ISO/IEC 90003:2014
Software engineering - Guidelines for the application of ISO 9001:2008 to computer software
ISO/IEC 90003:2014 provides guidance for organizations in the application of ISO 9001:2008 to the acquisition, supply, development, operation and maintenance of computer software and related support services. ISO/IEC 90003:2014 does not add to or otherwise change the requirements of ISO 9001:2008. The guidelines provided in ISO/IEC 90003:2014 are not intended to be used as assessment criteria in quality management system registration/certification. The application of ISO/IEC 90003:2014 is appropriate to software that is
— part of a commercial contract with another organization,
— a product available for a market sector,
— used to support the processes of an organization,
— embedded in a hardware product, or
— related to software services.
Some organizations may be involved in all the above activities; others may specialize in one area. Whatever the situation, the organization's quality management system should cover all aspects (software related and non-software related) of the business. ISO/IEC 90003:2014 identifies the issues that should be addressed and is independent of the technology, life cycle models, development processes, sequence of activities and organizational structure used by an organization. Additional guidance and frequent references to the ISO/IEC JTC 1/SC 7 software engineering standards are provided to assist in the application of ISO 9001:2008, in particular ISO/IEC 12207:2008.
Ingénierie du logiciel — Lignes directrices pour l'application de l'ISO 9001:2008 aux logiciels informatiques
ISO/IEC 90003:2014 is a standard published by the International Organization for Standardization (ISO). Its full title is "Software engineering - Guidelines for the application of ISO 9001:2008 to computer software". Its scope is summarized in the abstract above.
ISO/IEC 90003:2014 is classified under the following ICS (International Classification for Standards) categories: 03.100.70 - Management systems; 03.120.10 - Quality management and quality assurance; 35.080 - Software. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/IEC 90003:2014 has the following relationships with other standards: it is linked to ISO/IEC/IEEE 90003:2018 and to ISO/IEC 90003:2004. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 90003
Second edition
2014-12-15
Software engineering — Guidelines for the application of ISO 9001:2008 to computer software
Ingénierie du logiciel — Lignes directrices pour l’application de l’ISO 9001:2008 aux logiciels informatiques
© ISO/IEC 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2014 – All rights reserved
Contents
Foreword (p. iv)
Introduction (p. v)
1 Scope (p. 1)
1.1 General (p. 1)
1.2 Application (p. 1)
2 Normative references (p. 2)
3 Terms and definitions (p. 2)
4 Quality management system (p. 5)
4.1 General requirements (p. 5)
4.2 Documentation requirements (p. 6)
5 Management responsibility (p. 8)
5.1 Management commitment (p. 8)
5.2 Customer focus (p. 9)
5.3 Quality policy (p. 9)
5.4 Planning (p. 9)
5.5 Responsibility, authority and communication (p. 10)
5.6 Management review (p. 11)
6 Resource management (p. 12)
6.1 Provision of resources (p. 12)
6.2 Human resources (p. 12)
6.3 Infrastructure (p. 13)
6.4 Work environment (p. 14)
7 Product realization (p. 14)
7.1 Planning of product realization (p. 14)
7.2 Customer-related processes (p. 16)
7.3 Design and development (p. 21)
7.4 Purchasing (p. 29)
7.5 Production and service provision (p. 32)
7.6 Control of monitoring and measuring devices (p. 38)
8 Measurement, analysis and improvement (p. 39)
8.1 General (p. 39)
8.2 Monitoring and measurement (p. 40)
8.3 Control of nonconforming product (p. 42)
8.4 Analysis of data (p. 43)
8.5 Improvement (p. 44)
Annex A (informative) Summary of guidance in the implementation of ISO 9001:2008 available in ISO/IEC JTC 1/SC 7 and ISO/TC 176 standards (p. 46)
Annex B (informative) Planning in ISO/IEC 90003 and ISO/IEC 12207 (p. 48)
Bibliography (p. 53)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
Details of any patent rights identified during the development of the document will be in the Introduction
and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT), see the following URL: Foreword — Supplementary information.
