
Host: Kris Johnson, Anglepoint Chief Product Officer

Speaker: Ron Brill, Chair of ISO ITAM Standards WG21, ITAM Forum Vice-Chair, Anglepoint President & Chairman

In this episode of the ITAM Executive, Anglepoint CPO Kris Johnson is joined by Ron Brill, President and Chairman of Anglepoint and convener of WG21 for ISO/IEC, to discuss the anticipated 2024 update to ISO 19770-1, shedding light on the significant changes and advancements in the standard.

The conversation delves into the key advancements expected in the 2024 release, including the alignment with FinOps methodology, the addition of numerous process areas for enhanced granularity, and the incorporation of sustainability as a separate process area. Ron and Kris also discuss the management system incorporated in ISO/IEC 19770-1, emphasizing its reliance on the PDCA cycle for continuous improvement.

Ron touches upon the clarity improvements and feedback-driven streamlining incorporated into the standard. Moreover, he outlines the timeline for the release, with the first ballot anticipated in Q1 2024, paving the way for potential publication by the end of 2024. Overall, the episode provides a comprehensive and accessible exploration of ISO/IEC 19770-1’s evolution, ensuring listeners are well-informed about the upcoming changes impacting IT Asset Management and the standard’s continuous commitment to industry relevance and improvement.

By listening to this episode of The ITAM Executive, you will learn about:

  • The proposed changes to the ISO/IEC 19770-1 in the 2024 update, including new process areas for enhanced granularity
  • How organizations can implement and benefit from the Plan, Do, Check, Act management system for continuous improvement
  • The process WG21 uses to make decisions and changes to the standard
  • How listeners can get involved with ISO/IEC 19770-1 and WG21
  • And more

 

Episode Transcript

Ron Brill:

So, we’ve decided to just adopt the FinOps terminology to make it easier for organizations that are planning to execute FinOps and ITAM together. Gartner predicted that I believe it was by 2025 or 2026, over 50 percent of organizations will have converged their ITAM and FinOps functions. And we’re certainly seeing that kind of trend. Having one standard that’s aligned with both methodologies would I believe go a long way to doing that.

Kris Johnson:

Welcome to another episode of the ITAM Executive. I’m Kris Johnson, Chief Product Officer at Anglepoint. With me is someone who needs little introduction in the ITAM industry, Ron Brill not only President and Chairman of Anglepoint, but convener of WG21 that writes the 19770 family of standards within ISO/IEC. Ron is also the vice chair of the ITAM Forum as well as the co-lead for the FinOps Foundation Special Interest Group for FinOps and ITAM.

Have I got those right, Ron? Yeah, you got those right. All right. Great to be here. I thought we’d spend some time today talking about something that you and I have worked very heavily on and that was just presented by you, Ron, to the interim WG21 meeting hosted here at Anglepoint in Lindon, Utah. And that is the 2024 update to 19770-1. And there’s a lot of new evolutions to the standard. We’ve certainly seen a lot of evolution since its first iteration many years ago that we both worked on and many others, of course.

And one of the fundamental changes that we saw in the last update was an evolution from a SAM standard to an ITAM standard, but also the adoption of the ISO construct of a management system, which exists in many other ISO standards now formally adopted into dash one, and now updated in the 2024 edition which will come out for initial ballot within WG21 here fairly shortly.

But I thought we’d spend some time talking about the management system because the management system is an ISO construct and how it’s written is an ISO speak. It’s a little bit of an esoteric language, if you will, that certain words have operative meanings that aren’t necessarily obvious to a casual reader of the ISO standard.

And to really understand it, you really have to understand how the management system works, which is becoming more and more relevant now that we have certification authority against the ISO standard and organizations that may have some desire to certify against the standard that you have to know what the management system is and how it works and what it means.

Ron, maybe you can start by giving our listeners an introduction to the management system.

Ron Brill:

Sure. Of course. So, management system standards or MSS for short is a concept that ISO has adopted a number of years ago and that they use across a wide range of standard types.

