Which Software Development Standard Does Your Company Need?
The IT industry is an incredibly competitive one. Software development companies have many things to keep in mind: process optimization, faster delivery, high quality of software products, and customer satisfaction. To demonstrate that they meet recognized standards, many companies obtain certification, with ISO certificates being the most prestigious and widely known. However, several ISO standards apply to software development companies, so which one does your company need?
What is a software development standard?
A software development standard is any standard, protocol, or similar document that describes the rules and procedures for developing software. Such documents are typically present at any development company and are written for use within that specific company.
However, there are also international standards that help software companies worldwide organize their processes around an established and efficient guideline. The best-known bodies publishing such standards are ISO and IEEE.
ISO stands for International Organization for Standardization and IEEE for the Institute of Electrical and Electronics Engineers. Their standards set out rules and practices that help software companies increase the quality of their services, improve the organization of their processes, and deliver better results.
Today, ISO standards are the most common, and a few of them are standards an organization can be certified against. Let's look at them in more detail below.
ISO standards: an overview
ISO is an international standard-setting body that covers many industries, from software development to food and beverage. The main goal of an ISO management-system standard is to help a company optimize its processes and thus increase the quality of its services by providing a set of requirements and rules to follow.
There are over 21,000 ISO standards, so companies naturally choose only those relevant to their activity. Since ISO certification is known to be time-consuming to obtain, here are the main pros and cons of becoming ISO-certified.
The benefits and challenges of ISO certification
ISO certification is known to be detailed and time-consuming, and it can take a company a year or more to obtain one. So why does a company decide to become ISO-certified?
The main benefit of ISO certification is the focus on quality. The ISO 9001 quality management standard is built on the seven quality management principles of ISO 9000:
- Customer focus
- Leadership
- Engagement of people
- Process approach
- Improvement
- Evidence-based decision making
- Relationship management
Therefore, if an organization wishes to receive the certificate, its processes need to reflect these principles.
Other benefits are improved operations and services and, as a result, higher customer satisfaction and revenue.
It may seem that an ISO certificate is a must-have for every software company, so what are the biggest constraints that make companies think twice before getting one?
First, the process of obtaining a certificate is complicated. It can take a year or more for a company to meet all the requirements, and it involves a great deal of documentation. It can also be expensive to become ISO-certified. Hence, certification is more common among larger companies and serves as a competitive advantage.
As mentioned above, there are over 21,000 ISO standards. Among them, software development companies normally adhere to ISO 9000, ISO 27000, ISO 12207, and ISO 29119. Let's have a look at each.
ISO 9000: Quality Management Systems
ISO 9000 is the best-known family of ISO standards. It covers quality management and is the family most often chosen by software development companies.
The ISO 9000 family contains several standards, and ISO 9001 is the only one an organization can be certified against. This standard is strongly customer-focused and aims to help the company deliver consistent quality and value to customers through well-organized processes.
In order to better understand ISO 9001, here are a few sections included in the standard:
- Context of the organization (external and internal issues, relevant interested parties, the processes, etc.)
- Leadership (quality policy, the establishment of responsibility and authority)
- Planning (consideration of issues and requirements, determination of risks and opportunities, the establishment of quality objectives, planning of changes)
- Support (provision of resources, competence of employees, awareness and communication, creation and updating of documented information, etc.)
- Operation (planning and control of operations, communication with customers and determination of their requirements, establishment and maintenance of the design and development process, etc.)
- Performance evaluation (internal audit programme, monitoring and measurement, management reviews)
- Improvement (nonconformity and corrective action, continual improvement)
These are the main requirement clauses of ISO 9001; the standard also contains introductory clauses on scope, normative references, and terms and definitions.
ISO 9001 is applicable to any organization regardless of industry or size. In order to obtain certification, a company needs to do the following:
- Implement a quality management system (QMS) that meets the ISO 9001 requirements
- Have the QMS audited by an accredited Certification Body
- Upon passing the audit, the certificate is issued for three years, with surveillance audits in between and a recertification audit before the certificate expires
ISO 27000: Information Security
Another family popular among software development companies, ISO 27000 covers information security management within an organization. The main goal of the ISO 27000 family is to protect the company's information assets and improve its security practices.
