ISO/IEC 16350:2015
(Main)Information technology — Systems and software engineering — Application management
Information technology — Systems and software engineering — Application management
ISO 16350:2015 establishes a common framework for application management processes with well-defined terminology that can be referenced by the software industry. It contains processes, activities, and tasks that apply during the stage of operation and use from the point of view of the supplier organization that enhances, maintains, and renews the application software and the software-related products such as data-structures, architecture, designs, and other documentation. It applies to the supply, maintenance, and renewal of applications, whether performed internally or externally with respect to the organization that uses the applications.
Technologies de l'information — Gestion d'application — Exigences pour la gestion d'application
General Information
Standards Content (Sample)
INTERNATIONAL ISO/IEC
STANDARD 16350
First edition
2015-08-01
Information technology — Systems
and software engineering —
Application management
Technologies de l’information — Gestion d’application — Exigences
pour la gestion d’application
Reference number
ISO/IEC 16350:2015(E)
©
ISO/IEC 2015
---------------------- Page: 1 ----------------------
ISO/IEC 16350:2015(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2015 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 16350:2015(E)
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
1.1 General . 1
1.2 Applicability . 4
1.2.1 Audience. 4
1.2.2 Field of application . 5
1.3 Limitations . 5
2 Conformance . 6
2.1 Intended usage . 6
2.2 Full conformance. 6
2.2.1 General. 6
2.2.2 Full conformance to outcomes . 6
2.2.3 Full conformance to tasks . 6
2.3 Tailored conformance . 6
3 Normative references . 7
4 Terms and definitions . 7
5 Application Management Processes .13
5.1 Application Support Processes .13
5.1.1 Use Support .13
5.1.2 Configuration Management .15
5.1.3 Application Operation Management .18
5.1.4 Continuity Management .21
5.2 Application Maintenance and Renewal Processes .23
5.2.1 Impact Analysis .23
5.2.2 Software Design .26
5.2.3 Software Construction and Integration .29
5.2.4 Software Testing .33
5.2.5 Preparation of Transfer to Production .35
5.3 Connecting Processes .37
5.3.1 Application Change Management .38
5.3.2 Software Control and Distribution .40
5.4 Management Processes .42
5.4.1 Agreement Management .42
5.4.2 Planning and Control.45
5.4.3 Quality Management .49
5.4.4 Financial Management .52
5.4.5 Supplier Management .55
5.5 Application Strategy Processes .58
5.5.1 Analysis of Developments in IT .58
5.5.2 Customer Organizations Analysis .59
5.5.3 Customer Environment Analysis .60
5.5.4 Application Life Cycle Management .62
5.5.5 Application Portfolio Management .63
5.6 Application Management Organization Strategy Processes .65
5.6.1 Account and Market Definition .65
5.6.2 Capabilities Definition .66
5.6.3 Technology Definition .68
5.6.4 Sourcing Definition .69
5.6.5 Service Delivery Definition .71
Annex A (informative) Explanatory statements .75
Annex B (normative) Tailoring Process .77
© ISO/IEC 2015 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 16350:2015(E)
Annex C (informative) Process Reference Model for assessment purposes .79
Annex D (informative) Relationship to ISO/IEC 15504-8:2012 .81
Annex E (informative) References made to ISO/IEC 20000-1 and ISO/IEC 12207 .82
Bibliography .85
iv © ISO/IEC 2015 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 16350:2015(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
Details of any patent rights identified during the development of the document will be in the Introduction
and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT) see the following URL: Foreword - Supplementary information.
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee
SC 7, Software and systems engineering.
Its contents are based on the Dutch national standard, NEN 3434, Information technology — Application
management — Requirements for application management, which will be withdrawn after publication of
this International Standard.
© ISO/IEC 2015 – All rights reserved v
---------------------- Page: 5 ----------------------
ISO/IEC 16350:2015(E)
Introduction
Applications can live for decades. Applications that were developed twenty or thirty years ago are still
being used and most applications that have recently been developed will still be in use for the many
years to come. During their life cycle, these applications and the related data structures will have to be
monitored, enhanced, and sometimes renewed or renovated. This means that very often, in total, more
money and work is needed for the stage of operation and use than for the initial development stage.
But the emphasis very often lies at the initial development stage; there are various frameworks and
(international) standards covering initial application development. For the stage of operation and use,
there are little frameworks and standards. This International Standard has been developed to fill this gap.
initial
Stage of operation
development
anduse
Figure 1 — Stage of the lifecycle in scope
The initial development of applications usually takes place in a rather protected project environment
with a relatively small amount of operational interaction with the business processes, as they are not yet
supported by the application under development. The project has its own pace and rules, its own governance,
and a limited lifespan. In the final development stage, the application is transferred to operation then the
rules change. The business processes of the user organizations become largely or fully dependent on the
application. In that stage, the following two major types of actions will have to take place:
a) supporting use and operation of the application;
b) adapting the application based on changing demands or based on quality improvements (fixes,
patches, and releases).
