ISO/IEC TS 33030:2017

TECHNICAL ISO/IEC TS
SPECIFICATION 33030
First edition
2017-04
Information technology — Process
assessment — An exemplar
documented assessment process
Technologies de l’information — Évaluation des procédés — Un
exemple documenté d’évaluation des procédés
Reference number
©
ISO/IEC 2017
© ISO/IEC 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2017 – All rights reserved

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Documented assessment process . 1
4.1 General . 1
4.2 Initiate the assessment . 4
4.2.1 Overview . 4
4.2.2 Tasks . 5
4.3 Plan the assessment .12
4.3.1 Overview .12
4.3.2 Tasks .13
4.4 Brief the assessment participants .16
4.4.1 Overview .16
4.4.2 Tasks .17
4.5 Collect the data .18
4.5.1 Overview .18
4.5.2 Tasks .18
4.6 Validate the data .19
4.6.1 Overview .19
4.6.2 Tasks .20
4.7 Determine the results .21
4.7.1 Overview .21
4.7.2 Tasks .21
4.8 Report the Assessment .23
4.8.1 Overview .23
4.8.2 Tasks .23
Annex A (informative) Work product descriptions .25
Annex B (informative) Conformity of the documented assessment process .31
Bibliography .33
© ISO/IEC 2017 – All rights reserved iii

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: w w w . i s o .org/ iso/ foreword .html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 7, Software and systems engineering.
The ISO/IEC 15504 series is being revised as the ISO/IEC 330XX family.
This document replaces the contents of ISO/IEC 15504-3:2004, Annex A.
iv © ISO/IEC 2017 – All rights reserved

Introduction
This document provides an exemplar documented assessment process which includes the minimum
elements needed as a basis for performing a process assessment. It is applicable for performing process
assessments across all types of organizations using a variety of methods, techniques and tools.
The formal entry to the assessment process occurs with the assessment sponsor’s commitment to
proceed. The assessment input may then be compiled including the definition of responsibilities for
performing the assessment. After the assessment inputs are compiled, the assessment activities may
proceed which end with the production of the assessment report, its delivery to the Sponsor, and the
verification of the conformity of the assessment.
© ISO/IEC 2017 – All rights reserved v

TECHNICAL SPECIFICATION ISO/IEC TS 33030:2017(E)
Information technology — Process assessment — An
exemplar documented assessment process
1 Scope
This document contains an exemplar documented assessment process, and serves as guidance on the
nature of activities required by this document. The content of this exemplar contains the minimum
elements of a documented assessment process applicable for performing all classes of assessments as
defined in ISO/IEC 33002. See also Annex B.
This document is suitable for all classes of assessments defined in ISO/IEC 33002.
This exemplar includes the activities by describing the tasks, inputs, outputs and the assessment-related
roles and responsibilities. This description implicitly contains other elements that could comprise the
process, like purpose, initial/end conditions, additional supporting roles/responsibilities or necessary
resources.
While this exemplar contains all of the activities that are considered to be required for a process
assessment, it is the case that variation exists in individual process assessments, and therefore, some
degree of tailoring of this assessment process could be required. Tailoring of the assessment process is
permitted, though it is the responsibility of the Lead Assessor and it would need to be conformant to
the requirements of ISO/IEC 33002.
This document is not intended for use in performing organizational maturity assessments.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 33001:2015, Information technology — Process assessment — Concepts and terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 33001 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http:// www .electropedia .org/
— ISO Online browsing platform: available at http:// www .iso .org/ obp
4 Documented assessment process
4.1 General
This documented assessment process includes the definition of the activities which are performed
between the start and formal end of an assessment. It does not cover additional tasks involved in
utilizing the results of the assessment. The assessment process consists of the following activities:
© ISO/IEC 2017 – All rights reserved 1

