ISO/IEC 15504-2:2003

INTERNATIONAL ISO/IEC
STANDARD 15504-2
First edition
2003-10-15


Software engineering — Process
assessment —
Part 2:
Performing an assessment
Génie logiciel — Procédés d'évaluation —
Partie 2: Exécution d'une évaluation




Reference number
ISO/IEC 15504-2:2003(E)
©
ISO/IEC 2003

---------------------- Page: 1 ----------------------
ISO/IEC 15504-2:2003(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


©  ISO/IEC 2003
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2003 — All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 15504-2:2003(E)
Contents Page
Foreword. iv
Introduction . iv
1 Scope. 1
2 Normative references . 1
3 Terms and definitions. 2
4 Performing an assessment . 2
4.1 General. 2
4.2 The assessment process . 2
4.3 Roles and responsibilities. 4
4.4 Defining the initial assessment input . 4
4.5 Recording the assessment output. 6
5 Measurement framework for process capability . 6
5.1 Level 0: Incomplete process. 6
5.2 Level 1: Performed process. 6
5.3 Level 2: Managed process . 7
5.4 Level 3: Established process. 8
5.5 Level 4: Predictable process . 9
5.6 Level 5: Optimizing process . 9
5.7 Rating process attributes. 10
5.8 Process capability level model. 11
6 Models for process assessment . 11
6.1 Introduction . 11
6.2 Process Reference Models . 12
6.3 Process Assessment Models . 13
7 Mechanisms for verification of conformity . 15
7.1 Introduction . 15
7.2 Verifying conformity of Process Reference Models. 16
7.3 Verifying conformity of Process Assessment Models. 16
7.4 Verifying conformity of process assessments . 16

© ISO/IEC 2003 — All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 15504-2:2003(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 15504-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 7, Software and system engineering.
This first edition of ISO/IEC 15504-2 cancels and replaces ISO/IEC TR 15504-2:1998 and
ISO/IEC TR 15504-3:1998, which have been technically revised.
ISO/IEC 15504 consists of the following parts, under the general title Software engineering — Process
assessment:
 Part 2: Performing an assessment
 Part 3: Guidance on performing an assessment
 Part 4: Guidance on use for process improvement and process capability determination
The following parts are in preparation:
 Part 1: Concepts and vocabulary
 Part 5: An exemplar Process Assessment Model
The complete series will replace ISO/IEC TR 15504-1 to ISO/IEC TR 15504-9.
iv © ISO/IEC 2003 — All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 15504-2:2003(E)
Introduction
This part of ISO/IEC 15504 defines the basis for process assessment. Other parts of ISO/IEC 15504 contain
guidance that will provide a more detailed understanding of the subject. It is primarily addressed to the
competent assessor and other stakeholders, such as the sponsor of the assessment, who need to be assured
that the requirements of this International Standard have been met. It will also be of value to developers of
assessment methods and of tools to support an assessment.
ISO/IEC 15504-2 sets out the minimum requirements for performing an assessment that ensure consistency
and repeatability of the ratings. The requirements help to ensure that the assessment output is self-consistent
and provides evidence to substantiate the ratings and to verify compliance with the requirements.
ISO/IEC 15504-1 provides a general introduction to the concepts of process assessment and a glossary for
assessment related terms.
ISO/IEC 15504-3 provides guidance for interpreting the requirements for performing an assessment.
This part of ISO/IEC 15504 identifies the measurement framework for process capability and the requirements
for:
a) performing an assessment;
b) Process Reference Models;
c) Process Assessment Models;
d) verifying conformity of process assessment.
Process assessment, as defined in this International Standard, is based on a two dimensional model
containing a process dimension and a capability dimension. The process dimension is provided by an external
Process Reference Model, which defines a set of processes characterized by statements of process purpose
and process outcomes. The capability dimension consists of a measurement framework comprising six
process capability levels and their associated process attributes.
The assessment output consists of a set of process attribute ratings for each process assessed, termed the
process profile, and may also include the capability level achieved by that process.
Process assessment is applicable in the following circumstances:
a) by or on behalf of an organization with the objective of understanding the state of its own processes for
process improvement;
b) by or on behalf of an organization with the objective of determining the suitability of its own processes for
a particular requirement or class of requirements;
c) by or on behalf of one organization with the objective of determining the suitability of another
organization’s processes for a particular contract or class of contracts.
As described in ISO/IEC 15504-4, process assessment is an activity that can be performed either as part of a
process improvement initiative or as part of a capability determination approach. The formal entry to the
assessment process occurs with the compilation of the assessment input which defines the purpose of the
assessment (why it is being carried out), the scope of the assessment, what constraints apply to the
assessment and any additional information that needs to be gathered. The assessment input also defines the
responsibility of the various parties in the performance of an assessment. An assessor who has the necessary
© ISO/IEC 2003 — All rights reserved v