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee
SC 7, Software and system engineering.
This second edition of ISO/IEC 90003 cancels and replaces the first edition. It has been updated for
conformity to ISO 9001:2008 and to reference recent editions of other relevant standards.
Introduction
This International Standard provides guidance for organizations in the application of ISO 9001:2008 to
the acquisition, supply, development, operation, and maintenance of computer software.
It identifies the issues that should be addressed and is independent of the technology, life cycle models,
development processes, sequence of activities, and organizational structure used by an organization. The
guidance and identified issues are intended to be comprehensive but not exhaustive. Where the scope of
an organization’s activities includes areas other than computer software development, the relationship
between the computer software elements of that organization’s quality management system and the
remaining aspects should be clearly documented within the quality management system as a whole.
Clauses 4, 5, and 6 and parts of Clause 8 of ISO 9001:2008 are applied mainly at the “global” level in the
organization, although they do have some effect at the “project/product level”. Each project or product
development may tailor the associated parts of the organization’s quality management system to suit
project/product-specific requirements.
Throughout ISO 9001:2008, “shall” is used to express a provision that is binding between two or more
parties, “should” to express a recommendation among possibilities, and “may” to indicate a course of
action permissible within the limits of ISO 9001:2008. This International Standard (ISO/IEC 90003)
provides guidance to assist in understanding how the provisions of ISO 9001:2008 apply in the context
of software.
Organizations with quality management systems for developing, operating, or maintaining software
based on this International Standard may choose to use processes from ISO/IEC 12207 to support
or complement the ISO 9001:2008 process model. The related paragraphs of ISO/IEC 12207:2008
are referenced in each clause of this International Standard; however, they are not intended to imply
requirements additional to those in ISO 9001:2008. Further guidance to the use of ISO/IEC 12207 may
be found in ISO/IEC 24748–3. For additional guidance, references are provided to the International
Standards for software engineering defined by ISO/IEC JTC 1/SC 7. Where these references are specific
to a clause or subclause of ISO 9001:2008, they appear after the guidance for that clause or subclause.
Where they apply generally across the parts of a clause or subclause, the references are included at the
end of the last part of the clause or subclause.
Where text has been quoted from ISO 9001:2008, that text is enclosed in a box, for ease of identification.
INTERNATIONAL STANDARD ISO/IEC 90003:2014(E)
Software engineering — Guidelines for the application of
ISO 9001:2008 to computer software
1 Scope
1.1 General
ISO 9001:2008, Quality management systems requirements
1.1 General
This International Standard specifies requirements for a quality management system where an
organization
a) needs to demonstrate its ability to consistently provide product that meets customer and
applicable statutory and regulatory requirements, and
b) aims to enhance customer satisfaction through the effective application of the system, including
processes for continual improvement of the system and the assurance of conformity to customer and
applicable statutory and regulatory requirements.
NOTE 1 In this International Standard, the term “product” only applies to
a) product intended for, or required by, a customer,
b) any intended output resulting from the product realization processes.
NOTE 2 Statutory and regulatory requirements can be expressed as legal requirements.
This International Standard provides guidance for organizations in the application of ISO 9001:2008
to the acquisition, supply, development, operation, and maintenance of computer software and related
support services. It does not add to or otherwise change the requirements of ISO 9001:2008.
Annex A (informative) provides a table pointing to additional guidance in the implementation of
ISO 9001:2008, available in ISO/IEC JTC 1/SC 7 and ISO/TC 176 International Standards.
The guidelines provided in this International Standard are not intended to be used as assessment criteria
in quality management system registration/certification.
1.2 Application
ISO 9001:2008, Quality management systems requirements
1.2 Application
All requirements of this International Standard are generic and are intended to be applicable to all
organizations, regardless of type, size, and product provided.
Where any requirement(s) of this International Standard cannot be applied due to the nature of an
organization and its product, this can be considered for exclusion.
Where exclusions are made, claims of conformity to this International Standard are not acceptable
unless these exclusions are limited to requirements within Clause 7, and such exclusions do not affect
the organization’s ability, or responsibility, to provide product that meets customer and applicable
statutory and regulatory requirements.
