BSI Standards Publication
BS ISO/IEC 29169:2016

Information technology - Process assessment - Application of conformity assessment methodology to the assessment to process quality characteristics and organizational maturity

BRITISH STANDARD

National foreword

This British Standard is the UK implementation of ISO/IEC 29169:2016.

The UK participation in its preparation was entrusted to Technical Committee IST/15, Software and systems engineering.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2016. Published by BSI Standards Limited 2016

ISBN 978 0 580 71807 6
ICS 35.080

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 April 2016.

Amendments issued since publication
Date    Text affected

INTERNATIONAL STANDARD ISO/IEC 29169
First edition 2016-04-01
Reference number ISO/IEC 29169:2016(E)

COPYRIGHT PROTECTED DOCUMENT

© ISO/IEC 2016, Published in Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Ch. de Blandonnet 8, CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Concepts of conformity assessment
  4.1 Conformity assessment
  4.2 Conformity assessment and standards
  4.3 Conformity assessment bodies
  4.4 Conformity assessment schemes
5 Functional approach to conformity assessment
  5.1 General
  5.2 Selection
  5.3 Determination
  5.4 Review and attestation
  5.5 Surveillance
6 Conformity assessment scheme
  6.1 Conformity assessment requirements
  6.2 Categorization of bodies
  6.3 Mutual recognition agreements
  6.4 Agreement groups
  6.5 Accreditation
7 Requirements for performing an assessment
8 Guidance on planning and performing an assessment
  8.1 General
  8.2 Assessment approach
  8.3 Assessment scope
  8.4 Assessment sample
  8.5 Assessment performance
  8.6 Assessment data collection
  8.7 Determining organizational process maturity level
  8.8 Assessment reporting
9 Requirements for review and attestation
  9.1 Review and attestation
  9.2 Statement of conformity
  9.3 Certificate of conformity
10 Requirements for surveillance
  10.1 General
  10.2 Surveillance assessments
11 Requirements for the operation of various bodies performing inspection
Bibliography
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT), see the following URL: Foreword Supplementary information.

The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 7, Software and systems engineering.

Introduction

JTC 1's policy on conformity assessment is stated in the Consolidated JTC1 Supplement, 2015. To promote consistent implementation of standards, JTC 1 has resolved that it shall be a major contributor to international acceptance of conformity assessment procedures and specifications for IT related areas, and that it shall work to support an environment which encourages worldwide recognition of conformity assessment results.

Each JTC 1 Subcommittee has the authority and responsibility to specify the conformity assessment methodology applicable to any distinct area of Information Technology that is entirely within the scope of that Subcommittee.

In the conformity assessment area, JTC 1's objectives include the facilitation of mutual recognition of accreditation, test reports, certification and registration in the IT field, primarily by developing appropriate standards, and recognition of Supplier's Declaration as a legitimate statement of conformity.

To support JTC1's objectives of mutual recognition of accreditation, test reports, certification, registration, and recognition of a supplier's declaration of conformity, a conformity assessment methodology for the assessment of process quality characteristics and organizational process maturity is defined in this International Standard which provides for an environment for and encourages the worldwide recognition of conformity assessment results.

The overall framework for conformity assessment follows the approach defined in ISO/IEC 17020, which covers inter alia the functions of bodies whose work includes the examination of processes, and the determination of their conformity, with requirements, and the subsequent reporting of results of these activities to clients and, when required, to supervisory authorities. Such work normally requires the exercise of professional judgement in providing the service, in particular when assessing conformity.

ISO/IEC 17020 is used in the context of first, second and third party assessments resulting in the issuance of a conformity assessment report and statement of conformity. Where continuing assurance is needed or desirable to maintain the validity of an assessment result, the scope of conformity assessment can be extended to include periodic surveillance within a defined cycle.

Additionally, ISO/IEC 17065 can be used as an alternative approach but only in the context of a third-party certification body using an audit approach typically with the issuance of non-conformity reports.

This International Standard has been developed following application of use in the field and in consultation with key stakeholders, national accreditation bodies, ISO's policy committee for conformity assessment (CASCO) and the International Certification Network (IQNet Association).

1 Scope

This International Standard aims to define the application of a conformity assessment methodology, based on the existing published ISO/IEC standards and guides, to the process assessment of process quality characteristics and organizational process maturity, performed in accordance with the requirements of the ISO/IEC 33001 to ISO/IEC 33099 family of process assessment standards.

