Information technology — SOA Governance Framework

ISO/IEC 17998:2012 describes a framework that provides context and definitions to enable organizations to understand and deploy service-oriented architecture (SOA) governance. ISO/IEC 17998:2012 defines: SOA Governance, including its relationship to Business, IT, and EA governance; this assists organizations in understanding the impact that the introduction of SOA into an organization has on governance; an SOA Governance Reference Model (SGRM) and its constituent parts, which assists organizations in specifying their appropriate governance regimes and captures best practice as a basis for a common approach; and the SOA Governance Vitality Method (SGVM), which assists organizations in customizing the SGRM and realizing their SOA Governance Regimen. ISO/IEC 17998:2012 is not intended to be used as provided; it is intended to be customized to create appropriate SOA governance for the organization. Many of the lists are non-normative and exemplary, intended to be filtered and used as input to the customization process. ISO/IEC 17998:2012 does not include an explanation of the fundamentals and value of SOA, which is important for being able to understand and apply SOA governance. It lists some of the many other specifications and books that are available on SOA basics.

Technologies de l'information — Cadre de gouvernance SOA

General Information
Status: Published
Publication Date: 30-Aug-2012
Current Stage: 9060 - Close of review
Start Date: 03-Jun-2028
Effective Date: 06-Jun-2022

Buy Standard
ISO/IEC 17998:2012 - Information technology -- SOA Governance Framework (English language, 87 pages)

Standards Content (Sample)

INTERNATIONAL STANDARD ISO/IEC 17998
First edition 2012-09-01

Information technology — SOA Governance Framework
Technologies de l'information — Cadre de gouvernance SOA

Reference number ISO/IEC 17998:2012(E)
© ISO/IEC 2012

ISO/IEC 17998:2012(E)

COPYRIGHT PROTECTED DOCUMENT


© ISO/IEC 2012
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2012 – All rights reserved

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 17998 was prepared by The Open Group and was adopted, under the PAS procedure, by Joint
Technical Committee ISO/IEC JTC 1, Information technology, in parallel with its approval by national bodies of
ISO and IEC.

Technical Standard
SOA Governance Framework

Copyright © 2009, The Open Group
The Open Group hereby authorizes you to copy this document for non-commercial use within your organization only. In
consideration of this authorization, you agree that any copy of this document which you make shall retain all copyright
and other proprietary notices contained herein.
This document may contain other proprietary notices and copyright information.
Nothing contained herein shall be construed as conferring by implication, estoppel, or otherwise any license or right
under any patent or trademark of The Open Group or any third party. Except as expressly provided above, nothing
contained herein shall be construed as conferring any license or right under any copyright of The Open Group.
Note that any product, process, or technology in this document may be the subject of other intellectual property rights
reserved by The Open Group, and may not be licensed hereunder.
This document is provided "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR
A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. Some jurisdictions do not allow the exclusion of implied
warranties, so the above exclusion may not apply to you.
Any publication of The Open Group may include technical inaccuracies or typographical errors. Changes may be
periodically made to these publications; these changes will be incorporated in new editions of these publications. The
Open Group may make improvements and/or changes in the products and/or the programs described in these
publications at any time without notice.
Should any viewer of this document respond with information including feedback data, such as questions, comments,
suggestions, or the like regarding the content of this document, such information shall be deemed to be non-confidential
and The Open Group shall have no obligation of any kind with respect to such information and shall be free to
reproduce, use, disclose and distribute the information to others without limitation. Further, The Open Group shall be
free to use any ideas, concepts, know-how, or techniques contained in such information for any purpose whatsoever
including but not limited to developing, manufacturing, and marketing products incorporating such information.

Technical Standard
SOA Governance Framework
ISBN: 1-931624-82-8
Document Number: C093

Published by The Open Group, August 2009.