Each activity is described by defining the principal tasks to be executed, the roles and responsibilities
for each task and the corresponding necessary inputs and achieved outputs.
The documented assessment process may be tailored in order to address variations in organizational
scope, business context or process implementation. Tailoring may include:
— variation or deletion of individual tasks within an activity,
— modification of inputs, outputs and sources of information, and
— changes in the assignment of roles and responsibilities within the assessment.
All high-level tasks should be addressed in the assessment and all task outcomes achieved. If the
process is tailored, the extent of tailoring and demonstration of achievement of outcomes should be
documented.
For the description of the roles involved in the tasks, the following abbreviations and definitions are used:
LAC: Local Assessment Co-ordinator
Individual or entity, who takes responsibility for the organization of the assessment within
the organizational unit assessed.
SP: Sponsor
Individual or entity, internal or external to the organizational unit to be assessed, who re-
quires the assessment to be performed, and provides financial or other resources to carry it
out (see ISO/IEC 33001:2015, 3.2.9).
A: Assessor
Individual who participates in the rating of process attributes (see ISO/IEC 33001:2015,
3.2.11). Assessors have appropriate education, training and both capability assessment
experience and domain experience to perform the required class of assessment and make
professional judgments (see ISO/IEC 33001:2015, 3.2.11).
LA: Lead Assessor
Assessor who has demonstrated the competencies to conduct an assessment and to monitor
and verify the conformity of a process assessment (see ISO/IEC 33001:2015, 3.2.12).
P: Participant
Individual from the organizational unit to be assessed, who takes part in the assessment.
For the description of the roles involved in the tasks, the following abbreviations are used:
2 © ISO/IEC 2017 – All rights reserved

R: Responsible
Those who do the work to achieve the task. There is at least one role with a participation
type of responsible, although others can be delegated to assist in the work required (see
also RACI below for separately identifying those who participate in a supporting role).
A: Accountable (also approver or final approving authority)
The one ultimately answerable for the correct and thorough completion of the deliverable or
task, and the one who delegates the work to those responsible. In other words, an account-
able should sign off (approve) work that responsible provides. There should be only one
accountable specified for each task or deliverable.
© ISO/IEC 2017 – All rights reserved 3

C: Consulted (sometimes counsel)
Those whose opinions are sought, typically subject matter experts, and with whom there is
two-way communication.
I: Informed
Those who are kept up-to-date on progress, often only on completion of the task or delivera-
ble; and with whom there is just one-way communication.
NOTE While the role definitions provided above are considered to represent the standard approach to
responsibility distribution, it is possible that individual assessments extend or reduce these role definitions as is
appropriate for a given assessment. For example, the SP could be knowledgeable of process assessment and could
therefore participate in the detailed aspects of the assessment. The LAC could also be capable of performing
a greater role in the process assessment depending on their knowledge and training with respect to process
assessment.
4.2 Initiate the assessment
4.2.1 Overview
Activity Initiate the assessment
Brief The first step in the assessment process is to identify the relevant parties involved
description in the assessment, collect the required information and make necessary decisions
to set up the assessment plan.
Outcomes The following outcomes shall be achieved when performing this activity:
1) Identify the sponsor and define the purpose of the assessment and define the
class of assessment;
2)  Define the scope of the assessment and what constraints, if any, apply to the
assessment;
3)  Identify any additional information that needs to be gathered;
4)  Identify the assessment participants and the assessment team and define the
roles of team members;
5)  Define all assessment inputs and obtain sponsor approval for all assessment
inputs.
4 © ISO/IEC 2017 – All rights reserved

