ISO/IEC TR 30105-7:2019

TECHNICAL ISO/IEC TR
REPORT 30105-7
First edition
2019-10
Information technology — IT
Enabled Services-Business Process
Outsourcing (ITES-BPO) lifecycle
processes —
Part 7:
Exemplar for maturity assessment
Reference number
ISO/IEC TR 30105-7:2019(E)
©
ISO/IEC 2019

---------------------- Page: 1 ----------------------
ISO/IEC TR 30105-7:2019(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2019
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2019 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC TR 30105-7:2019(E)

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Interrelationship across the parts of the ISO/IEC 30105 series . 1
5 Undertaking an assessment using the exemplar . 2
5.1 Prepare for the assessment . 2
5.1.1 Identify the processes in scope . 2
5.1.2 Prepare required evidence . 2
5.2 Set up the assessment activity . 3
5.2.1 Set up the assessment activity at audit entity level . 3
5.2.2 Consolidate the selected entity information along with process area .14
5.2.3 Final outcome determination for organization maturity level .16
5.2.4 Compare the rating results under the defined matrix in ISO/IEC 30105-3.17
5.3 Implement improvement to the defined maturity level .21
5.4 Re-assessment on a regular basis .21
Bibliography .22
© ISO/IEC 2019 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC TR 30105-7:2019(E)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso
.org/iso/foreword .html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 40, IT Service Management and IT Governance.
A list of all parts in the ISO/IEC 30105 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/members .html.
iv © ISO/IEC 2019 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC TR 30105-7:2019(E)

Introduction
ITES-BPO services encompass the delegation of one or more IT enabled business processes to a
service provider who uses appropriate technology to deliver service. Such a service provider manages,
delivers, improves and administers the outsourced business processes in accordance with predefined
and measurable performance metrics. This covers diverse business process areas such as finance,
human resource management, administration, health care, banking and financial services, supply
chain management, travel and hospitality, media, market research, analytics, telecommunication,
manufacturing, etc. These services provide business solutions to customers across the globe and form
part of the core service delivery chain for customers.
ISO/IEC 30105 (all parts) specifies the lifecycle process requirements involved in the generic ITES-BPO
industry, which covers the entire outsourcing lifecycle and defines the processes that are considered
as good practice. Alignment to ISO/IEC 30105 (all parts) can improve consistency, quality and
predictability in delivery of ITES-BPO services, which can lead to clear return on investment for the
customer and service provider.
ISO/IEC 30105-1 specifies the lifecycle process requirements performed by the IT-enabled business
process outsourcing service provider for the outsourced business processes, ISO/IEC 30105-2
and ISO/IEC 30105-3 provide a detailed assessment and measurement framework for all business
outsourcing processes listed in ISO/IEC 30105-1.
This document presents an assessment exemplar, based on ISO/IEC 30105 (all parts), to enable
ITES-BPO organizations intending to apply ISO/IEC TR 30105-7 (this document) to understand the
measurement methods defined in ISO/IEC 30105-2 and ISO/IEC 30105-3, and to provide a model that an
ITES-BPO organization can adopt to measure the process capability and assess the maturity level. By
using this document, an ITES-BPO organization can accelerate delivery of its maturity level assessment.
Furthermore, this document assists internal and/or external assessors, to facilitate the assessment
activities.
Benefits of applying this document are:
— presenting an efficient assessment procedure: assessment procedures based on ISO/IEC 30105-1,
ISO/IEC 30105-2 and ISO/IEC 30105-3 can become more visible and easier to implement through
this document, which can significantly improve the assessment efficiency;
— illustrating the assessment framework across the different parts of ISO/IEC 30105: this document
illustrates the relationship between ISO/IEC 30105-2 and ISO/IEC 30105-3, especially the
relationship between process attribute and process capability level, as well as the relationship
between process attribute and maturity level;
— aligning standardizing the assessment practice: this document standardizes the procedures to
assess the organization maturity level to maximize the objectivity and minimize the impact limited
by a user’s knowledge of the ISO/IEC 30105 series.
© ISO/IEC 2019 – All rights reserved v

