ISO/IEC 15504-3:2004
Information technology - Process assessment - Part 3: Guidance on performing an assessment
ISO/IEC 15504 (all parts) provides a framework for the assessment of processes. This framework can be used by organizations involved in planning, managing, monitoring, controlling and improving the acquisition, supply, development, operation, evolution and support of products and services. ISO/IEC 15504-3:2004 provides guidance on meeting the minimum set of requirements for performing an assessment contained in ISO/IEC 15504-2. It provides an overview of process assessment and interprets the requirements through the provision of guidance on: performing an assessment; the measurement framework for process capability; process reference models and process assessment models; selecting and using assessment tools; competency of assessors; verification of conformity. ISO/IEC 15504-3:2004 also provides an exemplar documented assessment process that conforms to the requirements of 4.2 in ISO/IEC 15504-2.
Technologies de l'information — Évaluation des procédés — Partie 3: Conseils sur la réalisation d'une évaluation
Frequently Asked Questions
ISO/IEC 15504-3:2004 is a standard published by the International Organization for Standardization (ISO). Its full title is "Information technology - Process assessment - Part 3: Guidance on performing an assessment".
ISO/IEC 15504-3:2004 is classified under the following ICS (International Classification for Standards) categories: 35.080 - Software. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/IEC 15504-3:2004 has the following relationships with other standards: it has inter-standard links to ISO 6506-4:2014, ISO/IEC TS 33030:2017, ISO/IEC TR 15504-6:1998 and ISO/IEC TR 15504-4:1998. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 15504-3
First edition 2004-01-15
Information technology — Process assessment —
Part 3:
Guidance on performing an assessment
Technologies de l'information — Évaluation des procédés du logiciel —
Partie 3: Réalisation d'une évaluation
Reference number
© ISO/IEC 2004
© ISO/IEC 2004
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of Process Assessment
4.1 Introduction
4.2 Assessment process
4.3 Measurement Framework for Process Capability
4.4 Process Reference Model
4.5 Process Assessment Model
4.6 Assessment Tools
4.7 Competency of assessment team
4.8 Assessment approaches
4.9 Success factors for process assessment
5 Guidance on Requirements for Performing an Assessment
5.1 General
5.2 The assessment process activities
5.3 Roles and responsibilities
5.4 Defining the initial assessment input
5.5 Recording the assessment output
5.6 Selecting a Documented Assessment Process
6 Measurement Framework for Process Capability
6.1 Level 0: Incomplete process
6.2 Level 1: Performed process
6.3 Level 2: Managed process
6.4 Level 3: Established process
6.5 Level 4: Predictable process
6.6 Level 5: Optimizing process
6.7 Rating process attributes
6.8 Process capability level model
7 Process Reference Models
7.1 Interpreting The Requirements For A Process Reference Model
7.2 Selecting Process Reference Models
8 Process Assessment Models
8.1 Interpreting the requirements for a Process Assessment Model
8.2 Selection of a Process Assessment Model
9 Selecting and Using Assessment Tools
10 Guidance on Competency of Assessors
10.1 Overview
10.2 Gaining and maintaining competence
11 Guidance on Verification of Conformity
11.1 Verifying conformity of Process Reference Models
11.2 Verifying conformity of Process Assessment Models
11.3 Verifying conformity of process assessments
Annex A (informative) An Exemplar Documented Assessment Process
Annex B (informative) Guidance on Indicators
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to the national bodies for voting. Publication
as an International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 15504-3 was prepared by Joint Technical Committee ISO/IEC/TC JTC 1, Information technology,
Subcommittee SC 7, Software and system engineering.
This first edition cancels and replaces ISO/IEC TR 15504-4:1998 and ISO/IEC TR 15504-6:1998, which have
been technically revised.
ISO/IEC 15504 consists of the following parts, under the general title Information technology — Process
assessment:
Part 2: Performing an assessment
Part 3: Guidance on performing an assessment
Part 4: Guidance on use for process improvement and process capability determination
The following parts are in preparation:
Part 1: Concepts and vocabulary
Part 5: An exemplar Process Assessment Model
The complete series will replace ISO/IEC TR 15504-1 to ISO/IEC TR 15504-9.
