BSI Standards Publication

Information technology - Process assessment - Requirements for performing process assessment

BS ISO/IEC 33002:2015

National foreword

This British Standard is the UK implementation of ISO/IEC 33002:2015. Together with BS ISO/IEC 33003:2015, BS ISO/IEC 33004 and BS ISO/IEC 33020:2015 it supersedes BS ISO/IEC 15504-2:2003. Together with BS ISO/IEC 33001:2015, BS ISO/IEC 33003:2015, BS ISO/IEC 33004, BS ISO/IEC 33010, and BS ISO/IEC 33014 it also supersedes PD ISO/IEC 15504-7:2008. These two standards will be withdrawn upon publication of the full series.

The UK participation in its preparation was entrusted to Technical Committee IST/15, Software and systems engineering.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2015. Published by BSI Standards Limited 2015

ISBN 978 0 580 74307 8
ICS 35.080

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 May 2015.

Amendments/corrigenda issued since publication
Date    Text affected

INTERNATIONAL STANDARD ISO/IEC 33002
Second edition 2015-03-01
Reference number ISO/IEC 33002:2015(E)

COPYRIGHT PROTECTED DOCUMENT

© ISO/IEC 2015. All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org

Published in Switzerland

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Performing an assessment
4.1 General requirements
4.2 Assessment activities
4.2.1 Plan the assessment
4.2.2 Collect the data
4.2.3 Validate the data
4.2.4 Determine the results
4.2.5 Report the assessment
4.3 Roles, responsibilities and competence
4.4 Assessment inputs
4.5 Assessment record
4.6 Class of assessment
4.6.1 General
4.6.2 Specific requirements - Class 1 assessment
4.6.3 Specific requirements - Class 2 assessment
4.6.4 Specific requirements - Class 3 assessment
4.7 Assessment of process capability
5 Verifying conformity to process assessments
Annex A (normative) Categories of independence
Annex B (informative) Example content of an assessment report
Bibliography
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information

The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 7, Software and systems engineering.

This second edition cancels and replaces clauses of ISO/IEC 15504-2:2003 and ISO/IEC/TR 15504-7:2008, which have been technically revised.

Introduction

This International Standard defines the minimum set of requirements for performing an assessment that will ensure assessment results are objective, consistent, repeatable, and representative of the assessed processes. The requirements help to ensure that the assessment output is self-consistent and to provide evidence to substantiate the ratings and to verify compliance with the requirements.

Process assessment is applicable in the following circumstances:

- by or on behalf of an organization with the objective of understanding the state of its own processes for process improvement;
- by or on behalf of an organization with the objective of determining the suitability of its own processes for a particular requirement or category of requirements;
- by or on behalf of one organization with the objective of determining the suitability of another organization's processes for a particular purpose, contract, or category of contracts.

This International Standard is applicable across all application domains and sizes of organizations. Appropriate methods, techniques, and tools can be used to enable the assessment process to be effective and efficient.

This International Standard is part of a set of International Standards designed to provide a consistent and coherent framework for the assessment of process quality characteristics, based on objective evidence resulting from implementation of the processes. The framework for assessment covers processes employed in the development, maintenance, and use of systems across the information technology domain and those employed in the design, transition, delivery, and improvement of services. The set of International Standards, as a whole, addresses process quality characteristics of any type. Results of assessment can be applied for improving process performance, or for identifying and addressing risks associated with application of processes.

The ISO/IEC 330xx family of Standards defines the requirements and resources needed for process assessment. The overall architecture and content of the series is described in ISO/IEC 33001:2015.

Several International Standards in the ISO/IEC 330xx family of standards for process assessment are intended to replace and extend parts of the ISO/IEC 15504 series of Standards. ISO/IEC 33001, Annex A provides a detailed record of the relationship between the ISO/IEC 330xx family and the ISO/IEC 15504 series.
1 Scope

This International Standard defines the minimum set of requirements for performing an assessment that will ensure assessment results are objective, consistent, repeatable, and representative of the assessed processes.

The requirements defined in this International Standard can be used by or on behalf of an organization to

a) facilitate self-assessment,
b) provide a basis for improving process performance and mitigating process-related risk,
c) produce a rating of the achievement of the relevant process quality characteristic, and
d) provide an objective benchmark between organizations.