Comments relating to the material contained in this document may be submitted to:
The Open Group, Thames Tower, 37-45 Station Road, Reading, Berkshire, RG1 1LX, United Kingdom
or by electronic mail to: ogspecs@opengroup.org
Contents
1 Introduction .... 1
1.1 Objective .... 1
1.2 Overview .... 1
1.3 Conformance .... 2
1.4 Terminology .... 3
1.5 Future Directions .... 4
2 Background .... 6
2.1 SOA Challenges and Goals .... 6
2.2 SOA Governance .... 7
3 SOA Governance .... 9
3.1 SOA Governance Definition .... 9
3.2 SOA Governance Scope .... 10
3.3 SOA Governance Framework .... 10
3.3.1 SOA Governance Reference Model (SGRM) .... 11
3.3.2 SOA Governance Vitality Method (SGVM) .... 11
4 SOA Governance Reference Model (SGRM) .... 12
4.1 SOA Governance Guiding Principles .... 12
4.2 SOA Governing Processes .... 15
4.2.1 Compliance .... 15
4.2.2 Dispensation .... 16
4.2.3 Communication .... 16
4.3 Governed SOA Processes .... 18
4.3.1 Service Portfolio Management .... 19
4.3.2 Service Lifecycle Management .... 20
4.3.3 Solution Portfolio Management .... 21
4.3.4 SOA Solution Lifecycle .... 22
4.4 SOA Governance Roles and Responsibilities .... 24
4.5 SOA Governance Process Artifacts .... 27
4.6 SOA Governance Technology .... 29
5 SOA Governance Vitality Method (SGVM) .... 30
5.1 Plan Phase .... 31
5.1.1 Understand Current Governance Structures .... 31
5.1.2 Assess SOA Maturity .... 32
5.1.3 Develop SOA Governance Vision and Strategy .... 33
5.1.4 Develop SOA Governance Scope .... 33
5.1.5 Develop SOA Governance Principles .... 33
5.1.6 Develop SOA Governance Roadmap .... 34
5.2 Define Phase .... 34
5.2.1 Define Governed SOA Processes .... 35
5.2.2 Define Governing SOA Processes .... 36
5.2.3 Collect SOA Guidelines and Standards .... 36
5.2.4 Define SOA Governance Organization, Roles, and Responsibilities .... 36
5.2.5 Define SOA Governance Information Artifacts .... 36
5.2.6 Define SOA Governance Environment .... 37
5.2.7 Create Transition Plans .... 37
5.3 Implement Phase .... 38
5.3.1 SOA Governance Organization Transition Plan Implementation .... 39
5.3.2 SOA Governance Process Transition Plan Implementation .... 40
5.3.3 SOA Governance Technology Transition Plan Implementation .... 40
5.4 Monitor Phase .... 41
5.4.1 Monitor and Evaluate SOA Governed Processes .... 42
5.4.2 Monitor and Evaluate SOA Governing Processes .... 42
5.4.3 Monitor External Changes .... 42
5.4.4 Monitor and Evaluate SOA Guidelines Development .... 43
5.5 SGVM Use of SOA Governance Artifacts .... 43
A SOA Governance Process Activities .... 45
A.1 SOA Governing Processes .... 45
A.2 SOA Governed Processes .... 48
B SOA Governance Process Information Entities .... 72
B.1 SOA Governing Process Artifacts .... 73
B.2 SOA Governed Process Artifacts .... 73
B.3 SGVM Artifacts .... 79
C SOA Governance Metrics Example .... 81
D Relationships with Other SOA Standards .... 83