Introduction
This part of ISO/IEC 15504 assumes familiarity with the normative part of the standard. It is primarily
addressed to the competent assessor and other people, such as the sponsor of the assessment, who need
guidance on ensuring that the requirements for performing an assessment have been met. It will also be of
value to developers of assessment methods and of tools to support an assessment.
ISO/IEC 15504-1 will provide a general introduction to the concepts of process assessment and a glossary for
assessment related terms.
ISO/IEC 15504-2 sets out the minimum requirements for performing an assessment that ensure consistency
and repeatability of the ratings. The requirements help to ensure that the assessment output is self-consistent
and provides evidence to substantiate the ratings and to verify compliance with the requirements.
ISO/IEC 15504-2 defines the Measurement Framework for process capability and the requirements for:
a) performing an assessment;
b) process reference models;
c) process assessment models;
d) verifying conformity of process assessment.
This part of ISO/IEC 15504 provides guidance for interpreting the minimum requirements for performing an
assessment. It also provides guidance on:
the nature of the measurement framework;
the role and function of process reference models;
the requirements for and selection of a process assessment model;
the selection and use of assessment tools;
criteria for assessor competence; and
verification of conformity of process assessment.
ISO/IEC 15504-3 incorporates, as Annex A, an exemplar documented assessment process.
Process assessment, as defined in this International Standard, is based on a two dimensional model
containing a process dimension and a capability dimension. The process dimension is provided by an external
process reference model, which defines a set of processes characterized by statements of process purpose
and process outcomes. The capability dimension consists of a measurement framework comprising six
process capability levels and their associated process attributes.
The assessment output consists of a set of process attribute ratings for each process assessed, termed the
process profile, and may also include the capability level achieved by that process.
Process assessment is applicable in the following circumstances:
a) by or on behalf of an organization with the objective of understanding the state of its own processes for
process improvement;
b) by or on behalf of an organization with the objective of determining the adequacy of its own processes for
a particular requirement or class of requirements;
c) by or on behalf of an organization with the objective of determining the adequacy of another
organization’s processes for a particular contract or class of contracts.
As described in ISO/IEC 15504-4, process assessment is an activity that can be performed either as part of a
process improvement initiative or as part of a capability determination approach. The formal entry to the
assessment process occurs with the compilation of the assessment input, which defines the purpose of the
assessment (why it is being carried out), the scope of the assessment, what constraints apply to the
assessment and any additional information that needs to be gathered. The assessment input also defines the
responsibility of the various parties in the performance of an assessment. An assessor who has the necessary
competence and skills oversees the assessment. Assessors may be from within the organization, external to
the organization or a combination of both.
An assessment is carried out against a defined assessment input utilizing conformant process assessment
model(s) related to one or more conformant or compliant process reference models. ISO/IEC 15504-5
contains an exemplar process assessment model that is based upon the process reference model defined in
Annex F of ISO/IEC 12207:1995/Amd 1:2002.
INTERNATIONAL STANDARD ISO/IEC 15504-3:2004(E)
Information technology — Process assessment —
Part 3:
Guidance on performing an assessment
1 Scope
This part of ISO/IEC 15504 provides guidance on meeting the minimum set of requirements for performing an
assessment contained in ISO/IEC 15504-2.
It provides an overview of process assessment and interprets the requirements through the provision of
guidance on:
a) performing an assessment;
b) the measurement framework for process capability;
c) process reference models and process assessment models;
d) selecting and using assessment tools;
e) competency of assessors;
f) verification of conformity.
This document uses the following schema: the text inside a box is quoted from the normative ISO/IEC 15504-2
and the text following a box is guidance about the normative text. If the quoted text includes a clause
reference, it is understood that ISO/IEC 15504-2 should be referred to.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 15504-2:2003, Information technology — Process assessment — Part 2: Performing an assessment
ISO/IEC TR 15504-9 1), Information technology — Software process assessment — Part 9: Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC TR 15504-9 apply.
1) A revision of this document is in preparation under the following reference: ISO/IEC 15504-1.