These actions and all the responsibilities, activities, and tasks around it, we call application management
and the stage in which a version of an application actually is in use and in operation is the subject of this
International Standard.
This International Standard aims to offer application management organizations a well-defined, directly
applicable, and complete standard for their specific activities. Although this International Standard is
partially overlapping with ISO/IEC 20000 and ISO/IEC 12207, this International Standard is a standard
organized from the viewpoint of application management and contributes to the convenience of users
who work in that area.
This International Standard provides a common framework for establishing the processes, tasks, and
activities of service providers that enhance, maintain, and/or renew applications or application objects
after the initial development (that is at the stage of exploitation and use) and that supports other service
providers that run the application in production environments and user organizations that use the
applications.
This International Standard also supports the definition, control, assessment, and improvement of such
processes. These processes can be applied uniquely, in conjunction, sequentially, or in parallel.
vi © ISO/IEC 2015 – All rights reserved
---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO/IEC 16350:2015(E)
Information technology — Systems and software
engineering — Application management
1 Scope
1.1 General
This International Standard establishes a common framework for application management processes
with well-defined terminology that can be referenced by the software industry. It contains processes,
activities, and tasks that apply during the stage of operation and use from the point of view of the supplier
organization that enhances, maintains, and renews the application software and the software-related
products such as data-structures, architecture, designs, and other documentation.
This International Standard applies to the supply, maintenance, and renewal of applications, whether
performed internally or externally with respect to the organization that uses the applications.
Application management comprises all of the tasks, responsibilities, and activities with the aim that
the support of business processes by applications continues to meet the requirements and needs of the
organizations that use these applications throughout the entire life span of their business processes.
This International Standard therefore focuses on the following:
— day-to-day management of applications (the software) and the related data structures and support
of costumer organizations, including handling calls such as incidents and service requests;
— maintenance and renewal of applications and data structures in accordance with changing
requirements and needs;
— opportunities, threats, and changes in the business and/or technology that influence the future of
the applications and, based on that, the strategy for maintaining and renewing the applications;
— organization and strategy of application management organizations.
Before retirement, the life cycle of an application consists of two important stages: the stage of initial
development of the application and the stage of operation and use (when the software is in use, in
operation, supported, modified, and renewed). This stage of operation and use is the subject of this
International Standard. The initial development of an application is not within the scope of this
International Standard, however the project that is responsible for the initial development has to
take the requirements of the application management organization that will enhance and maintain
the application into consideration. This means that the application management organization will
ask the project to deliver initial requirements, architecture products, design, standards, and other
documentation, in order to use these products during enhancement and maintenance.
© ISO/IEC 2015 – All rights reserved 1
---------------------- Page: 7 ----------------------
ISO/IEC 16350:2015(E)
Stage of operationand use
Initial development
of application
IT
infrastructure
management
Business
information
management
Application
management
Figure 2 — Domains involved
In the stage of operation and use, the following three domains play a role:
a) business information management representing the business and end users of the application (use);
b) IT infrastructure management hosting the application (operation) and maintaining the technical
infrastructure;
c) application management
1) supporting the use and the operation;
2) maintaining and renewing the application software and data structures.
Business information management constitutes the demand side of information technology (IT) and
information provisioning. Business information management is responsible for supporting users in the
use of the information provisioning and represents the business organization as the client of the IT-
suppliers. Business information management acts as the customer of the IT organizations (application
management plus IT infrastructure management).
Specific tasks of business information management include the following:
— support of end users in how the information provisioning are to be used;
— define how information and IT are to look like (the functionality, the appearance, etc);
— advise and support business management with the prioritization of requirements and management
of their budgets for IT;
— assign work to IT providers and monitor their delivered services;
— define long term policy and plans regarding the information provisioning.
IT infrastructure management is responsible for managing the operation of the information system,
including maintaining the infrastructure (e.g. network, hardware), running the software, and data
processing. In brief, this is the organization that runs the information systems and aims to keep the
infrastructure in good order.
The activities of business information management and IT infrastructure management are closely
related to application management but not within the scope of this International Standard.
Application management is responsible for the management and maintenance of the application and
definition of the data structures used in databases and data files. This form of management requires
knowledge of software programming, information system development, design, day-to-day management
of applications, and application maintenance. Core qualities of the application management personnel are
in-depth knowledge of the customer or (at least) in-depth knowledge of the customer’s business processes
and in-depth knowledge of the existing applications (application objects), design, architecture, etc.
2 © ISO/IEC 2015 – All rights reserved
---------------------- Page: 8 ----------------------
ISO/IEC 16350:2015(E)
This International Standard consists of the following three levels of processes:
— operational;
— managerial;
— strategic.