Tasks The following tasks shall be executed to achieve the outcomes of this activity:
4.2.2.1   Identify the sponsor and the sponsor’s relationship
4.2.2.2   Select the type and level of independence
4.2.2.3   Identify criteria for the competence of the Lead Assessor
4.2.2.4   Select the Lead Assessor
4.2.2.5   Select the Local Assessment Co-ordinator
4.2.2.6   Identify business context
4.2.2.7   Define the assessment purpose
4.2.2.8   Define the class of assessment
4.2.2.9   Identify the Process Assessment Model
4.2.2.10  Identify the need for and approve confidentiality agreements
4.2.2.11  Submit Pre-Assessment Questionnaires to the Local Assessment Co-ordi-
nator (optional)
4.2.2.12  Identify the assessment team structure
4.2.2.13  Establish the communication plan
4.2.2.14  Define the assessment scope
4.2.2.15  Specify the rating method(s)
4.2.2.16  Specify the aggregation method(s)
4.2.2.17  Specify constraints on the conduct of the assessment
4.2.2.18  Map the organizational unit to the Process Assessment Model
4.2.2.19  Identify any additional information
4.2.2.20  Review all inputs
4.2.2.21  Obtain sponsor approval
4.2.2 Tasks
4.2.2.1 Identify the sponsor and the sponsor’s relationship
Identify the sponsor and the sponsor’s relationship to the organizational unit(s) to be assessed.
Responsible SP LA A LAC P
A, R I — — —
(R, A, C, I)
Task inputs —  Formal or informal assessment inquiry
—  Information about the organization or organizational unit(s) to be assessed
Task outputs —  Commitment of the sponsor or contract with the sponsor’s organization
© ISO/IEC 2017 – All rights reserved 5

4.2.2.2 Select the type and level of independence
Select the type and level of independence of the body performing the assessment according to the
selected class of assessment.
NOTE  The requirements for the type and level of independence of the body performing the assess-
ment are defined in ISO/IEC 33002:2015, 4.6.
Responsible SP LA A LAC P
A, R I — — —
(R, A, C, I)
Task inputs —  Definition of the class of assessment
Task outputs —  Definition of type and level of independence of the assessment body doc-
umented in the preliminary assessment plan
4.2.2.3 Identify criteria for the competence of the Lead Assessor
Identify criteria for competence of the Lead Assessor.
Responsible SP LA A LAC P
A, R I — — —
(R, A, C, I)
Task inputs —  Information obtained from sponsor
—  Application or domain specific requirements for assessor competencies
—  Information about the qualification of Lead Assessors
Task outputs —  Criteria for competence of the Lead Assessor
4.2.2.4 Select the Lead Assessor
Select the Lead Assessor, who will lead the assessment team and ensure that the persons nominated
possess the necessary competency and skills. The Lead Assessor shall have the required competen-
cies to perform the assessment.
Responsible SP LA A LAC P
A, R I — — —
(R, A, C, I)
Task inputs —  Information about the Lead Assessor
Task outputs —  Commitment between the assessing organization and the Lead Assessor
4.2.2.5 Select the Local Assessment Co-ordinator
Select the Local Assessment Co-ordinator. The Local Assessment Co-ordinator (LAC) manages the
assessment logistics and interfaces with the organizational unit.
Responsible SP LA A LAC P
A, C R — I —
(R, A, C, I)
Task inputs —  Information about the organization to be assessed
Task outputs —  Commitment between the organization to be assessed and the local as-
sessment coordinator
6 © ISO/IEC 2017 – All rights reserved