4 Overview of Process Assessment
4.1 Introduction
Process assessment is undertaken to understand the capability of an Organizational Unit's current processes.
Process assessment may encompass all or a subset of the processes (e.g. project management,
development, maintenance, configuration management) used by an organization.
Process assessment is performed by one or more assessor(s), one of them (the competent assessor) being
responsible for assuring conformity of the assessment to the requirements in ISO/IEC 15504-2.
The assessment of the Organizational Unit's processes is made utilizing a Process Assessment Model based
upon a Process Reference Model (e.g. ISO/IEC 12207:1995/Amd 1:2002). A Process Reference Model
describes the processes in terms of purpose and outcomes. A Process Assessment Model provides detailed
indicators necessary to assess the achievement of the process attributes.
There is a set of 9 process attributes applicable to any process and characterizing the capability of an
implemented process. They are defined in ISO/IEC 15504-2.
Process attributes are grouped into capability levels that define an ordinal scale of process capability and
provide a rational route for improvement of each individual process. Each process attribute represents
measurable characteristics which support achievement of the process purpose and contribute to meeting the
business goals of the organization.
The fundamental assessment output consists of up to nine process attribute ratings (referred to as a process
profile) for each process assessed.
4.2 Assessment process
An assessment must be conducted according to a documented process that is capable of meeting the
assessment purpose. The key elements of a documented assessment process are closely tied to the
requirements for performing an assessment, defined in Clause 4 of ISO/IEC 15504-2. A brief overview of
these elements is given in the next section while more details on interpreting the activities for performing an
assessment are given in Clause 5 of this part of the standard. Note, however, that the guidance provided does
not constitute a complete, documented assessment process. Its purpose is to provide help in interpreting the
requirements in ISO/IEC 15504-2 and to provide a starting point for selecting or creating a documented
assessment process.
The documented assessment process is the set of instructions for conducting the assessment. A documented
assessment process addresses the following aspects of the conduct of an assessment:
defining the inputs to an assessment such as purpose, scope, constraints and the identity of the
conformant Process Assessment Model to be used;
defining key roles and responsibilities;
providing guidance for planning, data collection, data validation, process attributes rating and reporting of
assessment results;
recording of assessment outputs.
Clause 5 provides guidance on requirements for the assessment process and 11.3 provides guidance on
verifying conformity of process assessments. In addition, Annex A provides an exemplar documented
assessment process.
4.3 Measurement Framework for Process Capability
The Measurement Framework defines a six point ordinal scale of increasing process capability ranging from a
process which is not capable of achieving its purpose (process capability level zero) to a process which
optimizes its performance (process capability level 5). Each process has a set of process attribute ratings that
constitute the process profile. Process attribute ratings are expressed using the process attribute scale as
defined in ISO/IEC 15504-2. The process capability level model is described in terms of the process attribute
ratings that must be achieved in order to achieve a particular level. Clause 6 provides guidance on the
Measurement Framework for process capability.
4.4 Process Reference Model
A Process Reference Model describes a set of one or more processes in terms of purpose and expected
outcomes.
The purpose describes the high-level objectives that the process should achieve while the associated
outcomes are the expected results of a successful enactment of the process. The purpose statements in
conjunction with the outcomes describe what to achieve, but do not prescribe how the process should achieve
its objectives. Clause 7 provides guidance on Process Reference Models and 11.1 provides guidance on
verifying conformity or compliance of Process Reference Models.
Annex F of ISO/IEC 12207:1995/Amd 1:2002, as well as ISO/IEC 15288, provide Process Reference Models.
4.5 Process Assessment Model
A Process Assessment Model as defined in this International Standard is one that meets the requirements
specified in ISO/IEC 15504-2. In summary, a conformant Process Assessment Model is one:
that is suitable for the purpose of process assessment;
whose relevant elements are mapped to the processes described in a selected conformant Process
Reference Model(s), and to the relevant process attributes defined in ISO/IEC 15504-2;
that is based upon a set of indicators for use during an assessment to gather the information about
processes and process attributes;
that has a formal and verifiable mechanism for expressing the information gathered using the Process
Assessment Model into process attribute ratings as defined in ISO/IEC 15504-2.