---------------------- Page: 5 ----------------------
TECHNICAL REPORT ISO/IEC TR 30105-7:2019(E)
Information technology — IT Enabled Services-Business
Process Outsourcing (ITES-BPO) lifecycle processes —
Part 7:
Exemplar for maturity assessment
1 Scope
This document presents an exemplar for maturity assessment, following the framework for assessment
of process capability levels and measurement of an organization’s maturity level for an ITES-BPO
service provider.
This document:
— uses the set of indicators for process performance and process capability;
— helps to collect the objective evidence that enables an assessor to determine the process ratings;
— helps to assess the result of the process capability level;
— serves as a measurement framework for processes and provides an organization maturity model
for ITES-BPO organizations delivering the services;
— is useful for all users of the ISO/IEC 30105 series, including but not limited to internal assessors,
external assessors, ITES-BPO service providers and ITES-BPO service customers;
— supports the performance assessment by providing a framework to measure and derive capability
and organization maturity levels.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 30105-4:2016, Information technology — IT Enabled Services-Business Process Outsourcing
(ITES-BPO) lifecycle processes — Part 4: Terms and concepts
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 30105-4 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https: //www .iso .org/obp
— IEC Electropedia: available at http: //www .electropedia .org/
4 Interrelationship across the parts of the ISO/IEC 30105 series
Figure 1 shows the interrelationship of the process reference model with the process assessment
model, and establishes the link with the measurement framework that enables process capability
© ISO/IEC 2019 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO/IEC TR 30105-7:2019(E)

assessment and organization maturity determination. This assessment framework is based on this
interrelationship across these parts.
Figure 1 — Interrelationship across the parts of the ISO/IEC 30105 series
5 Undertaking an assessment using the exemplar
5.1 Prepare for the assessment
5.1.1 Identify the processes in scope
ITES-BPO organizations should identify the ITES-BPO services scope and its process model to confirm
if the ISO/IEC 30105 series is suitable for the overall environment.
All processes from the ISO/IEC 30105-1 process reference model are included in the process dimension
for the process assessment model for ITES-BPO. This includes all aspects of an ITES-BPO outsourced
service, from developing an ITES-BPO solution through service delivery and to transition out.
The processes include the leadership, relationship management and enabling processes which support
the outsourced business across its lifecycle. The name, context, purpose and outcomes of the process
will give an ITES-BPO organization a clear understanding of the processes.
A basic or extended process set will include additional processes that are required for assessments
with a particular scope of application, but can be optional depending on the particular circumstances of
the organization, as described in ISO/IEC 30105-3.
5.1.2 Prepare required evidence
When the processes in scope have been identified, an ITES-BPO organization should gather all
related evidence to support the assessment activities. By examining the assessment indicators in
ISO/IEC 30105-2, the ITES-BPO organization can determine how well these processes are performed.
Process attributes (PA) are process features which can be evaluated on a scale of achievement to provide
a process capability measure. Each process attribute describes a feature of the overall capability in
managing and improving process effectiveness in achieving its process purpose and contributing to
the organization’s business goals. This evidence also provides observable evidence for collection by the
assessor.
2 © ISO/IEC 2019 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/IEC TR 30105-7:2019(E)

5.2 Set up the assessment activity
5.2.1 Set up the assessment activity at audit entity level
This exemplar is based on a spreadsheet model. As assessments may vary by organization, ITES-BPO
organizations should create their own assessment model based on the assessment logic outlined in this
document and in accordance with the assessment logic in ISO/IEC 30105-2 and ISO/IEC 30105-3 and
the defined process attribute rating scale in ISO/IEC 30105-3.
The assessment activity should be set up based on audit entity level, i.e. to support auditing of each
process in the PRM across every business process service within scope. The key steps include:
a) the assessor creates a template, as shown in Table 1, for audit entity information: including columns
for key practices;
b) the assessor pre-populates the template columns from ISO/IEC 30105-2, for ease of reference:
— key practices: all base practices (BPs) and generic practices (GP);
— work products (inputs and outputs): all relevant for each BP or GP;
c) the percentage achievement for each key practice (a BP or a GP) is calculated based on the number of
key practices achieving a compliance status of ‘Y’ as a percentage of the total number of applicable
practices (Y and N, excludes N/A);
d) as the key practice achievement corresponds with the PA achievement, the achievement percentage
can be used to determine the key practice rating, based on the process attribute rating scale defined
in ISO/IEC 30105-3:2016, 6.1:
A process attribute is measured using an ordinal scale as defined below.
N Not achieved: There is little or no evidence of achievement of the defined process attribute in the assessed
process.
P- Partially achieved: There is some evidence of an approach to, and some achievement of, the defined
process attribute in the assessed process. Many aspects of achievement of the process attribute may be
unpredictable.
P+ Partially achieved: There is some evidence of an approach to, and some achievement of, the defined
process attribute in the assessed process. Some aspects of achievement of the process attribute may be
unpredictable.
L- Largely achieved: There is evidence of a systematic approach to, and significant achievement of, the
defined process attribute in the assessed process. Many weaknesses related to this process attribute may
exist in the assessed process.
L+ Largely achieved: There is evidence of a systematic approach to, and significant achievement of, the
defined process attribute in the assessed process. Some weaknesses related to this process attribute may
exist in the assessed process.
F Fully achieved: There is evidence of a complete and systematic approach to, and full achievement of, the
defined process attribute in the assessed process. No significant weaknesses related to this process attribute
exist in the assessed process.
The corresponding percentages shall be as follows:
— N Not achieved 0 % to ≤15 % achievement;
— P- Partially achieved ->15 % to ≤32,5 % achievement;
— P+ Partially achieved+>32,5 % to ≤50 % achievement;
© ISO/IEC 2019 – All rights reserved 3