---------------------- Page: 5 ----------------------
ISO/IEC 15504-2:2003(E)
competence and skills oversees the assessment. Assessors may be from within the organization, external to
the organization or a combination of both.
An assessment is carried out against a defined assessment input utilizing conformant Process Assessment
Model(s) related to one or more conformant or compliant Process Reference Models. ISO/IEC TR 15504-5
contains an exemplar Process Assessment Model that is based upon the Process Reference Model defined in
ISO/IEC 12207:1995/Amd.1, Annex F.
vi © ISO/IEC 2003 — All rights reserved

---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO/IEC 15504-2:2003(E)

Software engineering — Process assessment —
Part 2:
Performing an assessment
1 Scope
This part of ISO/IEC 15504 addresses the assessment of process and the application of process assessment
for improvement and capability determination. It defines the minimum set of requirements for performing an
assessment that will ensure assessment results are objective, impartial, consistent, repeatable and
representative of the assessed processes. Results of conformant process assessments may be compared
when the scopes of the assessments are considered to be similar. For guidance on this matter, refer to
ISO/IEC 15504-4.
The requirements for process assessment defined in this part of ISO/IEC 15504 form a structure which:
a) facilitates self-assessment;
b) provides a basis for use in process improvement and capability determination;
c) takes into account the context in which the assessed process is implemented;
d) produces a process rating;
e) addresses the ability of the process to achieve its purpose;
f) is applicable across all application domains and sizes of organization;
g) may provide an objective benchmark between organizations.
NOTE Copyright release: users of this part of ISO/IEC 15504 may freely reproduce relevant material as part of any
Process Assessment Model, or as part of any demonstration of conformance with this International Standard, so that it can
be used for its intended purpose.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 12207:1995/Amd.1:2002, Information technology — Software life cycle processes
1)
ISO/IEC TR 15504-9, Information technology — Software process assessment — Part 9: Vocabulary
ISO/IEC 15288:2002, Systems engineering — System life cycle processes

1) A revision of this document is in preparation under the following reference: ISO/IEC 15504-1.
© ISO/IEC 2003 — All rights reserved 1

---------------------- Page: 7 ----------------------
ISO/IEC 15504-2:2003(E)
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC TR 15504-9 apply.
4 Performing an assessment
4.1 General
The purpose of process assessment is to understand the capability of the processes implemented by an
organization. As a result of successful implementation of process assessment:
a) information and data that characterize the processes assessed is determined;
b) the extent to which the processes achieve the process purpose is determined.
This Clause of ISO/IEC 15504-2 sets out the requirements for an assessment or assessments conformant
with this International Standard. The requirements help to ensure that the assessment output is self-consistent
and provides evidence to substantiate the ratings. Figure 1 shows the logical arrangement of the normative
elements of this International Standard.
NOTE Higher levels of capability may give greater confidence that an organization’s business goals will be met; lower
levels of capability may indicate potential sources of risk.

Process Reference Model
Measurement Framework
• Capability Levels
• Domain and Scope
• Process Attributes
• Process Purpose
• Rating Scale
• Process Outcomes
Process
Assessment Model
idScopei t
•
Indicators
•
Mapping
•
Translation
•
ASSESSMENT PROCESS
INITIAL INPUT OUTPUT
Planning
• Purpose
• Date
Data Collection
• Scope
• Assessment Input
• Constraints Data Validation
• Identification of
• Identities Process Attribute Rating
Evidence
Assessment Process used
• Approach •
Reporting
• Assessor competence
• Process Profiles
criteria • Additional information
•
Additional information
Roles and Responsibilities
• Sponsor
• Competent Assessor
• Assessor(s)

Figure 1 — The normative elements of this International Standard
4.2 The assessment process
4.2.1 The assessment shall be conducted according to a documented assessment process that is capable
of meeting the assessment purpose.
2 © ISO/IEC 2003 — All rights reserved

