Systems and software engineering — Lifecycle profiles for Very Small Entities (VSEs) — Part 3-1: Assessment guide

ISO/IEC TR 29110-3-1:2015 defines the process assessment guidelines needed to meet the purpose of defined Very Small Entity (VSE) profiles. It is applicable to all VSE profiles and is compatible with ISO/IEC 33002.

General Information

Status: Withdrawn
Publication Date: 13-Oct-2015
Withdrawal Date: 13-Oct-2015
Current Stage: 9599 - Withdrawal of International Standard
Completion Date: 14-Apr-2020
Technical report
ISO/IEC TR 29110-3-1:2015 - Systems and software engineering -- Lifecycle profiles for Very Small Entities (VSEs)
English language
43 pages

Standards Content (Sample)

TECHNICAL REPORT
ISO/IEC TR 29110-3-1
First edition
2015-10-15
Systems and software engineering — Lifecycle profiles for Very Small Entities (VSEs) — Part 3-1: Assessment guide
Reference number: ISO/IEC TR 29110-3-1:2015(E)
© ISO/IEC 2015

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org

Contents
Foreword
Introduction
1 Scope
1.1 Fields of application
1.2 Target audience
2 Normative references
3 Terms and definitions
4 Conventions and abbreviated terms
4.1 Naming, diagramming, and definition conventions
4.2 Abbreviated terms
5 Process assessment framework
6 VSE process assessment
6.1 Performing an assessment
6.1.1 Introduction
6.1.2 Assessment inputs
6.1.3 Roles and responsibilities
6.1.4 The assessment process
6.2 Use of the assessment results
6.3 Achievement of a VSE Profile
6.4 Application of Process Assessment Models
Annex A (informative) Measurement framework and Process Assessment Model
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee
SC 7, Software and systems engineering.
This first edition of ISO/IEC TR 29110-3-1 cancels and replaces ISO/IEC TR 29110-3:2011, which has
been technically revised.
The full list of parts of ISO/IEC 29110 is available here.

Introduction
Very Small Entities (VSEs) around the world are creating valuable products and services. For the
purpose of this International Standard, a Very Small Entity (VSE) is an enterprise, an organization, a
department, or a project having up to 25 people. Since many VSEs develop and/or maintain system
and software components used in systems, either as independent products or incorporated in larger
systems, a recognition of VSEs as suppliers of high quality products is required.
According to the Organization for Economic Co-operation and Development (OECD) SME and
Entrepreneurship Outlook report (2005), “Small and Medium Enterprises (SMEs) constitute the
dominant form of business organization in all countries world-wide, accounting for over 95 % and
up to 99 % of the business population depending on country”. The challenge facing governments
and economies is to provide a business environment that supports the competitiveness of this large
heterogeneous business population and that promotes a vibrant entrepreneurial culture.
From studies and surveys conducted, it is clear that the majority of International Standards do not
address the needs of VSEs. Implementation of and conformance with these standards is difficult, if not
impossible. Consequently, VSEs have no, or very limited, ways to be recognized as entities that produce
quality systems/system elements including software in their domain. Therefore, VSEs are excluded
from some economic activities.
It has been found that VSEs find it difficult to relate International Standards to their business needs
and to justify the effort required to apply standards to their business practices. Most VSEs can neither
afford the resources, in terms of number of employees, expertise, budget, and time, nor do they see a
net benefit in establishing over-complex systems or software lifecycle processes. To address some of
these difficulties, a set of guides has been developed based on a set of VSE characteristics. The guides
are based on subsets of appropriate standards processes, activities, tasks, and outcomes, referred to as
profiles. The purpose of a profile is to define a subset of International Standards relevant to the VSEs’
context; for example, processes, activities, tasks, and outcomes of ISO/IEC/IEEE 12207 for software;
and processes, activities, tasks, and outcomes of ISO/IEC/IEEE 15288 for systems; and information
products (documentation) of ISO/IEC/IEEE 15289 for software and systems.
VSEs can achieve recognition through implementing a profile and by being audited against
ISO/IEC 29110 specifications.
The ISO/IEC 29110 series of standards and technical reports can be applied at any phase of system or
software development within a lifecycle. This series of standards and technical reports is intended to
be used by VSEs that do not have experience or expertise in adapting/tailoring ISO/IEC/IEEE 12207
or ISO/IEC/IEEE 15288 standards to the needs of a specific project. VSEs that have expertise in
adapting/tailoring ISO/IEC/IEEE 12207 or ISO/IEC/IEEE 15288 are encouraged to use those standards
instead of ISO/IEC 29110.
ISO/IEC 29110 is intended to be used with any lifecycle such as: waterfall, iterative, incremental,
evolutionary, or agile.
The ISO/IEC 29110 series, targeted by audience, has been developed to improve system or software
and/or service quality, and process performance. See Table 1.

