ISO IEC 29110-3-3-2016 Systems and software engineering - Lifecycle profiles for Very Small Enterprises (VSEs) - Part 3-3 Certification requirements for conform.pdf

1、Systems and software engineering Lifecycle profiles for Very Small Enterprises (VSEs) Part 3-3: Certification requirements for conformity assessments of VSE profiles using process assessment and maturity models Ingnierie des systmes et du logiciel Profils de cycle de vie pour trs petits organismes (

2、TPO) Partie 3-3: Exigences de cetification pour la vrification de conformit en utilisant la vrification des processus et les niveaux de maturit INTERNATIONAL STANDARD ISO/IEC 29110-3-3 Reference number ISO/IEC 29110-3-3:2016(E) First edition 2016-10-15 ISO/IEC 2016 ii ISO/IEC 2016 All rights reserve

3、d COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2016, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an i

4、ntranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightis

5、o.org www.iso.org ISO/IEC 29110-3-3:2016(E) ISO/IEC 29110-3-3:2016(E)Foreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 Terms and definitions . 2 4 General requirements . 4 5 Structural requirements 4 6 Resource requirements . 4 6.1 Introduction 4 6.2 Independence . 4 6.3 Competence o

6、f people 4 7 Process requirements . 5 7.1 General . 5 7.1.1 Introduction . 5 7.1.2 Class 2 assessments (from ISO/IEC 33002) . 7 7.2 Application . 7 7.3 Application review . 7 7.4 Evaluation 7 7.4.1 Introduction . 7 7.4.2 Plan the certification assessment 7 7.4.3 Collect the data 9 7.4.4 Validate the

7、 data . 9 7.4.5 Derive results 9 7.4.6 Report the assessment . . 9 7.5 Review .10 7.6 Certification decision 10 7.7 Certification documentation 10 7.8 Directory of certified products .11 7.9 Surveillance.11 7.9.1 Introduction 11 7.9.2 Process improvement reviews 11 7.10 Changes affecting certificati

8、on .12 7.11 Termination, reduction, suspension or withdrawal of certification 12 7.12 Records .12 7.13 Complaints and appeals .12 8 Management system requirements .12 Annex A (normative) Competencies for resources .13 Annex B (informative) Typical third-party certification process 16 Bibliography .1

9、8 ISO/IEC 2016 All rights reserved iii Contents Page ISO/IEC 29110-3-3:2016(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO

10、or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,

11、 governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance ar

12、e described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn

13、 to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/

14、or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions related to conformit y

15、assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html. The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee S

16、C 7, Software and systems engineering. A list of all parts in the ISO/IEC 29110 series can be found on the ISO website.iv ISO/IEC 2016 All rights reserved ISO/IEC 29110-3-3:2016(E) Introduction Very Small Entities (VSEs) around the world are creating valuable products and services. For the purpose o

17、f ISO/IEC 29110, a Very Small Entity (VSE) is an enterprise, an organization, a department or a project having up to 25 people. Since many VSEs develop and/or maintain system and software components used in systems, either as independent products or incorporated in larger systems, a recognition of V

18、SEs as suppliers of high quality products is required. According to the Organization for Economic Co-operation and Development (OECD) SME and Entrepreneurship Outlook report (2005), “Small and Medium Enterprises (SMEs) constitute the dominant form of business organization in all countries world-wide

19、, accounting for over 95 % and up to 99 % of the business population depending on country”. The challenge facing governments and economies is to provide a business environment that supports the competitiveness of this large heterogeneous business population and that promotes a vibrant entrepreneuria

20、l culture. From studies and surveys conducted, it is clear that the majority of International Standards do not address the needs of VSEs. Implementation of and conformance with these standards is difficult, if not impossible. Consequently VSEs have no, or very limited, ways to be recognized as entit

21、ies that produce quality systems/system elements including software in their domain. Therefore, VSEs are excluded from some economic activities. It has been found that VSEs find it difficult to relate International Standards to their business needs and to justify the effort required to apply standar

22、ds to their business practices. Most VSEs can neither afford the resources, in terms of number of employees, expertise, budget and time, nor do they see a net benefit in establishing over-complex systems or software life cycle processes. To address some of these difficulties, a set of guides has bee

23、n developed based on a set of VSE characteristics. The guides are based on subsets of appropriate standards processes, activities, tasks, and outcomes, referred to as Profiles. The purpose of a profile is to define a subset of International Standards relevant to the VSEs context; for example, proces

24、ses, activities, tasks, and outcomes of ISO/IEC/IEEE 12207 for software; and processes, activities, tasks, and outcomes of ISO/IEC/IEEE 15288 for systems; and information products (documentation) of ISO/IEC/IEEE 15289 for software and systems. VSEs can achieve recognition through implementing a prof

25、ile and by being audited against ISO/IEC 29110 specifications. The ISO/IEC 29110- series of International Standards and Technical Reports can be applied at any phase of system or software development within a life cycle. This series of International Standards and Technical Reports is intended to be

26、used by VSEs that do not have experience or expertise in adapting/tailoring ISO/IEC/IEEE 12207 or ISO/IEC/IEEE 15288 standards to the needs of a specific project. VSEs that have expertise in adapting/tailoring ISO/IEC/IEEE 12207 or ISO/IEC/IEEE 15288 are encouraged to use those standards instead of

27、ISO/IEC 29110. ISO/IEC 29110 is intended to be used with any lifecycle such as waterfall, iterative, incremental, evolutionary or agile. Systems, in the context of ISO/IEC 29110, are typically composed of hardware and software components. The ISO/IEC 29110- series, targeted by audience, has been dev