Preface
The Open Group
The Open Group is a vendor-neutral and technology-neutral consortium, whose vision of
Boundaryless Information Flow™ will enable access to integrated information within and
between enterprises based on open standards and global interoperability. The Open Group works
with customers, suppliers, consortia, and other standards bodies. Its role is to capture,
understand, and address current and emerging requirements, establish policies, and share best
practices; to facilitate interoperability, develop consensus, and evolve and integrate
specifications and Open Source technologies; to offer a comprehensive set of services to
enhance the operational efficiency of consortia; and to operate the industry's premier
certification service, including UNIX® certification.
Further information on The Open Group is available at www.opengroup.org.
The Open Group has over 15 years' experience in developing and operating certification
programs and has extensive experience developing and facilitating industry adoption of test
suites used to validate conformance to an open standard or specification.
More information is available at www.opengroup.org/certification.
The Open Group publishes a wide range of technical documentation, the main part of which is
focused on development of Technical and Product Standards and Guides, but which also
includes white papers, technical studies, branding and testing documentation, and business titles.
Full details and a catalog are available at www.opengroup.org/bookstore.
As with all live documents, Technical Standards and Specifications require revision to align with
new developments and associated international standards. To distinguish between revised
specifications which are fully backwards-compatible and those which are not:
• A new Version indicates there is no change to the definitive information contained in the
previous publication of that title, but additions/extensions are included. As such, it
replaces the previous publication.
• A new Issue indicates there is substantive change to the definitive information contained
in the previous publication of that title, and there may also be additions/extensions. As
such, both previous and new documents are maintained as current publications.
Readers should note that updates – in the form of Corrigenda – may apply to any publication.
This information is published at www.opengroup.org/corrigenda.
This Document
This document is the Technical Standard for the SOA Governance Framework. It has been
developed by the SOA Governance project of The Open Group SOA Working Group.
Trademarks
Boundaryless Information Flow™ and TOGAF™ are trademarks and Making Standards Work®,
The Open Group®, UNIX®, and the "X" device are registered trademarks of The Open Group in
the United States and other countries.
The Open Group acknowledges that there may be other brand, company, and product names
used in this document that may be covered by trademark protection and advises the reader to
verify them independently.
Acknowledgements
The Open Group gratefully acknowledges all contributors to the SOA Governance project, and
in particular the following individuals:
• Ali Arsanjani, IBM
• Stephen G. Bennett, Oracle (Former Co-Chair)
• William A. Brown, IBM
• Tony Carrato, IBM (Former Co-Chair)
• Carleen Christner, HP
• Jorge Diaz, IBM (Co-Chair)
• Steve Dupont, The Boeing Company
• Mats Gejnevall, Capgemini (Co-Chair)
• Chris Harding, The Open Group (Forum Director)
• Andrew Hately, IBM (Former Co-Chair)
• Heather Kreger, IBM
• Nikhil Kumar, ApTSi
• Bob Laird, IBM
• Milena Litoiu, CGI
• Ranu Pandit, Deloitte
• Vishal Prabhu, Deloitte
• Madhu Reddiboina, Deloitte
• Chuck Reynolds, Deloitte
• Mohan Venkataraman, Deloitte
• Bobbi Young, Unisys
Referenced Documents
The following documents are referenced in this Technical Standard:
• Introduction to SOA Governance and Service Lifecycle Management, Bill Brown, IBM,
March 2009; refer to:
ftp://ftp.software.ibm.com/software/soa/pdf/IBMSGMMOverview.pdf
• Introduction to SOA Governance: The official IBM definition and why you need it,
Bobby Woolf, IBM developerWorks, July 2007; refer to:
www.ibm.com/developerworks/webservices/library/ar-servgov
• Navigating the SOA Open Standards Landscape Around Architecture, Joint White Paper
from OASIS, OMG, and The Open Group, July 2009 (W096); refer to:
www.opengroup.org/bookstore/catalog/w096.htm
• OASIS Reference Model for SOA (SOA RM), Version 1.0, OASIS Standard, 12 October
2006; refer to: docs.oasis-open.org/soa-rm/v1.0/soa-rm.pdf
• OECD Corporate Governance Principles 2004, Organization for Economic Cooperation
and Development; available from: www.oecd.org
• SOA Source Book, C. Harding (editor), The Open Group, 2009; refer to:
www.opengroup.org/bookstore/catalog/g093.htm
• The Open Group Architecture Framework (TOGAF); refer to:
www.opengroup.org/architecture/togaf9
• The Open Group SOA Integration Maturity Model (OSIMM), Technical Standard, August
2009 (C092); refer to: www.opengroup.org/bookstore/catalog/c092.htm
See also Appendix D.