---------------------- Page: 8 ----------------------
ISO/IEC TR 30105-7:2019(E)

— L- Largely achieved->50 % to ≤ 67,5 % achievement;
— L+ Largely achieved+>67,5 % to ≤85 % achievement;
— F Fully achieved >85 % to ≤100 % achievement.
e) the assessment activity should be carried out for all selected audit entities and processes.
Using the defined process capability ratings in ISO/IEC 30105-3, the process attribute ratings achieved
can be used to determine the process capability level for each process within each service.
In this document, OEN2 is used as an example process for audit entity level (see Table 1). All the
applicable services and processes should be assessed in the same way. Table 1 shows an example
template with the compliance status column completed to illustrate the calculation of the achievement.
4 © ISO/IEC 2019 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/IEC TR 30105-7:2019(E)

© ISO/IEC 2019 – All rights reserved 5
Table 1 — Sample assessment template at entity level (partially completed)
Process Applicability
Notes for Work product Work product Achievement Rating
Key practice
the auditor (Input) (Output) (%) result
OEN2 Y/N/NA Corporation/Function Service
BP1. Define information 4.02 Information
Y 1.02 Contract
security policy security policy
BP2. Agree on new and 8.16 Legal. Statutory 8.12 Information
changed information and regulatory security
security requirements: requirements requirements
Analyse evolving business
requirements, informa-
tion flows, organiza-
tional policies, customer
requirements, contractual
BP 80 % L+
obligations, regulatory
requirements, technology Y
5.15 Security
environments and threat
4.02 Information
risk management
environments from the
security policy
approach
perspective of information
security on a regular basis.
Identify, evaluate, modify
and report information
security requirements in
agreement with all relevant
stakeholders.

---------------------- Page: 10 ----------------------
ISO/IEC TR 30105-7:2019(E)

6 © ISO/IEC 2019 – All rights reserved
Table 1 (continued)
Process Applicability
Notes for Work product Work product Achievement Rating
Key practice
the auditor (Input) (Output) (%) result
OEN2 Y/N/NA Corporation/Function Service
BP3. Define a risk manage- 8.12 Information se-
9.30 Risk log
ment approach: Identify curity requirements
suitable risk acceptance
levels, mitigation, criteria
for assessment and assess-
Y
5.15 Security risk
ment frequency. Determine
5.14 Security con-
management ap-
required security assessor
trols procedure
proach
competencies and qualifica-
tions. Classify information of
information security risks.
BP4. Apply risk manage- 6.18 Information 2.06 Training
ment approach: Apply security action log material
BP 80 % L+
defined risk management
approach across the infor-
N
6.20 Information
mation lifecycle at defined
6.19 Information
security incident
frequency. Identify and
security audit report
report
select appropriate security
controls.
3.26 Information
BP5. Deploy selected
9.05 Communica-
security awareness
information security con-
tion record
plan
trols: Secure information NA
with selected information
5.14 Security con-

security controls.
trols procedure
BP6. Establish awareness
of information security:
3.14 Communication
Define and implement NA
plan
training and awareness for
information security.
BP7. Manage information
BP 80 % L+
security incidents to clo-
sure: Manage information 6.20 Information
security incidents including Y security incident
identification, categori- report
zation, notification, and
response and reporting.