---------------------- Page: 8 ----------------------
ISO/IEC 15504-2:2003(E)
4.2.2 The documented assessment process shall contain at minimum the following activities:
a) Planning — a plan for the assessment shall be developed and documented, including at minimum:
1) the required inputs specified in this part of ISO/IEC 15504;
2) the activities to be performed in conducting the assessment;
3) the resources and schedule assigned to these activities;
4) the identity and defined responsibilities of the participants in the assessment;
5) the criteria to verify that the requirements of this International Standard have been met;
6) a description of the planned assessment outputs.
b) Data collection — data required for evaluating the processes within the scope of the assessment (see
4.4.2 c)) and additional information (see 4.4.2 j)) shall be collected in a systematic manner, applying at
minimum the following:
1) the strategy and techniques for the selection, collection, analysis of data and justification of the
ratings shall be explicitly identified and shall be demonstrable;
2) correspondence shall be established between the organizational unit’s processes, specified in the
assessment scope, and the elements in the Process Assessment Model;
3) each process identified in the assessment scope shall be assessed on the basis of objective
evidence;
4) the objective evidence gathered for each attribute for each process assessed shall be sufficient to
meet the assessment purpose and scope;
5) the identification of the objective evidence gathered shall be recorded and maintained to provide the
basis for verification of the ratings.
c) Data validation — the data collected shall be validated to:
1) confirm that the evidence collected is objective;
2) ensure that the objective evidence is sufficient and representative to cover the scope and purpose of
the assessment;
3) ensure that the data as a whole is consistent.
d) Process attribute rating — a rating shall be assigned based on validated data for each process attribute:
1) the set of process attribute ratings shall be recorded as the process profile for the defined
organizational unit;
2) during the assessment, the defined set of assessment indicators in the Process Assessment Model
shall be used to support the assessors’ judgement in rating process attributes in order to provide the
basis for repeatability across assessments;
3) the decision-making process that is used to derive rating judgements shall be recorded;
4) traceability shall be maintained between an attribute rating and the objective evidence used in
determining that rating;
© ISO/IEC 2003 — All rights reserved 3

---------------------- Page: 9 ----------------------
ISO/IEC 15504-2:2003(E)
5) for each process attribute rated, the relationship between the indicators and the objective evidence
shall be recorded.
e) Reporting — the assessment results, including at minimum the outputs specified in 4.5, shall be
documented and reported to the assessment sponsor or to their delegated representative.
4.3 Roles and responsibilities
4.3.1 The sponsor of the assessment shall:
a) verify that the individual who is to take responsibility for conformity of the assessment is a competent
assessor;
b) ensure that resources are made available to conduct the assessment;
c) ensure that the assessment team has access to the relevant resources.
4.3.2 The competent assessor shall:
a) confirm the sponsor's commitment to proceed with the assessment;
b) ensure that the assessment is conducted in accordance with the requirements of this part of
ISO/IEC 15504;
c) ensure that participants in the assessment are briefed on the purpose, scope and approach of the
assessment;
d) ensure that all members of the assessment team have knowledge and skills appropriate to their roles;
e) ensure that all members of the assessment team have access to appropriate documented guidance on
how to perform the defined assessment activities;
f) ensure that the assessment team has the competencies to use the tools chosen to support the
assessment;
g) confirm receipt of the assessment result deliverables by the sponsor;
h) on completion of the assessment, verify and document the extent of conformance of the assessment to
ISO/IEC 15504 (see also 7.4).
4.3.3 The assessor(s) shall:
a) carry out assigned activities associated with the assessment, e.g. detailed planning, data collection, data
validation and reporting;
b) rate the process attributes.
4.4 Defining the initial assessment input
4.4.1 The assessment input shall be defined prior to the data collection phase of an assessment and
approved by the sponsor of the assessment or the sponsor's delegated authority.
4.4.2 At minimum, the assessment input shall specify:
a) the identity of the sponsor of the assessment and the sponsor’s relationship to the organizational unit
being assessed;
b) the assessment purpose;
4 © ISO/IEC 2003 — All rights reserved

---------------------- Page: 10 ----------------------
ISO/IEC 15504-2:2003(E)
c) the assessment scope including:
1) the processes to be investigated within the organizational unit;
2) the highest capability level to be investigated for each individual process within the assessment
scope;
3) the organizational unit that deploys the processes;
4) the context which includes:
i) the size of the organizational unit;
ii) the application domain of the products or services of the organizational unit;
iii) key characteristics (e.g. size, criticality, complexity and quality) of the products or services of the
organizational unit;
d) the assessment approach;
e) the assessment constraints considering, at minimum:
1) availability of key resources;
2) the maximum duration of the assessment;
3) specific processes or organizational units to be excluded from the assessment;
4) the quantity and type of objective evidence to be examined in the assessment;
5) the ownership of the assessment outputs and any restrictions on their use;
6) controls on information resulting from a confidentiality agreement;
f) the identity of the Process Assessment Model (including the identity of the Process Reference Model(s)
used) that meets the requirements defined in 6.3;
1) if the Process Reference Model(s) includes system or software engineering processes then the
relationship of these processes with ISO/IEC 15288 or ISO/IEC 12207:1995/Amd.1:2002, Annex F
shall be defined;
g) the identity of the competent assessor;
h) the criteria for competence of the assessor who is responsible for the assessment;
i) the identity and roles of assessees, the assessment team and assessment support staff with specific
responsibilities for the assessment;
j) any additional information to be collected during the assessment to support process improvement or
process capability determination, e.g. specific data (or measurement results) that are needed to quantify
the organization's ability to meet a particular business goal (this may also include information detailed at
6.3.5 and associated note).
4.4.3 Any changes in the assessment input shall be agreed with the sponsor or the sponsor's delegated
authority and documented in the assessment record.
© ISO/IEC 2003 — All rights reserved 5