Clause 8 provides guidance on Process Assessment Models and 11.2 provides guidance on verifying
conformity of Process Assessment Models. The model in ISO/IEC 15504-5 is an exemplar Process
Assessment Model based on the Process Reference Model defined in ISO/IEC 12207:1995/Amd 1:2002.
4.6 Assessment Tools
In any assessment, data will need to be collected, recorded, stored, collated, processed, analysed, retrieved
and presented. This may be supported by various tools. For some assessments, the support tools may be
paper-based (forms, questionnaires, checklists, etc.). In some cases the volume and complexity of the
assessment information may result in the need for computer-based support tools.
Regardless of the form of the supporting tools, their objectives are:
to help an assessor perform an assessment in a consistent and reliable manner, reducing subjectivity and
contributing to the achievement of valid, useful and comparable assessment results;
to perform the assessment more efficiently.
In order to achieve these objectives, the tools need to make a Process Assessment Model and its indicators
accessible to the assessors.
Clause 9 provides guidance on selecting and using assessment tools.
4.7 Competency of assessment team
Assessments are performed by individuals:
with an adequate mix of education, training and experience on relevant processes,
who have access to appropriate documented guidance on how to perform the defined assessment
activities,
who have the competencies to use the tools chosen to support the assessment.
The competency of team members should be verified by the competent assessor before assigning roles and
responsibilities for performing the assessment.
The competency of the competent assessor will be verified by the sponsor.
Clause 10 provides guidance on competency of assessors.
4.8 Assessment approaches
4.8.1 Self-assessment
A self-assessment is carried out by an organization to assess the capability of its own process. The sponsor of
a self-assessment is normally internal to the Organizational Unit as are the member(s) of the assessment
team.
4.8.2 Independent assessment
An independent assessment is an assessment conducted by an assessment team whose member(s) are
independent of the Organizational Unit being assessed. An independent assessment may be conducted, for
example, by an organization on its own behalf as independent verification that its assessment program is
functioning properly; the assessment sponsor will belong to the same organization but not necessarily to the
Organizational Unit being assessed.
The sponsor of an assessment may be external to the Organizational Unit being assessed, such as an
acquirer who wishes to have an independent determination of process capability. The degree of
independence, however, may vary according to the purpose, scope and context of the assessment.
In the case of an external assessment sponsor, mutual agreement between the assessment sponsor and the
assessed organisation is assumed.
4.9 Success factors for process assessment
The following factors are essential to a successful process assessment.
4.9.1 Commitment
The commitment of the sponsor is essential to ensuring that the assessment objectives are met. This
commitment requires that the necessary resources, time and personnel are available to perform the
assessment. The competent assessor will confirm the sponsor's commitment to proceed with the assessment.
4.9.2 Motivation
The attitude of the organization's management has a significant influence on the outcome of an assessment.
The organization's management, therefore, needs to motivate participants to be open and constructive.
Process assessments focus on the process, not on the performance of Organizational Unit members
implementing the process. The intent is to make the processes more effective in support of the defined
business goals, not to allocate blame to individuals.
Providing feedback and maintaining an atmosphere that encourages open discussion about preliminary
findings during the assessment helps to ensure that the assessment output is meaningful to the
Organizational Unit. The organization needs to recognize that the participants are a principal source of
knowledge and experience about the process and that they are in a good position to identify potential
weaknesses.
4.9.3 Confidentiality
Respect for the confidentiality of the sources of information and documentation gathered during assessment is
essential in order to secure that information. Where interviews or discussions are employed, consideration
should be given to ensuring that participants do not feel threatened or have any concerns regarding
confidentiality. Some of the information provided might be proprietary to the Organizational Unit. It is therefore
important that adequate controls are in place to handle such information.
4.9.4 Relevance
The Organizational Unit members should believe that the assessment will result in some benefits that will
accrue to them directly or indirectly.
4.9.5 Credibility
The sponsor, the management and the staff of the Organizational Unit should all believe that the assessment
will deliver a result which is objective and is representative of the assessment scope. It is important that all
parties can be confident that the assessors have adequate assessment experience, are sufficiently impartial
and have an adequate understanding of the Organizational Unit and its business to conduct the assessment.