4.2.2.6 Identify business context
Identify business context including the goals of the organization to be assessed
Responsible SP LA A LAC P
I A, R — C —
(R, A, C, I)
Task inputs —  Information about the organization or organizational unit(s)
—  Previous audit reports and assessment reports, if available
Task outputs —  Information about the business context
4.2.2.7 Define the assessment purpose
Define the assessment purpose including alignment with business context (where appropriate).
NOTE  An assessment purpose may be for example: (i) to identify strengths and weaknesses in exist-
ing processes; (ii) to obtain a process quality (e.g. capability) rating.
Responsible SP LA A LAC P
A R — C —
(R, A, C, I)
Task inputs —  Information about the business context
Task outputs —  Information about the assessment purpose
4.2.2.8 Define the class of assessment
Define the class of assessment such as is appropriate to the assessment purpose.
NOTE  The requirements for the assessment class are defined in ISO/IEC 33002:2015, 4.6. Any class
from ISO/IEC 33002 can be chosen according to the purpose of the assessment.
Responsible SP LA A LAC P
A R — I —
(R, A, C, I)
Task inputs —  Information about the assessment purpose
Task outputs —  Definition of class of assessment documented in the preliminary assess-
ment plan
4.2.2.9 Identify the Process Assessment Model
Identify the Process Assessment Model conformant to ISO/IEC 33004 including the identification
of any requirements for coverage of the organizational scope or the process scope of the assessment
as defined for the class of the assessment to be used.
—  Specify the relevant process reference model(s) conformant to ISO/IEC 33004.
—  Specify the relevant process measurement framework conformant to ISO/IEC 33003.
—  Define the process quality characteristic to be investigated, including the highest process
quality level for each individual process within the assessment scope.
Responsible SP LA A LAC P
I A, R — I —
(R, A, C, I)
Task inputs —  Definition of the class of assessment
—  Process reference model
—  Measurement framework
Task outputs —  Definition of the process assessment model, process reference model and
measurement framework to be used, documented in the preliminary assess-
ment plan
© ISO/IEC 2017 – All rights reserved 7

4.2.2.10 Identify the need for and approve confidentiality agreements
Identify the need for and approve confidentiality agreements (where necessary), especially if
external consultants are being used.
Responsible SP LA A LAC P
C A, R — C, A —
(R, A, C, I)
Task inputs —  Information about the confidentiality policies of the assessing organiza-
tion and the organization assessed
Task outputs —  Approved confidentiality agreement(s)
4.2.2.11 Submit Pre-Assessment Questionnaires to the Local Assessment Co-ordinator
(optional)
Submit Pre-Assessment Questionnaires to the Local Assessment Co-ordinator, if appropriate.
The Pre-Assessment Questionnaires (PAQs) help structure the on-site interviews by gathering infor-
mation about the Organizational unit(s) and projects of the assessed unit(s).
Responsible SP LA A LAC P
— A, R I I, C —
(R, A, C, I)
Task inputs —  Pre-Assessment Questionnaire Templates
Task outputs —  Completed Pre-Assessment Questionnaire(s)
4.2.2.12 Define the assessment scope
Define the assessment scope as it applies to the business, including a defined and agreed organiza-
tion scope including the following sub-tasks:
—  Define the processes to be investigated within each organizational unit according to the assess-
ment purpose and the requirements for the selected class of the assessment.
—  Identify the organizational unit(s) that deploy the defined processes to be investigated.
—  Identify the context for the organizational unit(s) that deploy the processes to be investigated.
Identify factors in the organizational unit that affect the assessment process. These factors include, at
a minimum:
—  the size of the organizational unit;
—  the application domain of the products or services of the organizational unit;
—  key characteristics (e.g. size, criticality, complexity and quality) of the products or services of
each organizational unit.
—  Identify the sample of products, services, lifecycle stages or projects within the assess-
ment scope.
The assessment scope may be renegotiated during the performance of the assessment. Any renegotia-
tion of the scope shall be approved by the sponsor.
The assessment scope shall be established according to the specific requirements for the defined
class of assessment in ISO/IEC 33002:2015, 4.6 in terms of the required number of process instances
to be assessed.
8 © ISO/IEC 2017 – All rights reserved

