ISO/IEC DTR 7052

ISO/IEC DTR2 DTR 7052:202x(X)
ISO JTC 1/SC 7 N9089
ISO/IEC JTC 1/SC 7/WG 7 N2935
2023-01-16
Secretariat: BIS
Date: 2023-05-31
Software engineering -- Risk management– Controlling frequently
occurring risks during development and maintenance of custom
software

DTR2Ingéniérie du logiciel – Contrôle des risques fréquents au cours du développement et

This document is not an ISO International Standard. It is distributed for review and comment. It is subject to

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this

publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical,

including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can

be requested from either ISO at the address below or ISO’s member body in the country of the requester.

Foreword ............................................................................................................................................................................................ vi

Introduction ......................................................................................................................................................................................vi i

1 Scope ....................................................................................................................................................................................... 1

2 Normative references ....................................................................................................................................................... 1

3 Terms and definitions ...................................................................................................................................................... 1

4 Abbreviated terms .......................................................................................................................................................... 12

5 Explanatory note on terms .......................................................................................................................................... 13

5.1 The term risk .................................................................................................................................................................... 13

5.2 The term control .............................................................................................................................................................. 13

6 Risks ..................................................................................................................................................................................... 14

6.1 General ................................................................................................................................................................................ 14

6.2 Product-related risks ..................................................................................................................................................... 14

6.2.1 General ............................................................................................................................................................................ 14

6.2.2 Risk 01: The quality of the software is reduced because of modifications to it ............................... 15

6.2.3 Risk 02: The quality of the software is reduced because of modifications to the environment in

which it runs .................................................................................................................................................................................... 15

6.3 Project-related risks ...................................................................................................................................................... 16

6.3.1 General ............................................................................................................................................................................ 16

6.3.2 Risk 03: Planned functionality is not completed on time because of underestimation of the

amount of work involved ........................................................................................................................................................... 16

6.3.3 Risk 04: The product is not delivered on time and within budget because the scope is changed

6.3.4 Risk 05: The software does not meet the requirements laid down because the team does not

have the required expertise ...................................................................................................................................................... 17

6.3.5 Risk 06: The product does not offer the right functionality because of inadequate management

of the work ....................................................................................................................................................................................... 17

6.3.6 Risk 07: The product lacks the right non-functional properties because functional requirements

were given too much priority ................................................................................................................................................... 18

6.3.7 Risk 08: Misunderstandings occur because the communication between stakeholders is poor

6.3.8 Risk 09: Custom software does not (demonstrably) meet obligations because development, use

and maintenance were not sufficiently auditable ............................................................................................................ 19

6.3.9 Risk 10: The product is not delivered on time because a great deal of time was needed to set up

for software development.......................................................................................................................................................... 19

7 Controls ............................................................................................................................................................................... 20

7.1 General ................................................................................................................................................................................ 20

7.2 Project-related controls ............................................................................................................................................... 20

7.2.1 General ............................................................................................................................................................................ 20

7.2.2 Project preparation ................................................................................................................................................... 21

7.2.3 Project execution ........................................................................................................................................................ 25

7.2.4 Completion of development and/or maintenance ....................................................................................... 29

7.3 Organization-related controls ................................................................................................................................... 30

7.3.1 Control 16: Supporting teams with specialist knowledge and tools .................................................... 30

7.3.2 Control 17: Continuous risk management ....................................................................................................... 31

Annex A (informative) Overview of risks and controls ................................................................................................ 33

Annex B (informative) Assessment tool ............................................................................................................................. 35

Bibliography .................................................................................................................................................................................... 38

ISO (the International Organization for Standardization) is a and IEC (the International Electrotechnical

standardsstandardization. National bodies (that are members of ISO member bodies). The work of

preparing or IEC participate in the development of International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a established by

the respective organization to deal with particular fields of technical activity. ISO and IEC technical

committee has been established has the right to be represented on that committee.

