ISO/IEC 40180:2017 Information technology

Courtesy: ISO/IEC 40180:2017 Information technology

ISO/IEC 19770-1 is a framework of ITAM processes to enable an organization to prove that it is performing software asset management to a standard sufficient to satisfy corporate governance requirements and ensure effective support for IT service management overall. ISO/IEC 19770-1:2017 specifies the requirements for the establishment, implementation, maintenance and improvement of a management system for IT asset management (ITAM), referred to as an “IT asset management system” (ITAMS).

While ISO 55001:2014 specifies the requirements for the establishment, implementation, maintenance and improvement of a management system for asset management, referred to as an “asset management system”, it is primarily focused on physical assets with little provision for the management of software assets. There are a number of characteristics of IT assets which create additional or more detailed requirements. As a result of these characteristics of IT assets, the 19770-1 management system for IT assets has explicit additional requirements dealing with:

• controls over software modification, duplication and distribution, with particular emphasis on access and integrity controls;
• audit trails of authorizations and of changes made to IT assets;
• controls over licensing, underlicensing, overlicensing, and compliance with licensing terms and conditions;
• controls over situations involving mixed ownership and responsibilities, such as in cloud computing and with ‘Bring-Your-Own-Device’ (BYOD) practices; and
• reconciliation of IT asset management data with data in other information systems when justified by business value, in particular with financial information systems recording assets and expenses.
• The first generation was published in 2006.
• The second generation was published in 2012. It retained the original content (with only minor changes) but splits the standard up into four tiers which can be attained sequentially.