Responsible SP LA A LAC P
A, I R I C —
(R, A, C, I)
Task inputs —  Information about the organization assessed
—  Completed Pre-Assessment Questionnaire(s)
—  Purpose and Class of the assessment
—  Process reference model(s)
—  Measurement Framework
—  Team member list
Task outputs —  Assessment scope, highest quality level to be assessed for each individu-
al process and corresponding process quality characteristics defined in the
preliminary assessment plan
4.2.2.13 Identify the assessment team structure
Identify the assessment team structure. The principal structure of the assessment team such as
team size, necessary roles and workload share is identified based on the scope of the assessment.
NOTE  The assessment team structure can depend on the size of the assessed organization, the
complexity of the assessed project(s), local distribution of sites of the assessed organization or other
dependencies.
Responsible SP LA A LAC P
— A, R I — —
(R, A, C, I)
Task inputs —  Completed Pre-Assessment Questionnaire(s)
—  Assessment scope
Task outputs —  Assessment team structure documented in the preliminary assess-
ment plan
4.2.2.14 Establish the communication plan
Establish the communication plan to the personnel involved in the assessment.
Responsible SP LA A LAC P
— A, R I I, C —
(R, A, C, I)
Task inputs —  Assessment team structure documented in the preliminary assess-
ment plan
—  Completed Pre-Assessment Questionnaire(s)
—  Assessment scope
Task outputs —  Communication plan and records
© ISO/IEC 2017 – All rights reserved 9

4.2.2.15 Specify the rating method(s)
Specify the rating method(s) to be employed.
NOTE  For example, any rating method specified in ISO/IEC 33020 can be chosen to cover the assess-
ment purpose defined.
Responsible SP LA A LAC P
— A, R I I —
(R, A, C, I)
Task inputs —  The process quality characteristic to be assessed (e.g. process capability)
—  The class of assessment
Task outputs —  Definition of rating method documented in the preliminary assess-
ment plan
4.2.2.16 Specify the aggregation method(s)
Specify the aggregation method(s) to be employed.
NOTE  For example, any aggregation method specified in ISO/IEC 33020 can be chosen to cover the
assessment purpose defined.
Responsible SP LA A LAC P
— A, R I I —
(R, A, C, I)
Task inputs —  The process quality characteristic to be assessed (e.g. process capability)
—  The class of assessment
Task outputs —  Definition of aggregation method documented in the preliminary assess-
ment plan
4.2.2.17 Specify constraints on the conduct of the assessment
Specify constraints on the conduct of the assessment. The assessment constraints may include
—  availability of key resources,
—  the maximum duration of the assessment,
—  specific processes or organizational units to be excluded from the assessment,
—  the ownership of the assessment outputs and any restrictions on their use,
—  controls for handling confidential information and non-disclosure, and
—  identity and roles of assessees, assessment team members and assessment support staff with
specific responsibilities for the assessment.
Responsible SP LA A LAC P
A R I C —
(R, A, C, I)
Task inputs —  Information about the assessor team from the assessing organization
and the organization assessed
—  Completed Pre-Assessment Questionnaire(s)
—  Scope of the assessment
Task outputs —  Assessment constraints documented in the preliminary assessment plan
—  Updated scope (if applicable)
10 © ISO/IEC 2017 – All rights reserved

4.2.2.18 Map the organizational unit(s) to the Process Assessment Model
Map the organizational unit to the Process Assessment Model. Establish a correspondence be-
tween the organizational unit’s processes specified in the assessment scope and the processes in the
Process Assessment Model. Identify any conflicting terminology between the organizational unit(s)
and the Process Assessment Model.
Responsible SP LA A LAC P
— A, R I I —
(R, A, C, I)
Task inputs —  Information about the organization assessed
—  Process Assessment Model
Task outputs —  Mapping of organizational unit(s) processes to the Process Assess-
ment Model
4.2.2.19 Identify any additional information
Identify any additional information that the sponsor requests to be gathered during the assessment.
Responsible SP LA A LAC P
C, A R — I —
(R, A, C, I)
Task inputs —  Information obtained from sponsor
Task outputs —  Additional information in the preliminary assessment plan
4.2.2.20 Review all inputs
Review all inputs.
Responsible SP LA A LAC P
— A, R I C —
(R, A, C, I)
Task inputs —  Preliminary assessment plan
—  Completed Pre-Assessment Questionnaire(s)
Task outputs —  Review record
4.2.2.21 Obtain sponsor approval
Obtain sponsor approval of inputs.
Responsible SP LA A LAC P
A R — I —
(R, A, C, I)
Task inputs —  Preliminary assessment plan
Task outputs —  Approval of the preliminary assessment plan by the sponsor
© ISO/IEC 2017 – All rights reserved 11