This International Standard is applicable across all application domains and sizes of organization.

NOTE An organization can implement a set of integrated processes in a system.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 33001:2015, Information technology - Process assessment - Concepts and terminology
ISO/IEC 33003:2015, Information technology - Process assessment - Requirements for process measurement frameworks
ISO/IEC 33004:2015, Information technology - Process assessment - Requirements for process reference, process assessment and maturity models

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 33001:2015 apply.

4 Performing an assessment

The purpose of process assessment is to understand and assess the processes implemented by an organizational unit. Figure 1 shows the key elements of the process assessment process.

Figure 1 - Key elements of the process assessment process

Clause 4 sets out the requirements for performing an assessment conformant with this International Standard. The requirements help to ensure that the assessment output is self-consistent and provides evidence to substantiate the ratings.

4.1 General requirements

The assessment shall be conducted according to a documented assessment process. The documented assessment process shall be capable of meeting the assessment purpose and shall be structured in a manner that ensures that the purpose for performing the assessment is satisfied, in terms of the rigour and independence of the assessment and its suitability for the intended use.

The documented assessment process shall prescribe a set of activities and tasks to be performed that meet all of the requirements defined in this International Standard. Specifically, the documented assessment process shall:

- identify as a minimum, the assessment activities as defined in 4.2;
- identify as a minimum the roles, responsibilities and competencies as defined in 4.3;
- identify the classes of assessment for which the documented assessment process can be applied, and the nature and extent of tailoring associated with each class addressed by the documented process;
- define the criteria for ensuring coverage for both the defined organizational scope and the defined process scope for the assessment, in terms of the strategy for collecting and analysing data;
- identify the rating method(s) to be used in rating process attributes;
- identify or define the aggregation method(s) to be used in determining ratings.

Classes of assessment are described in 4.6. They reflect different levels of confidence in the results of the assessment. Different categories of independence for different types of bodies and personnel are described in Annex A, with criteria for their use.

The documented assessment process shall contain at minimum the following activities:
4.2 Assessment activities

The assessment process shall start with the assessment sponsor's commitment to proceed.

4.2.1 Plan the assessment

A plan for the assessment shall be developed and documented, including at a minimum:

a) required inputs specified in this standard (refer to 4.4);
b) class of assessment (refer to 4.6);
c) category of independence of the body performing the assessment, the lead assessor and the other members of the assessment team (refer to Annex A);
d) communications to the personnel involved in the assessment;
e) identification of the documented assessment process including:
   1) the strategy and techniques for the selection, identification, collection and analysis of objective evidence and data, to satisfy any requirements for coverage of the organizational scope or the process scope of the assessment as defined for the class of the assessment (refer to 4.6);
   2) the approach to derive an agreed process attribute rating, where relevant.
f) activities to be performed in performing the assessment;
g) resources and schedule assigned to these activities;
h) identification and definition of roles and responsibilities of the participants in the assessment;
i) criteria to verify that the requirements of this International Standard have been met;
j) description of the planned assessment outputs.

Roles and responsibilities for process assessment shall be assigned and communicated to personnel impacted by the assessment.

The plan for the assessment shall be approved by the assessment sponsor, and the approval shall be documented.

4.2.2 Collect the data

The data collected shall be sufficient to provide coverage of the organization scope and the process scope for the assessment, as specified for the selected class of the assessment. Data shall be collected on the basis of direct or indirect evidence that shall be sufficient for the class of assessment (refer to 4.6).

Evidence required for evaluating the processes within the assessment scope and additional information shall be collected in a systematic manner applying at minimum the following:

a) a correspondence between the organizational unit's processes and the elements in the process assessment model, specified in the assessment scope, shall be established;
b) each process identified in the assessment scope shall be assessed on the basis of objective evidence;
c) objective evidence shall be identified and gathered to provide the basis for verification of the ratings;
d) objective evidence gathered for each process attribute for each process assessed shall be sufficient to meet the assessment purpose, assessment scope and class of assessment;
e) objective evidence collected for each process shall be representative of the implementation of the process across the organizational scope