ISO/IEC 15504-3:2004

INTERNATIONAL ISO/IEC
STANDARD 15504-3
First edition
2004-01-15


Information technology — Process
assessment —
Part 3:
Guidance on performing an assessment
Technologies de l'information — Évaluation des procédés du logiciel —
Partie 3: Réalisation d'une évaluation




Reference number
ISO/IEC 15504-3:2004(E)
©
ISO/IEC 2004

---------------------- Page: 1 ----------------------
ISO/IEC 15504-3:2004(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


©  ISO/IEC 2004
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2004 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 15504-3:2004(E)
Contents Page
Foreword. v
Introduction . vi
1 Scope. 1
2 Normative references. 1
3 Terms and definitions. 1
4 Overview of Process Assessment . 2
4.1 Introduction. 2
4.2 Assessment process. 2
4.3 Measurement Framework for Process Capability . 3
4.4 Process Reference Model. 3
4.5 Process Assessment Model. 3
4.6 Assessment Tools. 3
4.7 Competency of assessment team . 4
4.8 Assessment approaches. 4
4.9 Success factors for process assessment . 4
5 Guidance on Requirements for Performing an Assessment. 5
5.1 General. 5
5.2 The assessment process activities. 5
5.3 Roles and responsibilities. 9
5.4 Defining the initial assessment input . 10
5.5 Recording the assessment output. 14
5.6 Selecting a Documented Assessment Process. 14
6 Measurement Framework for Process Capability . 15
6.1 Level 0: Incomplete process. 16
6.2 Level 1: Performed process. 16
6.3 Level 2: Managed process . 17
6.4 Level 3: Established process. 20
6.5 Level 4: Predictable process . 22
6.6 Level 5: Optimizing process . 25
6.7 Rating process attributes. 27
6.8 Process capability level model. 29
7 Process Reference Models. 30
7.1 Interpreting The Requirements For A Process Reference Model . 31
7.2 Selecting Process Reference Models . 33
8 Process Assessment Models. 34
8.1 Interpreting the requirements for a Process Assessment Model . 34
8.2 Selection of a Process Assessment Model. 37
9 Selecting and Using Assessment Tools. 39
10 Guidance on Competency of Assessors.42
10.1 Overview. 42
10.2 Gaining and maintaining competence . 43
11 Guidance on Verification of Conformity. 43
11.1 Verifying conformity of Process Reference Models. 44
11.2 Verifying conformity of Process Assessment Models. 44
11.3 Verifying conformity of process assessments .45
© ISO/IEC 2004 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 15504-3:2004(E)
Annex A (informative) An Exemplar Documented Assessment Process .46
Annex B (informative) Guidance on Indicators.52
Bibliography.54



iv © ISO/IEC 2004 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 15504-3:2004(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to the national bodies for voting. Publication
as an International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 15504-3 was prepared by Joint Technical Committee ISO/IEC/TC JTC 1, Information technology,
Subcommittee SC 7, Software and system engineering.
This first edition cancels and replaces ISO/IEC TR 15504-4:1998 and ISO/IEC TR 15504-6:1998, which have
been technically revised.
ISO/IEC 15504 consists of the following parts, under the general title Information technology — Process
assessment:
 Part 2: Performing an assessment
 Part 3: Guidance on performing an assessment
 Part 4: Guidance on use for process improvement and process capability determination
The following parts are in preparation:
 Part 1: Concepts and vocabulary
 Part 5: An exemplar Process Assessment Model
The complete series will replace ISO/IEC TR 15504-1 to ISO/IEC TR 15504-9.