4.3 Plan the assessment
4.3.1 Overview
Activity Plan the assessment
Brief descrip- In this phase of the assessment process, a specific plan including activities, re-
tion sources, schedule and communication interfaces is developed.
Outcomes The following outcomes shall be achieved when performing this activity:
1)  An assessment plan describing all activities performed in conducting the as-
sessment is developed and documented together with an assessment schedule;
2)  Using the assessment scope, resources necessary to perform the assessment
are identified and committed to be available;
3)  The method of collating, reviewing, validating and documenting all of the infor-
mation required for the assessment is determined;
4)  Co-ordination with participants in the Organizational unit(s) is planned.
Tasks The following tasks shall be executed to achieve the outcomes of this activity:
4.3.2.1   Determine the assessment activities
4.3.2.2   Establish the assessment team and assign team roles
4.3.2.3   Select the assessment participants
4.3.2.4   Assign responsibilities
4.3.2.5   Determine the necessary resources and schedule for the assessment
4.3.2.6   Define how the assessment data will be collected, recorded, stored, ana-
lysed and presented
4.3.2.7   Define the planned outputs of the assessment
4.3.2.8   Schedule the assessment
4.3.2.9   Verify conformance to requirements
4.3.2.10  Identify and manage risks
4.3.2.11  Co-ordinate assessment logistics with the Local Assessment Co-ordinator
4.3.2.12  Review and obtain acceptance of the plan
4.3.2.13  Confirm the sponsor’s commitment
12 © ISO/IEC 2017 – All rights reserved

4.3.2 Tasks
4.3.2.1 Determine the assessment activities
Determine the assessment activities. The assessment activities will include all activities described
in this documented assessment process but may be tailored as necessary.
Responsible SP LA A LAC P
— A, R I I —
(R, A, C, I)
Task inputs —  Preliminary assessment plan
—  Commitment of the sponsor or contract with the sponsor’s organization
—  Commitment between the assessing organization and the Lead Assessor
—  Commitment between the organization to be assessed and the local as-
sessment coordinator
—  Information about the business context
—  Information about the assessment purpose
—  Approved confidentiality agreement(s)
—  Communication plan and records
—  Updated scope (if applicable)
—  Mapping of organizational unit(s) processes to the Process Assess-
ment Model
—  Review records
—  Approval of the preliminary assessment plan by the sponsor
Task outputs —  Activities documented in the assessment plan
4.3.2.2 Establish the assessment team and assign team roles
Establish the assessment team and assign team roles. Assessment team members ensure a bal-
anced set of skills necessary to perform the assessment. The assessment team shall be established
according to the specific requirements for the defined class of assessment in ISO/IEC 33002:2015, 4.6
and the type of independence of the assessment body.
Responsible SP LA A LAC P
— A, R I I —
(R, A, C, I)
Task inputs —  Information about the assessing organization and the organization
assessed
—  Skill information of available personnel
—  Class of assessment
—  Defined type of independence
Task outputs —  Assessment team member list
—  Updated assessment plan
© ISO/IEC 2017 – All rights reserved 13

