CMM and ISO The ISO 9000 standards developed by the International Standards Organization are both concerned with quality and process management. The specific ISO standard of concern to software organizations is ISO 9001. Questions frequently asked are: • At what CMM level is an ISO compliant organiza-tion? • Can a Level 2 or (3) organization be considered ISO compliant? • Should SPI be based on CMM or ISO?ISO Series - 1 The ISO series of standards is a set of documents dealing with quality systems that can be used for external quality assurance purposes. They specify quality system requirements for use where a contract between two parties requires the demonstration of the supplier’s capability to design and supply a product. The two parties could be an external client and a sup-plier, or they could both be internal.ISO Series - 2 ISO 9000 is a guideline that clarifies the distinctions and interrelationships between quality concepts and provides guidelines for the selection and use of a series of international standards on quality systems that can be used for internal quality management pur-poses (ISO 9004) and for external quality purposes (ISO 9001, 9002, and 9003).ISO Series - 3 The quality concepts addressed by these standards are: • An organization should achieve and sustain the qual-ity of the product or service produced to continually meet the purchaser’s stated or implied needs • An organization should provide confidence to its own management that the intended quality is achieved • An organization should provide confidence to the purchaser that the intended quality is being achieved in the delivered product or service providedSoftware and ISO 9001 ISO 9001, “Quality systems-Model for quality assur-ance in desig.development, production, installation, and servicing,” is the ISO standard that applies to software development and maintenance. There is a guideline, ISO 9000-3, for applying ISO 9001 to soft-ware processes. A British guide [TickIT] for 9001 provides additional guidelines on using ISO9000-3 and 9001 in the software area.Mapping ISO 9001 to the CMM - 1 Here, twenty clauses of ISO 9001 are mapped to practices of CMM 1. Clause 4.1 - Management responsibility Addressed primarily by SQA and partly by SPP and SPTO (Level 2) 2. Clause 4.2 - Quality system Addressed primarily by SQA and SPP (Level 2)Mapping ISO 9001 to the CMM - 2 Clause 4.3 - Contract review Addressed primarily by RM and SPP (Level 2) Clause 4.4 - Design control Addressed primarily by SPE, SPP, SPTO, and PR (Levels 2 and 3) Clause 4.5 - Documentation and data control Addressed primarily by SCM (Level 2)Mapping ISO 9001 to the CMM - 3 Clause 4.6 - Purchasing Addressed by SSM (Level 2) Clause 4.7 - Control of customer-supplied product Addressed weakly by ISM (Level 3). CMM change request written Clause 4.8 - Product identification and traceability Addressed primarily by SCM and by SPE (Levels 2 and 3)Mapping ISO 9001 to the CMM - 4 Clause 4.9 - Process control Addressed by SPP, SPE, and SQA (Levels 2 and 3) Clause 4.10 - Inspection and testing Addresses by SPE and in PR (Level 3) Clause 4.11 - Control of Inspection, Measuring, and Test Equipment Addressed by SPE (Level 3)Mapping ISO 9001 to the CMM - 5 Clause 4.12 - Inspection and test status Addressed by SPE and SCM (Levels 2 and 3) Clause 4.13 - Control of nonconforming product Addressed by SPE and SCM (Levels 2 and 3) Clause 4.14 - Corrective and preventive actions Addressed by SCM and SQA (Level 2)Mapping ISO 9001 to the CMM - 6 Clause 4.15 - Handling storage, packaging, and pres-ervation delivery Addressed partly by SCM, but actual delivery and installation not covered in present CMM (CMM change request written) (Level 2) Clause 4.16 - Control of quality records Addressed by SPE, SCM, and PR (Levels 2 and 3)Mapping ISO 9001 to the CMM - 7 Clause 4.17 - Internal quality audits Addressed by SQA (Level 2) Clause 4.18 - Training Addressed by TP (Level 3) Clause 4.19 - Servicing Not really addressed by CMM since maintenance is not a separate issue in CMM. Will be addressed in next version of CMMMapping ISO 9001 to the CMM - 8 Clause 4.20 - Statistical techniques Practices described throughout CMM. Perhaps spe-cifically addressed by OPD, QPM, and SQM (Lev-els 3 and 4)Contrasting ISO 9001 and CMM - 1 Some issues in ISO 9001 are not covered in CMM, and vice versa. The levels of detail differ. Chapter 4 in ISO 9001 is 5 pages long, sections 5, 6, and 7 in ISO 9000-3 comprise 11 pages; CMM is over 500 pages long. The ISO 9001 clauses with no strong relationship to CMM KPAs are control of customer-supplied prod-ucts and handling, packaging, preservation and deliv-eryContrasting ISO 9001 and CMM - 2 The clause in ISO 9001 that is addresses in CMM in a completely distributed fashion is servicing. There is significant debate about the exact relationships to CMM for corrective and preventive action and statis-tical techniques. The biggest difference is the emphasis in CMM on continuous process improvement. ISO only addresses minimum criteria for an acceptable quality system.Contrasting ISO 9001 and CMM - 3 CMM focuses strictly on software, while ISO 9001 has includes hardware, software, processed materials, and services. For both CMM and ISO 9001, the bottom line is “Say what you do; do what you say.”Contrasting ISO 9001 and CMM - 4 Every Level 2 KPA is strongly related to ISO 9001 Every KPA is at least weakly related to ISO 9001 A CMM Level-1 organization can be ISO 9001 certi-fied; that organization would have significant Level-2 process strengths and noticeable Level-3 strengths.Contrasting ISO 9001 and CMM - 5 Given a reasonable implementation of the software process, a ISO 9001 certified organization should be at least close to CMM Level-2. Can a CMM Level-3 organization be considered ISO 9001 compliant? Even a Level-3 organization would need to ensure that delivery and installation are addressed, but even a Level-2 organization would have comparatively little difficulty in obtaining ISO 9001 certification.How ISO 9001 Fits into the Software World (F. Coallier, IEEE Software, Janu-ary 1994) ISO 9001 has a strong emphasis on traditional manu-facturing quality control. It assumes products are pur-chased in a formal, contractual environment with detailed specifications that are correct. Such an envi-ronment is not the case for consumer or mass-market