The ISO/IEC 19770 series is an international set of standards for Software Asset Management (SAM), providing a framework for the processes of managing, monitoring, controlling and optimising software assets. Its relationship with other ISO and IEC standards concerns how software assets are managed within the broader framework of information technology (IT) management, security, quality management and licensing. The first version was published in 2006 and the latest revisions were made in 2017 and 2024.
In general, its structure focuses on 15 process areas and recommends a three-level implementation approach. It supports legal compliance in software licence management, reduces IT risk and cost, improves security, and can be applied to all types of IT assets and to organisations of all types and sizes, including those relying on cloud-based technologies. The three levels are:
- Level 1: Trusted Data Management
- Level 2: Life Cycle Integration
- Level 3: Optimisation
With updates in 2024, the ISO/IEC 19770-1 standard focuses on new requirements related to climate change. Important changes in energy efficiency, equipment management and environmental compliance are as follows:
- Energy Efficiency: Climate change makes it imperative to improve the energy efficiency of IT equipment and data centres. This necessitates a shift towards more environmentally friendly and low energy consumption technologies.
- Hardware Selection and Management: Eco-friendly and sustainable hardware options help organisations reduce their environmental impact. This plays an important role in the lifecycle of IT assets.
- Compliance and Reporting: To comply with climate-related environmental legislation, IT asset management systems need accurate data and reporting. This requires creating environmental impact reports and management strategies.
The standard is generally based on the principle of continuous improvement (Plan, Do, Check, Act – the PDCA cycle) used in ISO management system standards and is compatible with many of them.
1) ISO/IEC 20000 – Information Technology Service Management
ISO/IEC 20000 is a standard that defines and improves information technology service management. This standard specifies requirements for the effective delivery of services, and software assets are an important part of these services. ISO/IEC 19770 addresses software asset management and works with ISO/IEC 20000 to integrate software assets into service management processes.
2) ISO/IEC 27001 – Information Security Management System
ISO/IEC 27001 is a standard that enables an organisation to establish an information security management system. Software asset management is critical to security because proper licensing, updating and monitoring of software is an important part of preventing security vulnerabilities.
ISO/IEC 19770 can be integrated with information security management to securely manage and audit software. Untracked software assets, security vulnerabilities and licence incompatibilities are important risks that need to be addressed in information security management processes.
3) ISO 9001 – Quality Management System
ISO 9001 is a standard for organisations to establish a quality management system. This standard helps organisations to improve the quality of their products and services. Because software assets are part of these quality processes, correct and compliant software management directly affects quality.
ISO/IEC 19770 improves the quality of software by properly managing and monitoring software assets. This contributes to improving the quality of products and services.
4) ISO/IEC 12207 – Software Life Cycle Processes
ISO/IEC 12207 specifies life cycle management for software development and maintenance processes. The management of software assets is critical in the design, development, testing and maintenance phases of software.
Software asset management in software development and maintenance processes: ISO/IEC 19770 tracks licences, versions and the asset inventory throughout the entire life cycle of software. This is essential for the compliance and management of software across its lifecycle.
5) ISO/IEC 27018 – Privacy of Personal Data in Cloud Computing
ISO/IEC 27018 provides guidance for protecting the privacy of personal data in cloud computing services. Software assets and their use in a cloud environment must comply with these privacy standards.
ISO/IEC 19770 audits the licence compliance and security of software used in cloud environments, while ISO/IEC 27018 can fulfil a critical function to ensure the protection of personal data in cloud computing assets.
5) ISO 31000 – Risk Management
ISO 31000 is a general risk management standard for organisations. Software assets can represent a significant area of risk for organisations, as software licences can give rise to risks of incompatibilities or vulnerabilities.
ISO/IEC 19770 helps to minimise these risks by organising the management of software assets. This is particularly important for managing potential risks such as software incompatibilities and licence violations.
The ISO/IEC 19770 series enables effective management of software assets, improving efficiency and security within a broader framework that covers organisations’ information technology processes, security, quality management and licence compliance. These relationships with other ISO and IEC standards form an important building block for organisations to ensure both internal and external compliance by structuring software asset management practices on a more solid foundation.
For more detailed information, training and certification services, please contact us at sales@cfecert.co.uk.