The application of this International Standard is appropriate to software that is
— part of a commercial contract with another organization,
— a product available for a market sector,
— used to support the processes of an organization,
— embedded in a hardware product, or
— related to software services.
Some organizations may be involved in all of the above activities; others may specialize in one area.
Whatever the situation, the organization’s quality management system should cover all aspects
(software related and non-software related) of the business.
2 Normative references
ISO 9001:2008, Quality management systems requirements
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO 9000:2005, Quality management systems — Fundamentals and vocabulary
3 Terms and definitions
ISO 9001:2008, Quality management systems requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 9000 apply.
Throughout the text of this International Standard, wherever the term “product” occurs, it can also
mean “service”.
For the purposes of this document, the terms and definitions given in ISO 9001:2008, and certain terms
(repeated here for convenience) given in ISO/IEC 12207 apply.
However, in the event of a conflict in terms and definitions, the terms and definitions specified in
ISO 9000:2005 apply.
NOTE ISO/IEC 12207:2008 provides detailed provisions for software life cycle processes. This International
Standard will make reference to terms defined in it.
3.1
activity
set of cohesive tasks of a process
[SOURCE: ISO/IEC 12207:2008, 4.3]
3.2
baseline
specification or product that has been formally reviewed and agreed upon, that thereafter serves as the
basis for further development, and that can be changed only through formal change control procedures
[SOURCE: ISO/IEC 12207:2008, 4.6]
3.3
configuration item
entity within a configuration that satisfies an end use function and that can be uniquely identified at a
given reference point
[SOURCE: ISO/IEC 12207:2008, 4.7]
3.4
COTS
Commercial-Off-The-Shelf
available for purchase and use without the need to conduct development activities
3.5
implementation
software life cycle process that contains activities of requirements analysis, design, coding, integration,
testing, installation, and support for acceptance of software products
3.6
life cycle model
framework of processes and activities concerned with the life cycle that may be organized into stages,
which also acts as a common reference for communication and understanding
Note 1 to entry: The requirements of ISO 9001:2008 would apply to maintenance, only if contractually required,
after acceptance of the product by the customer. However, generally, the requirements do not apply to maintenance.
[SOURCE: ISO/IEC 12207:2008, 4.17]
3.7
measure
make a measurement
[SOURCE: ISO/IEC 15939:2007, 2.16]
3.8
measure
variable to which a value is assigned as the result of measurement
[SOURCE: ISO/IEC 15939:2007, 2.15]
3.9
measurement
set of operations having the object of determining a value of a measure
[SOURCE: ISO/IEC 15939:2007, 2.17]
3.10
process
set of interrelated or interacting activities which transforms inputs into outputs
Note 1 to entry: Inputs to a process are generally outputs of other processes.
[SOURCE: ISO 9000:2005, 3.4.1]
3.11
regression testing
testing required to determine that a change to a system component has not adversely affected
functionality, reliability, or performance, and has not introduced additional defects
3.12
release
particular version of a configuration item that is made available for a specific purpose
Note 1 to entry: The term “release” used in the ISO 9001:2008 text quoted in this International Standard is used
in the context of the definition provided in ISO 9000:2005, 3.6.13, which is different from the ISO/IEC 12207
definition quoted above.
EXAMPLE Test release
[SOURCE: ISO/IEC 12207:2008, 4.35]
3.13
replication
copying a software product from one medium to another
3.14
software item
identifiable part of a software product
3.15
software product
set of computer programs, procedures, and possibly associated documentation and data
Note 1 to entry: A software product may be designated for delivery, an integral part of another product, or used
in development.
Note 2 to entry: This is different from a product in ISO 9000.
Note 3 to entry: For the purposes of this International Standard, “software” is synonymous with “software
product”.
[SOURCE: ISO/IEC 12207:2008, definition 4.42]
4 Quality management system
4.1 General requirements
ISO 9001:2008, Quality management systems requirements
4.1 General requirements
The organization shall establish, document, implement and maintain a quality management system
and continually improve its effectiveness in accordance with the requirements of this International
Standard.