Table 1 — ISO/IEC 29110 target audience
| ISO/IEC 29110 | Title | Target audience |
|---|---|---|
| Part 1 | Overview | VSEs and their customers, assessors, standards producers, tool vendors, and methodology vendors |
| Part 2 | Framework | Profile producers, tool vendors, and methodology vendors. Not intended for VSEs |
| Part 3 | Assessment guide | VSEs and their customers, assessors, accreditation bodies |
| Part 4 | Profile specifications | VSEs, customers, standards producers, tool vendors, and methodology vendors |
| Part 5 | Management and engineering guide | VSEs and their customers |
If a new profile is needed, ISO/IEC 29110-4 and ISO/IEC TR 29110-5 can be developed with minimal
impact to existing documents.
ISO/IEC TR 29110-1 defines the terms common to the ISO/IEC 29110 series. It introduces processes,
lifecycle and standardization concepts, the taxonomy (catalogue) of ISO/IEC 29110 profiles, and
the ISO/IEC 29110 series. It also introduces the characteristics and needs of a VSE, and clarifies the
rationale for specific profiles, documents, standards, and guides.
ISO/IEC 29110-2 introduces the concepts for systems and software engineering profiles for VSEs. It
establishes the logic behind the definition and application of profiles. For standardized profiles, it
specifies the elements common to all profiles (structure, requirements, conformance, assessment). For
domain-specific profiles (profiles that are not standardized and developed outside of the ISO process),
it provides general guidance adapted from the definition of standardized profiles.
ISO/IEC TR 29110-3 defines certification schemes, assessment guidelines, and compliance requirements
for process capability assessment (ISO/IEC 33xxx), conformity assessments (ISO/IEC 17xxx), and
self-assessments for process improvements. ISO/IEC TR 29110-3 also contains information that can
be useful to developers of certification and assessment methods and developers of certification and
assessment tools. ISO/IEC TR 29110-3 is addressed to people who have direct involvement with the
assessment process, e.g. the auditor, certification, and accreditation bodies, and the sponsor of the
audit, who need guidance on ensuring that the requirements for performing an audit have been met.
ISO/IEC 29110-4-m provides the specification for all profiles in one profile group that are based on
subsets of appropriate standards elements.
ISO/IEC TR 29110-5-m-n provides a management and engineering guide for each profile in one
profile group.
The future ISO/IEC TR 29110-6-x provides management and engineering guides not tied to a
specific profile.
Figure 1 describes the International Standards (IS) and Technical Reports (TR) of ISO/IEC 29110 and
positions the parts within the framework of reference. Overview, assessment guide, management, and
engineering guide are available from ISO as freely available Technical Reports (TR). The Framework
document, profile specifications, and certification schemes are published as International Standards (IS).
Figure 1 — ISO/IEC 29110 Series
1 Scope
1.1 Fields of application
This part of ISO/IEC 29110 defines the process assessment guidelines needed to meet the purpose
of defined Very Small Entity (VSE) profiles. It is applicable to all VSE profiles and is compatible with
ISO/IEC 33002.
The possible uses of this part of ISO/IEC 29110 are as follows.
a) Assessment to evaluate the process capabilities. This is when an organization wants an assessment
execution in order to obtain a process profile of the implemented processes.
b) Supplier’s capability assessment. This is when a customer asks for a third party to conduct an
assessment in order to obtain a process profile of the implemented process by the system or
software development and maintenance supplier. The customer chooses the processes to be
assessed depending on the services to be contracted.
1.2 Target audience
The target audience of this part of ISO/IEC 29110 is primarily those who perform process assessments
of VSEs. This part of ISO/IEC 29110 also contains information that can be useful to developers of
assessment methods and assessment tools.
This part of ISO/IEC 29110 is addressed to people who have a direct relation with the assessment
process based on the VSE profiles, e.g. the assessors and the sponsor of the assessment, who need
guidance on ensuring that the requirements for performing an assessment have been met.
It is intended that ISO/IEC TR 29110-1 and ISO/IEC 29110-2 be read first when initially exploring VSE
profile documents.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC TR 29110-1, Software engineering — Lifecycle profiles for Very Small Entities (VSEs) — Part 1:
Overview
ISO/IEC 33001:2015, Information technology — Process assessment — Concepts and terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC TR 29110-1, ISO/IEC 33001
and the following apply.
3.1
process quality
ability of a process to satisfy stated and implied stakeholder needs when used in a specified context
[SOURCE: ISO/IEC 33001:2015, 3.4.8]
3.2
process quality level
representation of the achieved level of a process quality characteristic derived from the process
attribute ratings for an assessed process
[SOURCE: ISO/IEC 33001:2015, 3.4.9, modified]
3.3
organizational profile
set of process profiles defined in the ISO/IEC 29110- series
Note 1 to entry: The profiles will conform to the organizational maturity levels that will correspond to the basic,
intermediate, and advanced profiles (as defined in ISO/IEC 29110- series).
4 Conventions and abbreviated terms
