ISO/IEC 15504-4:2004
Information technology - Process assessment - Part 4: Guidance on use for process improvement and process capability determination
ISO/IEC 15504 provides a framework for the assessment of processes. This framework can be used by organizations involved in planning, managing, monitoring, controlling, and improving the acquisition, supply, development, operation, evolution and support of products and services. ISO/IEC 15504-4:2004 provides guidance on how to utilize a conformant process assessment within a process improvement programme or for process capability determination. Within a process improvement (PI) context, process assessment provides a means of characterizing an organizational unit in terms of the capability of selected processes. Analysis of the output of a conformant process assessment against an organizational unit's business goals identifies strengths, weaknesses and risks related to the processes. This, in turn, can help determine whether the processes are effective in achieving business goals, and provide the drivers for making improvements. Process capability determination (PCD) is concerned with analysing the output of one or more conformant process assessments to identify the strengths, weaknesses and risks involved in undertaking a specific project using the selected processes within a given organizational unit. A process capability determination can provide a fundamental input to supplier selection, in which case it is often termed a "supplier capability determination". ISO/IEC 15504-4:2004 describes the PI and PCD processes and how to deploy them, and provides guidance on utilizing process assessment, selecting Process Reference Model(s), setting target capability, defining the assessment input, inferring process-related risk from assessment output, steps of process improvement, steps of process capability determination, comparability of assessment output analysis.
Technologies de l'information — Évaluation des procédés — Partie 4: Conseils sur l'utilisation pour l'amélioration des procédés et la détermination de la capacité des procédés
ISO/IEC 15504-4:2004 is a standard published by the International Organization for Standardization (ISO).
ISO/IEC 15504-4:2004 is classified under the following ICS (International Classification for Standards) categories: 35.080 - Software. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/IEC 15504-4:2004 has the following relationships with other standards: it has inter-standard links to ISO/IEC TR 33015:2019, ISO/IEC TR 15504-8:1998 and ISO/IEC TR 15504-7:1998. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 15504-4
First edition 2004-07-01
Information technology — Process assessment — Part 4: Guidance on use for process improvement and process capability determination
Technologies de l'information — Procédés d'évaluation — Partie 4: Conseils sur l'utilisation pour l'amélioration de processus et la détermination de capacité de processus
© ISO/IEC 2004
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Introduction
4.1 Process improvement and process capability determination
4.2 PI and PCD sponsors and teams
4.3 Process, guidance and method
4.4 Process improvement – purpose and outcomes
4.5 Process capability determination — purpose and outcomes
4.6 Process assessment output
5 Utilizing process assessment
5.1 General
5.2 Selecting Process Reference Model(s)
5.3 Setting target capability
5.4 Defining the assessment input
5.5 Evaluating process-related risk
5.5.1 Inferring process-related risk from assessment output
5.5.2 Analysing weaknesses
6 Process improvement
6.1 Overview
6.2 Steps of process improvement
6.2.1 Step 1 – Examine organization’s business goals
6.2.2 Step 2 – Initiate process improvement cycle
6.2.3 Step 3 – Assess current capability
6.2.4 Step 4 – Develop action plan
6.2.5 Step 5 – Implement improvements
6.2.6 Step 6 – Confirm improvements
6.2.7 Step 7 – Sustain improvements
6.2.8 Step 8 – Monitor performance
7 Process capability determination
7.1 Overview
7.2 Steps of process capability determination
7.2.1 Step 1 – Initiate process capability determination
7.2.2 Step 2 – Set target capability
7.2.3 Step 3 – Assess current capability
7.2.4 Step 4 – Determine proposed capability
7.2.5 Step 5 – Verify proposed capability
7.2.6 Step 6 – Analyse process-related risk
7.2.7 Step 7 – Act on results
7.3 Comparability of assessment output analysis
Annex A (informative) Analysing process-related risk
A.1 Introduction
A.2 Probability
A.3 Consequence
A.4 Process-related risk
A.5 Determining which processes represent greatest risk
A.6 Analysis approach
A.7 Example risk analysis
A.7.1 F.1.3.3 System and Architectural Design
A.7.2 F.2.2 Configuration Management
A.7.3 F.3.1.4 Risk Management
Annex B (informative) Subcontractors and consortia
B.1 Overview
B.1.1 Combining uniquely deployed processes
B.1.2 Combining processes deployed by more than one organizational unit
B.2 Enterprise reference architectures
Annex C (informative) Process improvement and organizational culture
C.1 Introduction
C.2 Management responsibility and leadership
C.3 Values, attitudes and behaviour
C.4 Process improvement objectives and motivation
C.5 Communication and teamwork
C.6 Recognition
C.7 Education and training
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 15504-4 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 7, Software and system engineering.
This first edition cancels and replaces ISO/IEC TR 15504-7:1998 and ISO/IEC TR 15504-8:1998, which have
been technically revised.
ISO/IEC 15504 consists of the following parts, under the general title Information technology — Process
assessment:
Part 1: Concepts and vocabulary
Part 2: Performing an assessment
Part 3: Guidance on performing an assessment
Part 4: Guidance on use for process improvement and process capability determination
The following part is in preparation:
Part 5: An exemplar Process Assessment Model
The complete series will replace ISO/IEC TR 15504-1 to ISO/IEC TR 15504-9.
Introduction
ISO/IEC 15504 provides a framework for process assessment and sets out the minimum requirements for
performing an assessment in order to ensure consistency and repeatability of assessment ratings. Process
assessment is applicable in the following circumstances:
- by or on behalf of an organization with the objective of understanding the state of its own processes for process improvement;
- by or on behalf of an organization with the objective of determining the capability of another organization's processes for a particular contract or class of contracts, or to determine the capability of its own processes for a particular requirement or class of requirements.
This informative part of ISO/IEC 15504 provides guidance on how to utilize a conformant process assessment
within a process improvement programme or within either type of process capability determination.
ISO/IEC 15504-1 provides a general introduction to the concepts of process assessment and a glossary for
assessment related terms.
ISO/IEC 15504-2 sets requirements for performing an assessment that ensure consistency and repeatability
of the ratings. The requirements help to ensure that the assessment output is self-consistent and provides
evidence to substantiate the ratings and to verify compliance with the requirements.
ISO/IEC 15504-3 provides guidance for interpreting the requirements for performing an assessment.
ISO/IEC 15504-5 contains an exemplar Process Assessment Model that is mapped to
ISO/IEC 12207:1995/Amd.1:2002 as a Process Reference Model.
INTERNATIONAL STANDARD ISO/IEC 15504-4:2004(E)
Information technology — Process assessment —
Part 4:
Guidance on use for process improvement and process
capability determination
1 Scope
This part of ISO/IEC 15504 provides guidance on how to utilize a conformant process assessment within a
process improvement programme or a process capability determination. This part of ISO/IEC 15504 is for
information only.
The guidance provided does not presume specific organizational structures, management philosophies, life
cycle models or development methods, although some of the examples and tables within the text are based
upon processes from ISO/IEC 12207.
In the case of process improvement, the concepts and principles are appropriate for the full range of different
business goals, application domains and sizes of organization, so that all types of organizations may use them.
In the case of process capability determination, this guidance is applicable within any customer–supplier
relationship, and to any organization wishing to determine the process capability of its own processes.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 12207, Information technology — Software life cycle processes
ISO/IEC 15504-1 1), Information technology — Process assessment — Part 1: Concepts and vocabulary
ISO/IEC 15504-2, Information technology — Process assessment — Part 2: Performing an assessment
1) To be published.
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 15504-1 apply.
4 Introduction
4.1 Process improvement and process capability determination
Within ISO/IEC 15504, process assessment can be utilized:
- by or on behalf of an organization with the objective of understanding its own processes for process improvement;
- by or on behalf of an organization with the objective of determining the capability of another organization's processes for a particular contract or class of contracts, or determining the capability of its own processes for a particular requirement or class of requirements.
Within a process improvement (PI) context, process assessment provides a means of characterizing an
organizational unit in terms of the capability of selected processes. Analysis of the output of a conformant
process assessment against an organizational unit's business goals identifies strengths, weaknesses and
risks related to the processes. This, in turn, can help determine whether the processes are effective in
achieving business goals, and provide the drivers for making improvements.
Process capability determination (PCD) is concerned with analysing the output of one or more conformant
process assessments to identify the strengths, weaknesses and risks involved in undertaking a specific
project using the selected processes within a given organizational unit. A process capability determination can
provide a fundamental input to supplier selection, in which case it is often termed a ‘supplier capability
determination’.
4.2 PI and PCD sponsors and teams
Process improvement programmes and process capability determinations will usually be required and
resourced by a sponsor – as described in ISO/IEC 15504-1. The sponsor has the authority to ensure that the
programme is carried out effectively, and takes ownership of the results. The sponsor may have one or more
staff working within a team – a PI Team or PCD Team – whose task is to plan and implement the actions
required to achieve the objectives identified by the sponsor.
Sponsorship may be implemented in a variety of ways, according to the culture of the organization. In
non-hierarchical or higher maturity organizations for example, both sponsorship and project management of
process improvement activities may be delegated to working level, although authorities, roles and
responsibilities should always be clearly defined.
4.3 Process, guidance and method
In order to achieve improvements to selected processes, PI Sponsors should deploy a PI process as outlined
in 4.4. In order to determine the capability of selected processes, PCD Teams should deploy a PCD process,
as outlined in 4.5. This part of ISO/IEC 15504 provides guidance on how to deploy such processes. In either
case, organizations should deploy a suitably capable process, and either acquire or develop a suitable
method — setting out appropriate roles, techniques and specific activities — with which to implement the
process. Such a method should:
- take account of the guidance contained within this part of ISO/IEC 15504;
- include or reference an assessment process which satisfies the requirements set out within ISO/IEC 15504-2 and accords with the guidance set out in ISO/IEC 15504-3.
4.4 Process improvement – purpose and outcomes
The purpose of process improvement is to continually improve the organization’s effectiveness and efficiency
through the processes used and maintained aligned with the business need.
As a result of successful implementation of process improvement:
- commitment is established to provide resources to sustain improvement actions;
- issues arising from the organization's internal/external environment are identified as improvement opportunities and justified as reasons for change;
- analysis of the current status of the existing process is performed, focusing on those processes from which improvement stimuli arise;
- improvement goals are identified and prioritized, and consequent changes to the process are defined and implemented;
- the effects of process implementation are monitored and confirmed against the defined improvement goals;
- knowledge gained from the improvements is communicated within the organization; and
- the improvements made are evaluated and consideration given for using solutions elsewhere within the organization.
[ISO/IEC 12207:1995/Amd.2 2), F.3.3.3]
NOTE 1 Information sources providing input for change may include: process assessment results, audits, customer's
satisfaction reports, organizational effectiveness / efficiency, cost of quality.
NOTE 2 The current status of processes may be determined by process assessment.
4.5 Process capability determination — purpose and outcomes
The purpose of process capability determination is to identify the strengths, weaknesses and process-related
risks associated with selected processes with respect to a particular specified requirement.
As a result of successful implementation of process capability determination:
- a target capability appropriate to the particular specified requirement is identified;
- reviews of the organization's processes are carried out to determine their suitability for the particular specified requirement in the light of process assessment results;
- strengths and weaknesses within the assessed processes are identified;
- any gaps between target and assessed capabilities are analysed;
- overall process-related risk is determined.
NOTE 1 The selected processes are chosen by the PCD Team as described in 7.2.2.
NOTE 2 The specified requirement may involve deploying an organization's processes for a new or an existing task, a
contract or an internal undertaking, a product or a service, or any other business requirement.
NOTE 3 Reviews of the organization's standard processes are generally carried out following a process assessment of
the organization’s implemented processes, as described in ISO/IEC 15504-3.
NOTE 4 Process capability determination does not address all aspects of risk, which may include strategic,
organizational, financial, personnel and many other factors. The output from a process capability determination feeds into
an organization’s risk management process, but only with respect to process-related risk – as outlined in 5.5.
4.6 Process assessment output
The output of a conformant process assessment includes a set of process profiles, which express the process
attribute ratings assigned for each process selected from the specified Process Reference Model(s) – as
described in ISO/IEC 15504-2.
An example set of process profiles, with ISO/IEC 12207 as the Process Reference Model, might be presented
as illustrated in Figure 1. The processes (F.1.3.1, etc.) are from ISO/IEC 12207, while the process attributes
(PA 1.1, etc.) and ratings (Fully achieved, etc.) are defined in ISO/IEC 15504-2.
2) To be published.
Process                                   Performed  Managed         Established     Predictable     Optimizing
                                          PA 1.1     PA 2.1  PA 2.2  PA 3.1  PA 3.2  PA 4.1  PA 4.2  PA 5.1  PA 5.2
F.1.3.1 Requirements Elicitation          F          F       L       -       -       -       -       -       -
F.1.3.3 System and Architectural Design   F          F       F       F       L       L       L       -       -
F.2.2 Configuration Management            F          P       L       F       L       -       -       -       -
F.3.1.4 Risk Management                   P          N       N       N       N       -       -       -       -
F.1.1.2 Supplier Selection                L          L       L       L       L       -       -       -       -
Key (as defined in Part 2): F Fully achieved; L Largely achieved; P Partially achieved; N Not achieved; - Not rated
Figure 1 — Example assessment output set of process profiles
The guidance contained in this part of ISO/IEC 15504 is intended to apply to the output from a conformant
process assessment.
5 Utilizing process assessment
5.1 General
This clause provides guidance upon issues common to both process improvement and process capability
determination.
5.2 Selecting Process Reference Model(s)
Both process improvement and process capability determination require that the sponsor select a suitable
Process Reference Model or Models.
A Process Reference Model describes a set of processes in terms of purpose and outcomes as defined in
ISO/IEC 15504-2. A Process Reference Model is generally a recognized domain standard. ISO/IEC 12207,
Annex F, and ISO/IEC 15288:2002 are Process Reference Models within the domains of software engineering
and systems engineering, respectively.
The sponsor should determine which Process Reference Model(s) will best suit the specified requirement (for
PCD) or business goals (for PI), following the guidance in ISO/IEC 15504-3 on the selection of suitable
Process Reference Models.
Where improvements are planned for processes that do not align with any recognized domain standard,
appropriate process models can still be defined and used, but this could not then be considered to be based
upon a conformant process assessment.
5.3 Setting target capability
The sponsor should determine which processes from the chosen Process Reference Model(s) are most
important to meeting the specified requirement (for PCD) or business goals (for PI).
The sponsor should then specify, for each selected process, a target process profile showing which process
attributes are required, and – for each process attribute – what rating is judged necessary. Only process
attribute ratings of Fully achieved or Largely achieved should be set; Not required should be noted for any
process attributes deemed not necessary. Partially achieved should not be set since this would indicate that
some aspects of achievement would be unpredictable – as defined in ISO/IEC 15504-2.
The set of target process profiles expresses the target capability which the sponsor judges to be adequate,
subject to an acceptable process risk, for meeting the specified requirement (for PCD) or business goals
(for PI).
Table 1 — Example target capability
Selected process from Process Reference Model   Process attributes                        Required process attribute rating
F.1.3.1 Requirements elicitation                PA 1.1                                    Fully achieved
                                                PA 2.1, PA 2.2                            Largely achieved
F.1.3.3 System and Architectural Design         PA 1.1, PA 2.1, PA 2.2, PA 3.1, PA 3.2    Fully achieved
                                                PA 4.1, PA 4.2                            Largely achieved
F.2.2 Configuration management                  PA 1.1, PA 2.1, PA 2.2                    Fully achieved
                                                PA 3.1, PA 3.2                            Largely achieved
F.3.1.4 Risk Management                         PA 1.1, PA 2.1, PA 2.2, PA 3.1, PA 3.2    Fully achieved
F.1.1.2 Supplier Selection                      PA 1.1, PA 2.1                            Fully achieved
                                                PA 2.2                                    Not required
                                                PA 3.1, PA 3.2                            Largely achieved

Process                                   Performed  Managed         Established     Predictable     Optimizing
                                          PA 1.1     PA 2.1  PA 2.2  PA 3.1  PA 3.2  PA 4.1  PA 4.2  PA 5.1  PA 5.2
F.1.3.1 Requirements Elicitation          F          L       L       -       -       -       -       -       -
F.1.3.3 System and Architectural Design   F          F       F       F       F       L       L       -       -
F.2.2 Configuration Management            F          F       F       L       L       -       -       -       -
F.3.1.4 Risk Management                   F          F       F       F       F       -       -       -       -
F.1.1.2 Supplier Selection                F          F       -       L       L       -       -       -       -
Key (as defined in Part 2): F Fully achieved; L Largely achieved; P Partially achieved; N Not achieved; - Not required
Figure 2 — Example target capability presented as a set of target process profiles
Table 1 and Figure 2 illustrate an example target capability. The processes shown (F.1.3.1, etc.) are from
ISO/IEC 12207, while the process attributes (PA 1.1, etc.) and ratings (Fully achieved, etc.) are defined in
ISO/IEC 15504-2. Figure 2 illustrates a target capability where required ratings have been specified for
individual process attributes.
Target capability can also be expressed by specifying a required capability level rating for each selected
process, using the required process attribute ratings shown in ISO/IEC 15504-2, Table 1. This approach is
also illustrated in Figure 2, where the required process attribute ratings for F.1.3.1 Requirements Elicitation
correspond to level 2, the required ratings for F.2.2 Configuration Management correspond to level 3, and the
required ratings for F.1.3.3 System and Architectural Design correspond to level 4.
A defined PI method should include a means of deriving a target capability from analysis of the organization’s
business goals. A defined PCD method should include a means of setting target capability from analysis of the
specified requirement.
One simple approach to establishing target capability – based on ISO/IEC 12207 as the Process Reference
Model – is set out in Table 2.
Table 2 — Setting target capability
Step 1 – Select an initial set of processes
Action: Select the Primary Lifecycle Processes, excluding any processes not relevant to the specified requirement
Rationale: The Primary Lifecycle Processes within the ISO/IEC 12207 Process Reference Model contribute most directly to the delivery of products and services
Step 2 – Set default required process attribute ratings for the initial set of processes
Action: Set all process attribute ratings for capability levels 1, 2 and 3 to Fully achieved
Rationale: This approach ensures that selected processes are fully performed; that practices are in place to avoid missed deadlines, budget overspend and product quality problems; and that processes are deployed following proven best practice, thus providing confidence that future performance will be consistent with past accomplishments
Step 3 – Review and adjust the required process attribute ratings for each initial process
Action: Add attribute ratings for level 4 or level 5; or remove attribute ratings for level 3
Rationale: Adding level 4 and level 5 process attributes for some processes may sometimes be justified to reduce process-related risks, as illustrated in Figure 2 where the target process profile for F.1.3.3 System and Architectural Design includes process attributes from capability level 4
Sometimes, deleting process attributes from level 3 may be justified, as illustrated in Figure 2, where the target process profile for F.1.3.1 Requirements Elicitation includes process attributes from capability levels 1 and 2 only
Step 4 – Add further processes, plus required process attribute ratings for each
Action: Add supporting Lifecycle Processes and Organizational Lifecycle Processes
Rationale: The supporting Lifecycle Processes and Organizational Lifecycle Processes are critical to establishing high levels of process capability within an organization
Many process attributes are related to Supporting Lifecycle Processes and Organizational Lifecycle Processes
For example, if the Performance Management attribute (PA 2.1) has been included for a Primary Lifecycle Process, then the Project Management process should also be included
The target capability for Supporting Lifecycle Processes and Organizational Lifecycle Processes is driven by the extent to which they support process attributes applying to the initial set of selected processes
Other Supporting Lifecycle Processes and Organizational Lifecycle Processes should also be included in the target capability statement where they are relevant to the specified requirement (for PCD) or business goals (for PI)
Note that the target capability may need to address organizational capability, rather than a product or service.
The requirement may, for example, be to establish a strong configuration management process as an end in
itself, and the selected process set would then include this single process.
5.4 Defining the assessment input
The sponsor should generate the input for a process assessment – as specified in ISO/IEC 15504-2 –
according to the guidance set out in ISO/IEC 15504-3 and the additional guidance set out below.
At a minimum, the assessment input shall specify:
a) the identity of the sponsor of the assessment and the sponsor’s relationship to the organizational unit
being assessed,
[ISO/IEC 15504-2, 4.4.2]
The identity of the assessment sponsor will be either the PCD Sponsor or the PI Sponsor.
e) the assessment constraints considering, at minimum:
...
4) the quantity and type of objective evidence to be examined in the assessment,
5) the ownership of the assessment outputs and any restrictions on their use,
[ISO/IEC 15504-2, 4.4.2]
The quantity and type of objective evidence needed to support each process attribute rating will depend upon
the assessment purpose and scope.
For an initial process improvement programme, a sponsor or method may for example require that every
process attribute rating be supported by a minimum of two verbal assertions collected at distinct data
collection sessions – but with possibly no documentary evidence required.
For a supplier capability evaluation, a sponsor or method may for example require that every process
attribute rating be supported by a minimum of three verbal assertions collected at different data collection
sessions plus at least one piece of documentary evidence. The sponsor or method may also specify that
if a document has been formally requested by a competent assessor but the organizational unit has
stated that it cannot be produced, then this assertion may be counted in lieu of the documentary evidence
required.
The ownership of the assessment outputs and any restrictions on their use, plus any controls on information
resulting from a confidentiality agreement, must be defined within the assessment input, reflecting any
confidentiality agreements in place that affect the overall process improvement programme or process
capability determination.
5.5 Evaluating process-related risk
5.5.1 Inferring process-related risk from assessment output
The quality of a product or service is greatly influenced by the processes deployed to provide it. Process
capability is measured via the process attributes described in ISO/IEC 15504-2. Process-related risk arises
from inappropriate process management, i.e. not deploying appropriate processes, or from deploying them in
a way which does not achieve required process attribute ratings.
The output of a conformant process assessment includes a set of process profiles as described in 4.6 and
illustrated in Figure 1. Required process attributes can be represented as a set of target process profiles, as
described in 5.3 and illustrated in Figure 2.
Both target and assessed process profiles can be presented within a single diagram, as illustrated in Figure 3.
Again, the processes shown (F.1.3.1, etc.) are from ISO/IEC 12207, while the process attributes (PA 1.1, etc.)
and ratings (Fully achieved, etc.) are defined in ISO/IEC 15504-2.
[Figure 3: chart of target and assessed ratings for each of the processes F.1.3.1 Requirements Elicitation, F.1.3.3 System and Architectural Design, F.2.2 Configuration Management, F.3.1.4 Risk Management and F.1.1.2 Supplier selection, against the process attributes PA 1.1 (Performed), PA 2.1 and PA 2.2 (Managed), PA 3.1 and PA 3.2 (Established), PA 4.1 and PA 4.2 (Predictable), PA 5.1 and PA 5.2 (Optimizing). Key (as defined in Part 2): F = Fully achieved, L = Largely achieved, P = Partially achieved, N = Not achieved. An example of a gap: target rating is Fully achieved while assessed rating is Partially achieved.]
Figure 3 — Target and assessed process profiles
Process-related risk can be inferred from the existence of gaps between a target process profile and an
assessed process profile. A gap is said to exist:
if the target process profile requires that a particular process attribute be Fully achieved, while the
assessed process attribute rating is less than Fully achieved;
if the target process profile requires that a particular process attribute be Largely achieved, while the
assessed process attribute rating is less than Largely achieved.
The potential consequence of a gap depends upon the capability level and process attribute where the gap
occurs – as illustrated in Table 3, where the process attributes (PA 1.1, etc.) are defined in ISO/IEC 15504-2.
Table 3 — Potential consequence of process attribute gaps
Process attribute where gap occurs, followed by potential consequence:
PA 1.1 Process performance
• missing work products; process outcomes not achieved
PA 2.1 Performance management
• cost or time overruns; inefficient use of resources
• unclear responsibilities, uncontrolled decisions, and uncertainty over whether time and cost objectives will be met
PA 2.2 Work product management
• unpredictable product quality and integrity, uncontrolled versions, increased support costs, integration problems and increased re-work costs
PA 3.1 Process definition
• identified best practice and lessons learned from previous projects not defined, published and available within organization
• no foundation for organization-wide process improvement
PA 3.2 Process deployment
• implemented process not incorporating identified best practice and lessons learned from previous projects; inconsistent process performance across organization
• lost opportunities to understand process and identify improvements
PA 4.1 Process measurement
• no quantitative understanding of how well process performance objectives and defined business goals are being achieved
• no quantitative ability to detect performance problems early
PA 4.2 Process control
• process not capable and/or stable (predictable) within defined limits
• quantitative performance objectives and defined business goals not met
PA 5.1 Process innovation
• process improvement objectives not clearly defined
• opportunities for improvement not clearly identified
PA 5.2 Process optimization
• inability to change process effectively to achieve relevant process improvement objectives
• inability to evaluate effectiveness of process changes
Process-related risk is assessed from the probability of a problem arising from an identified gap, and from its
potential consequence, should it occur. A chosen PI or PCD method should contain a defined approach to
analysing process-related risk. An example approach is illustrated at Annex A.
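The gap rule stated above can be applied mechanically to a pair of profiles. The following Python code is an added example, not part of ISO/IEC 15504-4 and not the Annex A approach; it covers gap identification only, not probability or risk rating. The function name `find_gaps`, the dictionary layout, the sample ratings (constructed, not those of Figure 3) and the treatment of an unrated attribute as Not achieved are assumptions.

```python
# Added example: the gap rule of 5.5.1 applied to constructed profiles.
RANK = {"N": 0, "P": 1, "L": 2, "F": 3}  # ISO/IEC 15504-2 scale, N < P < L < F

# Process attribute names as listed in Table 3.
PA_NAMES = {
    "PA 1.1": "Process performance", "PA 2.1": "Performance management",
    "PA 2.2": "Work product management", "PA 3.1": "Process definition",
    "PA 3.2": "Process deployment", "PA 4.1": "Process measurement",
    "PA 4.2": "Process control", "PA 5.1": "Process innovation",
    "PA 5.2": "Process optimization",
}


def find_gaps(target, assessed):
    """Return one record per gap between target and assessed profiles.

    Both arguments map process name -> {attribute id -> rating letter}.
    """
    gaps = []
    for process in sorted(target):
        rated = assessed.get(process, {})
        for pa in sorted(target[process]):
            want = target[process][pa]
            # 5.5.1 defines a gap only for targets of F or L.
            if pa not in PA_NAMES or want not in ("F", "L"):
                raise ValueError(f"unsupported target {pa}={want!r} in {process}")
            # Assumption: an attribute the assessment did not rate counts as N.
            got = rated.get(pa, "N")
            if got not in RANK:
                raise ValueError(f"unknown rating {got!r} for {pa} in {process}")
            if RANK[got] < RANK[want]:
                gaps.append({"process": process, "attribute": pa,
                             "name": PA_NAMES[pa], "level": int(pa[3]),
                             "target": want, "assessed": got})
    return gaps


# Constructed sample data; the ratings are NOT those shown in Figure 3.
TARGET = {
    "F.1.3.1 Requirements Elicitation": {"PA 1.1": "F", "PA 2.1": "L", "PA 2.2": "L"},
    "F.2.2 Configuration Management": {"PA 1.1": "F", "PA 2.1": "F",
                                       "PA 2.2": "F", "PA 3.1": "L"},
}
ASSESSED = {
    "F.1.3.1 Requirements Elicitation": {"PA 1.1": "F", "PA 2.1": "F", "PA 2.2": "P"},
    "F.2.2 Configuration Management": {"PA 1.1": "F", "PA 2.1": "P", "PA 2.2": "L"},
}

if __name__ == "__main__":
    for g in find_gaps(TARGET, ASSESSED):
        print(f"{g['process']}: {g['attribute']} {g['name']} (level {g['level']}) "
              f"target {g['target']}, assessed {g['assessed']}")
```

An assessed rating above the target (PA 2.1 of Requirements Elicitation in the sample) produces no record, since the rule defines a gap only where the assessed rating falls short.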
5.5.2 Analysing weaknesses
Whenever a gap is identified, a weakness is said to exist. For each identified gap, the analysis team may
determine and record, with respect to the specified requirement or business goals:
the nature of the weakness;
the source or cause of the weakness;
the potential consequences of the weakness;
what would have to be done to correct the weakness;
what the cost, benefit and risk of correcting the weakness would be.
6 Process improvement
6.1 Overview
Figure 4 illustrates the steps of process improvement utilizing a conformant process assessment – as
described in ISO/IEC 15504-2 and ISO/IEC 15504-3.
The ovals in Figure 4 represent steps in the process, and the arrows represent information being passed
between steps.
[Figure 4: cycle of eight steps shown as ovals: 1. Examine organization's business goals; 2. Initiate process improvement cycle; 3. Assess current capability (Parts 2 and 3); 4. Develop action plan; 5. Implement improvements; 6. Confirm improvements; 7. Sustain improvements; 8. Monitor performance. The arrows carry information between steps, including the organisation's needs, process improvement initiation, process improvement objectives, assessment input, assessment output, industry benchmarks, current capability, the approved action plan, implemented improvements, re-assessment request, analyzed re-assessment results, confirmed improvements, institutionalised improvements and current performance.]
Figure 4 — Steps of process improvement
Each of these steps is elaborated below.
6.2 Steps of process improvement
6.2.1 Step 1 – Examine organization’s business goals
The business goals of an organization are often centred around:
achieving customer satisfaction;
achieving greater competitiveness;
achieving improved business value associated with delivery of products or services.
These key management concerns become drivers that initiate process improvement throughout the
organization with objectives of:
increasing product and service quality;
decreasing development and maintenance costs;
decreasing time to market;
increasing predictability and controllability of processes;
decreasing variability between projects.
From an analysis of the organization’s business goals and existing stimuli for improvement, the objectives of
process improvement are set.
Setting improvement objectives involves firstly determining which Process Reference Model(s) will best
address the organization’s business goals, as described in 5.2. It also includes defining a set of target process
profiles, as described in 5.3, which present the choice of the processes to be assessed and the improvement
targets set, and which will guide identification of the most effective improvement actions.
Following analysis of the organization’s business goals, it is essential to build executive awareness of the
necessity for a process improvement programme, which requires both managerial and financial commitments.
The objectives of such a process improvement programme should be clearly stated and understood, and
expressed using measurable objectives. The process improvement programme should form part of the
organization’s overall strategic business plan.
The executive decision to undertake the process improvement programme, together with the identification of a
preliminary process improvement programme budget and the main process improvement priorities, enables the
improvement process to progress.
6.2.2 Step 2 – Initiate process improvement cycle
The process improvement programme should be implemented as a project in its own right, with defined
sponsorship, project management, budget, milestones and accountability. In short, the project should be
managed according to a project management process, aligned to the Process Assessment Model being used.
Sponsorship may be implemented in a variety of ways, according to the culture of the organization. In non-
hierarchical or higher maturity o
...







