CMM vs.

ISO
David S. Craft CIRM, PMP
Engineering &
Manufactuing Services
11 April 2007

CMM vs. ISO, Sarbanes Oxley

/ 10 April 2007 / EDS INTERNAL

Agenda
Who Am I
CMM
ISO
Similarities And Differences
Sarbanes Oxley

11 April 2007

CMM vs. ISO, Sarbanes Oxley

2

/ 10 April 2007 / EDS INTERNAL

Who Am I
Managing Consultant
Engineering and Manufacturing Services
Applications Service Delivery

Shift Supervisor
Team Leader

Inventory Control Manager

Industrial Engineer

Internal ISO Auditor

Materials Manage
Information Specialist, SeniorVISTA Volunteer
Consultant
Manager Production Planning &
Chief Industrial Engineer
Project Manager
11 April 2007

CMM vs. ISO, Sarbanes Oxley

3

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

4

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

5

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

6

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

7

/ 10 April 2007 / EDS INTERNAL

CMMI History
Federal government cannot distinguish between competing bids for software
development
Early 1980s - Federal Government (Congress) awards a contract to establish
the Software Engineering Institute (SEI) at Carnegie Mellon University
(sponsored by the DOD)
1988 - SEI begins work on a Process Maturity Framework for judging a
companys capability to produce software
The Process Maturity Framework evolves into the Capability Maturity Model
(CMM)
August 1991 SW-CMM Version 1 released
SE-CMM developed by the Enterprise Process Improvement Collaboration
(EPIC)
1992 - CMM Version 1.1 released
1999 - Begin developing CMMI (CMM Integrated)
2002 CMMI SE/SW/IPPD/SS Version 1.1 introduced
200? - CMMI Version 1.2 Released

11 April 2007

CMM vs. ISO, Sarbanes Oxley

8

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

9

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

10

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

11

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

12

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

13

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

14

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

15

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

16

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

17

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

18

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

19

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

20

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

21

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

22

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

23

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

24

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

25

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

26

/ 10 April 2007 / EDS INTERNAL

ISO History
Began with British Military standards
ISO organization was established in 1947
Headquartered in Geneva, Switzerland
Currently composed of 148 National Standard Bodies
and 2,981 technical bodies
As of 12/31/05 there are 15,649 International
Standards embodied in 573,494 pages of English text

11 April 2007

CMM vs. ISO, Sarbanes Oxley

27

/ 10 April 2007 / EDS INTERNAL

What are standards?

Standards are documented agreements containing technical specifications
or other precise criteria to be used consistently as rules, guidelines, or
definitions of characteristics, to ensure that materials, products, processes
and services are fit for their purpose.
For example, the format of the credit cards, phone cards, and "smart" cards
that have become commonplace is derived from an ISO International
Standard. Adhering to the standard, which defines such features as an
optimal thickness (0,76 mm), means that the cards can be used worldwide.
International Standards thus contribute to making life simpler, and to
increasing the reliability and effectiveness of the goods and services we use.
Last modified 2002-07-17

11 April 2007

CMM vs. ISO, Sarbanes Oxley

28

/ 10 April 2007 / EDS INTERNAL

Where are the Standards (12/31/05)

Sector

Standard
s

Generalities, Infrastructure and Sciences

Pages

1,406

49,761

658

20,252

Engineering Technologies

4,099

169,843

Electronics, Information Technology and

Telecommunications

2,447

161,132

Transport and Distribution of Goods

1,710

44,918

954

20,335

3,943

93,121

Construction

311

11,068

Special Technologies

121

3,064

15,649

573,494

Health, Safety and Environment

Agriculture and Food Technology

Materials Technology

11 April 2007

Total
CMM vs. ISO, Sarbanes Oxley
29

/ 10 April 2007 / EDS INTERNAL

Which ISO Standards

The ISO family includes:
ISO 9000:2000 Quality Management Systems

Fundamentals and vocabulary

ISO 9001:2000 Quality Management Systems -

Requirements

ISO 9004:2000 Quality Management Systems

Guidelines for performance improvement

ISO 19011 Guidelines on quality and/or

environmental management systems auditing.

ISO 10012 Measurement control system

11 April 2007

CMM vs. ISO, Sarbanes Oxley

30

/ 10 April 2007 / EDS INTERNAL

Quality System Documentation

Level 1

Quality
Manual

Defines
Approach and
Responsibility

Level 2

Procedures

Defines
Who, What, When

Work/Job
Instructions

Level 3
Answers
How

Level 4

Records/Documentation

11 April 2007

Results: shows that

the system is
operating

CMM vs. ISO, Sarbanes Oxley

31

/ 10 April 2007 / EDS INTERNAL

ISO 9001:2000 Structure

4.

5.

6.

Quality Management System

4.1 General requirements
4.2 Document requirements

Management
Responsibility
5.1 Management
commitment
5.2 Customer focus
5.3 Quality policy
5.4 Planning
5.5 Responsibility, authority,
communication
5.6 Management review
Resource Management
6.1 Provision of resources
6.2 Human resources
6.3 Infrastructure
6.4 Work environment

7.

Product realization
7.1 Planning of product realization
7.2 Customer-related processes
7.3 Design and development
7.4 Purchasing
7.5 Production and service provision
7.6 Control of monitoring and
measuring devices

8.

Measurement, Analysis &

Improvement
8.1 General
8.2 Monitoring and measurement
8.3 Control of nonconforming product
8.4 Analysis of data
8.5
11 AprilImprovement
2007

CMM vs. ISO, Sarbanes Oxley

32

/ 10 April 2007 / EDS INTERNAL

Similarities
Both require the organization be explicit about what
their processes and quality systems are
Say what you do; do what you say
The organization records and tracks data for objective
analysis
Require strong management support to succeed
Provide a structured and measured approach to quality
improvement
Require an outside audit for certification
Both are refined/improved over time

11 April 2007

CMM vs. ISO, Sarbanes Oxley

33

/ 10 April 2007 / EDS INTERNAL

Differences
ISO 9000

SW-CMMI

Outwardly focused

Inwardly focused

Minimum requirements with

implied continuous improvements

Explicit continuous quality

improvement

Not specific to any one industry or

service

Software focus

Registration Document

No documentation

Continual Audits

No follow up audits
11 April 2007

CMM vs. ISO, Sarbanes Oxley

34

/ 10 April 2007 / EDS INTERNAL

Sarbanes-Oxley Implications
With its more than 300 discrete points of enforceable law, this is the most
significant piece of account legislation passed since the formation of the
SEC in 1933
SOX was passed with the specific intent of increasing accountability and
attempting to install ethical behavior in financial reporting and business
operations.
With this increase spotlight on reporting, companies must invest resources
and focus into their internal control process
The Act created the Public Company Accounting Oversight Board (PCAOB)
to oversee the activities of the auditing profession and mandated reforms to
enhance corporate and criminal fraud accountability.
A goal of SOX legislation is to continually improve the transparency of
financial and business events that can impact the accuracy and future
validity of financial statements. Projects to improve processes and regular
review of controls will become common-place activities as compliance
evolves. Tools that simplify project completion and track status will better
enable organization to cost-effectively undertake these projects.
11 April 2007

CMM vs. ISO, Sarbanes Oxley

35

/ 10 April 2007 / EDS INTERNAL

11 April 2007

CMM vs. ISO, Sarbanes Oxley

36

/ 10 April 2007 / EDS INTERNAL