© ISO/IEC 2004 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/IEC 15504-3:2004(E)
Introduction
This part of ISO/IEC 15504 assumes familiarity with the normative part of the standard. It is primarily
addressed to the competent assessor and other people, such as the sponsor of the assessment, who need
guidance on ensuring that the requirements for performing an assessment have been met. It will also be of
value to developers of assessment methods and of tools to support an assessment.
ISO/IEC 15504-1 will provide a general introduction to the concepts of process assessment and a glossary for
assessment related terms.
ISO/IEC 15504-2 sets out the minimum requirements for performing an assessment that ensure consistency
and repeatability of the ratings. The requirements help to ensure that the assessment output is self-consistent
and provides evidence to substantiate the ratings and to verify compliance with the requirements.
ISO/IEC 15504-2 defines the Measurement Framework for process capability and the requirements for:
a) performing an assessment;
b) process reference models;
c) process assessment models;
d) verifying conformity of process assessment.
This part of ISO/IEC 15504 provides guidance for interpreting the minimum requirements for performing an
assessment. It also provides guidance on:
 the nature of the measurement framework;
 the role and function of process reference models;
 the requirements for and selection of a process assessment model;
 the selection and use of assessment tools;
 criteria for assessor competence; and
 verification of conformity of process assessment.
ISO/IEC 15504-3 incorporates, as Annex A, an exemplar documented assessment process.
Process assessment, as defined in this International Standard, is based on a two dimensional model
containing a process dimension and a capability dimension. The process dimension is provided by an external
process reference model, which defines a set of processes characterized by statements of process purpose
and process outcomes. The capability dimension consists of a measurement framework comprising six
process capability levels and their associated process attributes.
The assessment output consists of a set of process attribute ratings for each process assessed, termed the
process profile, and may also include the capability level achieved by that process.
Process assessment is applicable in the following circumstances:
a) by or on behalf of an organization with the objective of understanding the state of its own processes for
process improvement;
vi © ISO/IEC 2004 – All rights reserved

---------------------- Page: 6 ----------------------
ISO/IEC 15504-3:2004(E)
b) by or on behalf of an organization with the objective of determining the adequacy of its own processes for
a particular requirement or class of requirements;
c) by or on behalf of an organization with the objective of determining the adequacy of another
organization’s processes for a particular contract or class of contracts.
As described in ISO/IEC 15504-4, process assessment is an activity that can be performed either as part of a
process improvement initiative or as part of a capability determination approach. The formal entry to the
assessment process occurs with the compilation of the assessment input, which defines the purpose of the
assessment (why it is being carried out), the scope of the assessment, what constraints apply to the
assessment and any additional information that needs to be gathered. The assessment input also defines the
responsibility of the various parties in the performance of an assessment. An assessor who has the necessary
competence and skills oversees the assessment. Assessors may be from within the organization, external to
the organization or a combination of both.
An assessment is carried out against a defined assessment input utilizing conformant process assessment
model(s) related to one or more conformant or compliant process reference models. ISO/IEC 15504-5
contains an exemplar process assessment model that is based upon the process reference model defined in
Annex F of ISO/IEC 12207:1995/Amd 1:2002.

© ISO/IEC 2004 – All rights reserved vii

---------------------- Page: 7 ----------------------
INTERNATIONAL STANDARD ISO/IEC 15504-3:2004(E)

Information technology — Process assessment —
Part 3:
Guidance on performing an assessment
1 Scope
This part of ISO/IEC 15504 provides guidance on meeting the minimum set of requirements for performing an
assessment contained in ISO/IEC 15504-2.
It provides an overview of process assessment and interprets the requirements through the provision of
guidance on:
a) performing an assessment;
b) the measurement framework for process capability;
c) process reference models and process assessment models;
d) selecting and using assessment tools;
e) competency of assessors;
f) verification of conformity.
This document uses the following schema: the text inside a box is quoted from the normative ISO/IEC 15504-2
and the text following a box is guidance about the normative text. If the quoted text includes a clause
reference, it is understood that ISO/IEC 15504-2 should be referred to.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 15504-2:2003, Information technology — Process assessment — Part 2: Performing an assessment
1)
ISO/IEC TR 15504-9, Information technology — Software process assessment — Part 9: Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC TR 15504-9 apply.

1) A revision of this document is in preparation under the following reference: ISO/IEC 15504-1.
© ISO/IEC 2004 – All rights reserved 1

