Watch this Webinar Today!
Join Ron Brill, President of Anglepoint, as he dives into:
1- Why ITAM Standards
2- ISO & ITAM Standards Development
3- Overview of ITAM Standards
4- Leveraging ISO 19770-1 for SAM success
Alex Benson: Welcome, everyone. We’re going to go ahead and get started. Thanks for joining us today. I’m your host, Alex Benson, and I’m excited to welcome you. We’re grateful to Ron Brill, who is presenting today’s webinar. Before we get started, we have a few announcements we want to go over. This webinar is being recorded, and it will be shared in the follow-up email that will go out in the next couple of days. We also want to encourage participation, so if you have questions, please drop those in the Q&A option at the bottom of your screen, and Ron will get to those during the Q&A portion of the webinar at the end.
That’s it for me. I will hand it over to Ron to get started. Thank you.
Ron Brill: Great, thank you, Alex, and welcome everyone to our webinar about Achieving SAM Success with ISO ITAM Standards. By way of brief introduction, this is Ron Brill, and I’m the president of Anglepoint. And outside of Anglepoint, I chair the ISO Committee for IT Asset Management Standards, also known as Working Group 21.
This is the working group that owns the 19770 family of standards. I’m also vice chair of the ITAM Forum, which is a global nonprofit based in London working to promote ITAM education and organizational certification.
So, before we dive in, I’d like to briefly introduce Anglepoint as well. Anglepoint is the global leader in IT asset management and software asset management services. We have one global team of over 125 professionals in seven countries. And we specialize in over 60 software publishers, as well as the leading SAM tools.
Many of our team members have experience as former software auditors or have otherwise previously worked at the software publishers in which they now specialize. We utilize a unique platform called Elevate, which complements our client’s SAM tools and facilitates the project management data gathering and data analytics aspects of the work which SAM tools typically cannot address.
Also, as you might expect from my ISO role, Anglepoint’s SAM methodology is fully aligned with the ISO ITAM standards. Anglepoint serves hundreds of enterprise clients globally, including about 20% of the Fortune 100.
A couple of months ago, Gartner released their inaugural Magic Quadrant report on SAM managed service providers. For Gartner to have initiated this level of coverage is in itself an indication of the significant growth of the SAM managed services industry over the last few years and of the trends that Gartner is seeing from their customers.
Gartner went through a rigorous process that included a review of methodologies and deliverables, review of financials, and detailed customer surveys. Only 11 firms met the minimal inclusion criteria related to scope of services provided, revenue, publishers covered, and geographical reach, amongst others.
Magic Quadrant reports measure the firms across two dimensions, ability to execute, and completeness of vision. Under each dimension, there are multiple different criteria that are then weighted to determine the overall score. The methodology is detailed in the report itself. The chart shown here is taken from the actual Gartner report, and as you can see, it’s divided into four quadrants.
Niche players, visionaries, challengers, and leaders. We are extremely proud to see Anglepoint place quite favorably within the Leaders quadrant. Anglepoint has secured reprint rights from Gartner to the full report, and we’re happy to make it available for download for anyone who wants it. Alex, could you please let everyone know where they can get it?
Alex Benson: Yes. Thanks, Ron. So, I just dropped a link to that report in the chat box. You should see that on your screen. If you go to that link and just fill in the information, you’ll be able to download that report for free and then to be able to read that. So, thank you.
Ron Brill: Great. Thanks, Alex. All right. Today we will go over why ITAM standards exist and what purpose they fulfill. We’ll address how these standards are developed and what ITAM standards are currently available. We will then dive a bit deeper into Dash 1, which is the main ITAM standard, and this is where we will spend most of our time: what the standard is about, where it fits, and how to leverage it.