28、eloped to improve system or software and/or service quality, and process performance. See Table 1. ISO/IEC 2016 All rights reserved v ISO/IEC 29110-3-3:2016(E) Table 1 ISO/IEC 29110 target audience ISO/IEC 29110 Title Target audience Part 1 Overview VSEs and their customers, assessors, standards pro

29、ducers, tool vendors and methodology vendors. Part 2 Framework for profile preparation Profile producers, tool vendors and method- ology vendors. Not intended for VSEs. Part 3 Certification and assessment guidance VSEs and their customers, assessors, accred- itation bodies. Part 4 Profile specificat

30、ions VSEs, customers, standards producers, tool vendors and methodology vendors. Part 5 Management, engineering and service delivery guides VSEs and their customers. Part 6 Management and engineer- ing guides not tied to a spe- cific profile VSEs and their customers. If a new profile is needed, ISO/

31、IEC 29110-4 and ISO/IEC/TR 29110-5 can be developed with minimal impact to existing documents. ISO/IEC/TR 29110-1 defines the terms common to the Set of ISO/IEC 29110 Documents. It introduces processes, life cycle and standardization concepts, the taxonomy (catalogue) of ISO/IEC 29110 profiles, and

32、the ISO/IEC 29110- series. It also introduces the characteristics and needs of a VSE, and clarifies the rationale for specific profiles, documents, standards and guides. ISO/IEC 29110-2-1 introduces the concepts for systems and software engineering profiles for VSEs. It establishes the logic behind

33、the definition and application of profiles. For standardized profiles, it specifies the elements common to all profiles (structure, requirements, conformance, assessment). For domain-specific profiles (profiles that are not standardized and developed outside of the ISO process), it provides general

34、guidance adapted from the definition of standardized profiles. ISO/IEC 29110-3 defines certification schemes, assessment guidelines and compliance requirements for process capability assessment, conformity assessments, and self-assessments for process improvements. ISO/IEC 29110-3 also contains info

35、rmation that can be useful to developers of certification and assessment methods and developers of certification and assessment tools. ISO/IEC 29110-3 is addressed to people who have direct involvement with the assessment process, e.g. the auditor, certification and accreditation bodies and the spon

36、sor of the audit, who need guidance on ensuring that the requirements for performing an audit have been met. ISO/IEC 29110-4-m provides the specification for all profiles in one profile group that are based on subsets of appropriate standards elements. ISO/IEC/TR 29110-5-m-n provides a management an

37、d engineering guide for each profile in one profile group. ISO/IEC/TR 29110-6-x provides management and engineering guides not tied to a specific profile. This part of ISO/IEC 29110 presents conformity assessment requirements using process assessments and maturity models. This part of ISO/IEC 29110

38、is addressed to people who have direct involvement with the assessment process, e.g. assessor, certification and accreditation bodies and sponsor of an assessment. Figure 1 describes the ISO/IEC 29110 International Standards (IS) and Technical Reports (TR) and positions the parts within the framewor

39、k of reference. Overview, assessment guide, management and engineering guide are available from ISO as freely available Technical Reports (TR). The Framework document, profile specifications and certification schemes are published as International Standards (IS).vi ISO/IEC 2016 All rights reserved I

40、SO/IEC 29110-3-3:2016(E) Figure 1 ISO/IEC 29110 Series ISO/IEC 2016 All rights reserved vii Systems and software engineering Lifecycle profiles for Very Small Enterprises (VSEs) Part 3-3: Certification requirements for conformity assessments of VSE profiles using process assessment and maturity mode

41、ls 1 Scope This document contains the requirements for certification bodies performing conformity assessments, of the requirements contained in VSE profile specifications (e.g. ISO/IEC 29110-4-1 for VSE software basic profile), using process assessments and maturity models. This document is based on

42、 published ISO/IEC standards and guides for a) certification bodies (see ISO/IEC 17065) b) the process assessment and organizational process maturity performed according to the requirements of the ISO/IEC 33001 to ISO/IEC 33099 family of process assessment standards, and c) based on ISO/IEC 29169 to

43、 support an environment which encourages worldwide recognition of VSE profiles conformity assessment results. The overall framework for conformity assessment follows the approach defined in ISO/IEC 17065:2012. This document has been developed following practical use and in consultation with key stak

44、eholders, national accreditation bodies, and ISOs policy committee for conformity assessment (CASCO). This document is addressed to people and certification bodies who have a direct relationship with the assessment process based on the VSE profiles. It is intended that ISO/IEC/TR 29110-1, ISO/IEC 29

45、110-2-1 and ISO/IEC 29110-4-1 (containing VSE profile specifications) be read first when investigating the possibility of conducting VSE profile certification. NOTE Any clause with requirements directly copied from other standards has those copied requirements marked up in a box. Other requirements

46、which are also copied but for which information is added are not marked up in a box but their source is clearly referenced in the text. 2 Normative references The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document

47、. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 17065:2012, Conformity assessment Requirements for bodies certifying products, processes and services ISO/IEC/TR 29110-3-1, System

48、s and software engineering Lifecycle profiles for Very Small Entities (VSEs) Part 3-1: Assessment guide ISO/IEC 29110-4-1, Software engineering Lifecycle profiles for Very Small Entities (VSEs) Part 4-1: Software engineering - Profile specifications: Generic profile group INTERNATIONAL ST ANDARD ISO

49、/IEC 29110-3-3:2016(E) ISO/IEC 2016 All rights reserved 1 ISO/IEC 29110-3-3:2016(E) ISO/IEC 29169, Information technology Process assessment Application of conformity assessment methodology to the assessment to process quality characteristics and organizational maturity ISO/IEC 33002:2015, Information technology Process assessment Requirements for performing process assessment ISO/IEC 33003, Information technology Process assessment Requirements for process measurement fram