---------------------- Page: 8 ----------------------
ISO/IEC 15504-3:2004(E)
4 Overview of Process Assessment
4.1 Introduction
Process assessment is undertaken to understand the capability of an Organizational Unit's current processes.
Process assessment may encompass all or a subset of the processes (e.g. project management,
development, maintenance, configuration management) used by an organization.
Process assessment is performed by one or more assessor(s), one of them (the competent assessor) being
responsible for assuring conformity of the assessment to the requirements in ISO/IEC 15504-2.
The assessment of the Organizational Unit's processes is made utilizing a Process Assessment Model based
upon a Process Reference Model (e.g. ISO/IEC 12207:1995/Amd 1:2002). A Process Reference Model
describes the processes in terms of purpose and outcomes. A Process Assessment Model provides detailed
indicators necessary to assess the achievement of the process attributes.
There is a set of 9 process attributes applicable to any process and characterizing the capability of an
implemented process. They are defined in ISO/IEC 15504-2.
Process attributes are grouped into capability levels that define an ordinal scale of process capability and
provide a rational route for improvement of each individual process. Each process attribute represents
measurable characteristics which support achievement of the process purpose and contribute to meeting the
business goals of the organization.
The fundamental assessment output consists of up to nine process attribute ratings (referred to as a process
profile) for each process assessed.
4.2 Assessment process
An assessment must be conducted according to a documented process that is capable of meeting the
assessment purpose. The key elements of a documented assessment process are closely tied to the
requirements for performing an assessment, defined in Clause 4 of ISO/IEC 15504-2. A brief overview of
these elements is given in the next section while more details on interpreting the activities for performing an
assessment are given in Clause 5 of this part of the standard. Note, however, that the guidance provided does
not constitute a complete, documented assessment process. Its purpose is to provide help in interpreting the
requirements in ISO/IEC 15504-2 and to provide a starting point for selecting or creating a documented
assessment process.
The documented assessment process is the set of instructions for conducting the assessment. A documented
assessment process addresses the following aspects of the conduct of an assessment:
 defining the inputs to an assessment such as purpose, scope, constraints and the identity of the
conformant Process Assessment Model to be used;
 defining key roles and responsibilities;
 providing guidance for planning, data collection, data validation, process attributes rating and reporting of
assessment results;
 recording of assessment outputs.
Clause 5 provides guidance on requirements for the assessment process and 11.3 provides guidance on
verifying conformity of process assessments. In addition, Annex A provides an exemplar documented
assessment process.
2 © ISO/IEC 2004 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/IEC 15504-3:2004(E)
4.3 Measurement Framework for Process Capability
The Measurement Framework defines a six point ordinal scale of increasing process capability ranging from a
process which is not capable of achieving its purpose (process capability level zero) to a process which
optimizes its performance (process capability level 5). Each process has a set of process attribute ratings that
constitute the process profile. Process attribute ratings are expressed using the process attribute scale as
defined in ISO/IEC 15504-2. The process capability level model is described in terms of the process attribute
ratings that must be achieved in order to achieve a particular level. Clause 6 provides guidance on the
Measurement Framework for process capability.
4.4 Process Reference Model
A Process Reference Model describes a set of one or more processes in terms of purpose and expected
outcomes.
The purpose describes the high-level objectives that the process should achieve while the associated
outcomes are the expected results of a successful enactment of the process. The purpose statements in
conjunction with the outcomes describe what to achieve, but do not prescribe how the process should achieve
its objectives. Clause 7 provides guidance on Process Reference Models and 11.1 provides guidance on
verifying conformity or compliance of Process Reference Models.
Annex F of ISO/IEC 12207:1995/Amd 1:2002, as well as ISO/IEC 15288, provide Process Reference Models.
4.5 Process Assessment Model
A Process Assessment Model as defined in this International Standard is one that meets the requirements
specified in ISO/IEC 15504-2. In summary, a conformant Process Assessment Model is one:
 that is suitable for the purpose of process assessment;
 whose relevant elements are mapped to the processes described in a selected conformant Process
Reference Model(s), and to the relevant process attributes defined in ISO/IEC 15504-2;
 that is base upon a set of indicators for use during an assessment to gather the information about
processes and process attributes;
 that has a formal and verifiable mechanism for expressing the information gathered using the Process
Assessment Model into process attribute ratings as defined in ISO/IEC 15504-2.
Clause 8 provides guidance on Process Assessment Models and 11.2 provides guidance on verifying
conformity of Process Assessment Models. The model in ISO/IEC 15504-5 is an exemplar Process
Assessment Model based on the Process Reference Model defined in ISO/IEC 12207:1995/Amd 1:2002.
4.6 Assessment Tools
In any assessment, data will need to be collected, recorded, stored, collated, processed, analysed, retrieved
and presented. This may be supported by various tools. For some assessments, the support tools may be
paper-based (forms, questionnaires, checklists, etc.). In some cases the volume and complexity of the
assessment information may result in the need for computer-based support tools.
Regardless of the form of the supporting tools, their objectives are:
 to help an assessor perform an assessment in a consistent and reliable manner, reducing subjectivity and
contributing to the achievement of valid, useful and comparable assessment results;
 to perform the assessment more efficiently.
© ISO/IEC 2004 – All rights reserved 3