1 Introduction
1.1 Objective
This document describes a framework that provides context and definitions to enable
organizations to understand and deploy SOA governance.
This document defines:
• SOA Governance, including its relationship to Business, IT, and EA governance; this
assists organizations in understanding the impact that the introduction of SOA into an
organization has on governance
• An SOA Governance Reference Model (SGRM) and its constituent parts, which assists
organizations in specifying their appropriate governance regimes; and capturing best
practice as a basis for a common approach
• The SOA Governance Vitality Method (SGVM) which assists organizations in
customizing the SGRM and realizing their SOA Governance Regimen
This document is not intended to be used as provided; it is intended to be customized to create
appropriate SOA governance for the organization. Many of the lists are non-normative and
exemplary, intended to be filtered and used as input to the customization process.
This document does not include an explanation of the fundamentals and value of SOA which is
important for being able to understand and apply SOA governance. Many other specifications
and books are available on SOA basics (see Referenced Documents and Appendix D).
1.2 Overview
Many companies have adopted Service-Oriented Architecture (SOA) as an approach to
architecture to assist in closing the business and IT gap by delivering the appropriate business
functionality in a timely and efficient manner. For more details on this, refer to available books
and standards on SOA (see Referenced Documents and Appendix D).
Many companies that have approached SOA via a pilot project have not been seeing the same
demonstrated SOA benefits once they have deployed a fully-fledged SOA project. While pilot
projects achieved a level of re-use, they have tended to be within one division, but as soon as a
project boundary crosses multiple divisions, new challenges are encountered.
One of the key disciplines to assist in addressing these challenges is governance. Whilst
governance has been around a long time, SOA has heightened the need and importance of
having a formal SOA Governance Regimen that sets expectations and eases the transition of an
organization to SOA by providing a means to reduce risk, maintain business alignment, and
show business value of SOA investments through a combination of people, process, and
technology. The role of the SOA Governance Regimen is to create a consistent approach across
processes, standards, policies, and guidelines while putting compliance mechanisms in place.
Most organizations already have a governance regimen for their IT department covering project
funding, development, and maintenance activities. These tend to have been defined using either
one of the formal standard IT governance frameworks – such as COBIT, ITIL, etc. – or an
informal in-house governance framework that has been built over many years. The focus of The
Open Group's initial release of an SOA Governance Framework is primarily based on the IT
aspects of SOA governance.
This document contains a description of the governance activities that are impacted by SOA, and
puts forward some best practice governance rules and procedures for those activities. In order to
specify the changes necessary to accommodate SOA in an existing governance regime, the
governance activities described in this document must be mapped and integrated to the activities
being utilized in the existing regime. Many of the lists provided with the explanations of the
SGRM and SGVM are non-normative examples intended to provide a starting point for
customization to the SOA solution.
This document is organized as follows:
• This chapter provides a general introduction.
• Chapter 2 discusses the background to SOA governance, describing the reasons why
governance is important for SOA, the challenges involved, and the benefits that should be
achieved.
• Chapter 3 defines SOA governance and explains The Open Group SOA Governance
Framework.
• Chapter 4 defines the generic SOA Governance Reference Model (SGRM) used as a
baseline for tailoring an SOA Governance Model for an organization.
• Chapter 5 defines the SOA Governance Vitality Method (SGVM) which describes a
method using the generic SGRM to instantiate an organizational unique SOA Governance
Model.
• Appendix A describes the SOA governance process activities.
• Appendix B describes the SOA governance process information entities.
• Appendix C provides an SOA governance metrics example.
• Appendix D describes the relationship of this document to other SOA standards.
1.3 Conformance
The SOA Governance Framework does not have strict compliance statements or testing. It is
expected that this Technical Standard will be customized appropriately into a governance
regimen for the industry or organization applying it.