4.3.2.3 Select the assessment participants
Select the assessment participants from within the Organizational unit(s). The participants should
adequately represent the processes in the assessment scope.
Responsible SP LA A LAC P
I A, R — C I
(R, A, C, I)
Task inputs —  Updated assessment plan
—  Completed Pre-Assessment Questionnaire(s)
Task outputs —  List of assessment participants documented in the assessment plan
4.3.2.4 Assign responsibilities
Assign responsibilities. Assign the responsibilities of all individuals participating in the assessment
including the sponsor, lead assessor, assessors, local assessment co-ordinator and participants.
Responsible SP LA A LAC P
— A, R C C I
(R, A, C, I)
Task inputs —  Assessment team member list defined in the assessment plan
—  List of assessment participants documented in the assessment plan
—  Information about the qualification of the assessors
Task outputs —  Responsibilities documented in the assessment plan
4.3.2.5 Determine the necessary resources and schedule for the assessment
Determine the necessary resources and schedule for the assessment. From the scope, identify
the time and resources needed to perform the assessment. Resources may include the use of equip-
ment such as overhead projectors, etc.
Responsible SP LA A LAC P
I A, R C C C
(R, A, C, I)
Task inputs —  Preliminary assessment plan
—  Information about availability of resources in the organizational unit
assessed
Task outputs —  Schedule and resource list documented in the assessment plan
4.3.2.6 Define how the assessment data will be collected, recorded, stored, analysed and
presented
Define how the assessment data will be collected, recorded, stored, analysed and presented
(with reference to the assessment tool — if applicable).
Responsible SP LA A LAC P
— A, R C I —
(R, A, C, I)
Task inputs —  Preliminary assessment plan
—  Templates and documenting guidelines of the assessing organization
—  Assessment tool (if applicable)
—  Retention/storage requirements
Task outputs —  Documentation definitions documented in the assessment plan
14 © ISO/IEC 2017 – All rights reserved

4.3.2.7 Define the planned outputs of the assessment
Define the planned outputs of the assessment. Assessment outputs desired by the sponsor in addi-
tion to those required as part of the assessment record are identified and described.
Responsible SP LA A LAC P
A R C I —
(R, A, C, I)
Task inputs —  Documentation definitions documented in the assessment plan
—  Information obtained from sponsor
Task outputs —  Target assessment results documented in the assessment plan
4.3.2.8 Schedule the assessment
Schedule the assessment. Detail the schedule and agenda of the assessment, assigning the resourc-
es (participants, assessment team members and tools) to each assessment activity and detailed data
gathering stage.
Responsible SP LA A LAC P
— A, R — — —
(R, A, C, I)
Task inputs —  ISO/IEC 33002
—  Assessment plan
Task outputs —  Assessment schedule
4.3.2.9 Verify conformance to requirements
Verify conformance to requirements. Detail how the assessment will meet all the requirements in
the standard.
Responsible SP LA A LAC P
— A, R — — —
(R, A, C, I)
Task inputs —  ISO/IEC 33002
Task outputs —  Conformity statement in the assessment plan
4.3.2.10 Identify and manage risks
Manage risks. Potential risk factors and mitigation strategies are documented, prioritized and
tracked through assessment planning. All identified risks will be monitored throughout the assess-
ment. Potential risks may include changes to the assessment team, organizational changes, changes
to the assessment purpose/scope, lack of resources for assessment, confidentiality, priority of the
data, base practices and criticality of indicators and availability of key information products such as
documents.
Responsible SP LA A LAC P
— A, R C C —
(R, A, C, I)
Task inputs —  Schedule and resource list documented in the assessment plan
—  Information about the assessing organization and the organization
assessed
Task outputs —  Risk and risk mitigation list
© ISO/IEC 2017 – All rights reserved 15