---------------------- Page: 10 ----------------------
ISO/IEC 15504-3:2004(E)
In order to achieve these objectives, the tools need to make a Process Assessment Model and its indicators
accessible to the assessors.
Clause 9 provides guidance on selecting and using assessment tools.
4.7 Competency of assessment team
Assessments are performed by individuals:
 with an adequate mix of education, training and experience on relevant processes,
 who have access to appropriate documented guidance on how to perform the defined assessment
activities,
 who have the competencies to use the tools chosen to support the assessment.
The competency of team members should be verified by the competent assessor before assigning roles and
responsibilities for performing the assessment.
The competency of the competent assessor will be verified by the sponsor.
Clause 10 provides guidance on competency of assessors.
4.8 Assessment approaches
4.8.1 Self-assessment
A self-assessment is carried out by an organization to assess the capability of its own process. The sponsor of
a self-assessment is normally internal to the Organizational Unit as are the member(s) of the assessment
team.
4.8.2 Independent assessment
An independent assessment is an assessment conducted by an assessment team whose member(s) are
independent of the Organizational Unit being assessed. An independent assessment may be conducted, for
example, by an organization on its own behalf as independent verification that its assessment program is
functioning properly; the assessment sponsor will belong to the same organization but not necessarily to the
Organizational Unit being assessed.
The sponsor of an assessment may be external to the Organizational Unit being assessed, such as an
acquirer who wishes to have an independent determination of process capability. The degree of
independence, however, may vary according to the purpose, scope and context of the assessment.
In the case of an external assessment sponsor, mutual agreement between the assessment sponsor and the
assessed organisation is assumed.
4.9 Success factors for process assessment
The following factors are essential to a successful process assessment.
4.9.1 Commitment
The commitment of the sponsor is essential to ensuring that the assessment objectives are met. This
commitment requires that the necessary resources, time and personnel are available to perform the
assessment. The competent assessor will confirm the sponsor's commitment to proceed with the assessment.
4 © ISO/IEC 2004 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/IEC 15504-3:2004(E)
4.9.2 Motivation
The attitude of the organization's management has a significant influence on the outcome of an assessment.
The organization's management, therefore, needs to motivate participants to be open and constructive.
Process assessments focus on the process, not on the performance of Organizational Unit members
implementing the process. The intent is to make the processes more effective in support of the defined
business goals, not to allocate blame to individuals.
Providing feedback and maintaining an atmosphere that encourages open discussion about preliminary
findings during the assessment helps to ensure that the assessment output is meaningful to the
Organizational Unit. The organization needs to recognize that the participants are a principal source of
knowledge and experience about the process and that they are in a good position to identify potential
weaknesses.
4.9.3 Confidentiality
Respect for the confidentiality of the sources of information and documentation gathered during assessment is
essential in order to secure that information. Where interviews or discussions are employed, consideration
should be given to ensuring that participants do not feel threatened or have any concerns regarding
confidentiality. Some of the information provided might be proprietary to the Organizational Unit. It is therefore
important that adequate controls are in place to handle such information.
4.9.4 Relevance
The Organizational Unit members should believe that the assessment will result in some benefits that will
accrue to them directly or indirectly.
4.9.5 Credibility
The sponsor, the management and the staff of the Organizational Unit should all believe that the assessment
will deliver a result which is objective and is representative of the assessment scope. It is important that all
parties can be confident that the assessors have adequate assessment experience, are sufficiently impartial
and have an adequate understanding of the Organizational Unit and its business to conduct the assessment.
5 Guidance on Requirements for Performing an Assessment
5.1 General
The requirements for performing an assessment defined in ISO/IEC 15504-2 aim at achieving a greater
degree of uniformity in the approach to process assessment, so as to maximize the reliability of different
approaches and provide a degree of comparability between the results of different assessments. It may make
sense to verify the requirements prior to and during the course of the assessment so that corrective actions
can occur.
5.2 The assessment process activities
The assessment shall be conducted according to a documented assessment process that is capable of
meeting the assessment purpose.
[ISO/IEC 15504-2, 4.2.1]

© ISO/IEC 2004 – All rights reserved 5

---------------------- Page: 12 ----------------------
ISO/IEC 15504-3:2004(E)
This clause addresses two different aspects of process assessment:
 The documented assessment process shall be capable of meeting the assessment purpose;
 The assessment shall be conducted in accordance with the documented assessment process.
The assessment purpose is defined as one of the assessment inputs [ISO/IEC 15504-2, 4.4.2 b)]; this
International Standard defines assessment purpose as “a statement, provided as part of
...