ISO IEC 16350-2015 Information technology - Systems and software engineering - Application management《信息技术 系统和软件工程 应用管理》.pdf

1、Information technology Systems and software engineering Application management Technologies de linformation Gestion dapplication Exigences pour la gestion dapplication INTERNATIONAL STANDARD ISO/IEC 16350 Reference number ISO/IEC 16350:2015(E) First edition 2015-08-01 ISO/IEC 2015 ii ISO/IEC 2015 Al

2、l rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2015, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the

3、internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 0

4、9 47 copyrightiso.org www.iso.org ISO/IEC 16350:2015(E) ISO/IEC 16350:2015(E)Foreword v Introduction vi 1 Scope . 1 1.1 General . 1 1.2 Applicability 4 1.2.1 Audience 4 1.2.2 Field of application 5 1.3 Limitations 5 2 Conformance . 6 2.1 Intended usage 6 2.2 Full conformance. 6 2.2.1 General 6 2.2.2

5、 Full conformance to outcomes . 6 2.2.3 Full conformance to tasks 6 2.3 Tailored conformance . 6 3 Normative references 7 4 T erms and definitions . 7 5 Application Management Processes .13 5.1 Application Support Processes 13 5.1.1 Use Support .13 5.1.2 Configuration Management .15 5.1.3 Applicatio

6、n Operation Management 18 5.1.4 Continuity Management .21 5.2 Application Maintenance and Renewal Processes 23 5.2.1 Impact Analysis 23 5.2.2 Software Design .26 5.2.3 Software Construction and Integration .29 5.2.4 Software Testing 33 5.2.5 Preparation of Transfer to Production .35 5.3 Connecting P

7、rocesses .37 5.3.1 Application Change Management 38 5.3.2 Software Control and Distribution 40 5.4 Management Processes 42 5.4.1 Agreement Management 42 5.4.2 Planning and Control.45 5.4.3 Quality Management .49 5.4.4 Financial Management .52 5.4.5 Supplier Management 55 5.5 Application Strategy Pro

8、cesses 58 5.5.1 Analysis of Developments in IT 58 5.5.2 Customer Organizations Analysis 59 5.5.3 Customer Environment Analysis 60 5.5.4 Application Life Cycle Management .62 5.5.5 Application Portfolio Management .63 5.6 Application Management Organization Strategy Processes .65 5.6.1 Account and Ma

9、rket Definition 65 5.6.2 Capabilities Definition 66 5.6.3 Technology Definition 68 5.6.4 Sourcing Definition .69 5.6.5 Service Delivery Definition 71 Annex A (informative) Explanatory statements 75 Annex B (normative) Tailoring Process .77 ISO/IEC 2015 All rights reserved iii Contents Page ISO/IEC 1

10、6350:2015(E)Annex C (informative) Process Reference Model for assessment purposes .79 Annex D (informative) Relationship to ISO/IEC 15504-8:2012 .81 Annex E (informative) References made to ISO/IEC 20000-1 and ISO/IEC 12207 82 Bibliography .85 iv ISO/IEC 2015 All rights reserved ISO/IEC 16350:2015(E

11、) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through tech

12、nical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take pa

13、rt in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different ap

14、proval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the sub

15、ject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

16、 Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles

17、in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information. The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 7, Software and systems engineering. Its contents are based on the Dutch national standard, NEN

18、3434, Information technology Application management Requirements for application management, which will be withdrawn after publication of this International Standard. ISO/IEC 2015 All rights reserved v ISO/IEC 16350:2015(E) Introduction Applications can live for decades. Applications that were devel

19、oped twenty or thirty years ago are still being used and most applications that have recently been developed will still be in use for the many years to come. During their life cycle, these applications and the related data structures will have to be monitored, enhanced, and sometimes renewed or reno

20、vated. This means that very often, in total, more money and work is needed for the stage of operation and use than for the initial development stage. But the emphasis very often lies at the initial development stage; there are various frameworks and (international) standards covering initial applica

21、tion development. For the stage of operation and use, there are little frameworks and standards. This International Standard has been developed to fill this gap. Stage of operation andu se initial development Figure 1 Stage of the lifecycle in scope The initial development of applications usually ta

22、kes place in a rather protected project environment with a relatively small amount of operational interaction with the business processes, as they are not yet s upp or t e d by t he appl ic at ion u nder de velopment . T he pr oje c t h a s it s ow n p ac e a nd r u le s , it s ow n gover n a nc e ,

23、 and a limited lifespan. In the final development stage, the application is transferred to operation then the rules change. The business processes of the user organizations become largely or fully dependent on the application. In that stage, the following two major types of actions will have to take

24、 place: a) supporting use and operation of the application; b) adapting the application based on changing demands or based on quality improvements (fixes, patches, and releases). These actions and all the responsibilities, activities, and tasks around it, we call application management and the stage

25、 in which a version of an application actually is in use and in operation is the subject of this International Standard. This International Standard aims to offer application management organizations a well-defined, directly applicable, and complete standard for their specific activities. Although t