Internationalcommittees collaborate in fields of mutual interest. Other international organizations,

governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. ISO

collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO documentsdocument should be noted. This document was drafted in accordance

with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or

Attention is drawnISO and IEC draw attention to the possibility that some of the elementsimplementation

of this document may beinvolve the subjectuse of (a) patent(s). ISO and IEC take no position concerning

the evidence, validity or applicability of any claimed patent rights in respect thereof. As of the date of

publication of this document, ISO and IEC had not received notice of (a) patent(s) which may be required

to implement this document. However, implementers are cautioned that this may not represent the latest

information, which may be obtained from the patent database available at www.iso.org/patents and

https://patents.iec.ch rights. ISO. ISO and IEC shall not be held responsible for identifying any or all such

patent rights. Details of any patent rights identified during the development of the document will be in

Any trade name used in this document is information given for the convenience of users and does not

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the World

Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT),) see

www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-

Information and communication technology (ICT) projects run many risks. ICT projects often have to

ICT projects in which custom software is developed and/or maintained often run extra riskrisks, on top

of the risks that are part and parcel of ICT projects in general . . This would seemseems to be caused

by the sheer size and complexity of such custom software projects, and by a failure to mitigate the risks

inherent to software development in general, despite the fact that they are well known, and that there

This document describes controls for some of the risks inherent in custom software development. The

purpose of this document is that during the development of custom software stakeholders can avail

themselves of a collection of suitable controls. The controls included are each common of themselves,

making this collection of controls a logical starting point for assuring the quality of custom software

development. Controls were selected for inclusion based on the experience and opinion of the subject

Two target groups are important when mitigating risks during the development of custom software:

This document details risks and controls specific to custom software development. Risk management in

the context of software development is covered in ISO/IEC/IEEE 12207 and its elaboration standard

ISO/IEC/IEEE 16085. Generic risk management is covered by ISO 31000 and its related standards.

This document is based on NPR 5326 developed by Royal Netherlands Standardization Institute

— describes frequently occurring risks during development and maintenance of custom software;

— standards, measurements, testing and assessment of the properties of products and

ISO and IEC maintain terminologicalterminology databases for use in standardization at the following

development method where team members with various backgrounds [developers (3.18(3.18),), testers

and business analysts)] jointly write the acceptance tests prior to development of the relevant

Note 1 to entry: Although the name of the method, acceptance test-driven development, suggests that ATDD is a

specialization of test-driven development (3.46(3.49)) (TDD), this is not the case. Rather, TDD focuses on driving

development by writing unit tests (3.48) first and ATDD focuses on driving development by writing acceptance tests

stakeholder that acquires or procures a product or service from a supplier (3.44(3.47))

Note 1 to entry: Other terms commonly used for an acquirer are buyer, customer, owner, purchaser or

development approach based on iterative development, frequent inspection and adaptation, and

incremental deliveries in which requirements and solutions evolve through collaboration in cross-

Note 1 to entry: Any use of the word “agile” in this document refers to methodology.

[SOURCE: ISO/IEC/IEEE 26515:2018, 3.1], modified — In note 1 to entry, removed the reference to

collection of agile features or stories of both functional and non-functional requirements that are typically

Note 1 to entry 1: : This can be used as a list of product requirements and deliverables (3.13(3.13)) not part of

development method where team members with various backgrounds [developers (3.18(3.18),), testers

and business analysts)] jointly describe the behaviour of the intended functionality prior to development

indicator of the work completed and an estimate of remaining work to be completed or remaining effort

needed to complete a product development iteration cycle.cycleNote 1 to entry: Work is measured as all

work done to deliver story points, stories, features, functions, function points (3.25(3.26),), user stories

(3.50(3.53),), use cases (3.49(3.52),), or requirements during a product development iteration.

[SOURCE: ISO/IEC/IEEE 24765:2017, 3.437, modified — Restructured into definition and note 1 to

Figure 1 — Example of a burndown chart with time on the horizontal axis and work-remaining

on the vertical axis. The solid line represents the actual work-remaining and the stippled line

Note 1 2 to entry: This can be used as a chart to show the amount of the work done versus the amount of the work

Note 2 3 to entry: This can be presented per sprint (3.42(3.35),), as well as per release or iteration.

Note 3 4 to entry: For example, user story points (3.51(3.54)) or function points (3.25(3.26)) can be used to measure

[SOURCE: ISO/IEC/IEEE 26511:2018, 3.1.6. Modified – Notes, modified — Added the example figure and

Note 1 to entry: The outcome is a statement and justification of business continuity requirements.

activity where one or more developers (3.18(3.18)) establish the quality (3.35(3.38)) of (part of) the

Note 1 to entry: There are a variety of ways to conduct code reviews which range from formal to very informal and

[SOURCE: NEN NPR 5326:2019, 3.10., modified — Modified definition and added note 1 to entry added].]

database that is used by an organization to store information about the hardware and software in use

Note 2 to entry: A consequence can be certain or uncertain and can have positive or negative effects on objectives.

