ISO/IEC 33002:2015

INTERNATIONAL ISO/IEC
STANDARD 33002
Second edition
2015-03-01
Information technology — Process
assessment — Requirements for
performing process assessment
Technologies de l’information — Évaluation du processus —
Exigences relatives à la réalisation d’une évaluation du processus
Reference number
ISO/IEC 33002:2015(E)
©
ISO/IEC 2015

---------------------- Page: 1 ----------------------
ISO/IEC 33002:2015(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2015
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2015 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 33002:2015(E)

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Performing an assessment . 1
4.1 General requirements . 2
4.2 Assessment activities . 3
4.2.1 Plan the assessment . 3
4.2.2 Collect the data . 3
4.2.3 Validate the data . 4
4.2.4 Determine the results . 4
4.2.5 Report the assessment . . 4
4.3 Roles, responsibilities and competence . 5
4.4 Assessment inputs . 6
4.5 Assessment record. 7
4.6 Class of assessment . 7
4.6.1 General. 7
4.6.2 Specific requirements — Class 1 assessment . 8
4.6.3 Specific requirements — Class 2 assessment . 9
4.6.4 Specific requirements — Class 3 assessment .10
4.7 Assessment of process capability .10
5 Verifying conformity to process assessments .10
Annex A (normative) Categories of independence .12
Annex B (informative) Example content of an assessment report .13
Bibliography .16
© ISO/IEC 2015 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 33002:2015(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
Details of any patent rights identified during the development of the document will be in the Introduction
and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 7, Software
and systems engineering.
This second edition cancels and replaces clauses of ISO/IEC 15504-2:2003 and ISO/IEC/TR 15504-
7:2008, which have been technically revised.
iv © ISO/IEC 2015 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 33002:2015(E)

Introduction
This International Standard defines the minimum set of requirements for performing an assessment
that will ensure assessment results are objective, consistent, repeatable, and representative of the
assessed processes. The requirements help to ensure that the assessment output is self-consistent and
to provide evidence to substantiate the ratings and to verify compliance with the requirements. Process
assessment is applicable in the following circumstances:
— by or on behalf of an organization with the objective of understanding the state of its own processes
for process improvement;
— by or on behalf of an organization with the objective of determining the suitability of its own
processes for a particular requirement or category of requirements;
— by or on behalf of one organization with the objective of determining the suitability of another
organization’s processes for a particular purpose, contract, or category of contracts.
This International Standard is applicable across all application domains and sizes of organizations.
Appropriate methods, techniques, and tools can be used to enable the assessment process to be effective
and efficient.
This International Standard is part of a set of International Standards designed to provide a consistent and
coherent framework for the assessment of process quality characteristics, based on objective evidence
resulting from implementation of the processes. The framework for assessment covers processes
employed in the development, maintenance, and use of systems across the information technology
domain and those employed in the design, transition, delivery, and improvement of services. The set of
International Standards, as a whole, addresses process quality characteristics of any type. Results of
assessment can be applied for improving process performance, or for identifying and addressing risks
associated with application of processes.
The ISO/IEC 330xx family of Standards defines the requirements and resources needed for process
assessment. The overall architecture and content of the series is described in ISO/IEC 33001:2015.
Several International Standards in the ISO/IEC 330xx family of standards for process assessment are intended
to replace and extend parts of the ISO/IEC 15504 series of Standards. ISO/IEC 33001, Annex A provides a
detailed record of the relationship between the ISO/IEC 330xx family and the ISO/IEC 15504 series.
© ISO/IEC 2015 – All rights reserved v

---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 33002:2015(E)
Information technology — Process assessment —
Requirements for performing process assessment
1 Scope
This International Standard defines the minimum set of requirements for performing an assessment
that will ensure assessment results are objective, consistent, repeatable, and representative of the
assessed processes.
The requirements defined in this International Standard can be used by or on behalf of an organization to
a) facilitate self-assessment,
b) provide a basis for improving process performance and mitigating process-related risk,
c) produce a rating of the achievement of the relevant process quality characteristic, and
d) provide an objective benchmark between organizations.
This International Standard is applicable across all application domains and sizes of organization.
NOTE An organization can implement a set of integrated processes in a system.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 33001:2015, Information technology — Process assessment — Concepts and terminology
ISO/IEC 33003:2015, Information technology — Process assessment — Requirements for process
measurement frameworks
ISO/IEC 33004:2015, Information technology — Process assessment — Requirements for process reference,
process assessment and maturity models
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 33001:2015; apply.
4 Performing an assessment
The purpose of process assessment is to understand and assess the processes implemented by an
organizational unit.
Figure 1 shows the key elements of the process assessment process.
© ISO/IEC 2015 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO/IEC 33002:2015(E)

Figure 1 — Key elements of the process assessment process
Clause 4 sets out the requirements for performing an assessment conformant with this International
Standard. The requirements help to ensure that the assessment output is self-consistent and provides
evidence to substantiate the ratings.
4.1 General requirements
The assessment shall be conducted according to a documented assessment process. The documented
assessment process shall be capable of meeting the assessment purpose and shall be structured in a
manner that ensures that the purpose for performing the assessment is satisfied, in terms of the rigour
and independence of the assessment and its suitability for the intended use.
The documented assessment process shall prescribe a set of activities and tasks to be performed
that meet all of the requirements defined in this International Standard. Specifically, the documented
assessment process shall:
— identify as a minimum, the assessment activities as defined in 4.2;
— identify as a minimum the roles, responsibilities and competencies as defined in 4.3;
— identify the classes of assessment for which the documented assessment process can be applied, and
the nature and extent of tailoring associated with each class addressed by the documented process;
— define the criteria for ensuring coverage for both the defined organizational scope and the defined
process scope for the assessment, in terms of the strategy for collecting and analysing data;
— identify the rating method(s) to be used in rating process attributes;
— identify or define the aggregation method(s) to be used in determining ratings.
Classes of assessment are described in 4.6. They reflect different levels of confidence in the results of
the assessment.
Different categories of independence for different types of bodies and personnel are described in Annex
A, with criteria for their use.
The documented assessment process shall contain at minimum the following activities:
2 © ISO/IEC 2015 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/IEC 33002:2015(E)