These process levels and the processes are interconnected with one another.
Figure 3 provides an overview of the processes within each of the process levels.
Figure 3 — Process overview
There are no separate processes defined for security, issues, risks, and/or vulnerability. These topics
form an important part of the Continuity Management Process, but they are also part of other processes.
Security, for instance, is an important part of the functionality of the application, so it is addressed in the
Impact Analysis process and dealt with within the specifications of the application and defined in the
Software Design Process and also within the service levels and, therefore, specified in the Agreement
Management and Supplier Management Processes. Other processes which deal with these topics are the
management processes planning and control, quality management and financial management, and, for
instance, the strategic process technology definition, where risk and vulnerability are important features.
© ISO/IEC 2015 – All rights reserved 3
---------------------- Page: 9 ----------------------
ISO/IEC 16350:2015(E)
1.2 Applicability
1.2.1 Audience
This International Standard is intended to be used by application management organizations. The
application management service providers that enhance, maintain, and/or renew applications or
application objects and that support infrastructure management organizations and user organization
in the stage operation and use.
Other users of this International Standard can be application software developers, quality assurance
managers (or consultants), and customers of application management organizations.
The purpose of this International Standard is to provide a defined set of processes to facilitate
communication among all parties involved in application management.
Different parties can carry out different activities in the field of application management. For example,
some parties are responsible for maintenance of the application after the development stage while others
also support the user organization and the IT infrastructure management organization. Some parties
just change the software items while others are responsible for the entire chain of impact analysis,
design, build, test, and release of changes. These different parties can be all in one organization or in
different internal and external organizations.
Key
AM application management
COTS commercial off-the-shelf
SaaS software as a service
Figure 4 — Examples of application management organizations
The following are examples of different types of application management organizations shown in Figure 4:
— organization that produces and maintains a specific component;
— organization that supplies and maintains standard products or standard components;
— organization that delivers custom services to an individual customer, either with or without
integration with other systems or the infrastructure;
— organization that manages and maintains a custom application;
4 © ISO/IEC 2015 – All rights reserved
---------------------- Page: 10 ----------------------
ISO/IEC 16350:2015(E)
— organization that implements software.
The following are other examples of application management organizations:
— integrator that merges or combines services;
— producer of configurable software platforms;
— organization that configures and maintains such platforms for customers.
These types of application management organizations have a strong impact on the way in which the
processes are implemented and operated. The processes shown in Figure 3 therefore vary in importance
and characteristics.
1.2.2 Field of application
This International Standard is applicable to all the following organizations using the processes that play
a role in application management within the scope mentioned in 1.1:
— anyone performing application management activities;
— those responsible for establishing and continuously improving application management processes;
— those responsible for executing application management processes at a project level;
— customers and suppliers involved in subcontracting application management activities;
— those responsible for assessing application management processes.
Annex C provides information regarding the use of the application management processes as a process
reference model. It defines the basic activities needed to perform tailoring of this International
Standard. It has to be noted that tailoring might diminish the perceived value of a claim of conformance
to this International Standard. An organization asserting a single-party claim of conformance to this
International Standard might find it advantageous to claim full conformance to a smaller list of processes
rather than tailored conformance to a larger list of processes.
1.3 Limitations
The initial development of an application is not within the scope of this International Standard.
The activities of business information management and IT infrastructure management are not within
the scope of this International Standard.
This International Standard does not detail the application management processes in terms of methods
or working procedures required to meet the requirements and outcomes of a process.
This International Standard does not detail documentation to be used or produced within the activities
described in the processes in Clause 5 in terms of name, format, explicit content, and recording media.
The International Standard might require development of documents of similar class or type. The
International Standard, however, does not imply that such documents have to be developed or packaged
separately or combined in some fashion. These decisions are left to the user of this International Standard.
This International Standard does not prescribe a specific application management methodology, design
methodology, development methodology, test methodology, project management method, or other
methods, models, or techniques. The users of this International Standard are responsible for selecting
these methods and mapping the processes, activities, and tasks in this International Standard onto
those methods. The users of this International Standard are also responsible for selecting and applying
the methods and for performing the activities and tasks suitable for application management.
This International Standard is not intended to be in conflict with any organization’s policies, procedures,
and standards or with any national laws and regulations. Any such conflict has to be resolved before
using this International Standard.
© ISO/IEC 2015 – All rights reserved 5
---------------------- Page: 11 ----------------------
ISO/IEC 16350:2015(E)
2 Conformance
2.1 Intended usage
The requirements in this International Standard are contained in Clause 5 and Annex B. This International
Standard provides requirements for a number of processes suitable for usage in the field of application
management. It is recognized that particular projects or organizations might not need to use all of the
processes provided by this International Standard. Therefore, implementation of this International
Standard typically involves selecting and declaring
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.