It’s based on the Deming cycle of continuous improvement: plan, do, check, act or PDCA. Deming was an industrial engineer, I believe, who in the middle of the last century, he helped the Japanese economy a lot after the second world war. And people who are familiar with concepts like Six Sigma and so forth are very familiar with that concept and plan, do, check, act.

It’s really about how do you continuously improve anything any kind of structure or set of processes and so forth. And the reason why ISO started moving to management system standards that use the PDCA concept is because the alternative, what is the alternative to that?

The alternative would be to have standards that are very prescriptive. So, if ITAM was not a management system standard then the ITAM standard would’ve had to specify, very specifically, what organizations do or not to and for example, you shall reconcile your Oracle licenses once a quarter or whatever.

And there are two problems with that. One problem is that each organization is different, right? So, you can’t really have a one size fits all what’s right for one organization may be insufficient for another. And it would be an overkill for a third organization that’s much smaller, right? So, you can’t really do that.

And then it also does not allow for change, continuous improvement, right? So, if there’s a new technology that comes out tomorrow that represents new risks if you’re set to be compliant with the rigid standard, then you’re not going to be able to respond to it as much as you can. It’s a good analogy is the saying, give a man a fish, you feed him for a day, teach a man how to fish, you feed him for a life.

So, it’s based on a similar structure where instead of being prescriptive, to an organization, tell them exactly what they need to do. We’re telling them how to think about what they need to do, how to arrive at their own conclusions of what they need to do, and then how to make sure that they actually do it in a way that is verifiable, and that they check that it’s operating as expected, that they correct if it’s not operating as expected, and so forth.

So, in the PDCA cycle you have four phases. In the plan phase you would essentially understand the context of the organization, the objectives of the organization, who the stakeholders are, what their requirements are. You can conduct a risk assessment. And then based on that whole thing, you will understand what your scope is.

Scope as far as what assets should be in scope for the ITAM management program, not just types of assets, but like what business units, divisions, locations and so forth. And then you also decide what processes need to be in scope. And again, that scope of the assets and the processes is really based on your risk assessment on the requirements of your stakeholders and the needs of your organization.

And so, you do that in the plan phase. Again, it’s very tailored to the organization. And then the next phase is the do phase. Where you essentially execute the processes. And the third stage is the check – you’re checking that the processes are operating as you expected, essentially, you’re doing monitoring, you’re doing auditing and so forth.

And then finally, the act phase is where you take steps to correct any deviations or nonconformity that you’ve identified in the check phase, right? If there’s an issue, you fix it and then you go back, you go right back to planning, right? It’s a continuous improvement cycle. You’re never really done, right?

And the next time you do the risk assessment, you may conclude that you need to add certain types of assets to your scope, or you need to add a process or remove a process that’s not relevant or modify an objective for one of your processes, right? So, it’s a continuous improvement cycle.

And the idea is that you go through that cycle with each iteration of that cycle, you get a little bit better, a little bit better, a little bit better. You’re spiraling towards continuous improvement. And that’s the concept of a management system. And again, I believe it’s much better because you’re not prescribing what you can do for ITAM. You’re teaching them how to think through that and how to execute on that. And the content is going to be different for each organization.

There are many ISO standards that follow that structure. Like 27000-1 for information security, 20000-1 for service management, 9000-1 for quality management, 14000-1 for environmental management system.

And there’s many of them. And the nice thing about it is, if you understand how one of them is structured, you understand all of them because it’s all the same that I’ve mentioned and many others the sections are exactly the same.

So, sections four through seven, or it was going to be the plan. Section eight, so, it’s going to be to do. Section nine, there’s always been in the check. Section 10 is always going to be the act. So, if you know how to read one of them, you can read all of them. And so that’s one advantage. The other advantage is that they’re meant to be jointly implemented. So, you can have one management system that addresses the needs of multiple standards. And in fact, when the current version of Dash 1 was written, the use case that was anticipated is a joint implementation with 27000-1 for information security.

Kris Johnson:

Yeah. I remember when I first understood this concept of a management system and how it works, it really resonated with me because it’s been probably over 10 years now.

I remember speaking at a conference on, at that time, it was an early version of the definition of software asset management, according to an early version of ITIL. And it was something to the effect of all the people, process, and technology necessary to manage all assets through all phases of their life cycle.