4.2 Assessment activities
The assessment process shall start with the assessment sponsor’s commitment to proceed.
4.2.1 Plan the assessment
A plan for the assessment shall be developed and documented, including at a minimum:
a) required inputs specified in this standard (refer to 4.4);
b) class of assessment (refer to 4.6);
c) category of independence of the body performing the assessment, the lead assessor and the other
members of the assessment team (refer to Annex A)
d) communications to the personnel involved in the assessment;
e) identification of the documented assessment process including:
1) the strategy and techniques for the selection, identification, collection and analysis of objective
evidence and data, to satisfy any requirements for coverage of the organizational scope or the
process scope of the assessment as defined for the class of the assessment (refer 4.6);
2) the approach to derive an agreed process attribute rating, where relevant.
f) activities to be performed in performing the assessment;
g) resources and schedule assigned to these activities;
h) identification and definition of roles and responsibilities of the participants in the assessment;
i) criteria to verify that the requirements of this International Standard have been met;
j) description of the planned assessment outputs.
Roles and responsibilities for process assessment shall be assigned and communicated to personnel
impacted by the assessment.
The plan for the assessment shall be approved by the assessment sponsor, and the approval shall be
documented.
4.2.2 Collect the data
The data collected shall be sufficient to provide coverage of the organization scope and the process
scope for the assessment, as specified for the selected class of the assessment. Data shall be collected on
the basis of direct or indirect evidence that shall be sufficient for the class of assessment (refer to 4.6).
Evidence required for evaluating the processes within the assessment scope and additional information
shall be collected in a systematic manner applying at minimum the following:
a) a correspondence between the organizational unit’s processes and the elements in the process
assessment model, specified in the assessment scope, shall be established;
b) each process identified in the assessment scope shall be assessed on the basis of objective evidence;
c) objective evidence shall be identified and gathered to provide the basis for verification of the ratings;
d) objective evidence gathered for each process attribute for each process assessed shall be sufficient
to meet the assessment purpose, assessment scope and class of assessment;
e) objective evidence collected for each process shall be representative of the implementation of the
process across the organizational scope of the assessment, as required for the selected class of the
assessment (refer to 4.6);
© ISO/IEC 2015 – All rights reserved 3

---------------------- Page: 8 ----------------------
ISO/IEC 33002:2015(E)

f) objective evidence shall be collected for each element in the selected process assessment model, as
required for the selected class of assessment (refer to 4.6);
g) information which is relevant to the assessment to support understanding of the output of the
assessment shall be compiled.
4.2.3 Validate the data
The data validation approach for the assessment shall ensure that the requirements of this standard
are met in respect of every process instance identified in the assessment scope, and that the coverage
requirements are satisfied. The activities shall:
a) confirm that the evidence collected is objective;
b) ensure that the objective evidence is sufficient and representative to cover the assessment purpose
and class of assessment;
c) confirm that the data collected provides coverage of the organization scope and the process scope
of the assessment, as required for the selected class of the assessment (refer 4.6);
d) ensure that the data as a whole is consistent.
4.2.4 Determine the results
The defined set of assessment indicators in the process assessment model shall be used to support the
assessors’ judgement when analysing the validated data.
The process attribute ratings shall be expressed in terms that are consistent with the process
measurement framework.
The assessment team shall perform the following activities:
a) rate the process attributes according to the selected rating method;
b) aggregate the rating(s) using the selected aggregation method(s), where applicable;
c) maintain traceability between a process attribute rating and the objective evidence used in
determining that rating;
d) record the relationship between the assessment indicators for each process attribute rated and the
objective evidence;
e) record the process profile and (if required) the process quality levels for the defined assessment scope;
f) derive the maturity level, if applicable.
The results from these activities shall be linked to the purpose of the assessment, and also linked to the
business context for the assessment e.g. assessment purpose, target profile, or desired outcomes.
4.2.5 Report the assessment
Information which is relevant to the assessment and supports understanding of the output of the
assessment shall be compiled. The assessment results shall be presented in a way that enables
comparison, if required, and effective communication to the sponsor and affected parties.
The assessment report shall include at minimum the following:
a) general:
1) unique identifier;
2) date of issue;
4 © ISO/IEC 2015 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/IEC 33002:2015(E)

3) version number;
4) issuer of the document;
5) document change history.
b) the company and organizational unit being assessed;
c) the class of the assessment;
d) the names and roles of the assessors;
e) if applicable, the category of independence of the body performing the assessment, the lead assessor
and the other members of the assessment team
f) the assessment participants (by name, role or functional area);
g) date and duration of the assessment;
h) reference to applicable standard(s) and requirements;
i) identification of models, e.g. process assessment model, maturity model;
j) identification of the process measurement framework;
k) the assessment results;
l) opportunities for improvement and risk mitigation, if applicable.
The assessment report shall be documented and issued to the assessment sponsor.
An example of the content of an assessment report is shown in Annex B.
4.3 Roles, responsibilities and competence
The roles and responsibilities defined for the assessment shall include the following:
a) The sponsor of the assessment shall:
1) verify that the individual who is to take responsibility for conformity to the assessment with
this International Standard and designated as the lead assessor has the required competencies
to perform the assessment;
2) finalize the scope of the assessment and approve the assessment plan;
3) ensure th
...