4.1 Naming, diagramming, and definition conventions
None.
4.2 Abbreviated terms
BP Base Practice
PA Process Attributes
PAM Process Assessment Model
PRM Process Reference Model
5 Process assessment framework
These guidelines apply to VSE process assessments. The assessment, as defined in this part of
ISO/IEC 29110, has two purposes.
— To evaluate the process capability based on a two-dimensional assessment model containing a
process dimension and the process quality dimension. The process dimension refers to the processes
defined in each VSE profile which are provided by an external Process Reference Model (PRM).
The process quality dimension consists of a Process Measurement Framework comprising Process
Quality Levels, their associated Process Attributes, and the rating scale.
— To evaluate whether an organization fulfils the targeted VSE profile based on the evaluated
capabilities for the processes.
For an official recognition, the conformity assessments should be carried out following a process
assessment process satisfying the requirements of ISO/IEC 33002 and described in Clause 6. For
self-assessments emphasizing identification of process improvements, other approaches can be
applied (additional information can be found in other parts of ISO/IEC 29110 specifically dedicated
to self-assessment).
According to ISO/IEC 33001, a process assessment is a disciplined evaluation of an organizational unit’s
processes against a Process Assessment Model (PAM). In this context, the Process Assessment Model
consists of a subset of process purposes and outcomes of a Process Reference Model, and the process
attributes, quality levels and rating scale that are defined in the correspondent Process Assessment
Model. A Process Reference Model is, for instance, ISO/IEC/IEEE 12207 and the applicable subset is
defined in a Specification of a profile, for instance, ISO/IEC 29110-4-1. The applied Process Assessment
Model needs to be conformant to ISO/IEC 33002. The result of a process assessment is represented as
a set of process attribute ratings, i.e. a process profile. Figure 2 illustrates the relevant documents and
data for a process applicable to VSE process assessment.
Figure 2 — Elements of VSE process assessment
[Diagram not reproduced. Labelled elements: ISO/IEC 33002 Process Assessment Requirements; ISO/IEC 29110-3-1 Process Assessment Guidelines; VSE Process Assessment; Process Profile (Assessment result); ISO/IEC 29110-3-1 Annex A Measurement framework; ISO/IEC 29110-3-1 Annex A Process Assessment Model; ISO/IEC 29110-4-m Profile Specifications; Process Reference Model.]
ISO/IEC 33002 sets out the minimum requirements for performing a process assessment that ensure
consistency and repeatability of the ratings. The requirements help to ensure that the process
assessment output is self-consistent and provides evidence to substantiate the ratings and to verify
conformance with the requirements.
Self-assessments are typically performed to identify process improvement opportunities or to check
current status of the organization’s performance. Self-assessments in VSEs are outside the scope of this
part of ISO/IEC 29110.
6 VSE process assessment
6.1 Performing an assessment
6.1.1 Introduction
In performing a process assessment based on ISO/IEC 29110, the requirements expressed in
ISO/IEC 33002 are intended to be satisfied in full. This Clause provides additional guidance related
specifically to the process assessment in VSEs.
A process assessment is conducted according to a documented process that is capable of meeting
the process assessment purpose. The key elements of a documented assessment process are closely
tied to the requirements for performing an assessment, defined in ISO/IEC 33002. The documented
assessment process is the set of instructions for conducting the process assessment. A documented
assessment process addresses the following aspects of the conduct of a process assessment:
— incorporate as a minimum, the tasks defined in ISO/IEC 33002;
— identify the classes of process assessment for which the documented assessment process can
be applied, and the nature and extent of tailoring associated with each class addressed by the
documented process;
— define the criteria for ensuring coverage for both the defined organizational scope and the defined
process scope for the assessment, in terms of the strategy for collecting and analysing data;
— identify or define the approach to be taken in performing the generation of process attribute ratings,
including (where applicable) the aggregation of observations and/or characterisations across the
elements of the assessment.
6.1.2 Assessment inputs
Process assessment inputs as specified in ISO/IEC 33002:2015, 4.4 are to be defined. In conducting
process assessments of VSEs based on ISO/IEC 29110-4-m, the following issues are expected.
— The process scope of the process assessment [ISO/IEC 33002:2015, 4.4.1 (d) (1, 2)] should be
determined by the target VSE Profile specified for the process assessment.
— The organizational scope of the process assessment [ISO/IEC 33002:2015, 4.4.1 (d) (3)] should
typically be the entire VSE; however, where the VSE deploys a small number of clearly distinct
projects or functions, the scope can be limited to a single project or function.
— In defining the process assessment context [ISO/IEC 33002:2015, 4.4.1 (d) (4)], the process assessment
plan should take into account the VSE business and engineering context and be affordable for a VSE.
— In defining the process assessment constraints [ISO/IEC 33002:2015, 4.4.1 (g)], the specific nature
