ISO/IEC 15504-4:2004

INTERNATIONAL ISO/IEC
STANDARD 15504-4
First edition
2004-07-01


Information technology — Process
assessment —
Part 4:
Guidance on use for process
improvement and process capability
determination
Technologies de l'information — Procédés d'évaluation —
Partie 4: Conseils sur l'utilisation pour l'amélioration de processus et la
détermination de capacité de processus




Reference number
ISO/IEC 15504-4:2004(E)
©
ISO/IEC 2004

---------------------- Page: 1 ----------------------
ISO/IEC 15504-4:2004(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


©  ISO/IEC 2004
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2004 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 15504-4:2004(E)
Contents Page
Foreword. v
Introduction . vi
1 Scope. 1
2 Normative references. 1
3 Terms and definitions. 1
4 Introduction. 1
4.1 Process improvement and process capability determination. 1
4.2 PI and PCD sponsors and teams. 2
4.3 Process, guidance and method. 2
4.4 Process improvement – purpose and outcomes. 2
4.5 Process capability determination — purpose and outcomes . 3
4.6 Process assessment output. 3
5 Utilizing process assessment. 4
5.1 General. 4
5.2 Selecting Process Reference Model(s). 4
5.3 Setting target capability. 4
5.4 Defining the assessment input. 6
5.5 Evaluating process-related risk. 7
5.5.1 Inferring process-related risk from assessment output . 7
5.5.2 Analysing weaknesses. 9
6 Process improvement. 10
6.1 Overview. 10
6.2 Steps of process improvement . 10
6.2.1 Step 1 – Examine organization’s business goals.10
6.2.2 Step 2 – Initiate process improvement cycle . 11
6.2.3 Step 3 – Assess current capability. 12
6.2.4 Step 4 – Develop action plan . 12
6.2.5 Step 5 – Implement improvements. 15
6.2.6 Step 6 – Confirm improvements. 16
6.2.7 Step 7 – Sustain improvements. 17
6.2.8 Step 8 – Monitor performance . 17
7 Process capability determination. 18
7.1 Overview. 18
7.2 Steps of process capability determination. 19
7.2.1 Step 1 – Initiate process capability determination . 19
7.2.2 Step 2 – Set target capability . 20
7.2.3 Step 3 – Assess current capability. 20
7.2.4 Step 4 – Determine proposed capability. 20
7.2.5 Step 5 – Verify proposed capability . 21
7.2.6 Step 6 – Analyse process-related risk . 21
7.2.7 Step 7 – Act on results . 21
7.3 Comparability of assessment output analysis . 21
Annex A (informative) Analysing process-related risk. 23
A.1 Introduction. 23
A.2 Probability. 23
A.3 Consequence. 24
A.4 Process-related risk. 24
A.5 Determining which processes represent greatest risk. 25
© ISO/IEC 2004 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 15504-4:2004(E)
A.6 Analysis approach.25
A.7 Example risk analysis.25
A.7.1 F.1.3.3 System and Architectural Design.26
A.7.2 F.2.2 Configuration Management.27
A.7.3 F.3.1.4 Risk Management.27
Annex B (informative) Subcontractors and consortia .28
B.1 Overview.28
B.1.1 Combining uniquely deployed processes .28
B.1.2 Combining processes deployed by more than one organizational unit.29
B.2 Enterprise reference architectures.29
Annex C (informative) Process improvement and organizational culture.30
C.1 Introduction.30
C.2 Management responsibility and leadership .30
C.3 Values, attitudes and behaviour .30
C.4 Process improvement objectives and motivation .31
C.5 Communication and teamwork.31
C.6 Recognition.31
C.7 Education and training .31
Bibliography.33



