INTRODUCTION

If you are reading this book, it is probably with the intention of gaining a decent grounding in the concept of software asset management (SAM), and the benefits it can bring to your business. Regardless of where your organisation is in respect of any economic climate, managing IT should never be treated as an afterthought; and, if we can summarise the four main aspects of what an IT director might reasonably oversee at a very base level, we can see that SAM has the potential to cover a sizeable domain:

  • software
  • hardware
  • people
  • money.

Getting these elements to seamlessly interact is the Zen of IT management; and so, from a conservative assessment, we can see that effective SAM could potentially occupy up to at least one quarter of your time.

You might also be asking, ‘If I have been in IT for as long as I have, how come I haven’t heard of SAM before?’ It could be that you may well have done so already, but it will have been hidden behind change management, service management, information security, procurement, vendor relationship management, or potentially any other facet of IT that has benefitted from greater scrutiny than SAM up until now. The reason for SAM’s rise in status has primarily come about as a result of seeking to address software vendor audits with considered and tangible data to counter (at face value) exorbitant demands for licence fees. This pattern of behaviour is not likely to decrease; licence fees are the heartbeat of any software vendor’s business – so what can we do to manage such a risk?

This brings us to the beginning and the very document this book is seeking to offer guidance on: ISO19770-1: Software Asset Management – Processes. In any Internet search, you might well have seen the diagram below seeking to represent SAM:


Figure 1: Software asset management

The processes centre on the effective management of the software life cycle, from ‘cradle to grave’, i.e. concerning requisition, acquisition, delivery, cataloguing, testing, deployment, upgrades/downgrades, change management, redeployment, retirement, storage and, finally, disposal. Each and every state change has the potential to alter a licence position, so each needs a degree of management attention.

Clearly, it would be cost-prohibitive to entrust such management entirely to a system (even if such a system existed) and, equally, it would be too onerous to manage SAM purely from a manual perspective, so the glue that binds the two together is the processes.

One thing ISO19770-1 does very well is to remain vendor and product neutral – it does not prescribe a preferred approach, or assign a priority to certain aspects of the framework it covers; that is your job!

Another important aspect to mention about ISO19770-1:2012 – it is an un-adopted standard, i.e. no one organisation has taken charge of trying to certify against ISO19770-1 for any certification bodies throughout the world. Why is this important? Well, it’s more a precautionary point than anything else; if a consultancy/company states that they can make your organisation ISO19770-1 compliant, then they can only make you compliant against their interpretation of the Standard – not the Standard itself. This is important for those companies that chase certification with a notion that it will indemnify them from software audits – it most definitely will not.

I should say at this point, that this does not negate the value of seeking to match/exceed the benchmark ISO19770-1 sets before us; as a famous tyre company once said: ‘power without control is nothing’. ISO19770-1 seeks to offer you control over your software assets; thereby empowering you to make informed decisions concerning IT operations and strategy.

STOP THE PRESS: A revised standard has been announced!

Fear not, for the ISO19770-1 gurus out there, the 2012 revision has not changed the 27 processes which comprise the SAM framework – it has merely sought to break down the objectives of ISO19770-1 into manageable tiers. There is a qualification worth noting here regarding conformance and certification. When formal certification against ISO19770-1 does eventually arrive, it will be expected that organisations work their way sequentially through the Standard – from Tier 1 to Tier 4, and that if an organisation is seeking certification at Tier 3 (as an example) all requirements to meet Tier 1 and Tier 2 will have been assessed and passed prior to Tier 3 assessment – you cannot cherry-pick the levels you wish to go for!

Also worthy of note are some of the Annexes that the new version now has. Annex A seeks to highlight the processes and their sub-components by tier. Annex C offers a line-by-line comparison of ISO19770-1 with other adjacent IT standards in the marketplace: IAITAM Best Practice, Japanese SAMAC Best Practice and COBIT®. Annex E offers a selection of maturity assessments, which could be very useful in assessing where your organisation is in respect of SAM (what you already do well, and what needs to be done).