So why have ITAM standards? There are several good reasons for ITAM standards to exist. ITAM essentially does not operate in a silo and has interactions with many other functions within the organization, from information security to finance and legal. All ISO standards are designed with interoperability in mind. This is a big part of what ISO is about. That’s certainly the case where these other domains follow ISO standards, but also when they do not. Interoperability is about minimizing duplication of efforts, minimizing risks, and maximizing benefits by ensuring that one process or system produces whatever another process or system requires, whenever it requires it. ITAM standards provide the common language and terminology which facilitates communication and knowledge sharing within the ITAM ecosystem, whether between ITAM and other functions within the same organization, or among ITAM practitioners in different countries or different companies,
as well as among software publishers, SAM tool vendors, consultants, and end user organizations. External certification means that a reputable independent third party has determined that an organization is complying with an ISO standard. The availability of external certification for ITAM is still a work in progress, as we’ll discuss. However, in principle, external certifications allow you to demonstrate to other parties, such as software publishers, customers, business partners, or regulatory bodies and regulators, that you have achieved the highest level of recognition for your SAM or ITAM program.
This can help satisfy legal requirements, help obtain better commercial terms, and allow your organization to participate in bids that stipulate this as a requirement. And in the case of, say, a security breach and resulting lawsuits, it allows your organization to demonstrate that you have taken IT governance seriously, hopefully helping to reduce any fines and penalties.
Benchmarking data is incredibly useful to assess where you are as compared to your peer group in industry. Are you doing the same things, and are you getting the same results? This can be done effectively only when you are comparing apples to apples, meaning comparing different organizations that follow the same standard. And then finally, management assurance is about the executives at your organization, who typically are not experts in SAM, to say it kindly, getting comfortable that the organization is doing the right things around SAM,
in line with industry best practices. Meaning that the organization is not just implementing Joe the ITAM manager’s idea of what SAM should be about, but following recognized industry best practices for SAM.
So, let’s spend a minute on how international standards are developed and where they come from. There is only one global standards organization in the world, and that is ISO. It was established after the Second World War and is headquartered in Geneva, Switzerland. Only countries can be members of ISO.
It has about 165 member countries now who all agreed not only to participate in the development of the work, but also to adopt the standards. Each country appoints one national standards body to be its representative for ISO. In the U. S., that national standards body is ANSI, the American National Standards Institute.
In the UK, that is BSI, the British Standards Institute, and so on. National bodies then appoint or delegate experts to participate in the various committees. All experts are volunteers, and they are the ones who write the standards. Standards normally need to be refreshed once every five years, and that is ISO’s way of ensuring committees keep their standards current.
Given that it takes about two years from start to finish to develop a standard, it means that about three years after a standard is published, we need to start working on its next edition. Committees where standards are being developed are called working groups in internal ISO terminology.
Each such committee has a chair, or a convener in ISO terminology, who is elected by vote of the member countries for a three-year term. Within each working group there could be multiple work streams for the different projects under development or for different study groups. And while committee members come from different countries and different organizations and different backgrounds, they all operate
purely as experts, not representing any country or employer. This is very important. There is also no voting within the committee, and all decisions are reached by consensus. ISO, for its part, conducts global ballots at key stages of the development lifecycle, where countries get to vote and provide comments on the work that’s done within committees.
The ITAM Standards Committee within ISO, also known as Working Group 21 or WG 21 for short, was established around 2004 and now has over 175 members from over 25 countries. We also have several liaison organizations who participate in the work of the committee. Our members represent the cross section of the ITAM ecosystem.
We have representatives from end user organizations, software publishers, SAM tool vendors, consulting firms, analysts and media firms, audit firms, industry bodies, and others. And on the screen here, you can see our committee logo for 19770. At this point in time, there are six published ITAM standards, which can be divided into three groups. Management system standards address mostly the end user perspective of SAM and are probably less relevant to non-end user organizations. This group includes our flagship standard, 19770-1, or simply Dash 1 for short.
The first edition of this standard was published in 2006, and it was the first standard of this committee. We’re now on its third edition, published in 2017. We’ll discuss the standard a bit more shortly. Dash 8 provides a mapping framework between Dash 1 and other standards and governance frameworks.
It was published earlier this year, and we hope to see organizations who own such other frameworks pick up the mapping task using the Dash 8 template. Information structure standards provide a schema for storing and exchanging ITAM related information. This should allow for a more efficient and effective way to exchange information within the ITAM ecosystem between software publishers, tool vendors, and end users.