And on the surface of it, it sounds all fine and good, but when you really think about it nobody, under that definition, is doing software asset management because no one is doing all the people, process, and technology necessary to manage all software assets through all stages of their life cycle. And they probably shouldn’t, right?

Because that’s such a high bar. It’s very prescriptive. Like you said that there’s a point of diminishing marginal returns, right? Where an organization needs to decide what is important for them. To manage which assets and which stages of the life cycle and which processes and which parts are relevant for them and the management system gives that flexibility.

Where you align it to your organizational objectives, as you mentioned, to your stakeholder objectives, define what’s important for you, the processes that you have in scope. It provides a framework for you to select processes from, to have on your radar but isn’t overly prescriptive that to do IT asset management, you have to do these things, right? It’s more create a system that prioritizes effective management of the things that your organization values, and then put that in a system of incremental improvement to make sure that it’s functioning.

Ron Brill:

Yeah, absolutely. Organizations can find a lot of value in the standard, even if they’re not going for certification. Just because it’s a really good structure and it’s a framework that’s proven itself, many times over across many different disciplines to be highly effective.

But if you are going through a certification process, then, what the auditor would look for is to see evidence that you’ve actually gone through the process to plan, do, check, act, right? So, they’ll want to see your risk assessment. They’ll want to see what the conclusions from my risk assessment is.

They want to see that those conclusions and that risk assessment was signed off by management. They want to see how you’ve defined your scope and that it matches the risk assessment that’s in line with it. They want to see that you’ve selected the right processes. Based on that, and they don’t want to see if you’re executing them, that you’re checking that they’re operating.

So, show me how you’re checking that they’re operating effectively and so forth. Again, they don’t, they won’t care about what the content is, whether you’ve decided that whatever publisher XYZ should be in scope or not. They don’t care about that, but they will care is that you have a process to determine that.

And that you’ve actually followed your own process.

Kris Johnson:

Not focusing on what you’re choosing to manage, but focusing on do you have a system and a process to effectively manage what you choose to manage?

Ron Brill:

Yes. Yes. That’s a good way to describe it.

Kris Johnson:

What can our listeners anticipate with the 2024 release, what advancements are coming to the ISO standard?

Ron Brill:

Yeah, there’s a number of exciting changes that we’re working on that we just discussed with the committee. One of them is we’re aligning the IT asset management standard with FinOps, with the FinOps methodology. For those of you who remember the current version of the standard, the 2017 version, it had three tiers – trustworthy data, lifecycle integration, and optimization.

And for those of FinOps methodology, that one has three phases as well, but they’re worded a little differently, right? It’s inform, optimize, and operate. And you can see that they’re similar, right? So, inform is like trustworthy data. Operate is like lifecycle integration. And optimization is like optimize, right?

So, it’s similar, but they’re using different terminologies and so forth. So, we’ve decided to just adopt the FinOps terminology to make it easier for organizations that are planning to execute FinOps and ITAM together. Gartner predicted that, I believe it was by 2025 or 2026, over 50 percent of organizations will have converged their ITAM and FinOps functions.

And we’re certainly seeing that kind of trend. And so having one standard that’s aligned with both methodologies would I believe go a long way to doing that. So that’s one change that we’ve done.

Other changes are for example, we are adding a lot of process areas. And the way it works, it’s in an annex that the organization can, based on the risk assessment, choose from. But the list is much, much longer. So, we went up from 15 process areas in the current version to nearly 30 in the 2024 version. And we’ve been able to add a lot more granularity for things that ITAM and FinOps functions do every day which we believe will really help a lot to get a better tailor fit to what organizations actually need to implement.

Yeah. And one other example is that we were able to add things like sustainability. So, because we’re this process is a process area. So, for the first time again, that’s a very hot topic within IT Asset Management and FinOps nowadays, and we are adding. This is its own separate process area.

Yeah, we also streamline the standard a bit more. There are some observations and feedback that we’ve received from the first organizations that went through certification. So, we actually received feedback from the auditing firm that has done these audits and certified those organizations say this here is not very clear, or can you clarify that? Or this and this looks duplicate. Can you clarify if they are in fact duplicate or not?