The organization shall
a) determine the processes needed for the quality management system and their application
throughout the organization (see 1.2),
b) determine the sequence and interaction of these processes,
c) determine criteria and methods needed to ensure that both the operation and control of these
processes are effective,
d) ensure the availability of resources and information necessary to support the operation and
monitoring of these processes,
e) monitor, measure where applicable, and analyse these processes, and
f) implement actions necessary to achieve planned results and continual improvement of these
processes.
These processes shall be managed by the organization in accordance with the requirements of this
International Standard.
Where an organization chooses to outsource any process that affects product conformity to
requirements, the organization shall ensure control over such processes. The type and extent of
control to be applied to these outsourced processes shall be defined within the quality management
system.
NOTE 1 Processes needed for the quality management system referred to above include processes
for management activities, provision of resources, product realization, measurement, analysis and
improvement.
NOTE 2 An “outsourced process” is a process that the organization needs for its quality management
system and which the organization chooses to have performed by an external party.
NOTE 3 Ensuring control over outsourced processes does not absolve the organization of the
responsibility of conformity to all customer, statutory and regulatory requirements. The type and
extent of control to be applied to the outsourced process can be influenced by factors such as
a) the potential impact of the outsourced process on the organization’s capability to provide
product that conforms to requirements,
b) the degree to which the control for the process is shared,
c) the capability of achieving the necessary control through the application of 7.4.
Guidance is provided for items a) and b) of ISO 9001:2008, 4.1, in relation to the organizational processes
as follows (see 5.4.2, and 7.4.1 for additional guidance on outsourcing).
a) Process identification and application
The organization should also identify the processes for software development, operation or maintenance.
b) Process sequence and interaction
The organization should also define the sequence and interaction of the processes in:
1) life cycle models for software development, e.g. waterfall, incremental and evolutionary, and
2) quality and development planning, which should be based upon a life cycle model.
NOTE For further information, see the following:
— ISO/IEC 12207:2008 [5] (Software Life Cycle Processes), which defines a set of software life cycle processes that may be used for reference;
— ISO/IEC/TR 24748–1 [21] and ISO/IEC/TR 24748–3 [22], which provide guidance on how to use processes from ISO/IEC 12207 in different life cycles.
4.2 Documentation requirements
4.2.1 General
ISO 9001:2008, Quality management systems requirements
4.2.1 General
The quality management system documentation shall include
a) documented statements of a quality policy and quality objectives,
b) a quality manual,
c) documented procedures and records required by this International Standard, and
d) documents, including records, determined by the organization to be necessary to ensure the
effective planning, operation and control of its processes.
NOTE 1 Where the term “documented procedure” appears within this International Standard, this means that the procedure is established, documented, implemented and maintained. A single document may address the requirements for one or more procedures. A requirement for a documented procedure may be covered by more than one document.
NOTE 2 The extent of the quality management system documentation can differ from one organization to another due to
a) the size of organization and type of activities,
b) the complexity of processes and their interactions, and
c) the competence of personnel.
NOTE 3 The documentation can be in any form or type of medium.
Documents for the effective planning, operation, and control of processes for software [ISO 9001:2008,
4.2.1, item d)] may cover the following:
1) descriptions of processes, such as those identified in implementing 4.1;
2) descriptions of procedural instructions and/or templates used;
3) descriptions of life cycle models used, such as waterfall, incremental and evolutionary;
4) descriptions of tools, techniques, technologies, and methods such as those identified in implementing
4.1;
5) technical topics such as standards or guidance documents for coding, design and development, and
testing.
NOTE For further information on document identification as part of configuration management, see 7.5.3.
4.2.2 Quality manual
ISO 9001:2008, Quality management systems requirements
4.2.2 Quality manual
The organization shall establish and maintain a quality manual that includes
a) the scope of the quality management system, including details of and justification for any
exclusions (see 1.2),
b) the documented procedures established for the quality management system, or reference
to them, and
c) a description of the interaction between the processes of the quality management system.
