CMM vs. ISO
David S. Craft CIRM, PMP
Engineering & Manufacturing Services
11 April 2007 CMM vs. ISO, Sarbanes Oxley 1 / 10 April 2007 / EDS INTERNAL

Agenda
• Who Am I
• CMM
• ISO
• Similarities And Differences
• Sarbanes Oxley

Who Am I
Managing Consultant Engineering and Manufacturing Services Applications Service Delivery Shift Supervisor Team Leader Inventory Control Manager Industrial Engineer Internal ISO Auditor Materials Manager Information Specialist, Senior VISTA Volunteer Consultant Manager Production Planning & Control Chief Industrial Engineer Project Manager

CMMI History
• Federal government cannot distinguish between competing bids for software development
• Early 1980’s - Federal Government (Congress) awards a contract to establish the Software Engineering Institute (SEI) at Carnegie Mellon University (sponsored by the DOD)
• 1988 - SEI begins work on a Process Maturity Framework for judging a company’s capability to produce software
• The Process Maturity Framework evolves into the Capability Maturity Model (CMM)
• August 1991 – SW-CMM Version 1 released
• SE-CMM developed by the Enterprise Process Improvement Collaboration (EPIC)
• 1992 - CMM Version 1.1 released
• 1999 - Begin developing CMMI (CMM Integrated)
• 2002 – CMMI SE/SW/IPPD/SS Version 1.1 introduced

ISO History
• Began with British Military standards
• ISO organization was established in 1947
• Headquartered in Geneva, Switzerland
• Currently composed of 148 National Standard Bodies and 2,981 technical bodies
• As of 12/31/05 there are 15,649 International Standards embodied in 573,494 pages of English text

What are standards?
Standards are documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines, or definitions of characteristics, to ensure that materials, products, processes and services are fit for their purpose.
For example, the format of the credit cards, phone cards, and "smart" cards that have become commonplace is derived from an ISO International Standard. Adhering to the standard, which defines such features as an optimal thickness (0,76 mm), means that the cards can be used worldwide. International Standards thus contribute to making life simpler, and to increasing the reliability and effectiveness of the goods and services we use.
Last modified 2002-07-17

Where are the Standards (12/31/05)
Sector | Standards | Pages
Generalities, Infrastructure and Sciences | 1,406 | 49,761
Health, Safety and Environment | 658 | 20,252
Engineering Technologies | 4,099 | 169,843
Electronics, Information Technology and Telecommunications | 2,447 | 161,132
Transport and Distribution of Goods | 1,710 | 44,918
Agriculture and Food Technology | 954 | 20,335
Materials Technology | 3,943 | 93,121
Construction | 311 | 11,068
Special Technologies | 121 | 3,064
Total | 15,649 | 573,494

Which ISO Standards
The ISO family includes:
• ISO 9000:2000 – Quality Management Systems – Fundamentals and vocabulary
• ISO 9001:2000 – Quality Management Systems Requirements
• ISO 9004:2000 – Quality Management Systems – Guidelines for performance improvement
• ISO 19011 – Guidelines on quality and/or environmental management systems auditing.
• ISO 10012 Measurement control system

Quality System Documentation
Level | Document | Purpose
Level 1 | Quality Manual | Defines Approach and Responsibility
Level 2 | Procedures | Defines Who, What, When
Level 3 | Work/Job Instructions | Answers How
Level 4 | Records/Documentation | Results: shows that the system is operating

ISO 9001:2000 Structure
4. Quality Management System
   4.1 General requirements
   4.2 Document requirements
5. Management Responsibility
   5.1 Management commitment
   5.2 Customer focus
   5.3 Quality policy
   5.4 Planning
   5.5 Responsibility, authority, communication
   5.6 Management review
6. Resource Management
   6.1 Provision of resources
   6.2 Human resources
   6.3 Infrastructure
   6.4 Work environment
7. Product realization
   7.1 Planning of product realization
   7.2 Customer-related processes
   7.3 Design and development
   7.4 Purchasing
   7.5 Production and service provision
   7.6 Control of monitoring and measuring devices
8. Measurement, Analysis & Improvement
   8.1 General
   8.2 Monitoring and measurement
   8.3 Control of nonconforming product
   8.4 Analysis of data
   8.5 Improvement

Similarities
• Both require the organization be explicit about what their processes and quality systems are
• Say what you do; do what you say
• The organization records and tracks data for objective analysis
• Require strong management support to succeed
• Provide a structured and measured approach to quality improvement
• Require an outside audit for “certification”
• Both are refined/improved over time

Differences
ISO 9000 | SW-CMMI
Outwardly focused | Inwardly focused
Minimum requirements with implied continuous improvements | Explicit continuous quality improvement
Not specific to any one industry or service | Software focus
Registration Document | No documentation
Continual Audits | No follow up audits

Sarbanes-Oxley Implications
• With its more than 300 discrete points of enforceable law, this is the most significant piece of accounting legislation passed since the formation of the SEC in 1933
• SOX was passed with the specific intent of increasing accountability and attempting to instill ethical behavior in financial reporting and business operations.
• With this increased spotlight on reporting, companies must invest resources and focus into their internal control process
• The Act created the Public Company Accounting Oversight Board (PCAOB) to oversee the activities of the auditing profession and mandated reforms to enhance corporate and criminal fraud accountability.
• A goal of SOX legislation is to continually improve the transparency of financial and business events that can impact the accuracy and future validity of financial