We have Dash 2 for software identification tags, or SWID tags, now on its second edition, Dash 3 for entitlement schema, and Dash 4 for resource utilization measurement. Now, the nature of these standards, essentially XML schemas, is that they may appear to be of more immediate interest to software publishers and tool vendors only.
But there are creative ways that end user organizations can utilize these information structure standards as well, and end users certainly need to be aware of them. One example for this is Dash 2 here, for SWID tags: it has been adopted or mandated by parts of the U. S. federal government, and for information security reasons.
SWID tags allow for a tag to be digitally signed by the software publisher, and this in turn allows the organization to ensure software is genuine and has not been tampered with. We also have our overview and vocabulary standard, Dash 5, which is our only free standard. The committee currently is working on updates to three of the standards that you see here.
And in addition, we also have initiated work on six brand new standards and technical reports that I would really love to tell you about, but we won’t have time to discuss today. All standards are available for purchase, either from the ISO web store or from each country’s national body. To me, it is very unfortunate that standards cost money, as the whole intention should be to make standards available.
It’s a public resource, but that is ISO’s current funding model as established by its member countries.
So, let’s take a closer look at Dash 1 now. I know this is a bit of an eye chart, but we’ll go over the main points together. 19770-1 is what ISO calls a management system standard, or MSS. Essentially, management system standards are loosely based on the Deming Cycle of Continuous Improvement, also known as Plan, Do, Check, Act, or PDCA.
Those of you familiar with the concepts of Six Sigma and Lean Manufacturing are probably going to recognize this structure. The most important aspect to remember here is that the cycle is iterative and continuous. You never stop adjusting and improving. The program must change literally by the day, and the SAM program must change with it, or else it risks becoming irrelevant.
The Plan phase is probably the most important and is covered by Sections 4 through 7 in the standard. Here, you are determining the needs of the organization and the scope of ITAM. You develop policies, you perform risk assessment, you create a detailed plan, and you identify whatever resources are required.
The Do phase corresponds to Section 8 in the standard, and here you essentially implement the plan that you developed in the first phase. The Check phase corresponds to Section 9 in the standard, and here you essentially perform monitoring and review of your ITAM program to see if it is performing as expected and follow up on exceptions.
The Act phase corresponds to Section 10 in the standard, and here you remediate any nonconformity identified in the Check phase, as well as perform other activities such as taking preventative action. The IT asset management system we just discussed is at the heart of the Dash 1 standard. All other ISO management system standards have the exact same structure.
For example, Sections 4 through 7 are always going to be the Plan, Section 8 is always going to be the Do, and so forth. This is true for ISO 27001 for information security, ISO 20000 for IT service management, or even other management system standards such as ISO 9001 for quality assurance. The fact that the same management structure is used across all ISO management system standards is invaluable, particularly when you’re considering joint implementation of two or more of these standards. And we’ll touch on this a bit later. Dash 1 also identifies 15 process areas for ITAM in its Annex A. And it provides a suggested tier structure for their order of implementation. Another reason for the tier structure is to allow for partial certification, so that organizations can more quickly achieve their initial certification by implementing the processes which make up Tier 1, then expand to Tiers 2 and 3 at a later stage.
Tier 1 is about getting to a point where you have trustworthy data. If you don’t have that first, there’s really nothing else you can do. Tier 2 is about lifecycle integration, building on your trustworthy data to achieve management of the asset lifecycle. And then finally, once you have achieved the first two tiers, you’re ready to take on Tier 3, which is about optimization.
And while specific ITAM processes are mentioned in Dash 1, and we’re going to go over them next, the actual processes are not part of the body of the standard. They only appear in an annex, and almost no details are given about them, other than a very short description of one or two sentences.
This is because we had to follow ISO’s template for management system standards. The concept is that if the management system that is used is effective, which is the Plan, Do, Check, Act, the resulting processes can’t help but be effective. On the other hand, if the management system is ineffective, there’s no point in even going down to the process level.
This focus on the management system was the main change that was introduced in this third edition of the standard.
So here you can see the 15 process areas that are listed in Annex A of the standard. There are 8 IT Asset Functional Management process areas, which are the top and bottom rows, and 7 IT Asset Lifecycle Management processes, which are in the middle row there. The main difference between those two groups is that functional management processes, which again are the top and bottom rows, are applicable across all stages of the asset’s lifecycle, whereas the lifecycle management processes, which are the middle row, each apply only to one specific phase in the asset lifecycle.