For those SOA Governance Regimens to be conformant with this Technical Standard, they must
have at least the following processes defined:
• Compliance process
• Dispensation process
• Communication process
The SGVM must also be defined for the organization.
The nature and extensiveness of the guidelines and the governed processes depends upon the
SOA maturity of the organization; therefore, SOA governance conformance does not assert any
requirements on them.
1.4 Terminology
Can: Describes a permissible optional feature or behavior available to the user or application. The feature or behavior is mandatory for an implementation that conforms to this document. An application can rely on the existence of the feature or behavior.
Implementation-dependent: (Same meaning as "implementation-defined".) Describes a value or behavior that is not defined by this document but is selected by an implementer. The value or behavior may vary among implementations that conform to this document. An application should not rely on the existence of the value or behavior. An application that relies on such a value or behavior cannot be assured to be portable across conforming implementations. The implementer shall document such a value or behavior so that it can be used correctly by an application.
Legacy: Describes a feature or behavior that is being retained for compatibility with older applications, but which has limitations which make it inappropriate for developing portable applications. New applications should use alternative means of obtaining equivalent functionality.
May: Describes a feature or behavior that is optional for an implementation that conforms to this document. An application should not rely on the existence of the feature or behavior. An application that relies on such a feature or behavior cannot be assured to be portable across conforming implementations. To avoid ambiguity, the opposite of "may" is expressed as "need not", instead of "may not".
Must: Describes a feature or behavior that is mandatory for an application or user. An implementation that conforms to this document shall support this feature or behavior.
Shall: Describes a feature or behavior that is mandatory for an implementation that conforms to this document. An application can rely on the existence of the feature or behavior.
Should: For an implementation that conforms to this document, describes a feature or behavior that is recommended but not mandatory. An application should not rely on the existence of the feature or behavior. An application that relies on such a feature or behavior cannot be assured to be portable across conforming implementations. For an application, describes a feature or behavior that is recommended programming practice for optimum portability.
Undefined: Describes the nature of a value or behavior not defined by this document that results from use of an invalid program construct or invalid data input. The value or behavior may vary among implementations that conform to this document. An application should not rely on the existence or validity of the value or behavior. An application that relies on any particular value or behavior cannot be assured to be portable across conforming implementations.
Unspecified: Describes the nature of a value or behavior not specified by this document that results from use of a valid program construct or valid data input. The value or behavior may vary among implementations that conform to this document. An application should not rely on the existence or validity of the value or behavior. An application that relies on any particular value or behavior cannot be assured to be portable across conforming implementations.
Will: Same meaning as "shall"; "shall" is the preferred term.
1.5 Future Directions
The current version of this Technical Standard defines a core SOA Governance Framework.
Future versions could evolve the material and expand on a variety of relevant topics. The
following are some possible areas:
• Meta-model: The current document expands on a variety of topics. It would be beneficial
to have a meta-model that explicitly represents the various framework elements. This
would help avoid possible ambiguities, and enable possible tool automation.
• Compliance: Most of the current conformance text (Section 1.3) is not normative. Future
versions could provide more specific guidance regarding what constitutes adherence to
this specification.
• Maturity Model: The method and model shown in this document provide key conceptual
tools for defining an SOA governance effort. Complementary to them is an SOA
Governance Maturity Model, which can be used within the Plan phase, helping to define
more robust roadmaps. This maturity model would be synchronized with the OSIMM
effort.
• Policy: The topic of policy is important to governance. Further versions expect to expand
on its relationship with the rest of the model concepts.
• Control Gates: The topic of control gates is important to governance. Further versions
expect to expand on its relationship with the rest of the model concepts.
• Business Governance: Business governance refers to the set of processes, customs,
policies, laws, and institutions affecting the way in which an organization is directed,
administered, or controlled. The primary focus of this SOA Governance Framework
version is on the IT aspects of SOA governance, with a small number of key business
governance items. However, additional business governance aspects will enhance the
completeness of an overall SOA governance program.
• Governance Model Maps: More detailed positioning relative to other relevant governance
models (e.g., COBIT, ITIL) could be added.
• Other Topics: For example, description of SOA governance for particular contexts; e.g.,
external ecosystems, and positioning of SOA governance with TOGAF governance, as
well as working with OASIS and OMG to ensure alignment around SOA governance.
Further information on this alignment work and its current status is in Appendix D.
• Examples: By the time future versions are written, there will have been time for examples
of the specification in use to be defined. These examples could be added to provide further clarity.

2 Background
2.1 SOA Challenges and Goals
While this Technical Standard focuses on the governance considerations of SOA solutions, it is
important to set the stage with an understanding of SOA. Other specifications and
...