So, we got some good feedback just by organizations going through the certification that we have incorporated into this new version.

So, I’m really excited about this new version being much better aligned to support the future trends we’re seeing in the industry.

Kris Johnson:

Something else that I think is worth mentioning from a standard standpoint is the inclusion of cloud resources as an IT asset, which again further creates alignment with the FinOps methodology. So, I think this is a great if we look at the first iteration of the standard going back many years, right?

Starting with software asset management, then under your leadership. It grew to include IT asset management and now has grown again and aligned to ISO 27000 like you mentioned, and that was grown to include cloud resources as an IT asset management to almost be more technology asset management more broadly.

So, I think that it’s a great evolution of the standard that it’s evolving with the industry and not staying stagnant and living in obscurity. I think it helps take it out of obscurity to align it to 27000 to align it to the financial methodology and so forth.

Ron Brill:

Yeah, absolutely. The current version that was 2017 actually does include cloud assets. However, I know that hasn’t been very clear to a lot of people. And certainly the 2024 version is more specific about the IT assets can really be any technology that either paid for by your organization or deployed by the organization or used for their organization. And it doesn’t matter if it’s on prem or off prem or in the cloud, it doesn’t matter if it’s licensable or not. CapEx or OpEx. None of these things really matter. Operational or informational. Exactly. None of these things really matter. All these things are all IT assets that need to be managed. And so, we clarified that a bit. But it was already in the intention of the current 2017 version. It just wasn’t perhaps very clear for some people.

Kris Johnson:

Yeah.

When do we anticipate the standard being available for public review for the second ballot?

Ron Brill:

So, we’re finalizing the draft within the committee. Then it goes to a first ballot. So, it goes to all the ISO member countries to vote on. We take their feedback. And then we do a second ballot and that’s the process that sometimes in some cases, depending on the results of the second ballot, we may need to go to the third ballot a lot it really depends on how the voting goes.

I believe the first ballot should be ready within I would say Q1 2024, the second ballot, maybe six months after that, we’re going to try to do what we can to accelerate it, but it’s not always possible in the ISO universe.

Kris Johnson:

Yeah, I mean, you’ve presented your first draft at this interim WG21 meeting and you’re mid-November 2023.

I think that just speaks to kind of the time that it takes to go through the proper approvals and gain consensus within the industry. So hopefully we can get it into publication by the end of 2024.

Ron Brill:

Yeah, that’s our goal. It’s doable.

Kris Johnson:

But that’s having submitted it a year in advance.

Ron Brill:

Yeah, that’s right. Yeah, ISO definitely they operate in certain ways. There are a lot of standards for writing standards. There it’s a country membership organization. So, all countries need to vote on it. And then they need to be able to have time to disseminate drafts to their members and receive the drafts in time and so forth.

So, each round of ballots takes months, right? And I want to give everyone a chance to review and write comments and then either needs to get the results and aggregate them and so forth. Yeah, those things take time.

Kris Johnson:

If one of our listeners is interested in participating in that ballot process and even in that first ballot process as a member of WG 21, what do they need to do?

Ron Brill:

Yeah. Anyone who has an interest to join WG 21 feel free to just reach out to me. And I will point them to the right place. Essentially, the way it works, only countries can nominate delegates to participate in ISO committees. The person will need to be nominated as a delegate by the country where they live and work.

Not necessarily the country where they have citizenship, but it’s really where they live and work. I can point the person to the National Standards Body in that country and provide the contact information and they can work from there. Different countries have different processes for accepting delegates and so forth.

So sometimes some of them require a membership within the local national standards body. Some of them don’t so it really varies, but if you have an interest to be part of this work of creating standards for the industry that’s absolutely great. We’re always looking for more people, more perspectives, just reach out to me and I’ll connect you with the right people so you can find out what that means for you.

Kris Johnson:

Sounds good. Thank you Ron for taking this time. And hopefully this has been beneficial to our listeners and lots of good things on their way from a development standpoint and evolving the standard and continuing to make it relevant within an ever evolving industry. Thank you.

Ron Brill:

Thanks, Kris.

 