5 Guidance on Requirements for Performing an Assessment
5.1 General
The requirements for performing an assessment defined in ISO/IEC 15504-2 aim at achieving a greater
degree of uniformity in the approach to process assessment, so as to maximize the reliability of different
approaches and provide a degree of comparability between the results of different assessments. It may make
sense to verify the requirements prior to and during the course of the assessment so that corrective actions
can occur.
5.2 The assessment process activities
The assessment shall be conducted according to a documented assessment process that is capable of
meeting the assessment purpose.
[ISO/IEC 15504-2, 4.2.1]
This clause addresses two different aspects of process assessment:
The documented assessment process shall be capable of meeting the assessment purpose;
The assessment shall be conducted in accordance with the documented assessment process.
The assessment purpose is defined as one of the assessment inputs [ISO/IEC 15504-2, 4.4.2 b)]; this
International Standard defines assessment purpose as “a statement, provided as part of the assessment input,
which defines the reason for performing the assessment.”
A documented assessment process supports repeatability of an assessment approach. Subclause 5.6
provides guidance on the selection of a documented assessment process.
5.2.1 Planning
The documented assessment process shall contain at minimum the following activities:
a) Planning: A plan for the assessment shall be developed and documented, including at minimum:
1) the required inputs defined in this part of ISO/IEC 15504;
2) the activities to be performed in conducting the assessment;
3) the resources and schedule assigned to these activities;
4) the identity and defined responsibilities of the participants in the assessment;
5) the criteria to verify that the requirements of this International Standard have been met;
6) a description of the planned assessment outputs.
[ISO/IEC 15504-2, 4.2.2 a)]
The activities to be performed will be determined by the chosen documented assessment process tailored as
necessary.
The resource and schedule depend strongly on information contained in the assessment input such as scope
and purpose of the assessment. This information should be reviewed thoroughly before planning. Timing and
resource needs may change during the process assessment activities. Monitoring and corrective actions to
maintain schedule and resources should be one of the planned activities.
In the first version of the plan some information may be missing or not available (e.g. identity of all
participants). As process assessment activities progress, the plan will be updated with the necessary
information.
Clause 11 provides guidance on the criteria to verify that the requirements of this International Standard have
been met.
The assessment output that will be delivered to the assessment Sponsor will be identified and briefly
described. The minimum output required is the assessment record. Any additional information [as indicated by
ISO/IEC 15504-2, 4.5.2 f)] will need to be defined in the plan.
5.2.2 Data collection
b) Data Collection: Data required for evaluating the processes within the scope of the assessment [see
4.4.2 c)] and additional information [see 4.4.2 j)] shall be collected in a systematic manner, applying at
minimum the following:
1) the strategy and techniques for the selection, collection, analysis of data and justification of the
ratings shall be explicitly identified and shall be demonstrable;
2) correspondence shall be established between the organizational unit’s processes, specified in the
assessment scope, and the elements in the Process Assessment Model;
3) each process identified in the assessment scope shall be assessed on the basis of objective
evidence;
4) the objective evidence gathered for each attribute for each process assessed shall be sufficient to
meet the assessment purpose and scope;
5) the identification of the objective evidence gathered shall be recorded and maintained to provide
the basis for verification of the ratings.
[ISO/IEC 15504-2, 4.2.2 b)]
Data collection may be performed in various ways such as interviews, questionnaires, discussions and
artefact review. Before starting data collection, the Organizational Unit’s processes should be mapped to the
processes defined within the Process Assessment Model.
The sampling mechanism should ensure that the set of processes selected is appropriate to the assessment
purpose. The sampling information and rationale should be retained.
The information gathering may be organized as part of a monitoring or reporting mechanism used by one or
more projects. Alternatively, information collection may be automated or semi-automated through the support
of a tool. A tool could be used continuously throughout the life cycle, for example, at defined milestones to
measure adherence to the process, to measure process improvement progress, or to gather information to
facilitate a future assessment.