---------------------- Page: 11 ----------------------
ISO/IEC 15504-2:2003(E)
4.5 Recording the assessment output
4.5.1 Information which is pertinent to the assessment and will support understanding of the output of the
assessment shall be compiled and included in the assessment record for retention by the sponsor or their
delegated authority.
4.5.2 At minimum, the assessment record shall contain:
a) the date of the assessment;
b) the assessment input;
c) the identification of the objective evidence gathered;
d) identification of the documented assessment process;
e) the set of process profiles resulting from the assessment (i.e. one profile for each process assessed);
f) the identification of any additional information collected during the assessment as specified in 4.4.2 j).
5 Measurement framework for process capability
This Clause of ISO/IEC 15504-2 defines a measurement framework for the assessment of process capability.
Process capability is defined on a six point ordinal scale that enables capability to be assessed from the
bottom of the scale, Incomplete, through to the top end of the scale, Optimizing. The scale represents
increasing capability of the implemented process, from not achieving the process purpose through to meeting
current and projected business goals.
The measurement framework provides a schema for use in characterizing the capability of an implemented
process with respect to a Process Assessment Model.
Within this measurement framework, the measure of capability is based upon a set of process attributes (PA).
Each attribute defines a particular aspect of process capability. The extent of process attribute achievement is
characterized on a defined rating scale. The combination of process attribute achievement and a defined
grouping of process attributes together determine the process capability level.
Although PAs are defined in such a way that they can be rated independently of one another, this does not
imply that there are no other relationships between them, e.g. the achievement of one attribute may be linked
to the achievement of another attribute within the capability dimension.
NOTE The listing of elements within the PAs does not imply any sequencing or priority, but is for identification only.
5.1 Level 0: Incomplete process
The process is not implemented, or fails to achieve its process purpose.
At this level there is little or no evidence of any systematic achievement of the process purpose.
5.2 Level 1: Performed process
The implemented process achieves its process purpose.
The following attribute of the process demonstrates the achievement of this level:
6 © ISO/IEC 2003 — All rights reserved

---------------------- Page: 12 ----------------------
ISO/IEC 15504-2:2003(E)
5.2.1 PA 1.1 Process performance attribute
The process performance attribute is a measure of the extent to which the process purpose is achieved. As a
result of full achievement of this attribute:
a) the process achieves its defined outcomes.
5.3 Level 2: Managed process
The previously described Performed process is now implemented in a managed fashion (planned, monitored
and adjusted) and its work products are appropriately established, controlled and maintained.
The following attributes of the process, together with the previously defined attributes, demonstrate the
achievement of this level.
5.3.1 PA 2.1 Performance management attribute
The performance management attribute is a measure of the extent to which the performance of the process is
managed. As a result of full achievement of this attribute:
a) objectives for the performance of the process are identified;
b) performance of the process is planned and monitored;
c) performance of the process is adjusted to meet plans;
d) responsibilities and authorities for performing the process are defined, assigned and communicated;
e) resources and information necessary for performing the process are identified, made available, allocated
and used;
f) interfaces between the involved parties are managed to ensure both effective communication and also
clear assignment of responsibility.
5.3.2 PA 2.2 Work product management attribute
The work product management attribute is a measure of the extent to which the work products produced by
the process are appropriately managed. As a result of full achievement of this attribute:
a) requirements for the work products of the process are defined;
b) requirements for documentation and control of the work products are defined;
c) work products are appropriately identified, documented, and controlled;
d) work products are reviewed in accordance with planned arrangements and adjusted as necessary to meet
requirements.
NOTE 1 Requirements for documentation and control of work products may include requirements for the identification
of changes and revision status, approval and re-approval of work products, and for making relevant versions of applicable
work products available at points of use.
NOTE 2 The work products referred to in this Clause are those that result from the achievement of the process
outcomes.
© ISO/IEC 2003 — All rights reserved 7

---------------------- Page: 13 ----------------------
ISO/IEC 15504-2:2003(E)
5.4 Level 3: Established process
The previously described Managed process is now implemented using a defined process that is capable of
achieving its process outcomes.
The following attributes of the process, together with the previously defined attributes, demonstrate the
achievement of this level.
5.4.1 PA 3.1 Process definition attribute
The process definition attribute is a measure of the extent to which a standard process is maintained to
support the deployment of the defined process. As a result of full achievement of this attribute:
a) a s
...