As you can see, the graphic also shows the relationship between processes and tiers. The first four functional management processes make up what the standard calls Tier 1, representing the minimal threshold that you need to achieve to get any certification against the standard. For this reason, these four processes are the only ones that are also named
in Section 8, as part of the main body of the standard. Change management, data management, and license management probably come as no big surprise. But as you can see, security management is also part of the first tier because of its critical importance to ITAM, as we will discuss in a bit. Then Tier 2 is essentially made up of the seven lifecycle processes, and achieving them means you have integrated ITAM within the asset lifecycle.
And Tier 3 is then made up of the remaining four functional management processes, and achieving them means you have achieved optimization. As you can see, this group includes a catch-all process for other risk management that could be tailored to each organization. One other point to bring up is that the definition of an IT asset in Dash 1 is broad.
The standard is applicable to traditional on-prem software as well as to software as a service and infrastructure or platform as a service. And we could spend days on Dash 1, but that is the very brief overview we had time for today.
Now, Dash 1 is an organizational certification. However, for individuals, there is one professional SAM certification that is fully aligned with the Dash 1 standard, and which discusses the standard in a lot more detail. This is the Certified SAM Professional offered by BSA. And in the interest of full disclosure, this self-paced online training course was developed by Anglepoint for BSA.
However, the course is now owned by BSA and run by them, and Anglepoint does not benefit when people take it.
And as discussed, Dash 1 has significant benefits to organizations even unrelated to actual certification, such as with respect to best practices, interoperability, and the other benefits we discussed. Now that said, let’s spend a minute on external certification. Any organization can self-certify against any ISO standard
and self-declare their conformity with it. Now, of course, that has somewhat of a limited value. And in most cases, if you determine that you need certification, then you would probably want to get external certification. That’s done by an accredited and independent third party. There are specialized firms who are accredited to perform ISO certification audits.
These would be the same firms who perform ISO 27001 certifications, just as one example. Now, unfortunately, today this is mostly unavailable in the marketplace. These certification firms are running a for-profit business. Historically, they have not seen sufficient demand for Dash 1 certifications, which is why for the most part they don’t offer it today.
And there are a number of efforts underway to change that. At the ISO level, we’re getting close to publication of Dash 11, which would provide audit guidance to these certification bodies and hopefully make it easier for them to pick up this task. And in addition, we have initiated work on Dash 10, which would provide guidance on ITAM implementation and include many of the best practices which we were not allowed to include in Dash 1 due to the need to comply with ISO’s template for management system standards.
Dash 10 would hopefully make it easier for organizations to implement and certify against the Dash 1 standard. And outside of ISO, the effort to bring about organizational certifications against Dash 1 is mostly led now by the ITAM Forum. This is a global nonprofit based in London and led mostly by end user organizations that is looking to promote the ITAM industry through education, awareness, and, you guessed it, organizational certifications.
Specifically, the ITAM Forum is reaching out to certification bodies to get this started, and we’ll be working on detailed guidance to enable Dash 1 certifications. And again, in the interest of full disclosure, I am currently serving as vice chair of the ITAM Forum, and I’m on its board of trustees. I would encourage you all to check out the ITAM Forum’s website to see who is involved and some of the thought leadership that’s already been produced there, and to become members.
So now that we got to know Dash 1 a bit better, we’re better equipped to continue the discussion we started earlier about the benefits of ITAM standards, and specifically how Dash 1 can be leveraged strategically. This is a broad discussion, but in the time we have left, I’d like to touch on interoperability, for two reasons.
In our experience, this is probably the less intuitive benefit to understand how it works. And at the same time, interoperability is arguably the benefit with the most potential value for organizations.
At the end of the day, ITAM has three objectives, or rather groups of objectives: reduce costs, address or mitigate risk, and enable other IT functions, which, by the way, in turn would typically reduce costs or mitigate risks. If you think about it, any objective of ITAM falls under one of the three buckets.
The ITAM standards’ benefit of interoperability is, as you can imagine, more relevant to the third objective here, enabling other IT functions, as we’ll discuss next.
