You must have control over your software and hardware. Not just because you should – but because it makes perfect sense and it is good for your business.
The updated ISO standard 19770-1:2017 promises to help you do just that. ISO 19770-1:2017 is really not a new standard, but an update from ISO 19770-1:2012.
But it is not a minor update. It feels more like an overhaul in that it now meets the requirements of a “real” management systems standard, such as ISO 27001. In relation to IT asset management (ITAM), the standard helps to address some significant problems when it comes to reducing risk and establishing a best practice for managing your IT assets.
The 19770-x family covers all the essential areas, such as lifecycle processes and best practices, software tagging and usage rights (entitlements).
Until this latest new release, the standard was a software asset management (SAM) standard, but it has become more and more obvious that looking at software and SAM as an island makes little sense.
Over the years, efforts have been made to build bridges to related areas, such as IT service management. But you cannot talk about managing software assets without also accounting for the hardware on which the software operates. So, SAM and hardware asset management (HAM) need to be tied closely together. This is reflected in the new ISO standard.
The main difference in this release is that it has been designed as a “management system standard”. This means that you share the approach towards risk management with ISO 27001. It also means that the 19770 standard is compatible with other management systems standards. For instance, the ISO 20000-1 for IT service management is currently being rewritten in the same manner.
As these standards evolve with comparable approaches and methodologies, it becomes easier to set in place governance structures across disciplines and specialist areas. But the trade-off is that the guidance and the “how to” becomes much more vague and it becomes a task for the individual organisation to figure out a plan on how to comply with the standard.
It will, of course, introduce more challenges – but there is also reason to believe that the challenges in managing IT assets in a global bank are somewhat different than for a regional manufacturing company.
Some people may question whether adhering to such standards is worthwhile. In the end, it is really up to each organisation to decide at what level it wishes to apply certain standards and whether this then brings value and supports the organisation’s strategic goals.
Most organisations expect that there is a certain level of control over the IT assets they own, and that these assets are properly managed, but this is very far from the truth. The complexity of taking control, the growing demand from the lines of business to acquire technology when they need to, and the internet of thkngs (IoT) revolution increase the effort required to keep on top of IT assets.
And if you find you can’t manage what you don’t know, the new standard can help. It allows the organisation to decide on the level of control that is required or desired. The 19770 family also sets a standard for:
- How software should be identified through identification tags (ISO 19770-2).
- How to keep track of what usage rights are possessed (entitlements – ISO 19770-3) and how these change on an ongoing basis.
- Best practices and lifecycle processes (back to ISO 19770-1).
For most organisations, the main driver for taking control of their software assets is the desire to avoid issues of software non-compliance during a licence audit. Sound management of IT assets can also improve an organisation’s security stance on cyber threats. New vulnerabilities are discovered every day and, on average, three out of every four attacks is aimed at web applications.
Both the WannaCry and the Equifax attacks took advantage of poor patch management, and therefore a lack of proper processes safeguarding IT assets. Good processes would have helped mitigate this.
As an organisation, you should be able to take advantage of the international standards laid out from ISO with regard to software tagging and entitlement tagging. You should insist software providers (Microsoft, IBM, Oracle, for example) and tools providers (such as Snow and Flexera) should support your ITAM activities by adhering to the ISO standards.
But IT asset management starts internally. Look at your own organisation: do you have the right resources in place and are people aware of their roles and responsibilities? Look into your processes. Do you have a set of policies and procedures in place to support effective ITAM? Are you aware of the threats from cyber attacks and are you ready to take cautious action?
Adherence to the new ISO 19770 standard boils down to having proper processes in place. These will help to avoid licence non-compliance, which is a financial risk to the organisation. Also, ISO 19770 enables you to optimise your software licence and secure operational processes, thus reducing IT security risks.