4.2.3 Control of documents
ISO 9001:2008, Quality management systems requirements
4.2.3 Control of documents
Documents required by the quality management system shall be controlled. Records are a special
type of document and shall be controlled according to the requirements given in 4.2.4.
A documented procedure shall be established to define the controls needed
a) to approve documents for adequacy prior to issue,
b) to review and update as necessary and re-approve documents,
c) to ensure that changes and the current revision status of documents are identified,
d) to ensure that relevant versions of applicable documents are available at points of use,
e) to ensure that documents remain legible and readily identifiable,
f) to ensure that documents of external origin determined by the organization to be necessary for
the planning and operation of the quality management system are identified and their distribution
controlled, and
g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them
if they are retained for any purpose.
NOTE For further information on document control as part of configuration management, see 7.5.3.
4.2.4 Control of records
ISO 9001:2008, Quality management systems requirements
4.2.4 Control of records
Records established to provide evidence of conformity to requirements and of the effective operation
of the quality management system shall be controlled.
The organization shall establish a documented procedure to define the controls needed for the
identification, storage, protection, retrieval, retention and disposition of records.
Records shall remain legible, readily identifiable and retrievable.
4.2.4.1 Evidence of conformity to requirements
Evidence of conformity to requirements may include:
a) documented test results,
b) problem reports, including those related to tools problems,
c) change requests,
d) documents marked with comments,
e) audit and assessment reports, and
f) review and inspection records, such as those for design reviews, code inspections, and walk-throughs.
4.2.4.2 Evidence of effective operation
Examples of evidence of effective operation of the quality management system may include, but are not
limited to
a) changes (and the reasoning) to resources (people, software and equipment),
b) estimates, e.g. project size and effort (people, cost, schedule),
c) how and why tools, methodologies and suppliers were selected and qualified,
d) software license agreements (both for software supplied to customers and software procured to
aid development),
e) minutes of meetings, and
f) software release records.
4.2.4.3 Retention and disposition
When determining the retention periods for records, consideration should be given to statutory and
regulatory requirements. Where records are held on electronic media, consideration of the retention
times and accessibility of the records should take into account the rate of media degradation, the
availability of the devices, and software needed to access the records. Records may include information
held in email systems. Protection from computer viruses and unapproved or illegal access should be
considered.
The proprietary nature of the information stored on records should be assessed, in determining the
methods of data erasure from the media, at the end of its required retention period.
NOTE For further guidance related to ISO 9001:2008, 4.2, see ISO/IEC 12207:2008 [5], 6.3.6 (Information Management Process) and 7.2.1 (Software Documentation Management Process).
5 Management responsibility
5.1 Management commitment
ISO 9001:2008, Quality management systems requirements
5.1 Management commitment
Top management shall provide evidence of its commitment to the development and implementation of
the quality management system and continually improving its effectiveness by
a) communicating to the organization the importance of meeting customer as well as statutory and
regulatory requirements,
b) establishing the quality policy,
c) ensuring that quality objectives are established,
d) conducting management reviews, and
e) ensuring the availability of resources.
5.2 Customer focus
ISO 9001:2008, Quality management systems requirements
5.2 Customer focus
Top management shall ensure that customer requirements are determined and are met with the aim
of enhancing customer satisfaction (see 7.2.1 and 8.2.1).
5.3 Quality policy
ISO 9001:2008, Quality management systems requirements
5.3 Quality Policy
Top management shall ensure that the quality policy
a) is appropriate to the purpose of the organization,
b) includes a commitment to comply with requirements and continually improve the effectiveness of
the quality management system,
c) provides a framework for establishing and reviewing quality objectives,
d) is communicated and understood within the organization, and
e) is reviewed for continuing suitability.
5.4 Planning
5.4.1 Quality objectives
ISO 9001:2008, Quality management systems requirements
5.4.1 Quality objectives
Top management shall ensure that quality objectives, including those needed to meet requirements
for product [see 7.1 a)], are established at relevant functions and levels within the organization. The
quality objectives shall be measurable and consistent with the quality policy.
