CMM vs. ISO

diligentdeputyManagement

Nov 8, 2013


1 / Spring 2008 / EDS INTERNAL

11 April 2007

CMM, ISO, Sarbanes-Oxley

CMM vs. ISO

David S. Craft CIRM, PMP

Engineering & Manufacturing Services


Agenda

Who Am I
EDS
ISO
CMM
Sarbanes-Oxley



Who Am I

VISTA Volunteer
Industrial Engineer
Chief Industrial Engineer
Manager Production Planning & Control
Inventory Control Manager
Shift Supervisor
Materials Manager
Consultant
Project Manager
Team Leader
Managing Consultant
EDS
  Engineering and Manufacturing Services
  Applications Service Delivery
Internal ISO Auditor



Process

To Develop Software and Systems You Need A Process

Anything goes
Defined
Structured



Common Misconceptions

I don't need defined processes, I have:

Really good people
Advanced technology
An experienced manager

Defined processes:

Interfere with creativity
Equal bureaucracy + regimentation
Aren't needed when building prototypes
Are only useful on large projects
Hinder agility in fast-moving projects
Cost too much



Why We Need Standard Processes

Estimating (History)
  Scope
  Cost
  Time
  Tools

Deliver the Product to Estimate (Visibility)
  Time
  Cost
  Quality

Handling/Controlling Changes
  Planned
  Unplanned
  Scope Creep



How to Achieve Quality Processes

ISO


CMM



ISO vs. CMM Differences

ISO 9001:2000 | CMMI
--- | ---
International standard; applies to all types of organizations and supports both product- and service-oriented organizations | Written specifically for software development companies
A brief document, about 25 pages long, identifying the minimal requirements for a quality system | A detailed document, over 500 pages long
Emphasizes management of a continuous improvement process, based on the PDCA (Plan-Do-Check-Act) model | Emphasizes achieving "maturity" and improving its process continuously
One level of standard; the standard is based on recommendation | Defines 5 maturity levels of the organization, covering 25 process areas (PAs)

Source: Netta Dotan, Quality Assurance & project management, Ronkal Office Technologies



ISO vs. CMM Differences: My View

ISO 9000 | SW-CMMI
--- | ---
Outwardly focused | Inwardly focused
Minimum requirements with implied continuous improvement | Explicit continuous quality improvement
Registration document | No documentation
Certification audit for a 50-employee organization will be executed by 1-2 auditors during one day | Certification audit for a 50-employee organization will be executed by 4 auditors during 4-5 days

Source: Netta Dotan, Quality Assurance & project management, Ronkal Office Technologies



ISO vs. CMM Similarities

Both require the organization to be explicit about what their processes and quality systems are

Say what you do; do what you say

The organization records and tracks data for objective analysis

Both require strong management support to succeed

Both provide a structured and measured approach to quality improvement

Both require an outside audit for "certification"

Both are refined/improved over time



Meet ISO

ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.

ISO is a network of the national standards institutes of 157 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.

ISO is a non-governmental organization that forms a bridge between the public and private sectors. On the one hand, many of its member institutes are part of the governmental structure of their countries, or are mandated by their government. On the other hand, other members have their roots uniquely in the private sector, having been set up by national partnerships of industry associations.

Therefore, ISO enables a consensus to be reached on solutions that meet both the requirements of business and the broader needs of society.




What are standards?

Standards are documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines, or definitions of characteristics, to ensure that materials, products, processes and services are fit for their purpose.

For example, the format of the credit cards, phone cards, and "smart" cards that have become commonplace is derived from an ISO International Standard. Adhering to the standard, which defines such features as an optimal thickness (0,76 mm), means that the cards can be used worldwide.

International Standards thus contribute to making life simpler, and to increasing the reliability and effectiveness of the goods and services we use.

Last modified 2002-07-17




ISO 9000 and ISO 14000 (Management Systems)

The ISO 9000 and ISO 14000 families are among ISO's best known standards ever. ISO 9001:2000 and ISO 14001 (1996 and 2004 versions) are implemented by over 1,000,000 organizations in 161 countries.

The ISO 9000 family addresses "quality management". This means what the organization does to fulfill:

the customer's quality requirements and
applicable regulatory requirements, while aiming to
enhance customer satisfaction, and
achieve continual improvement of its performance in pursuit of these objectives.

The ISO 14000 family addresses "environmental management". This means what the organization does to:

minimize harmful effects on the environment caused by its activities, and to
achieve continual improvement of its environmental performance.



ISO’s Impact

In the global economy

ISO 9001:2000 and ISO 14001:2004 have become thoroughly integrated with the world economy.

ISO 9001:2000 is now firmly established as the globally accepted standard for providing assurance about the quality of goods and services in supplier-customer relations.

The positive roles played in globalization by ISO’s standards for quality and environmental management systems include the following:

a unifying base for global businesses and supply chains (such as the automotive and oil and gas sectors)
a technical support for regulation (as, for example, in the medical devices sector)
a tool for major new economic players to increase their participation in global supply chains, in export trade and in business process outsourcing
a tool for regional integration (as shown by their adoption by new or potential members of the European Union)

In the rise of services in the global economy

nearly 33% of ISO 9001:2000 certificates in 2005 went to organizations in the service sectors.




Where are the Standards (12/31/07)

Sector | Standards | Pages
--- | --- | ---
Generalities, Infrastructure and Sciences | 1,482 | 54,929
Health, Safety and Environment | 684 | 24,062
Engineering Technologies | 4,659 | 202,370
Electronics, Information Technology and Telecommunications | 2,739 | 181,455
Transport and Distribution of Goods | 1,835 | 49,435
Agriculture and Food Technology | 997 | 22,495
Materials Technology | 4,166 | 101,731
Construction | 341 | 12,447
Special Technologies | 138 | 3,416
Total | 17,041 | 652,340



Which ISO Standards

The ISO family includes:

ISO 9000:2000  Quality Management Systems: Fundamentals and vocabulary
ISO 9001:2000  Quality Management Systems: Requirements
ISO 9004:2000  Quality Management Systems: Guidelines for performance improvement
ISO 19011      Guidelines on quality and/or environmental management systems auditing
ISO 10012      Measurement control system



Quality System Documentation

Level | Document | Purpose
--- | --- | ---
Level 1 | Quality Manual | Defines approach and responsibility
Level 2 | Procedures | Defines who, what, when
Level 3 | Work/Job Instructions | Answers how
Level 4 | Records/Documentation | Results: shows that the system is operating



ISO 9001:2000 Structure

4. Quality Management System
4.1 General requirements
4.2 Documentation requirements

5. Management Responsibility
5.1 Management commitment
5.2 Customer focus
5.3 Quality policy
5.4 Planning
5.5 Responsibility, authority and communication
5.6 Management review

6. Resource Management
6.1 Provision of resources
6.2 Human resources
6.3 Infrastructure
6.4 Work environment

7. Product Realization
7.1 Planning of product realization
7.2 Customer-related processes
7.3 Design and development
7.4 Purchasing
7.5 Production and service provision
7.6 Control of monitoring and measuring devices

8. Measurement, Analysis and Improvement
8.1 General
8.2 Monitoring and measurement
8.3 Control of nonconforming product
8.4 Analysis of data
8.5 Improvement



Meet CMM

CMM: Capability Maturity Model

The Capability Maturity models have been developed by the Software Engineering Institute (SEI).

The Carnegie Mellon SEI is a federally funded (US Department of Defense) research and development center that provides the technical leadership to advance the practice of software engineering so that software-intensive systems can be acquired and sustained with predictable and improved cost, schedule and quality.



Process Areas

Requirements Management
Project Planning
Project Monitoring & Control
Supplier Agreement Management
Measurement & Analysis
Process & Product Quality Assurance
Configuration Management
Requirements Development
Technical Solution
Product Integration
Verification
Validation
Organizational Process Focus
Organizational Process Definition
Organizational Training
Integrated Project Management
Risk Management
Integrated Teaming
Integrated Supplier Management
Decision Analysis & Resolution
Organizational Environment for Integration
Organizational Process Performance
Quantitative Project Management
Organizational Innovation & Deployment
Causal Analysis & Resolution



CMM Process Areas

Staged (maturity level) | Process Area | Continuous (category)
--- | --- | ---
L2 | Requirements Management | Engineering
L2 | Project Planning | Project Mgmt
L2 | Project Monitoring and Control | Project Mgmt
L2 | Supplier Agreement Management | Project Mgmt
L2 | Measurement and Analysis | Support
L2 | Process and Product Quality Assurance | Support
L2 | Configuration Management | Support
L3 | Requirements Development | Engineering
L3 | Technical Solution | Engineering
L3 | Product Integration | Engineering
L3 | Verification | Engineering
L3 | Validation | Engineering
L3 | Organizational Process Focus | Process Mgmt.
L3 | Organizational Process Definition | Process Mgmt.
L3 | Organizational Training | Process Mgmt.
L3 | Integrated Project Management | Project Mgmt
L3 | Risk Management | Project Mgmt
L3 | Integrated Teaming | Project Mgmt
L3 | Integrated Supplier Management | Project Mgmt
L3 | Decision Analysis and Resolution | Support
L3 | Organizational Environment for Integration | Support
L4 | Organizational Process Performance | Process Mgmt.
L4 | Quantitative Project Management | Project Mgmt
L5 | Organizational Innovation and Deployment | Process Mgmt.
L5 | Causal Analysis and Resolution | Support



Examples of CMMI Impact: ROI

5:1 ROI for quality activities (Accenture)

13:1 ROI calculated as defects avoided per hour spent in training and defect prevention (Northrop Grumman Defense Enterprise Systems)

Avoided $3.72 M in costs due to better cost performance (Raytheon North Texas Software Engineering) as the organization improved from SW-CMM level 4 to CMMI level 5

2:1 ROI over 3 years (Siemens Information Systems Ltd, India)

2.5:1 ROI over the 1st year, with benefits amortized over less than 6 months (reported under non-disclosure)

(reported by the American Society for Quality)



Sarbanes-Oxley Implications

With its more than 300 discrete points of enforceable law, this is the most significant piece of accounting legislation passed since the formation of the SEC in 1934.

SOX was passed with the specific intent of increasing accountability and attempting to instill ethical behavior in financial reporting and business operations.

With this increased spotlight on reporting, companies must invest resources and focus into their internal control process.

The Act created the Public Company Accounting Oversight Board (PCAOB) to oversee the activities of the auditing profession and mandated reforms to enhance corporate and criminal fraud accountability.

A goal of SOX legislation is to continually improve the transparency of financial and business events that can impact the accuracy and future validity of financial statements. Projects to improve processes and regular review of controls will become commonplace activities as compliance evolves. Tools that simplify project completion and track status will better enable organizations to cost-effectively undertake these projects.



SOX Major Sections

302: Corporate Responsibility for Financial Reports
Requires executives to certify the accuracy of corporate financial reports

404: Management Assessment of Internal Controls
Requires executives and auditors to confirm the effectiveness of internal controls for financial reporting

409: Real Time Issuer Disclosures
Requires any material changes in the financial state of the issuer to be communicated quickly and with supporting data to the public



Implications for IT

Configuration management is now a must

Change controls must be handled more carefully

Security, security, security

All system changes must be verifiable by a clear audit
trail

Reduce reliance on batch processing, update data
warehouse more frequently

Interfaces from any financial system must be
documented and controlled

IT activities must be aligned with the company’s
governance and risk policies
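As an added example that is not part of the original deck, the Python below shows one concrete form of "all system changes must be verifiable by a clear audit trail" together with the change-control point above it: each change record is hash-chained to the record before it, every record must cite an approved change ticket, and the head of the chain is compared against a value recorded outside the log. The record fields, the ticket identifiers (CHG-1001 and so on) and the sample entries are constructed for illustration and do not come from EDS or the deck.

```python
"""Hash-chained change log with verification.

Added example for the "Implications for IT" slide; it is not code from
the original deck. The record fields, the ticket identifiers and the
sample entries below are constructed for illustration.
"""
import copy
import hashlib
import json

# Assumed sentinel: predecessor hash of the first entry in the chain.
GENESIS = "0" * 64


def _digest(prev_hash, record):
    """SHA-256 over the predecessor hash plus the canonical JSON of the record.

    Canonical encoding (sorted keys, no whitespace) so the same record
    always produces the same hash regardless of dict insertion order.
    """
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_change(log, record):
    """Append a change record whose hash also covers the entry before it."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
    log.append(entry)
    return entry


def verify_log(log, approved_tickets, expected_head=None):
    """Return a list of findings; an empty list means the trail checks out.

    Checks, in the terms of the slide:
      - audit trail integrity: every hash recomputes and links to its predecessor
        (an edited or deleted entry breaks the link of the entry after it);
      - change control: every change cites a ticket in the approved set;
      - anchoring: the last hash matches a head value kept outside the log,
        otherwise a consistent rewrite of the tail would go unnoticed.
    """
    findings = []
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev:
            findings.append(f"entry {i}: chain broken")
        if _digest(entry["prev"], entry["record"]) != entry["hash"]:
            findings.append(f"entry {i}: hash mismatch")
        if entry["record"].get("ticket") not in approved_tickets:
            findings.append(f"entry {i}: no approved ticket")
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        findings.append("head hash does not match anchored value")
    return findings


APPROVED = {"CHG-1001", "CHG-1002", "CHG-1003"}  # constructed change tickets


def build_sample_log():
    """Three constructed changes to a general-ledger system and its warehouse."""
    log = []
    append_change(log, {"ticket": "CHG-1001", "who": "dba1", "system": "GL",
                        "what": "add approver column to gl_journal"})
    append_change(log, {"ticket": "CHG-1002", "who": "ops2", "system": "GL",
                        "what": "deploy gl-batch 4.1.2"})
    append_change(log, {"ticket": "CHG-1003", "who": "ops2", "system": "DW",
                        "what": "raise warehouse refresh from nightly to hourly"})
    return log


def demo():
    """Verify the clean log, then four ways it can go wrong."""
    log = build_sample_log()
    head = log[-1]["hash"]  # value an operator would record out of band
    results = {"clean": verify_log(log, APPROVED, head)}

    # A change whose ticket was never approved.
    results["unapproved"] = verify_log(log, APPROVED - {"CHG-1003"}, head)

    # Edit entry 0 and recompute only its hash: entry 1 still cites the old one.
    edited = copy.deepcopy(log)
    edited[0]["record"]["what"] = "drop table gl_journal"
    edited[0]["hash"] = _digest(edited[0]["prev"], edited[0]["record"])
    results["edited"] = verify_log(edited, APPROVED, head)

    # Delete entry 1: the entry after it still points at the removed hash.
    deleted = copy.deepcopy(log)
    del deleted[1]
    results["deleted"] = verify_log(deleted, APPROVED, head)

    # Rewrite the last entry consistently: the chain itself is fine,
    # only the anchored head reveals the change.
    rewritten = copy.deepcopy(log)
    rewritten[-1]["record"]["what"] = "disable warehouse refresh"
    rewritten[-1]["hash"] = _digest(rewritten[-1]["prev"], rewritten[-1]["record"])
    results["rewritten_unanchored"] = verify_log(rewritten, APPROVED)
    results["rewritten_anchored"] = verify_log(rewritten, APPROVED, head)
    return results


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case}: {findings or 'OK'}")
```

The last two cases are the caveat a practitioner should take from this: a hash chain detects an edit or deletion made inside the log, but whoever can rewrite the tail can recompute every hash after it, so the head value has to be kept somewhere the change process cannot alter (a write-once store, a separate system of record, a periodic export to the auditors). The ticket check is the configuration-management half of the slide: a change with no approved ticket is a finding even when the record itself is intact.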