iv © ISO/IEC 2004 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 15504-4:2004(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 15504-4 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 7, Software and system engineering.
This first edition cancels and replaces ISO/IEC TR 15504-7:1998 and ISO/IEC TR 15504-8:1998, which have
been technically revised.
ISO/IEC 15504 consists of the following parts, under the general title Information technology — Process
assessment:
 Part 1: Concepts and vocabulary
 Part 2: Performing an assessment
 Part 3: Guidance on performing an assessment
 Part 4: Guidance on use for process improvement and process capability determination
The following part is in preparation:
 Part 5: An exemplar Process Assessment Model
The complete series will replace ISO/IEC TR 15504-1 to ISO/IEC TR 15504-9.
© ISO/IEC 2004 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/IEC 15504-4:2004(E)
Introduction
ISO/IEC 15504 provides a framework for process assessment and sets out the minimum requirements for
performing an assessment in order to ensure consistency and repeatability of assessment ratings. Process
assessment is applicable in the following circumstances:
 by or on behalf of an organization with the objective of understanding the state of its own processes for
process improvement;
 by or on behalf of an organization with the objective of determining the capability of another organization's
processes for a particular contract or class of contracts, or to determine the capability of its own
processes for a particular requirement or class of requirements.
This informative part of ISO/IEC 15504 provides guidance on how to utilize a conformant process assessment
within a process improvement programme or within either type of process capability determination.
ISO/IEC 15504-1 provides a general introduction to the concepts of process assessment and a glossary for
assessment related terms.
ISO/IEC 15504-2 sets requirements for performing an assessment that ensure consistency and repeatability
of the ratings. The requirements help to ensure that the assessment output is self-consistent and provides
evidence to substantiate the ratings and to verify compliance with the requirements.
ISO/IEC 15504-3 provides guidance for interpreting the requirements for performing an assessment.
ISO/IEC 15504-5 contains an exemplar Process Assessment Model that is mapped to
ISO/IEC 12207:1995/Amd.1:2002 as a Process Reference Model.

vi © ISO/IEC 2004 – All rights reserved

---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO/IEC 15504-4:2004(E)

Information technology — Process assessment —
Part 4:
Guidance on use for process improvement and process
capability determination
1 Scope
This part of ISO/IEC 15504 provides guidance on how to utilize a conformant process assessment within a
process improvement programme or a process capability determination. This part of ISO/IEC 15504 is for
information only.
The guidance provided does not presume specific organizational structures, management philosophies, life
cycle models or development methods, although some of the examples and tables within the text are based
upon processes from ISO/IEC 12207.
In the case of process improvement, the concepts and principles are appropriate for the full range of different
business goals, application domains and sizes of organization, so that all types of organizations may use them.
In the case of process capability determination, this guidance is applicable within any customer–supplier
relationship, and to any organization wishing to determine the process capability of its own processes.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 12207, Information technology — Software life cycle processes
1)
ISO/IEC 15504-1, Information technology — Process assessment — Part 1: Concepts and vocabulary
ISO/IEC 15504-2, Information technology — Process assessment — Part 2: Performing an assessment
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 15504-1 apply.
4 Introduction
4.1 Process improvement and process capability determination
Within ISO/IEC 15504, process assessment can be utilized:
 by or on behalf of an organization with the objective of understanding its own processes for process
improvement;

1) To be published.
© ISO/IEC 2004 – All rights reserved 1

---------------------- Page: 7 ----------------------
ISO/IEC 15504-4:2004(E)
 by or on behalf of an organization with the objective of determining the capability of another organization's
processes for a particular contract or class of contracts, or determining the capability of its own processes
for a particular requirement or class of requirements.
Within a process improvement (PI) context, process assessment provides a means of characterizing an
organizational unit in terms of the capability of selected processes. Analysis of the output of a conformant
process assessment against an organizational unit's business goals identifies strengths, weaknesses and
risks related to the processes. This, in turn, can help determine whether the processes are effective in
achieving business goals, and provide the drivers for making improvements.
Process capability determination (PCD) is concerned with analysing the output of one or more conformant
process assessments to identify the strengths, weaknesses and risks involved in undertaking a specific
project using the selected processes within a given organizational unit. A process capability determination can
provide a fundamental input to supplier selection, in which case it is often termed a ‘supplier capability
determination’.
4.2 PI and PCD sponsors and teams
Process improvement programmes and process capability determinations will usually be required and
resourced by a sponsor – as described in ISO/IEC 15504-1. The sponsor has the authority to ensure that the
programme is carried out effectively, and takes ownership of the results. The sponsor may have one or more
staff working within a team – a PI Team or PCD Team – whose task is to plan and implement the actions
required to achieve the objectives identified by the sponsor.
Sponsorship may be implemented in a variety of ways, according to the culture of the organization. In non-
hierarchical or higher maturity organizations for example, both sponsorship and project management of
process improvement activities may be delegated to working level, although authorities, roles and
responsibilities should always be clearly defined.
4.3 Process, guidance and method
In order to achieve improvements to selected processes, PI Sponsors should deploy a PI process as outlined
in 4.4. In order to determine the capability of selected processes, PCD Teams should deploy a PCD process,
as outlined in 4.5. This part of ISO/IEC 15504 provides guidance on how to deploy such processes. In either
case, organizations should deploy a suitably capable process, and either acquire or develop a suitable
method — setting out appropriate roles, techniques and specific activities — with which to implement the
process. Such a method should:
 take account of the guidance contained within this part of ISO/IEC 15504;
 include or reference an assessment process which satisfies the requirements set out within
ISO/IEC 15504-2 and accords with the guidance set out in ISO/IEC 15504-3.
4.4 Process improvement – purpose and outcomes
The purpose of process improvement is to continually improve the organization’s effectiveness and efficiency
through the processes used and maintained aligned with the business need.
As a result of successful implementation of process improvement:
 commitment is established to provide resources to sustain improvement actions;
 issues arising from the organization's internal/external environment are identified as improvement
opportunities and justified as reasons for change;
 analysis of the current status of the existing process is performed, focusing on those processes from
which improvement stimuli arise;
 improvement goals are identified and prioritized, and consequent changes to the process are defined and
implemented;
2 © ISO/IEC 2004 – All rights reserved