ITAM is a foundational IT competency. Many IT functions rely on ITAM or should rely on ITAM, either directly or indirectly. On the chart here, you see a very partial list of these functions. We can spend days on each one and its relationship with ITAM. For now, let’s take a quick look at the relationship specifically between ITAM and information security.
Essentially, you can’t secure what you don’t know. For example, you can’t ensure that no unauthorized software or hardware is being used if you don’t even know what’s running on your network, and if you don’t maintain a list of authorized software. Similarly, when a vulnerability comes out and a new patch is made available, you need to know where to apply it.
A good example for this is the Equifax breach from about three years ago, which was a big wake up call for many people about the dependency between ITAM and information security. In the Equifax breach, personal sensitive information of 150 million Americans was stolen by hackers. The issue there was a vulnerability in a certain open-source product used by Equifax.
As this was one of the worst security breaches in U. S. history, and probably world history, it was followed by a congressional investigation. The congressional report concluded that at the time Equifax got hacked, the vulnerability was not only already well known and documented in the marketplace, but also that a patch had already been available to Equifax for quite some time.
And the reason Equifax did not apply that patch was simply because they were running tens of thousands of servers without effective IT asset management, and they had no idea which of their servers were running the product and version that required the patch. The congressional report, which is publicly available, by the way, concluded that ineffective IT asset management was the main factor leading to the security breach. Many organizations rely on the ISO 27001 standard for information security, either because they are required to or because they choose to adopt it on its own merits. And even where organizations are using a different security framework, there’s a very good chance that framework is at least indirectly based on ISO 27001.
One of our committee members analyzed that organizations who are compliant with 27001 for information security have already met more than 50% of the requirements for 19770-1. In any case, there can be no doubt that there’s a very significant overlap between the two domains. For this reason, Gartner had predicted that by 2022, 50% of ITAM initiatives would be primarily driven by information security needs and concerns.
As you can see, interoperability is key for ITAM.
Where do you begin? The good news is that if you’re taking a standards-based approach to ITAM, much of the work has already been done for you. Dash 1 was designed from the start for joint implementation with 27001. This is reflected in several ways. First, both standards are management system standards, meaning they not only follow the same structure, but the implementation can share the same management system, which is the Plan, Do, Check, Act framework.
And that is a very significant consideration. Beyond this, the two standards share several common approaches, including with respect to risk management, selection of objectives, documentation requirements, and many others. Taking a step back, if you ask CIOs about their top five priorities, nine out of ten times they will list information security, but will not list ITAM.
However, when ITAM is positioned as enabling information security, and particularly with a standards-based approach that facilitates joint implementation, you could be having a much more strategic conversation with your CIO.
And organizations are typically subject to a whole spectrum of laws, regulations, and governance requirements as those relate to IT, beyond the ISO 27001 that we discussed before. In many cases, such governance requirements will have varying degrees of overlap with IT asset management. Let’s touch on just three quick examples out of this list.
NIST, which is the National Institute for Standards and Technology in the U. S., is part of the U. S. Department of Commerce. Their publications are widely used across the U. S. federal government, but also more broadly in industry and the world. One of their main publications is the Cybersecurity Framework, or CSF.
That framework identifies five main security functions: Identify, Protect, Detect, Respond, and Recover. And ITAM is named as the first category under the Identify function. Another example is SANS, which together with CIS, the Center for Internet Security, publishes what’s called the 20 Critical Security Controls, and a few of these controls talk about inventory of hardware and software, the ability to distinguish between authorized software and unauthorized software, and so on.
Another example is COBIT, which stands for Control Objectives for Information Technology, and it is an IT governance framework published by ISACA, the Information Systems Audit and Control Association. COBIT is commonly used around the world by both internal and external audit functions to assess IT controls.
COBIT 2019 identifies 40 of what it calls governance and management objectives. And one of these 40 is what’s called Managed Assets, which calls for proper accounting and optimization of all IT assets.
Again, taking a step back, the advantage in taking a standards-based approach is that you will not be reinventing the wheel about how to map what you’re doing to the regulatory requirements. You will be able to follow best practices and more easily demonstrate that you’re doing the right things.