4.3.2.11 Co-ordinate assessment logistics with the Local Assessment Co-ordinator
Co-ordinate assessment logistics with the Local Assessment Co-ordinator. Ensure the compati-
bility and the availability of technical equipment and confirm that identified workspace and schedul-
ing requirements will be met.
Responsible SP LA A LAC P
— A, R C C —
(R, A, C, I)
Task inputs —  Schedule and resource list documented in the assessment plan
Task outputs —  Updated assessment plan
4.3.2.12 Review and obtain acceptance of the plan
Review and obtain acceptance of the plan. The sponsor identifies who will approve the assessment
plan. The plan, including the assessment schedule and logistics for site visits is reviewed and approved.
Responsible SP LA A LAC P
— R C A —
(R, A, C, I)
Task inputs —  Assessment plan
Task outputs —  Acceptance statement for the assessment plan by the local coordinator
4.3.2.13 Confirm the sponsor’s commitment
Confirm the sponsor’s commitment to proceed with the assessment.
Responsible SP LA A LAC P
A R — I —
(R, A, C, I)
Task inputs —  Assessment plan
Task outputs —  Approval of the assessment plan by the sponsor
4.4 Brief the assessment participants
4.4.1 Overview
Activity Brief the assessment participants
Brief descrip- Before the data collection takes place, the Lead Assessor briefs all relevant parties
tion involved in the assessment.
Outcomes The following outcomes shall be achieved when performing this activity:
1)  Ensure that the assessment team understands the assessment input, process
and output;
2)  The organizational unit(s) is(are) briefed on the performance of the assessment.
Tasks The following tasks shall be executed to achieve the outcomes of this activity:
4.4.2.1  Brief the assessment team
4.4.2.2  Brief the organizational unit(s)
16 © ISO/IEC 2017 – All rights reserved

4.4.2 Tasks
4.4.2.1 Brief the assessment team
Brief the assessment team. Ensure that the team understands the approach defined in the docu-
mented process, the assessment inputs and outputs, and is proficient in using the assessment tool.
Responsible SP LA A LAC P
I A, R C — —
(R, A, C, I)
Task inputs —  Assessment plan
—  Schedule
Task outputs —  Meeting minutes

4.4.2.2 Brief the organizational unit(s)
Brief the organizational unit(s). Explain the assessment purpose, scope, constraints, and model.
Stress the confidentiality policy and the need for openness. Stress the confidentiality policy, the need
for openness and the importance of integrity in maximizing the benefits of the assessment for the
organization. Emphasize the benefits of the assessment for the organization. Present the assessment
schedule. Ensure that staff understands what is being undertaken and their role in the process. An-
swer any questions or concerns that they may have. Potential participants and anyone who will see
the presentation of the final results should be present at the briefing session.
Responsible SP LA A LAC P
I A, R C C C
(R, A, C, I)
Task inputs —  Assessment plan
—  Schedule
Task outputs —  Meeting minutes
© ISO/IEC 2017 – All rights reserved 17

4.5 Collect the data
4.5.1 Overview
Activity Collect the data
Brief descrip- A key prerequisite for performing the process attribute rating is to collect data
tion building the objective evidence to substantiate the ratings and to verify compli-
ance with the requirements.
Outcomes The following outcomes shall be achieved when performing this activity:
1)  Data required for evaluating the processes within the scope of the assessment
is collected in a systematic manner;
2)  The strategy and techniques for the selection, collection, analysis of data and
justification of the ratings are explicitly identified and demonstrable;
3)  The objective evidence gathered for each attribute of each process assessed
must be sufficient to meet the assessment purpose and scope as also required for
the selected class of the assessment;
4)  Objective evidence that supports the assessors’ judgement of process attribute
ratings is recorded and maintained in the assessment record;
5)  Information which is relevant to the assessment to support understanding of
the output of the assessment is recorded.
Tasks The following tasks shall be executed to achieve the outcomes of this activity:
4.5.2.1  Collect evidence of process attribute indicators
4.5.2.2  Record and maintain the references to the evidence
4.5.2.3  Verify the completeness of the data
4.5.2 Tasks
4.5.2.1 Collect evidence of process attribute indicators
Collect evidence of process attribute indicators for each process instance and process within
the scope. Evidence includes observation of information products and their characteristics, tes-
timony from the process performers, and observat
...