---------------------- Page: 8 ----------------------
ISO/IEC 15504-4:2004(E)
 the effects of process implementation are monitored and confirmed against the defined improvement
goals;
 knowledge gained from the improvements is communicated within the organization; and
 the improvements made are evaluated and consideration given for using solutions elsewhere within the
organization.
2)
[ISO/IEC 12207:1995/Amd.2 , F.3.3.3]
NOTE 1 Information sources providing input for change may include: process assessment results, audits, customer's
satisfaction reports, organizational effectiveness / efficiency, cost of quality.
NOTE 2 The current status of processes may be determined by process assessment.
4.5 Process capability determination — purpose and outcomes
The purpose of process capability determination is to identify the strengths, weaknesses and process-related
risks associated with selected processes with respect to a particular specified requirement.
As a result of successful implementation of process capability determination:
 a target capability appropriate to the particular specified requirement is identified;
 reviews of the organization's processes are carried out to determine their suitability for the particular
specified requirement in the light of process assessment results;
 strengths and weaknesses within the assessed processes are identified;
 any gaps between target and assessed capabilities are analysed;
 overall process-related risk is determined.
NOTE 1 The selected processes are chosen by the PCD Team as described in 7.2.2.
NOTE 2 The specified requirement may involve deploying an organization's processes for a new or an existing task, a
contract or an internal undertaking, a product or a service, or any other business requirement.
NOTE 3 Reviews of the organization's standard processes are generally carried out following a process assessment of
the organization’s implemented processes, as described in ISO/IEC 15504-3.
NOTE 4 Process capability determination does not address all aspects of risk, which may include strategic,
organizational, financial, personnel and many other factors. The output from a process capability determination feeds into
an organization’s risk management process, but only with respect to process-related risk – as outlined in 5.5.
4.6 Process assessment output
The output of a conformant process assessment includes a set of process profiles, which express the process
attribute ratings assigned for each process selected from the specified Process Reference Model(s) – as
described in ISO/IEC 15504-2.
An example set of process profiles, with ISO/IEC 12207 as the Process Reference Model, might be presented
as illustrated in Figure 1. The processes (F.1.3.1, etc.) are from ISO/IEC 12207, while the process attributes
(PA 1.1, etc.) and ratings (Fully achieved, etc.) are defined in ISO/IEC 15504-2.

2) To be published.
© ISO/IEC 2004 – All rights reserved 3

---------------------- Page: 9 ----------------------
ISO/IEC 15504-4:2004(E)

Process Process Attributes

Performed Managed Established Predictable Optimizing
PA 1.1  PA 2.1  PA 2.2 PA 3.1  PA 3.2  PA 4.1 PA 4.2 PA 5.1 PA 5.2
F F L
F.1.3.1 Requirements Elicitation
F.1.3.3 System and Architectural
F F F F L L L
Design
F.2.2 Configuration Management F P L F L
F.3.1.4 Risk Management
P N N N N
F.1.1.2 Supplier Selection
L L L L L
Key (as defined in Part 2)
Not rated F Fully achieved L Largely achieved
Partially achieved
P N Not achieved