Note 1 to entry: Controls include any process, policy, device, practice, or other actions which modify risk.

Note 2 to entry: Controls cannot always exert the intended or assumed modifying effect.

[SOURCE: ISO Guide 73:2009, 3.8.1.1, modified – Note— In note 2 to entry modified from, changed “may

software product developed for a specific application from a user requirements specification

tool described in the General Data Protection Regulation (3.27(3.28)) (GDPR) to assess in advance the

privacy risks of data processing and then to be able to implement controls (3.12(3.12)) to reduce the risks

[SOURCE: NEN NPR 5326:2019 3.12, modified –— Changed “take measures” to “implement controls”.

any unique and verifiable product, result, or capability to perform a service that must be produced to

[SOURCE: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) — Sixth Edition]

information-gathering technique used as a way to reach consensus of experts on a subject

Note 1 to entry: The Delphi method is applied as consensus tool for determining weights of indicators/sub-

Note 2 to entry: A facilitator uses a questionnaire to solicit ideas about the important project points related to the

subject. The responses are summarized and are then recirculated to the experts for further comment. Consensus

[SOURCE: ISO/IEC/IEEE 24765:2017, 3.1102, restructuredmodified — Restructured into definition and

methodology for solving (very complex) problems where these are defined from the human needs

Note 1 to entry: In design thinking solutions are determined with brainstorming sessions, where prototypes

individual or organization that performs development activities (including requirements analysis,

design, testing through acceptance) during the system or software life-cycle process

Note 1 to entry: Activities of the developer of custom software (3.13(3.13)) include setup and analysis of functional

and non-functional system and software requirements, design, programming and testing.

Note 2 to entry: Designers, programmers and testers are therefore all developers.

set of tools aimed at the managed and controlled build of a package with which an application can be

Note 1 to entry: As part of this various tests are carried out to determine and assess quality (3.35(3.38).).

Note 1 to entry: The acquirer (3.2(3.2),), product owner (3.33(3.35)) and future maintainer can form part of the

Note 2 to entry: Development teams can be broken down by function (for examplee.g. a team of designers, a team

of programmers, a team of testers) or be multidisciplinary (each team has for examplee.g. design, programming and

set of principles and practices which enable better communication and collaboration between relevant

stakeholders for the purpose of specifying, developing, and operating software and systems products and

unauthorized access to a system resource or the delaying of system operations and functions in the way

of compromising multiple systems to flood the bandwidth or resources of the targeted system, with

management methodology for integrating scope, schedule, and resources; for objectively measuring

[SOURCE: Project Management Institute, Practice Standard for Earned Value Management - Second

Note 1 to entry: An event can be one or more occurrences and can have several causes.

Note 3 to entry: An event can sometimes be referred to as an ‘incident’ or ‘accident’.

Note 4 to entry: An event without consequences (3.11(3.11)) can also be referred to as a ‘near miss’, ‘accident’, ‘near

form of agile software development where procedures for iterative planning and working are combined

[SOURCE: ISO/IEC 20926:2009, 3.35, modified — removed “as defined…” clause.] within this

[SOURCE: ISO/IEC 20926:2009, 3.36, modified — removed “as defined…” clause.] within this

European Regulation that standardizes the rules for processing personal data by private businesses and

testing in which software components, hardware components, or both are combined and tested to

set of practices for helping entrepreneurs increase their odds of a building a successful start-up

‘’[SOURCE: Ries, 2011, p. 27, modified — spelling changed from “lean startup”Removed note 1 to “lean

version of a work product with just enough features and requirements to satisfy early customers and/or

Note 1 to entry: To achieve an objective several tools and activities are generally needed, one of which can be custom

test type conducted to evaluate the degree to which a test item accomplishes its designated functions

Note 1 to entry: A distinction is often made between load, stress and endurance tests. Load tests simulate a normal

load on the system. Stress tests allow the load to increase to determine the maximum load at which the system still

functions. Endurance tests load the system for a longer period in order to discover memory leaks or other problems

[SOURCE: ISO/IEC/IEEE 29119-1:2022, 3.58. Added Note, modified — Changed the term from

"performance testing" to "performance test"; changed "type of testing" to "test type"; added note 1 to

Note 1 to entry: The PBS begins with the complete product at the top of the hierarchy and below this the main

[SOURCE: ISO 21511:2018, 3.7, modified – added Note— Added the abbreviated term and note 1 to