through implementation, these same organizations will acquire a competitive advantage through:

The major parts of this ITAM standard are detailed below.

  1. ISO/IEC 19770-1 is a process framework to enable an organization to prove that it is performing ITAM to a standard sufficient to satisfy corporate governance requirements and ensure effective support for IT service management overall.
  2. ISO/IEC 19770-2 provides an ITAM data standard for software identification tags ("SWID").
  3. ISO/IEC 19770-3 provides an ITAM data standard for software entitlements, including usage rights, limitations and metrics ("ENT").
  4. ISO/IEC 19770-4 provides an ITAM data standard for Resource Utilization Measurement ("RUM").
  5. ISO/IEC 19770-5 provides the overview and vocabulary.


ISO/IEC 19770-1: Processes

ISO/IEC 19770-1 is a framework of ITAM processes to enable an organization to prove that it is performing software asset management to a standard sufficient to satisfy corporate governance requirements and ensure effective support for IT service management overall. ISO/IEC 19770-1:2017 specifies the requirements for the establishment, implementation, maintenance and improvement of a management system for IT asset management (ITAM), referred to as an “IT asset management system” (ITAMS).

While ISO 55001:2014 specifies the requirements for the establishment, implementation, maintenance and improvement of a management system for asset management, referred to as an “asset management system”, it is primarily focused on physical assets with little provision for the management of software assets. There are a number of characteristics of IT assets which create additional or more detailed requirements. As a result of these characteristics of IT assets, the 19770-1 management system for IT assets has explicit additional requirements dealing with:

Updates to 19770-1

The first generation was published in 2006.

The second generation was published in 2012. It retained the original content (with only minor changes) but split the standard into four tiers which can be attained sequentially. These tiers are:

ISO 19770-1 Edition 3 (current version)

The most recent version, known as ISO 19770-1:2017 and published in December 2017, specifies the requirements for the establishment, implementation, maintenance, and improvement of a management system for IT asset management (ITAM), referred to as an IT asset management system. ISO 19770-1:2017 was a major update and rewrote the standard to conform to the ISO Management System Standards (MSS) [4] format. The tiered structure from 19770-1:2012 was moved to an appendix within the updated standard.

Intended Users

This document can be used by any organization and can be applied to all types of IT assets. The organization determines to which of its IT assets this document applies. This document is primarily intended for use by:

ISO/IEC 19770-2: software identification tag

ISO/IEC 19770-2 provides an ITAM data standard for software identification (SWID) tags. Software ID tags provide authoritative identifying information for installed software or other licensable items (such as fonts or copyrighted papers).

Overview of SWID tags in use

There are three primary methods that may be used to ensure SWID tags are available on devices with installed software:

Providing accurate software identification data improves organizational security, and lowers the cost and increases the capability of many IT processes such as patch management, desktop management, help desk management, software policy compliance, etc.

Discovery tools and processes use SWID tag data to determine the normalized names and values associated with a software application, ensuring that all tools and processes used by an organization refer to software products with exactly the same names and values.
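As an added example (not code from the page or from any of the vendors named on it), the following Python builds a minimal SWID tag for a constructed product, parses it back the way a discovery tool would to obtain the normalized identity, and checks the files listed in the tag's Payload against what is actually on disk. The namespace and element and attribute names follow the 19770-2:2015 schema; the product name, regid, tagId and file contents are invented for the demonstration.

```python
"""Build, parse and verify an ISO/IEC 19770-2 (2015 schema) SWID tag.

Added example: the tag content produced here is constructed for illustration
and is not a vendor-issued tag. Only the namespace and the element/attribute
names (SoftwareIdentity, Entity, Payload, File, SHA256:hash) follow the
published 2015 schema.
"""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"
NS = {"swid": SWID_NS, "SHA256": SHA256_NS}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_tag(name, version, regid, tag_id, files):
    """Vendor side: emit a minimal tag whose Payload lists each file's SHA-256.

    `files` maps a file name relative to the install directory to its bytes
    (constructed sample content in this example).
    """
    ET.register_namespace("", SWID_NS)        # default namespace for the tag
    ET.register_namespace("SHA256", SHA256_NS)
    root = ET.Element(f"{{{SWID_NS}}}SoftwareIdentity", {
        "name": name, "version": version, "versionScheme": "multipartnumeric",
        "tagId": tag_id, "corpus": "false", "patch": "false", "supplemental": "false",
    })
    ET.SubElement(root, f"{{{SWID_NS}}}Entity", {
        "name": "Example Corp", "regid": regid, "role": "tagCreator softwareCreator"})
    payload = ET.SubElement(root, f"{{{SWID_NS}}}Payload")
    for fname, content in files.items():
        ET.SubElement(payload, f"{{{SWID_NS}}}File", {
            "name": fname, "size": str(len(content)),
            f"{{{SHA256_NS}}}hash": sha256_hex(content)})
    return ET.tostring(root, encoding="unicode")


@dataclass
class SwidIdentity:
    tag_id: str
    name: str
    version: str
    tag_creator_regid: str   # regid + name/version is the normalized product key
    files: dict              # file name -> expected SHA-256 hex digest


def parse_tag(xml_text: str) -> SwidIdentity:
    """Consumer side: extract the identity a discovery tool keys its inventory on."""
    root = ET.fromstring(xml_text)   # stdlib expat does not fetch external entities
    if root.tag != f"{{{SWID_NS}}}SoftwareIdentity":
        raise ValueError("not a 19770-2:2015 SoftwareIdentity element")
    creator = None
    for ent in root.findall("swid:Entity", NS):
        if "tagCreator" in ent.get("role", "").split():
            creator = ent.get("regid")
    if creator is None:
        raise ValueError("tag has no tagCreator Entity")
    files = {}
    # Only direct children of Payload are handled; the schema also allows
    # nested Directory elements, which a full parser would walk as well.
    for f in root.findall("swid:Payload/swid:File", NS):
        digest = f.get(f"{{{SHA256_NS}}}hash")
        if digest:
            files[f.get("name")] = digest.lower()
    return SwidIdentity(root.get("tagId"), root.get("name"),
                        root.get("version"), creator, files)


def verify_payload(identity: SwidIdentity, install_dir: str) -> dict:
    """Compare each listed file with disk: name -> 'ok' | 'missing' | 'modified'."""
    results = {}
    for fname, expected in identity.files.items():
        path = os.path.join(install_dir, fname)
        if not os.path.isfile(path):
            results[fname] = "missing"
            continue
        with open(path, "rb") as fh:
            actual = sha256_hex(fh.read())
        results[fname] = "ok" if actual == expected else "modified"
    return results


def demo():
    """Round trip on constructed data, then tamper with the installation."""
    files = {"report.bin": b"constructed sample binary\n", "report.cfg": b"verbose=1\n"}
    tag = build_tag("Example Reporting Tool", "4.2.1", "example.com",
                    "example.com-ExampleReportingTool-4.2.1", files)
    ident = parse_tag(tag)
    with tempfile.TemporaryDirectory() as d:
        for n, c in files.items():
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(c)
        clean = verify_payload(ident, d)
        with open(os.path.join(d, "report.bin"), "ab") as fh:
            fh.write(b"extra")                 # simulated post-install modification
        os.remove(os.path.join(d, "report.cfg"))
        tampered = verify_payload(ident, d)
    return ident, clean, tampered


if __name__ == "__main__":
    print(demo())
```

The tagCreator regid together with the product name and version is what lets every tool in the organization refer to the same product with the same key, which is the normalization the text describes; the Payload check is the security side of the same data, since a hash mismatch on a file the vendor listed is something an inventory run can surface without any vendor-specific instrumentation.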

Standards development information

This standard was first published in November 2009. [5] A revision of this standard was published in October 2015. [6]

Steve Klos [7] is the editor of 19770-2 and works for 1E, Inc as a SAM Subject Matter Expert.

Non-profit organizational support

As of November 28, 2022, the TagVault.org site resembles a product review page, although searching it for SWID still finds articles on the subject. In 2009, a non-profit organization called TagVault.org [8] was formed under IEEE-ISTO [9] to press for using SWID tags. TagVault.org acts as a registration and certification authority for ISO/IEC 19770-2 software identification tags (SWID tags) and will provide tools and services allowing all SAM ecosystem members to take advantage of SWID tags faster, at lower cost and with more industry compatibility than would otherwise be possible. SWID tags can be created by anyone, so individuals and organizations are not required to be part of TagVault.org to create or distribute tags.

Commercial organizational support

Numerous Windows installation packaging tools utilize SWID tags including:

Many software discovery tools already utilize SWID tags, including Altiris, Aspera SmartCollect, DeskCenter Management Suite, Belarc's BelManage, Sassafras Software's K2-KeyServer, Snow Inventory, CA Technologies discovery tools, Eracent's EnterpriseAM, Flexera Software's FlexNet Manager Platform, HP's Universal Discovery, IBM Endpoint Manager, Microsoft's System Center 2012 R2 Configuration Manager, Loginventory, and Raynet's Rayventory.

Adobe has released multiple versions of their Creative Suites and Creative Cloud products with SWID tags.

Symantec has also released multiple products that include SWID tags and is committed to helping move the software community to a more consistent and normalized approach to software identification and eventually to a more automated approach to compliance. [10]

Microsoft Corporation has been adding SWID tags to all new releases of software products since Windows 8 was released. [11]

IBM started shipping tags with some software products in early 2014, but as of November, all releases of IBM software include SWID tags. This equates to approximately 300 product releases a month that include SWID tags.

Governmental support

The US federal government has identified 19770-2 SWID tags as an important aspect of the efforts necessary to manage compliance, logistics and security software processes. The 19770-2 standard is included on the US Department of Defense Information Standards Registry (DISR) as an emerging standard as of September 2012. The National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) in 2015 discussed the need for SWIDs in the marketplace. [12]

Standards development organization support

The Trusted Computing Group (TCG) is developing a standard, TNC SWID Messages and Attributes for IF-M Specification, [13] that utilizes tag data for security purposes.

The National Cybersecurity Center of Excellence (NCCoE) has documented the Software Asset Management Continuous Monitoring building block [14] that specifies how SWID tags are used for the near real-time identification of software.

The National Institute of Standards and Technology (NIST) is in the process of creating documentation that specifies how SWID tags will be used by governmental organizations including the Department of Homeland Security. David Waltermire presented information describing the NIST Security Automation Program [15] and how SWID tags can support that effort.

The National Institute of Standards and Technology (NIST) published "Guidelines for the Creation of Interoperable Software Identification (SWID) Tags", NISTIR 8060, April 2016.

ISO/IEC 19770-3: software entitlement schema (ENT)

This part of ISO/IEC 19770 provides a technical definition of an XML schema that can encapsulate the details of software entitlements, including usage rights, limitations and metrics.

The primary intentions of 19770-3 are:

  1. To provide a basis for common terminology to be used when describing entitlement rights, limitations and metrics
  2. To provide a schema which allows effective description of rights, limitations and metrics attaching to a software license.

The specific information provided by an entitlement schema (ENT) may be used to help ensure compliance with license rights and limits, to optimize license usage and to control costs. Though ENT creators are encouraged to provide the data that allow for the automatic processing, it is not mandated that data be automatically measurable. The data structure is intended to be capable of containing any kind of terms and conditions included in a software license agreement.

This part of ISO/IEC 19770 supports ITAM processes as defined in ISO/IEC 19770-1. [16] It is also designed to work together with software identification tags as defined in ISO/IEC 19770-2. [17] Standardization in the field of software entitlements provides uniform, measurable data for both the license compliance and license optimization processes of SAM practice.

This part of ISO/IEC 19770 does not provide requirements or recommendations for processes related to software asset management or ENTs. The software asset management processes are in the scope of ISO/IEC 19770-1.

Standards development information

The ISO/IEC 19770-3 Other Working Group ("OWG") [18] was convened by teleconference call on 9 September 2008.

John Tomeny [19] of Sassafras Software Inc served as the convener and lead author of the ISO/IEC 19770-3 "Other Working Group" (later renamed the ISO/IEC 19770-3 Development Group). Mr Tomeny was appointed by Working Group 21 (ISO/IEC JTC 1/SC 7/WG 21) together with Krzysztof Bączkiewicz [20] of Eracent who served as Project Editor concurrent with Mr. Tomeny's leadership. In addition to WG21 members, other participants in the 19770-3 Development Group served as "individuals considered to have relevant expertise by the Convener". [21]

Jason Keogh [22] of 1E and part of the delegation from Ireland is the current editor of 19770-3.

ISO/IEC 19770-3 was published on April 15, 2016.

Principles

This part of ISO/IEC 19770 has been developed with the following practical principles in mind:

Maximum possible usability with legacy entitlement information

The ENT, or software entitlement schema, is intended to provide the maximum possible usability with existing entitlement information, including all historical licensing transactions. While the specifications provide many opportunities for improvement in entitlement processes and practices, they must be able to handle existing licensing transactions without imposing requirements which would prevent such transactions from being codified into ENT records.

Maximum possible alignment with the software identification tag specification (ISO/IEC 19770-2)

This part of ISO/IEC 19770 (entitlement schema) is intended to align closely with part 2 of the standard (software identification tags). This should facilitate both understanding and their joint use. Furthermore, any of the elements, attributes, or other specifications of part 2 which the ENT creator may wish to utilize may be used in this part as well.

Stakeholder benefits

It is intended that this standardized schema will be of benefit to all stakeholders involved in the creation, licensing, distribution, release, installation, and ongoing management of software and software entitlements.

The ITAM Review developed a podcast with the 19770-3 project editor on how end-user organizations can leverage this standard to their benefit.

ISO/IEC 19770-3: Entitlement Management

ISO 19770-3 relates to entitlement tags: encapsulations of licensing terms, rights and limitations in a machine-readable, standardized format. [23] The transport method (XML, JSON, etc.) is not defined; rather, the meaning and name of specific data stores are outlined to facilitate a common schema between vendors, customers and tool providers.

The first commercial SAM tool to encapsulate ISO 19770-3 was AppClarity by 1E. Since then K2 by Sassafras Software has also encompassed 19770-3. As of the time of writing (February 2018), other tool vendors have indicated interest in the standard but have not implemented it.

It is of note that Jason Keogh, editor of the released 19770-3, works for 1E, and that John Tomeny (initial editor of 19770-3) worked for Sassafras Software.

ISO/IEC 19770-4: Resource Utilization Measurement

This document provides an International Standard for Resource Utilization Measurement (RUM). A RUM is a standardized structure containing usage information about the resources that are related to the use of an IT asset. A RUM will often be provided in an XML data file, but the same information may be accessible through other means depending on the platform and the IT asset/product.

This document contains information structures that are designed to align with the identification information defined in ISO/IEC 19770-2, and with the entitlement information defined in ISO/IEC 19770-3. When used together, these three types of information have the capability to significantly enhance and automate the processes of IT asset management.

This document supports the IT asset management processes defined in ISO/IEC 19770-1. This document also supports the other parts of the ISO/IEC 19770 series of standards that define information structures.

The RUM is specifically designed to be general-purpose and usable in a wide variety of situations. Like other information structures defined in the ISO/IEC 19770 series of standards, the consumer of a RUM may be an organization and/or a tool or other consumers. In contrast to the other information structures in the ISO/IEC 19770 series, the entity creating RUM data on a periodic basis will likely be an IT asset or an automation tool monitoring an IT asset.

The definition of a RUM will benefit all stakeholders involved in the creation, licensing, distribution, releasing, installation, and on-going management of IT assets. Key benefits associated with a RUM for three specific groups of stakeholders include:

IT asset users:

  1. RUM data will typically be generated and processed by IT assets and automation tools, within the consumer's enterprise boundary, for the purpose of IT asset compliance and optimization;
  2. RUM data is human readable and can provide improved visibility into resource utilization within IT assets, independent of vendor- or third-party-supplied tools;
  3. the ability to combine identification, entitlement, and resource utilization information to perform quantitative and authoritative IT asset management, for example to meet compliance requirements;
  4. a much-improved ability to perform IT asset management in support of green data center strategies, such as optimizing the use of power and air conditioning.

IT asset manufacturers:

  1. the ability to consistently and authoritatively generate resource utilization information for consumption by a central facility that is maintained by the creator, by one or more third-party tools, or by the IT asset users;
  2. the ability to support multiple instances and types of third-party tools with a single set of functionality within the IT asset;
  3. the ability to offer a service to track real-time IT asset usage in the field and, when combined with identification and entitlement information, to give advance warning as resource limits are approached;
  4. the ability to offer an alternative approach to asset utilization measurement, in place of traditional techniques that employ key-based or platform-restricted licenses.

Tool vendors:

  1. the ability to support multiple IT assets, and types of IT asset, without having to create and maintain unique instrumentation for each asset;
  2. the ability to more easily aggregate usage information across multiple instances of an asset;
  3. a much-improved ability to track resource utilization and IT assets in near real-time.
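The joint use of the three structures described in this and the preceding parts (identification from 19770-2, entitlements from 19770-3, utilization from 19770-4), including the advance warning as limits are approached, can be shown with the following added Python example. It is not code from the standards or from any tool vendor: the three record types, the metric names ("install", "concurrent_user"), the warning threshold and the sample data are assumptions constructed for the demonstration, and the real ENT and RUM schemas carry far more fields than these dataclasses.

```python
"""Reconcile identification (19770-2), entitlement (19770-3) and usage (19770-4).

Added example. The record shapes below are minimal forms assumed for the
demonstration; they are not the element names of the ENT or RUM schemas.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SwidRecord:
    """Identity fields read from an installed SWID tag, plus the reporting device."""
    tag_id: str
    name: str
    regid: str      # regid of the tagCreator Entity; namespaces the product name
    device: str


@dataclass(frozen=True)
class EntRecord:
    """One entitlement: how many units of `metric` the licensee may consume."""
    regid: str
    product: str
    metric: str     # constructed metric names: "install" or "concurrent_user"
    quantity: int


@dataclass(frozen=True)
class RumRecord:
    """One utilization measurement reported by an asset or a monitoring tool."""
    tag_id: str
    device: str
    metric: str
    value: int


def reconcile(swids, ents, rums, warn_ratio=0.8):
    """Return {(regid, product): {metric: {"entitled", "consumed", "status"}}}.

    "install" consumption is the number of distinct devices carrying a tag for
    the product; any other metric is the sum of the RUM values reported for it.
    Status is "over" past the entitlement, "warning" at warn_ratio of it,
    "unlicensed" when there is usage but no entitlement at all, else "ok".
    """
    entitled = defaultdict(int)
    for e in ents:
        entitled[(e.regid, e.product, e.metric)] += e.quantity

    # The tagId is the join key between identity and usage records.
    product_of_tag = {s.tag_id: (s.regid, s.name) for s in swids}
    devices = defaultdict(set)
    for s in swids:
        devices[(s.regid, s.name)].add(s.device)

    consumed = defaultdict(int)
    for key, devs in devices.items():
        consumed[key + ("install",)] = len(devs)
    for r in rums:
        product = product_of_tag.get(r.tag_id)
        if product is None:
            continue   # usage from software with no matching tag: nothing to join to
        consumed[product + (r.metric,)] += r.value

    report = defaultdict(dict)
    for regid, product, metric in set(entitled) | set(consumed):
        have = entitled.get((regid, product, metric), 0)
        used = consumed.get((regid, product, metric), 0)
        if have == 0:
            status = "unlicensed" if used > 0 else "ok"
        elif used > have:
            status = "over"
        elif used >= warn_ratio * have:
            status = "warning"
        else:
            status = "ok"
        report[(regid, product)][metric] = {
            "entitled": have, "consumed": used, "status": status}
    return dict(report)


def sample_report():
    """Constructed inventory: three installs of one product, one of another."""
    tag = "example.com-ExampleReportingTool-4.2.1"
    swids = [SwidRecord(tag, "Example Reporting Tool", "example.com", d)
             for d in ("dev1", "dev2", "dev3")]
    swids.append(SwidRecord("example.org-OtherEditor-1.0", "Other Editor",
                            "example.org", "dev1"))
    ents = [EntRecord("example.com", "Example Reporting Tool", "install", 3),
            EntRecord("example.com", "Example Reporting Tool", "concurrent_user", 10)]
    rums = [RumRecord(tag, "dev1", "concurrent_user", 5),
            RumRecord(tag, "dev2", "concurrent_user", 6)]
    return reconcile(swids, ents, rums)


if __name__ == "__main__":
    for product, metrics in sample_report().items():
        print(product, metrics)
```

On the constructed data the install count exactly reaches its entitlement (reported as a warning, since it is at the threshold), the concurrent-user measurements add up past theirs (reported as over), and the second product has installs but no entitlement record at all, which is the case an entitlement-only or inventory-only view would not catch.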

ISO/IEC 19770-5: overview and vocabulary

ISO/IEC 19770-5:2015 provides an overview of ITAM, which is the subject of the ISO/IEC 19770 family of standards, and defines related terms. [24] ISO/IEC 19770-5:2015 is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations).

ISO/IEC 19770-5:2015 contains:

  1. an overview of the ISO/IEC 19770 family of standards;
  2. an introduction to SAM;
  3. a brief description of the foundation principles and approaches on which SAM is based; and
  4. consistent terms and definitions for use throughout the ISO/IEC 19770 family of standards.

ISO/IEC 19770-8: Guidelines for mapping of industry practices to/from the ISO/IEC 19770 family of standards

ISO/IEC 19770-8 defines requirements, guidelines, formats and approaches for use when producing a mapping document that defines how industry practices map to/from the ISO/IEC 19770 series. The 19770-8:2020 edition is focused solely on mappings to/from either the second edition of ISO/IEC 19770-1, published in 2012, or the third edition of ISO/IEC 19770-1, published in 2017. [25]

There are currently three mappings publicly available using the 19770-8:2020 standard: [26]


References

  1. ISO/IEC 19770
  2. "Ron Brill". linkedin.com. Retrieved 18 March 2018.
  3. "Trent Allgood". linkedin.com. Retrieved 8 July 2019.
  4. "ISO MSS Standards". ISO.org. Retrieved 8 July 2019.
  5. ISO/IEC 19770-2:2009(en)
  6. "ISO/IEC 19770-2:2015 - Information technology -- Software asset management -- Part 2: Software identification tag". www.iso.org. Retrieved 18 March 2018.
  7. "Steve Klos". linkedin.com. Retrieved 18 March 2018.
  8. "Home - TagVault.org". www.tagvault.org. Retrieved 18 March 2018.
  9. "IEEE-ISTO". IEEE Industry Standards and Technology Organization. Retrieved 18 March 2018.
  10. see
  11. "Control. Optimize. Grow". www.microsoft.com. Retrieved 18 March 2018.
  12. A copy of that presentation is available here. Archived 2015-04-02 at the Wayback Machine.
  13. TNC SWID Messages and Attributes for IF-M Specification
  14. "NCCoE" (PDF). nccoe.nist.gov. Retrieved 18 March 2018.
  15. "information describing the NIST Security Automation Program" (PDF). nist.gov. Archived from the original (PDF) on 22 December 2016. Retrieved 18 March 2018.
  16. "ISO/IEC 19770-1:2012 - Information technology -- Software asset management -- Part 1: Processes and tiered assessment of conformance". www.iso.org. Retrieved 18 March 2018.
  17. "ISO/IEC 19770-2:2009 - Information technology -- Software asset management -- Part 2: Software identification tag". www.iso.org. Retrieved 18 March 2018.
  18. "Web site from the working group developing the 19770-3 standard". Archived from the original on 2009-01-05. Retrieved 2008-09-16.
  19. "John Tomeny". linkedin.com. Retrieved 18 March 2018.
  20. "Krzysztof Bączkiewicz". Archived from the original on 2007-11-16.
  21. "W21N0805 (revision 2): Terms of Reference for ISO/IEC 19770-3 Software Entitlement Tag Other Working Group" (PDF). Archived from the original (PDF) on 2011-07-16. Retrieved 2008-09-16.
  22. https://www.linkedin.com/in/keoghj/ [self-published source]
  23. "ISO/IEC 19770-3:2016". International Organization for Standardization . Archived from the original on 16 February 2018. Retrieved 14 June 2018. ISO/IEC 19770-3:2016 establishes a set of terms and definitions which may be used when discussing software entitlements (an important part of software licenses). It also provides specifications for a transport format which enables the digital encapsulation of software entitlements, including associated metrics and their management.
  24. International Organization for Standardization (29 September 2006). "ISO - International Organization for Standardization". standards.iso.org. Retrieved 18 March 2018.
  25. ITAM Standards (16 April 2012). "ITAM Standards". itamstandards.org. Retrieved 16 April 2020.
  26. International Organization for Standardization (29 September 2006). "ISO - International Organization for Standardization". standards.iso.org. Retrieved 16 April 2020.