5.2.3 Data validation
c) Data Validation: The data collected shall be validated to:
1) confirm that the evidence collected is objective;
2) ensure that the objective evidence is sufficient and representative to cover the scope and purpose
of the assessment;
3) ensure that the data as a whole is consistent.
[ISO/IEC 15504-2, 4.2.2 c)]
The data collected should accurately represent the processes assessed. Validation of this data should include
assessing whether the sample size chosen is representative of the processes assessed.
The following mechanisms are useful in supporting data validation:
- comparing results to those from previous assessments for the same Organizational Unit;
- looking for consistencies between connected or related processes;
- feedback sessions of preliminary findings to the Organizational Unit.
Some data validation may take place during the data collection phase, as data is gathered and evaluated.
If validation cannot be achieved, the circumstance should be clearly stated in the process assessment output
together with a risk analysis associated with potential lack of validity of the results.
5.2.4 Process attribute rating
d) Process attribute rating. A rating shall be assigned based on validated data for each process attribute.
1) the set of process attribute ratings shall be recorded as the process profile for the defined
organizational unit;
2) during the assessment, the defined set of assessment indicators in the Process Assessment Model
shall be used to support the assessor's judgement in rating process attributes in order to provide
the basis for repeatability across assessments;
3) the decision-making process that is used to derive rating judgements shall be recorded;
4) traceability shall be maintained between an attribute rating and the objective evidence used in
determining that rating;
5) for each process attribute rated, the relationship between the indicators and the objective evidence
shall be recorded.
[ISO/IEC 15504-2, 4.2.2 d)]
Rating is essentially based on the assessor’s judgement and relies on validated objective evidence. This
judgement should take into account the assessment purpose and the assessment context.
When the rating elements of the Process Assessment Model used are different from the defined process
attributes (ISO/IEC 15504-2, Clause 5), then these ratings should be translated according to the mechanisms
defined in the Process Assessment Model (see 8.1.3).
Attribute ratings should be validated and recorded, ensuring that each rating record can be uniquely identified
and traced to the process to which it relates. A rating is assigned for each process attribute and the set of
process attribute ratings is provided as the process profile of the assessed Organizational Unit. Each process
attribute is rated based on validated objective evidence gathered using assessment indicators provided by the
Process Assessment Model.
In deciding the rating for each attribute assessed, it is desirable to have the maximum agreement among the
assessors. If the agreement is not unanimous, then rules must be set for the decision-making process (e.g.
consensus or majority vote). The agreed rule should be recorded.
The process profile should be presented in form(s) that allow straightforward interpretation of their meaning
and value. The requirements for constructing a Process Assessment Model ensure that the indicators are
traceable to the statements of process purpose and outcomes in the Process Reference Model and to the
process attributes in ISO/IEC 15504-2, Clause 5. In this clause, further traceability is required between
attribute ratings and the objective evidence used. This is required in order to justify the assessor's judgements
and provide the basis for repeatability. In other words, a third-party verification or repetition of the rating could
trace all the evidence associated with an attribute rating and presumably would arrive at the same results.
Furthermore, in order to facilitate this traceability and to provide confidence in the effective presence
of an indicator, it is required that, for each attribute rated, the link between indicators and objective evidence
be recorded.
5.2.5 Reporting
e) Reporting. The assessment results, including at minimum the outputs specified in 4.5, shall be
documented and reported to the assessment sponsor or to their delegated representative.
[ISO/IEC 15504-2, 4.2.2 e)]
The reporting of the assessment results might simply be in the form of a presentation for an internal
assessment or might be in the form of a detailed report for an independent external assessment. In addition,
other findings and proposed action plans may be prepared for presentation, depending upon the assessment
purpose and whether this additional analysis is performed at the same time as the assessment. The results
may be presented in absolute terms or relative terms in comparison to previous assessment results,
benchmark data, comparison to business needs, etc.
The assessment results will normally be used as a basis for developing an improvement plan or determining
capability and associated risks as appropriate. This guidance is provided in ISO/IEC 15504-4.