---------------------- Page: 11 ----------------------
ISO/IEC TR 30105-7:2019(E)

© ISO/IEC 2019 – All rights reserved 7
Table 1 (continued)
Process Applicability
Notes for Work product Work product Achievement Rating
Key practice
the auditor (Input) (Output) (%) result
OEN2 Y/N/NA Corporation/Function Service
Human resources
GP 2.1.1 Identify the objec-
with identified ob-
tives for the performance of Y 3.00 Plan
jectives, responsibil-
the process.
ities and authorities;
GP 2.1.X 100 % F
GP 2.1.2 Plan the perfor-
Facilities and infra-
mance of the process to ful- Y 6.00 Report
structure resources
fil the identified objectives.
Planning, manage-
GP 2.1.3 Monitor the ment and control
performance of the process Y tools, including time 9.00 Record
against the plans. and cost reporting,
shift, off-time rosters
GP 2.1.4 Adjust the perfor- Workflow manage-
Y
mance of the process. ment system
GP 2.1.5 Define responsi- Email and/or other
bilities and authorities for Y communication
performing the process. mechanisms
GP 2.1.X 100 % F
Prepare those performing Information and/
the process to execute the Y or experience reposi-
process. tory
GP 2.1.7 Identify and make
Problem and issue
available resources to per-
Y management mech-
form the process according
anisms
to plan.
GP 2.1.8 Manage the in-
terfaces between involved Y
parties.

---------------------- Page: 12 ----------------------
ISO/IEC TR 30105-7:2019(E)

8 © ISO/IEC 2019 – All rights reserved
Table 1 (continued)
Process Applicability
Notes for Work product Work product Achievement Rating
Key practice
the auditor (Input) (Output) (%) result
OEN2 Y/N/NA Corporation/Function Service
Requirement man-
3.00 Plan
GP 2.2.1 Define the re-
agement method
quirements for the work Y
Configuration man-
products.
5.00 Record
agement system
Detailed elaboration
8.00 Specification
GP 2.2.2 Define the re-
and support tool
quirements for documenta-
Y
Document identifi-
tion and control of the work
cation and control
products.
procedure
Work product
GP 2.2.X 100 % F
review methods and
GP 2.2.3 Identify, docu-
experiences
ment and control the work Y
products.
Review management

method/toolset
Intranets, extranets
and/or other commu-
GP 2.2.4 Review and adjust
nication mechanisms
work products to meet the Y
Problem and issue
defined requirements.
management mech-
anisms

---------------------- Page: 13 ----------------------
ISO/IEC TR 30105-7:2019(E)

© ISO/IEC 2019 – All rights reserved 9
Table 1 (continued)
Process Applicability
Notes for Work product Work product Achievement Rating
Key practice
the auditor (Input) (Output) (%) result
OEN2 Y/N/NA Corporation/Function Service
GP 3.1.1 Define the
standard process that will Process modelling
Y 2.00 Description
support the deployment of methods/tools
the defined process.
GP 3.1.2 Determine the
sequence and interaction
between processes so that Training material
Y 3.00 Plan
they work as an and courses
integrated system of pro-
cesses.
GP 3.1.3 Identify the roles
Resource manage-
GP 3.1.X 75 % L+
and competencies for per- N 5.00 Procedure
ment system
forming the process.
GP 3.1.4 Identify the Process infrastruc-
8.00 Specification
required infrastructure ture
and work environment for NA
Audit and trend
performing the
9.00 Record
analysis tools
process.
Process monitoring
GP 3.1.5 Determine suita-

method
ble methods to monitor the
Y
effectiveness and suitability
Process transition

of the process.
method

---------------------- Page: 14 ----------------------
ISO/IEC TR 30105-7:2019(E)

10 © ISO/IEC 2019 – All rights reserved
Table 1 (continued)
Process Applicability
Notes for Work product Work product Achievement Rating
Key practice
the auditor (Input) (Output) (%) result
OEN2 Y/N/NA Corporation/Function Service
Feedback mecha-
GP 3.2.1 Determine suita-
nisms (customer,
ble methods to monitor the
staff, other stake-
Y 2.00 Description
effectiveness and suitability
holders)
of the process.
Process repository
Resource manage-
GP 3.2.2 Assign and commu-
3.00 Plan
ment system
nicate roles, responsibilities
N
and authorities for perform-
Knowledge manage-
6.00 Report
ing the defined process
ment system
GP 3.2.3 Ensure necessary
Problem and change
GP 3.2.X 80 % L+
competencies for perform- NA 8.00 Specification
management system
ing the defined process.
Working environ-
GP 3.2.4 Provide resources
ment and infra- 9.00 Record
and information to support
structure
Y
the performance of the
Data collection anal-
defined process

ysis system
GP 3.2.5 Provide process
infrastructure to support Process assessment
Y
the performance of the framework
defined process.
GP 3.2.6 Collect and an-
alyse data about perfor-
GP 3.2.X mance of the process to Y Audit/review system 80 % L+
demonstrate its effective-
ness and suitability.