NOTE 1 Information on attributes of software processes suitable for setting objectives may be found in ISO/IEC 15504–1 [10]. ISO/IEC 15504 (all parts) may be used for assessing process capabilities and for setting objectives for improving process capabilities.
NOTE 2 Information on quality characteristics, subcharacteristics and attributes of a software product suitable for setting quality objectives is defined in ISO/IEC 25010 [24]. The ISO/IEC 25000 series of standards is useful for defining quality requirements and for setting quality objectives of a software product.
5.4.2 Quality management system planning
ISO 9001:2008, Quality management systems requirements
5.4.2 Quality management system planning
Top management shall ensure that
a) the planning of the quality management system is carried out in order to meet the requirements
given in 4.1, as well as the quality objectives, and
b) the integrity of the quality management system is maintained when changes to the quality
management system are planned and implemented.
Planning may occur at organizational and project/product levels.
Quality management system planning at the organizational level may include the following:
a) defining appropriate software life cycle models to be used for the types of project that the
organization undertakes, including how the organization normally implements software life cycle
processes;
b) defining the work products of software development, such as software requirements documents,
architectural design documents, detailed design documents, program code, and software user
documentation;
c) defining the content of software management plans, such as software project management plans,
software configuration management plans, software verification and validation plans, software
quality assurance plans and training plans;
d) defining how software engineering methods are tailored for the organization’s projects within the
life cycle (see 1.2);
e) identifying the tools and environment for software development, operations or maintenance;
f) specifying conventions for the use of programming languages, e.g. coding rules, software libraries
and frameworks;
g) identifying any software reuse (see also 7.5.4).
The organization’s management representative should consider any change to a software life cycle
model which may affect the quality management system and should ensure that such changes do not
compromise any quality management system controls.
Software quality planning at the project/product level is discussed in 7.1.
5.5 Responsibility, authority and communication
5.5.1 Responsibility and authority
ISO 9001:2008, Quality management systems requirements
5.5.1 Responsibility and authority
Top management shall ensure that responsibilities and authorities are defined and communicated
within the organization.
5.5.2 Management representative
ISO 9001:2008, Quality management systems requirements
5.5.2 Management representative
Top management shall appoint a member of the organization’s management who, irrespective of other
responsibilities, shall have responsibility and authority that includes
a) ensuring that processes needed for the quality management system are established, implemented
and maintained,
b) reporting to top management on the performance of the quality management system and any
need for improvement, and
c) ensuring the promotion of awareness of customer requirements throughout the organization.
NOTE The responsibility of a management representative can include liaison with external parties
on matters relating to the quality management system.
For a software-producing organization, there is benefit if the management representative has had
experience with software development.
5.5.3 Internal communication
ISO 9001:2008, Quality management systems requirements
5.5.3 Internal communication
Top management shall ensure that appropriate communication processes are established within the
organization and that communication takes place regarding the effectiveness of the quality
management system.
5.6 Management review
5.6.1 General
ISO 9001:2008, Quality management systems requirements
5.6.1 General
Top management shall review the organization’s quality management system, at planned intervals,
to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing
opportunities for improvement and the need for changes to the quality management system,
including the quality policy and quality objectives.
Records from management reviews shall be maintained (see 4.2.4).
5.6.2 Review input
ISO 9001:2008, Quality management systems requirements
5.6.2 Review input
The input to management review shall include information on
a) results of audits,
b) customer feedback,
c) process performance and product conformity,
d) status of preventive and corrective actions,
e) follow-up actions from previous management reviews,
f) changes that could affect the quality management system, and
g) recommendations for improvement.
Guidance is provided for ISO 9001:2008, 5.6.2, item c) as follows.
One way to measure process performance is to perform software process assessments (see 8.2.3). The
outcomes of software process assessments should be considered as input to management reviews.
One way to measure product conformity is to perform software product evaluation (see 8.2.4). The
outcomes of software product evaluation should be considered as input to management review.