of the VSE should be explored to establish constraints on availability of resources or data that might
affect the reliability of the process assessment.
6.1.3 Roles and responsibilities
Typically, the process assessment team for a VSE process assessment consists of at least one
lead assessor, or a lead assessor with other assessors. The assessors should be familiar with the VSE
characteristics.
6.1.4 The assessment process
The activities to be performed will be determined by the chosen documented assessment process
tailored as necessary. The documented process for the process assessment of a VSE should address all
of the required activities defined in ISO/IEC 33002:2015, 4.2.
Specific concerns of relevance to process assessment of VSEs include the following:
Plan the assessment
Typically, the schedule for process assessment of a VSE will need to take account of the availability
of key resources. The level of resources required for the process assessment should be determined
according to the resources available to the VSE.
Collect the data
The strategy for data collection should take account of the nature of the work performed within the
VSE, and of the nature of the items of objective evidence that will typically be available. Often, process
assessments in VSEs rely heavily on testimony from performers of the processes; however, to the best
extent possible, the assessors should endeavour to obtain other supporting objective evidence drawn
from the VSE work products.
Validate the data
The key issue in data validation in process assessment of a VSE is ensuring that the data collected is
representative of the normal operations of the enterprise.
Derive results
In conducting process attribute rating, the assessors should focus on the extent to which the evidence
obtained addresses the processes and process attributes being rated. The requirement for traceability
between the rating and the evidence employed [ISO/IEC 33002:2015, 4.2.1 e) 1)] is relevant here.
Report the assessment
The assessors should ensure that the report to the sponsor of the process assessment covers the full
scope of the VSE Profile employed in the process assessment.
6.2 Use of the assessment results
The process assessment results can be used to:
a) evaluate the process quality levels of an organization,
b) determine the improvement opportunities, in order to enhance the organization’s ability to meet
its business goals by improving efficiency and quality of its products and services. The findings can
be used as a base to perform the improvement plan,
c) benchmark the process quality levels with other organizations in the market, and
d) select a supplier based on the supplier’s quality level assessment.
6.3 Achievement of a VSE Profile
This subclause provides guidance on how to determine whether an organization fulfils a VSE Profile.
The determination is based on the evaluated quality levels for the processes within each VSE Profile.
ISO/IEC 29110-4-m defines the conformance requirements.
The requirements for the profiles are defined in ISO/IEC 29110-4-m. The corresponding quality levels
to be evaluated for each profile can be derived from the respective parts of ISO/IEC 29110-4-m. At
minimum, all mandatory elements of the VSE profile, as defined in ISO/IEC 29110-4-m, need to be
considered in the process assessment.
For example, to achieve the software basic profile, the assessed processes need to achieve quality level
one as defined in Annex A. This means that the implemented process achieves its process purpose and
its defined outcomes. For example, for VSE Generic basic profile for software, the applicable process
purposes are documented in ISO/IEC 29110-4-1 (Process Reference Model for the Basic Profile):
— Project Management process;
— Software Implementation process.
NOTE Process Reference Models are now to be contained in ISO/IEC 29110-4-m.
The related outcomes of the Process Reference Model are documented in Annex A (supported by
ISO/IEC 29110-5-m-n under the process specific Objectives). A detailed mapping of the profile process
elements to ISO/IEC/IEEE 15288, ISO/IEC/IEEE 12207, and other base standards is provided in
ISO/IEC 29110-4-m.
6.4 Application of Process Assessment Models
Use of an ISO/IEC 33004 compliant Process Assessment Model (PAM) ensures that the process assessment
results are comparable, reliable, and repeatable. The assessor should confirm that the applied PAM is
suitable for assessing the process capability in the context of VSEs.
The applied PAM should have a set of indicators that address the process purpose and outcomes, and
demonstrate the achievement of the required capability level.
ISO/IEC 29110-4-m Specifications for VSE profiles document a detailed mapping of process elements
between ISO/IEC 29110-5-m-n and the Process Reference Model in ISO/IEC 29110-4-m, respectively.
A VSE specific PAM can be derived by selecting those process assessment indicators relevant to the
corresponding process outcomes defined in ISO/IEC 29110-4-m. An exemplar Process Assessment
Model for the VSE Processes and profiles is provided in Annex A of this part of ISO/IEC 29110.

Annex A
(informative)

Measurement framework and Process Assessment Model
A.1 Introduction
This Annex provides both the measurement framework and the Process Assessment and Maturity
Model for the evaluation of the process quality attributes of the processes defined in the ISO/IEC 29110
series for VSEs.
A.2 sets out the measurement framework that can be used in the assessment of process capability
and organizational pro
...