The best-known standards in the ISO 27000 family are ISO 27001 and ISO 27002. ISO 27001 specifies the requirements for an information security management system (ISMS), a management-based system for identifying and treating information security risks, and it is the standard an organization can be certified against. ISO 27002 is not certifiable: it is a code of practice that gives implementation guidance for the security controls referenced in Annex A of ISO 27001.
The biggest benefit of ISO 27001 certification is independent evidence that the company manages the security of its processes and data through a defined, risk-based, and audited system. It is not a guarantee against breaches, but it makes a company more credible and trustworthy to clients while giving it a competitive advantage over similar businesses.
Some of the main ISO 27001 clauses are:
- Leadership and commitment to information security
- Planning of the information security management system
- Information security risk assessment and risk treatment (including the Statement of Applicability, which records which Annex A controls apply and why)
- Performance evaluation: monitoring, internal audit, and management review
- Improvement: nonconformity and corrective action
While ISO 27001 certification is not obligatory, the nature of your business or your customers' contracts might require you to obtain it. In this case, you will need to perform the same steps as for ISO 9001: define the scope of the ISMS, implement the requirements, and pass the Certification Body's audit.
ISO 12207: Software life cycle processes
Another standard applicable to software development companies is ISO 12207. It covers all aspects of software development and maintenance and, in the 2008 edition, defines 43 system and software life cycle processes. The earlier edition grouped its processes into three categories: primary, supporting, and organizational; the 2008 edition arranges them into the process groups listed below.
The main sections of the ISO 12207 standard are:
- Organizational project enabling (lifecycle management, infrastructure management, HR management, quality management)
- Project (planning process, assessment and control, decision management, risk management, information management, etc.)
- Technical (analysis of system requirements, system architectural design, implementation, integration, software installation, etc.)
- Software implementation (implementation process, requirements analysis, architectural design, construction process, etc.)
- Software support (documentation management, configuration management, quality assurance, verification and validation, review and audit, etc.)
The great benefit of ISO 12207 is its flexibility: the standard is meant to be tailored, so you select the processes required for your specific project.
Another note on ISO 12207: ISO 9001 does not require it, but a software company seeking ISO 9001 certification still has to demonstrate controlled design and development processes, and ISO 12207 is a common way to define them. ISO/IEC/IEEE 90003 gives guidance on applying ISO 9001 to computer software.
ISO 29119: Software Testing
One more family of standards applicable to software development companies is ISO 29119, which focuses on software testing. While many development companies provide a range of services, some focus on testing only, so this standard should be taken into consideration.
ISO 29119 is comprised of five parts:
- Part 1: Concepts and definitions
- Part 2: Test processes
- Part 3: Test documentation
- Part 4: Test techniques
- Part 5: Keyword-driven testing
The main idea behind ISO 29119 is that testing is a primary means of mitigating product risk. Therefore, all parts follow a risk-based approach and encourage companies to prioritize test effort on the functions where failure would matter most.
Who can grant your company an ISO certification?
A common misconception is that only ISO itself can certify an organization. In fact, ISO develops and publishes the standards but does not perform certification; certificates are issued by independent registrars, also called Certification Bodies (CBs).
For a CB's certificates to be internationally recognized, the CB must be accredited against ISO/IEC 17021-1 by an accreditation body that is a signatory to the International Accreditation Forum (IAF) multilateral recognition arrangement. Before choosing a CB, check that its accreditation covers the standard you want to be certified against. A list of accredited registrars is available from the relevant accreditation body.
Do you need an ISO certificate?
In some countries, ISO certification is required by law or by contract, in which case the answer is obviously yes. But if it is not obligatory in your country, we recommend that you carefully evaluate all the pros and cons of becoming ISO-certified.
An ISO certificate will give you better management of processes and will keep a close focus on the quality of your services. ISO certification is also a significant competitive advantage, especially in the IT industry.
However, as stated above, certification can take considerable time and resources, so you need to evaluate whether it will pay off. For small companies and startups, we recommend applying the CMMI model for process optimization, which is much more flexible. Though CMMI is a process maturity model (while ISO 9001 is a requirements standard you are audited against), it is widely used in the US and provides useful and detailed guidance on process improvement.
As for established and mature software development companies, we can say that ISO certification is absolutely worth it. Being ISO 9001-certified ourselves, we can say that it contributes to better organization of processes, increases trust among clients, and indicates high quality.
Irina Linnik