And specifically, you will be in a much better spot in case of any investigation or litigation having relied on industry standards.
In conclusion, today we discussed at a very high level what the benefits are in having ITAM standards and how standards are developed. We had an overview of published ITAM standards, and we took a closer look at the main ITAM standard, 19770-1, and how that one could be strategically leveraged, particularly with respect to interoperability with information security.
And with that, let’s open it up for Q&A in the time that we have left. I also invite all of you to connect with me over LinkedIn and reach out with any other questions that we won’t be able to get to today.
Alex Benson: Wonderful. Thank you so much, Ron. We do have a few questions here.
The first question is, do you have any engagement with IAITAM? And if so, is there a path to grandfather those with CSAM certification to CSP status with BSA?
Ron Brill: That’s a good question. IAITAM is one of the liaison organizations to the ITAM Standards Committee, and Patsikala represents IAITAM in our committee.
They have a different body of knowledge, I believe it’s called IAITAM 360. It was developed independently. We have reached out to IAITAM and asked them to create a mapping between IAITAM 360 and the Dash 1 standard, using the Dash 8 template for that purpose. And we really hope to see that happen.
Because I think it’ll be incredibly valuable for individuals. Now, as far as the CSAM certification, again, it’s a different certification that’s based on a different body of knowledge. I am not aware of any plans to grandfather those certifications and so forth. But again, that’s more of a question for IAITAM.
But thanks, that was a good question.
Alex Benson: Awesome, thank you. Next question is, how can we get involved in ISO?
Ron Brill: Yeah, that’s a great question. We’re always looking for good people to join the committee, and I always have my recruiting hat on. If you have a potential interest, please do reach out to me either by email or through LinkedIn, and I’ll give you more details.
At a high level, you will need to be nominated as a delegate to ISO by the National Standards Body in your country, but I can walk you through some of those details for those who have the interest.
Alex Benson: Wonderful. Next question: when will 19770-1 certification be available?
Ron Brill: Yeah, and I assume the question is about organizational certifications. That’s a very good question. As we mentioned, organizations can self-certify at any point, but external independent certification is being actively worked on now by the ITAM Forum and others, and we hope to see that become commercially available very soon.
But that is dependent on several factors and a number of third parties over which we have no control. We can just say that we’re working to make that happen as soon as possible.
Alex Benson: Great. Just want to remind everyone, if you have any questions, please drop them into the Q&A option box on your Zoom panel.
And the last question we have right now is, will software publishers recognize and reward customers who become 19770-1 certified?
Ron Brill: First I have to say, I really cannot speak for any software publisher, but that said, I hope they will provide benefits, because it is absolutely in the publishers’ best interest to see more and more customers certified against the standard and thereby demonstrate that they have good controls in place over their software assets.
So, we really hope to see that happen.
Alex Benson: Great. What is the best approach to self-certify?
Ron Brill: With self-certification, there are really no set requirements. You will need to essentially have documentation to support that your SAM or ITAM program conforms with the ISO standard. And again, depending on the tiered certification that you choose, if you choose to self-certify against Tier 1, it should just be applicable to Tier 1.
If you choose to self-certify against all tiers, you need to include everything. And so, you just need to be able to demonstrate with internal documentation that you’re conforming with the standard, that you have the documentation to support the various components that are required in the standard, that you’ve assessed your conformance, and what the assessment results were, and so forth.
But again, that is for self-certification; there aren’t any strict rules. And I think you can probably expect varying degrees of rigor around self-certification, which is unfortunately why they’re probably a bit less valuable in the marketplace. It still makes a very strong statement when you say you are self-certified; it shows that you care and that you’re placing high importance on being compliant with the ISO standards for ITAM.
But again, in many cases, third parties are probably not going to be able to rely on that much beyond that. But again, there’s no set approach.
Alex Benson: Great. Thank you, guys, so much for all your questions. And thank you, Ron, for that wonderful presentation. I’m not seeing any more questions come through, so I think that we will wrap up now. Just a quick reminder that we will be sending out a follow-up email in the next few days. Again, thank you for joining us, and we hope to see you all next time, and we hope you have a great rest of your day.