5.3 Roles and responsibilities
5.3.1 Responsibilities of the Sponsor
The sponsor of the assessment shall:
a) verify that the individual who is to take responsibility for conformity of the assessment is a competent
assessor;
b) ensure that resources are made available to conduct the assessment;
c) ensure that the assessment team has access to the relevant resources.
[ISO/IEC 15504-2, 4.3.1]
The sponsor will have the responsibilities and the authority to make sure that adequate resources and
competencies are made available in order to perform a conformant assessment. Examples of relevant
resources to which the assessment team requires access are: key personnel for interviews, infrastructure needed
during the assessment, and artefacts to be examined. Although no specific responsibility is assigned to the
Organizational Unit’s management directly, their commitment and motivation are very important. This is
particularly true when the Sponsor is not a member of the Organizational Unit’s management.
5.3.2 Responsibilities of the Competent Assessor
The competent assessor shall:
a) confirm the sponsor's commitment to proceed with the assessment;
b) ensure that the assessment is conducted in accordance with the requirements of this part of
ISO/IEC 15504;
c) ensure that participants in the assessment are briefed on the purpose, scope and approach of the
assessment;
d) ensure that all members of the assessment team have knowledge and skills appropriate to their roles;
e) ensure that all members of the assessment team have access to appropriate documented guidance on
how to perform the defined assessment activities;
f) ensure that the assessment team has the competencies to use the tools chosen to support the
assessment;
g) confirm receipt of the assessment result deliverables by the sponsor;
h) on completion of the assessment, verify and document the extent of conformance of the assessment to
ISO/IEC 15504 (see also 7.4).
[ISO/IEC 15504-2, 4.3.2]
The competent assessor is responsible for ensuring that the assessment achieves its purpose and that it is
conformant with the requirements of ISO/IEC 15504-2. It is therefore imperative that the competent assessor
selects an appropriate documented assessment process. Even if the documented assessment process is
selected by the assessment sponsor, the competent assessor remains responsible for ensuring that
assessors are competent in its use.
5.3.3 Responsibilities of the Assessors
The assessors shall:
a) carry out assigned activities associated with the assessment, e.g. detailed planning, data collection,
data validation and reporting;
b) rate the process attributes.
[ISO/IEC 15504-2, 4.3.3]
The rating activities are performed solely by the competent assessor and assessors. Other personnel may
participate as assessment team members providing specific expertise or supporting clerical work. They may
support assessors in formulating the judgement but will not be responsible for the final rating of process
attributes.
5.4 Defining the initial assessment input
The assessment input shall be defined prior to the data collection phase of an assessment and approved by
the sponsor of the assessment or the sponsor's delegated authority.
[ISO/IEC 15504-2, 4.4.1]
All the information required for the assessment input should be collated, reviewed, approved and documented
before commencing the assessment. The approval of the assessment input by the sponsor of the assessment
is essential since it includes the driving elements of the assessment process. By approving the assessment
input the sponsor also demonstrates involvement and commitment to the purpose of the assessment.
At a minimum, the assessment input shall specify:
a) the identity of the sponsor of the assessment and the sponsor’s relationship to the organizational unit
being assessed;
[ISO/IEC 15504-2, 4.4.2 a)]
The sponsor is normally an individual internal to the organization but not necessarily to the Organizational Unit
being assessed. In the case of independent assessments, the sponsor may be a legal entity external to the
Organizational Unit being assessed, such as an acquirer who wishes to have an independently derived
assessment output.
b) the assessment purpose;
[ISO/IEC 15504-2, 4.4.2 b)]
Different types of assessments have different purposes. The purposes may vary depending upon the business
goals of the sponsor such as facilitating internal process improvement or selecting suppliers (either internal or
external).
c) the assessment scope including:
1) the processes to be investigated within the organizational unit;
2) the highest capability level to be investigated for each individual process within the assessment
scope;
3) the organizational unit that deploys the processes;
4) the context which includes:
i) the size of the organizational unit;
ii) the application domain of the products or services of the organizational unit;
iii) key characteristics (e.g. size, criticality, complexity and quality) of the products or services of
the organizational unit.
[ISO/IEC 15504-2, 4.4.2 c)]
The process scope may inc
...