Figure 1 — Example assessment output set of process profiles
The guidance contained in this part of ISO/IEC 15504 is intended to apply to the output from a conformant
process assessment.
5 Utilizing process assessment
5.1 General
This clause provides guidance upon issues common to both process improvement and process capability
determination.
5.2 Selecting Process Reference Model(s)
Both process improvement and process capability determination require that the sponsor select a suitable
Process Reference Model or Models.
A Process Reference Model describes a set of processes in terms of purpose and outcomes as defined in
ISO/IEC 15504-2. A Process Reference Model is generally a recognized domain standard. ISO/IEC 12207,
Annex F, and ISO/IEC 15288:2002 are Process Reference Models within the domains of software engineering
and systems engineering, respectively.
The sponsor should determine which Process Reference Model(s) will best suit the specified requirement (for
PCD) or business goals (for PI), following the guidance in ISO/IEC 15504-3 on the selection of suitable
Process Reference Models.
Where improvements are planned for processes that do not align with any recognized domain standard,
appropriate process models can still be defined and used, but this could not then be considered to be based
upon a conformant process assessment.
5.3 Setting target capability
The sponsor should determine which processes from the chosen Process Reference Model(s) are most
important to meeting the specified requirement (for PCD) or business goals (for PI).
The sponsor should then specify, for each selected process, a target process profile showing which process
attributes are required, and – for each process attribute – what rating is judged necessary. Only process
4 © ISO/IEC 2004 – All rights reserved

---------------------- Page: 10 ----------------------
ISO/IEC 15504-4:2004(E)
attribute ratings of Fully achieved or Largely achieved should be set; Not required should be noted for any
process attributes deemed not necessary. Partially achieved should not be set since this would indicate that
some aspects of achievement would be unpredictable – as defined in ISO/IEC 15504-2.
The set of target process profiles expresses the target capability which the sponsor judges to be adequate,
subject to an acceptable process risk, for meeting the specified requirement (for PCD) or business goals
(for PI).
Table 1 — Example target capability
Selected process from Process attributes Required process
Process Reference Model attribute rating
F.1.3.1 Requirements
PA 1.1 Fully achieved
elicitation
PA 2.1, PA 2.2 Largely achieved
F.1.3.3 System and
PA 1.1, PA 2.1, PA 2.2, PA 3.1, PA 3.2 Fully achieved
Architectural Design
PA 4.1, PA 4.2 Largely achieved
F.2.2 Configuration
PA 1.1, PA 2.1, PA 2.2 Fully achieved
management
PA 3.1, PA 3.2 Largely achieved
F.3.1.4 Risk Management
PA 1.1, PA 2.1, PA 2.2, PA 3.1, PA 3.2 Fully achieved
F.1.1.2 Supplier Selection
PA 1.1, PA 2.1 Fully achieved
PA 2.2 Not required
PA 3.1, PA 3.2 Largely achieved


Process Process Attributes
Performed Managed Established Predictable Optimizing
PA 1.1  PA 2.1  PA 2.2 PA 3.1  PA 3.2  PA 4.1 PA 4.2 PA 5.1 PA 5.2
F L L
F.1.3.1 Requirements Elicitation
F.1.3.3 System and Architectural
F
F F F F L L
Design
F F F L L
F.2.2 Configuration Management
F F F F F
F.3.1.4 Risk Management
F F L L
F.1.1.2 Supplier Selection
Key (as defined in Part 2)
Not required F Fully achieved Largely achieved
L
Partially achieved
Not achieved
P N

Figure 2 — Example target capability presented as a set of target process profiles
Table 1 and Figure 2 illustrate an example target capability. The processes shown (F.1.3.1, etc.) are from
ISO/IEC 12207, while the process attributes (PA 1.1, etc.) and ratings (Fully achieved, etc.) are defined in
ISO/IEC 15504-2. Figure 2 illustrates a target capability where required ratings have been specified for
individual process attributes.
© ISO/IEC 2004 – All rights reserved 5

---------------------- Page: 11 ----------------------
ISO/IEC 15504-4:2004(E)
Target capability can also be expressed by specifying a required capability level rating for each selected
process, using the required process attribute ratings shown in ISO/IEC 15504-2, Ta
...