5.6.3 Review output
ISO 9001:2008, Quality management systems requirements
5.6.3 Review output
The output from the management review shall include any decisions and actions related to
a) improvement of the effectiveness of the quality management system and its processes,
b) improvement of product related to customer requirements, and
c) resource needs.
6 Resource management
6.1 Provision of resources
ISO 9001:2008, Quality management systems requirements
6.1 Provision of resources
The organization shall determine and provide the resources needed
a) to implement and maintain the quality management system and continually improve its
effectiveness, and
b) to enhance customer satisfaction by meeting customer requirements.
6.2 Human resources
6.2.1 General
ISO 9001:2008, Quality management systems requirements
6.2.1 General
Personnel performing work affecting conformity to product requirements shall be competent on the
basis of appropriate education, training, skills and experience.
NOTE Conformity to product requirements can be affected directly or indirectly by personnel
performing any task within the quality management system.
NOTE For further information, see ISO/IEC 12207:2008 [5], 6.2.4, Human Resource Management Process.
6.2.2 Competence, awareness and training
ISO 9001:2008, Quality management systems requirements
6.2.2 Competence, training, and awareness
The organization shall
a) determine the necessary competence for personnel performing work affecting conformity to
product requirements,
b) where applicable, provide training or take other actions to achieve the necessary competence,
c) evaluate the effectiveness of the actions taken,
d) ensure that its personnel are aware of the relevance and importance of their activities and how
they contribute to the achievement of the quality objectives, and
e) maintain appropriate records of education, training, skills and experience (see 4.2.4).
The training needs should be determined considering the requirements notation, design methods, specific
programming languages, tools, techniques and computer resources to be used in the development and
management of the software product/project. It might also be useful to include training in the skills and
knowledge of the specific field within which the software is applied and in other topics such as project
management.
The technologies employed in software development, operation and maintenance should be continually
monitored and evaluated in order to determine requirements for updating staff skills.
The form of training need not be traditional training courses; it could be workshops,
computer-based training, self-study, mentoring, on-the-job training or web-based training.
Evaluation of the effectiveness of training may be performed using measurements of products
and processes, identifying areas of improvement in personal performance (among other areas for
improvement).
6.3 Infrastructure
ISO 9001:2008, Quality management systems requirements
6.3 Infrastructure
The organization shall determine, provide and maintain the infrastructure needed to achieve
conformity to product requirements. Infrastructure includes, as applicable,
a) buildings, workspace and associated utilities,
b) process equipment (both hardware and software), and
c) supporting services (such as transport, communication or information systems).
The infrastructure should include hardware, software, tools and facilities for development, operation or
maintenance of software.
The infrastructure may include software tools that support the design and development process
including the following:
a) tools, such as for analysis, design and development, configuration management, testing, project
management, documentation, code creation or generation;
b) application development and support environments;
c) knowledge management, intranet, extranet tools;
d) network tools, including security, backup, virus protection, firewall;
e) help desk and maintenance tools;
f) access controls;
g) software libraries;
h) operations control tools such as for network monitoring, systems management and storage
management.
Whether these tools and techniques are developed internally or are purchased, the organization should
evaluate whether or not they are fit for purpose. Tools used in the implementation of the product, such
as analysis and design and development tools, compilers and assemblers should be evaluated, approved
and placed under an appropriate level of configuration management control prior to use. The scope of
use of such tools and techniques may be documented with appropriate guidance, and their use reviewed,
as appropriate, to determine whether there is a need to improve and/or upgrade them.
NOTE For further information, see the following:
— ISO/IEC 12207:2008 [5], 6.2.2, Infrastructure Management Process;
— ISO/IEC 25001 [23] (Acquisition) and ISO/IEC 25040 [25] and 25041 [26] (Evaluation of a Software
Product);
— ISO/IEC 14102 [6].
6.4 Work environment
ISO 9001:2008, Quality management systems requirements
6.4 Work environment
The organization shall determine and manage the work environment needed to achieve conformity to
product requirements.
NOTE The term “work environment” relates to those conditions under which work is performed
including physical, environmental and other factors (such as noise, temperature,
...