---------------------- Page: 15 ----------------------
ISO/IEC TR 30105-7:2019(E)

© ISO/IEC 2019 – All rights reserved 11
Table 1 (continued)
Process Applicability
Notes for Work product Work product Achievement Rating
Key practice
the auditor (Input) (Output) (%) result
OEN2 Y/N/NA Corporation/Function Service
Management infor-
GP 4.1.1 Align the process mation (cost, time,
with quantitative business Y reliability, profit- 2.00 Description
goals. ability, customer
benefits, risks, etc.)
GP 4.1.2 Identify process
information needs, in Applicable measure-
N 3.00 Plan
relation with quantitative ment techniques
business goals.
GP 4.1.X 83 % L+
Product and process
GP 4.1.3 Derive process
measurement tools
measurement objective from Y 5.00 Record
and results data-
process information needs.
bases
GP 4.1.4 Identify measur-
able relationships between
Measurement
process elements that Y 6.00 Report
framework
contribute to the process
performance.
GP 4.1.5 Establish quan-
titative objectives for the
performance of the defined Tools for data analy-
Y 8.00 Specification
process, according to the sis and measurement
alignment of the process
with the business goals.
GP 4.1.6 Identify product
GP 4.1.X and process measure that 83 % L+
support the achievement of Y
the quantitative objectives
for process performance.
GP 4.1.7 Collect product
and process measurement
NA
results through performing
the defined process.

---------------------- Page: 16 ----------------------
ISO/IEC TR 30105-7:2019(E)

12 © ISO/IEC 2019 – All rights reserved
Table 1 (continued)
Process Applicability
Notes for Work product Work product Achievement Rating
Key practice
the auditor (Input) (Output) (%) result
OEN2 Y/N/NA Corporation/Function Service
GP 4.2.1 Select analysis
Process control and
techniques, appropriate to Y 2.00 Description
analysis techniques
collected data.
GP 4.2.2 Determine as-
signable causes of process Statistical analysis
GP 4.2.X Y 3.00 Plan 60 % L-
variation by analysing the tools/applications
collect data.
GP 4.2.3 Establish distribu-
Process control
tions that characterize the Y 6.00 Report
tools/applications
process performance.
GP 4.2.4 Identify and imple-
ment corrective actions to N 9.00 Record
address assignable causes.
GP 4.2.5 Establish separate
GP 4.2.X 60 % L-
distributions for analysing
the process under the influ- N
ence of assignable causes of
variation.
GP 5.1.1 Define the process
innovation objectives for Process improve-
Y 2.00 Description
the process that support the ment framework
relevant business goals.
Process feedback
GP 5.1.2 Analyse data of the
and analysis system
process to identify opportu-
GP 5.1.X Y (measurement data, 3.00 Plan 100 % F
nities for best practices and
causal analysis
innovation.
results, etc.)
GP 5.1.3 Identify innova-
tion opportunities of the Piloting and trialing
NA 5.00 Procedure
process from new technolo- mechanism
gies and process concepts.
GP 5.1.4 Derive an imple-
mentation strategy based
Y 6.00 Report
on long-term innovation
GP 5.1.X 100 % F
vision and objectives.
  8.00 Specification
  9.00 Record

---------------------- Page: 17 ----------------------
ISO/IEC TR 30105-7:2019(E)

© ISO/IEC 2019 – All rights reserved 13
Table 1 (continued)
Process Applicability
Notes for Work product Work product Achievement Rating
Key practice
the auditor (Input) (Output) (%) result
OEN2 Y/N/NA Corporation/Function Service
GP 5.2.1 Assess the impact
of each proposed change
Change manage-
against the objectives of Y 2.00 Description
ment system
the defined and standard
process.
GP 5.2.2 Manage the
implementation of agreed
Process evaluation
changes to selected areas
N system (impact anal- 3.00 Plan
of the defined and standard
...