26、his International Standard is partially overlapping with ISO/IEC 20000 and ISO/IEC 12207, this International Standard is a standard organized from the viewpoint of application management and contributes to the convenience of users who work in that area. This International Standard provides a common

27、framework for establishing the processes, tasks, and activities of service providers that enhance, maintain, and/or renew applications or application objects after the initial development (that is at the stage of exploitation and use) and that supports other service providers that run the applicatio

28、n in production environments and user organizations that use the applications. This International Standard also supports the definition, control, assessment, and improvement of such processes. These processes can be applied uniquely, in conjunction, sequentially, or in parallel.vi ISO/IEC 2015 All r

29、ights reserved Information technology Systems and software engineering Application management 1 Scope 1.1 General This International Standard establishes a common framework for application management processes with well-defined terminology that can be referenced by the software industry. It contains

30、 processes, activities, and tasks that apply during the stage of operation and use from the point of view of the supplier organization that enhances, maintains, and renews the application software and the software-related products such as data-structures, architecture, designs, and other documentati

31、on. This International Standard applies to the supply, maintenance, and renewal of applications, whether performed internally or externally with respect to the organization that uses the applications. Application management comprises all of the tasks, responsibilities, and activities with the aim th

32、at the support of business processes by applications continues to meet the requirements and needs of the organizations that use these applications throughout the entire life span of their business processes. This International Standard therefore focuses on the following: day-to-day management of app

33、lications (the software) and the related data structures and support of costumer organizations, including handling calls such as incidents and service requests; maintenance and renewal of applications and data structures in accordance with changing requirements and needs; opportunities, threats, and

34、 changes in the business and/or technology that influence the future of the applications and, based on that, the strategy for maintaining and renewing the applications; organization and strategy of application management organizations. Before retirement, the life cycle of an application consists of

35、two important stages: the stage of initial development of the application and the stage of operation and use (when the software is in use, in operation, supported, modified, and renewed). This stage of operation and use is the subject of this International Standard. The initial development of an app

36、lication is not within the scope of this International Standard, however the project that is responsible for the initial development has to take the requirements of the application management organization that will enhance and maintain the application into consideration. This means that the applicat

37、ion management organization will ask the project to deliver initial requirements, architecture products, design, standards, and other documentation, in order to use these products during enhancement and maintenance. INTERNATIONAL ST ANDARD ISO/IEC 16350:2015(E) ISO/IEC 2015 All rights reserved 1 ISO

38、/IEC 16350:2015(E) Initial development of application Business information management IT infrastructure management Application management Stage of operationa nd use Figure 2 Domains involved In the stage of operation and use, the following three domains play a role: a) business information managemen

39、t representing the business and end users of the application (use); b) IT infrastructure management hosting the application (operation) and maintaining the technical infrastructure; c) application management 1) supporting the use and the operation; 2) maintaining and renewing the application softwar

40、e and data structures. Business information management constitutes the demand side of information technology (IT) and information provisioning. Business information management is responsible for supporting users in the use of the information provisioning and represents the business organization as t

41、he client of the IT- suppliers. Business information management acts as the customer of the IT organizations (application management plus IT infrastructure management). Specific tasks of business information management include the following: support of end users in how the information provisioning a

42、re to be used; define how information and IT are to look like (the functionality, the appearance, etc); advise and support business management with the prioritization of requirements and management of their budgets for IT; assign work to IT providers and monitor their delivered services; define long

43、 term policy and plans regarding the information provisioning. IT infrastructure management is responsible for managing the operation of the information system, including maintaining the infrastructure (e.g. network, hardware), running the software, and data processing. In brief, this is the organiz

44、ation that runs the information systems and aims to keep the infrastructure in good order. The activities of business information management and IT infrastructure management are closely related to application management but not within the scope of this International Standard. Application management

45、is responsible for the management and maintenance of the application and definition of the data structures used in databases and data files. This form of management requires knowledge of software programming, information system development, design, day-to-day management of applications, and applicat

46、ion maintenance. Core qualities of the application management personnel are in-depth knowledge of the customer or (at least) in-depth knowledge of the customers business processes and in-depth knowledge of the existing applications (application objects), design, architecture, etc.2 ISO/IEC 2015 All

47、rights reserved ISO/IEC 16350:2015(E) This International Standard consists of the following three levels of processes: operational; managerial; strategic. These process levels and the processes are interconnected with one another. Figure 3 provides an overview of the processes within each of the pro

48、cess levels. Figure 3 Process overview There are no separate processes defined for security, issues, risks, and/or vulnerability. These topics form an important part of the Continuity Management Process, but they are also part of other processes. Security, for instance, is an important part of the f

49、unctionality of the application, so it is addressed in the Impact Analysis process and dealt with within the specifications of the application and defined in the Software Design Process and also within the service levels and, therefore, specified in the Agreement Management and Supplier Management Processes. Other processes which deal with these topics are the management processes planning and control, quality management and financial management, and, for instance, the