Conformity assessment, also known as compliance assessment, is any activity to determine, directly or indirectly, that a process, product, or service meets relevant standards and fulfils relevant requirements. The subject of conformity assessment activities may include testing, inspection or certification.

Conformity assessment in this International Standard can be performed by various types of bodies that meet the requirements of ISO/IEC 17020.

The term “inspection” as used in ISO/IEC 17020 is synonymous with the term “process assessment” as defined in ISO/IEC 33001 and used throughout the ISO/IEC 33001 to ISO/IEC 33099 family of standards.

While a process assessment may be performed solely according to the ISO/IEC 33002 requirements for performing an assessment, performing a process assessment in the context of conformity assessment according to a conformity assessment scheme brings with it additional requirements. Conformity assessment involves a functional approach consisting of a number of stages: selection, determination, review and attestation, plus surveillance when there is a need to provide continuing assurance of conformity.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies.
For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 33001:2015, Information technology - Process assessment - Concepts and terminology
ISO/IEC 33002:2015, Information technology - Process assessment - Requirements for performing process assessment
ISO/IEC 17000, Conformity assessment - Vocabulary and general principles
ISO/IEC 17020:2012, Conformity assessment - Requirements for the operation of various types of bodies performing inspection

3 Terms and definitions

For the purposes of this International Standard, the definitions in ISO/IEC 33001, ISO/IEC 33020, ISO/IEC 17000 and ISO/IEC 17020 apply.

NOTE 1 Where the term conformity assessment is used, the definition in ISO/IEC 17000 applies.

NOTE 2 Wherever the term assessment is used without the word conformity (e.g. assessment, process assessment, conformant process assessment, assessment body), the relevant ISO/IEC 33001 definitions apply.

NOTE 3 The term inspection as used in ISO/IEC 17020 is synonymous with the term process assessment as defined in ISO/IEC 33001 and used throughout the ISO/IEC 33001 to ISO/IEC 33099 family of standards.

NOTE 4 Both ISO/IEC 17020 and ISO/IEC 33002 refer to the independence of the different types of bodies. In order to clearly distinguish terminology used in the standards, ISO/IEC 17020 uses the term Type to identify the three types of inspection body (Types A, B and C); whereas, ISO/IEC 33002 uses the term Category to categorize the independence of different types of body and the make-up of the assessment team performing an assessment (Categories A, B, C and D).

4 Concepts of conformity assessment

4.1 Conformity assessment

ISO/IEC 17000 defines conformity assessment as: demonstration that specified requirements relating to a product, process, system, person, or body are fulfilled.

The term object of conformity assessment, or sometimes just object, is used in ISO/IEC 17000 to refer to “product, process, system, person or body”.

4.2 Conformity assessment and standards

In the context of conformity assessment there are two major aspects of standardization.

The first aspect is the availability of national, regional and international standards that can be used by suppliers, purchasers, conformity assessment bodies and regulators for setting the requirements for an object and assessing its conformity with them.

The essential features of a standard to be used for conformity assessment are that the standard must be so written that it can be applied by any of the following: a manufacturer or supplier (first party); a user or purchaser (second party); an independent body (third party).

The relevant standard with reference to this International Standard is the ISO/IEC 33001 to ISO/IEC 33099 family of standards on process assessment, where ISO/IEC 33002 defines the requirements for performing process assessment.

The scope of the standard should also be clearly stated in terms both of the type of objects to which it relates and to the characteristics of those objects which it specifies.

The type of objects with reference to this International Standard is the process(es) within the scope of an ISO/IEC 33002 process assessment. The relevant characteristic of the objects is the selected process quality characteristic.

The second aspect of particular relevance to conformity assessment bodies is the availability of standards which set out requirements for best practice of conformity assessment and the bodies which carry it out. These standards are intended to ensure that there are consistent and internationally harmonized practices amongst conformity assessment bodies and the bodies with which they work (such as accreditation bodies). The responsibility for preparation and maintenance of these conformity assessment standards lies with ISO/CASCO.

The relevant standard with reference to this International Standard is ISO/IEC 17020.

4.3 Conformity assessment bodies

ISO/CASCO standards and guides define the characteristics for a number of different types of conformity assessment bodies. ISO/IEC 17020 sets out three types of inspection bodies (Types A, B, and C) with different requirements for independence.

ISO/IEC 33002:2015, Annex A sets out a typology t