ISO/IEC 29110-3-2:2018

INTERNATIONAL ISO/IEC
STANDARD 29110-3-2
First edition
2018-04
Systems and software engineering —
Lifecycle profiles for Very Small
Entities (VSEs) —
Part 3-2:
Conformity certification scheme
Ingénierie des systèmes et du logiciel — Profils de cycle de vie pour
très petits organismes (TPO) —
Partie 3-2: Programme de certification de la conformité
Reference number
ISO/IEC 29110-3-2:2018(E)
©
ISO/IEC 2018

---------------------- Page: 1 ----------------------
ISO/IEC 29110-3-2:2018(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2018 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 29110-3-2:2018(E)

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 2
3 Terms and definitions . 2
4 Symbols and abbreviated terms . 2
5 General requirements . 3
5.1 General . 3
5.2 Management of impartiality . 3
6 Structural requirements . 3
7 Resource requirements . 3
7.1 Certification body personnel . 3
7.1.1 General. 3
7.1.2 Management of competence for personnel involved in the certification process . 3
7.1.3 Contract with the personnel . 3
7.1.4 Personal attributes . . 3
7.1.5 Generic SEP competence requirements . 4
7.1.6 Competence requirements for Personnel granting certification . 4
7.1.7 Competence requirements for SEP auditors. 5
7.2 Resources for evaluation . 7
8 Process requirements . 7
8.1 General . 7
8.2 Application . 7
8.3 Application review . 8
8.4 Evaluation . 8
8.4.1 Evaluation Plan . . . 8
8.4.2 Audit plan . 8
8.4.3 Audit team selection and assignments .10
8.4.4 Determining audit time .10
8.4.5 Multi-site sampling .11
8.4.6 Communication of audit team tasks.11
8.4.7 Communication concerning audit team members .11
8.4.8 Communication of audit plan.11
8.4.9 Conducting on-site and remote audits .11
8.4.10 Initial certification audit .15
8.4.11 Initial certification audit conclusions .16
8.4.12 Personnel for evaluation .16
8.4.13 Information for evaluation .17
8.4.14 Resources for evaluation .17
8.4.15 Use of evaluations results completed prior to the application for certification .17
8.4.16 Nonconformities .17
8.4.17 Additional evaluation tasks .17
8.4.18 Results of evaluation .17
8.5 Review .17
8.6 Certification decision .17
8.6.1 General.17
8.6.2 Actions prior to making a decision .17
8.7 Certification documentation .18
8.8 Directory of certified VSEs .18
8.9 Surveillance.18
8.10 Changes affecting certification .18
© ISO/IEC 2018 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 29110-3-2:2018(E)

8.11 Termination, reduction, suspension or withdrawal of certification .19
8.12 Records .19
8.13 Complaints and appeals .19
9 Management system requirements .19
Annex A (informative) Considerations for the audit programme, scope or plan .20
Bibliography .22
iv © ISO/IEC 2018 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 29110-3-2:2018(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the WTO
principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary
information.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 7, Software and systems engineering.
A list of all parts in the ISO/IEC 29110 series can be found on the ISO website.
© ISO/IEC 2018 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/IEC 29110-3-2:2018(E)

Introduction
Very Small Entities (VSEs) around the world are creating valuable products and services. For the
purpose of ISO/IEC 29110, a Very Small Entity (VSE) is an enterprise, an organization, a department
or a project having up to 25 people. Since many VSEs develop and/or maintain system elements and
software components used in systems, or sold to be used by others, a recognition of VSEs as suppliers of
high quality products is required.
According to the Organization for Economic Co-operation and Development (OECD) SME and
Entrepreneurship Outlook report (2005) ‘Small and Medium Enterprises (SMEs), i.e. Enterprises
which employ fewer than 250 persons, constitute the dominant form of business organization in all
countries world-wide, accounting for over 95 % and up to 99 % of the business population depending on
country’. The challenge facing OECD governments is to provide a business environment that supports
the competitiveness of this large heterogeneous business population and that promotes a vibrant
entrepreneurial culture.
From studies and surveys conducted, it is clear that the majority of International Standards do not
address the needs of VSEs. Implementation of and conformance with these standards is difficult, if not
impossible. Subsequently VSEs have no, or very limited, ways to be recognized as entities that produce
quality systems/system elements including software in their domain. Therefore, VSEs are often cut off
from some economic activities.
It has been found that VSEs find it difficult to relate International Standards to their business needs
and to justify the application of standards to their business practices. Most VSEs can neither afford
the resources, in terms of number of employees, expertise, budget and time, nor do they see a net
benefit in establishing systems or software lifecycle processes. To rectify some of these difficulties,
a set of guidelines has been developed according to a set of VSE characteristics. The guidelines are
based on subsets of appropriate standards processes, activities, tasks, and outcomes, referred to as
Profiles. The purpose of a profile is to define a subset of International Standards relevant to the VSEs'
context; for example, processes, activities, tasks, and outcomes of ISO/IEC/IEEE 12207 for software;
and processes, activities, tasks, and outcomes of ISO/IEC/IEEE 15288 for systems; and information
products (documentation) of ISO/IEC/IEEE 15289 for software and systems.
VSEs can achieve recognition through implementing a profile and by being audited against ISO/
IEC 29110 specifications.
ISO/IEC 29110 series of standards and technical reports can be applied at any phase of system or
software development within a lifecycle. This series of standards and technical reports is intended to
be used by VSEs that do not have experience or expertise in adapting/tailoring ISO/IEC/IEEE 12207 or
ISO/IEC/IEEE 15288 to the needs of a specific project. VSEs that have expertise in adapting/tailoring
ISO/IEC/IEEE 12207 or ISO/IEC/IEEE 15288 are encouraged to use those standards instead of ISO/
IEC 29110.
ISO/IEC 29110 is intended to be used with any lifecycles such as: waterfall, iterative, incremental,
evolutionary or agile.
Systems, in the context of ISO/IEC 29110, are typically composed of hardware and software components.
The ISO/IEC 29110 series, targeted by audience, has been developed to improve system or software
and/or service quality, and process performance. See Table 1.
vi © ISO/IEC 2018 – All rights reserved

---------------------- Page: 6 ----------------------
ISO/IEC 29110-3-2:2018(E)

Table 1 — ISO/IEC 29110 target audience
ISO/IEC 29110 Title Target audience
ISO/IEC 29110-1 Overview VSEs and their customers, assessors,
standards producers, tool vendors and
methodology vendors.
ISO/IEC 29110-2 Framework for profile Profile producers, tool vendors and
preparation methodology vendors.
Not intended for VSEs.
ISO/IEC 29110-3 Certification and assessment VSEs and their customers, assessors,
guidance accreditation bodies.
ISO/IEC 29110-4 Profile specifications VSEs, customers, standards producers,
tool vendors and methodology vendors.
ISO/IEC 29110-5 Management, engineering and VSEs and their customers.
service delivery guidelines
If a new profile is needed, ISO/IEC 29110-4 and ISO/IEC/TR 29110-5 can be developed without
impacting existing documents.
[5]
ISO/IEC TR 29110-1 defines the terms common to the ISO/IEC 29110 series. It introduces processes,
lifecycle and standardization concepts, the taxonomy (catalogue) of ISO/IEC 29110 profiles and the ISO/
IEC 29110 series. It also introduces the characteristics and needs of a VSE and clarifies the rationale for
specific profiles, documents, standards and guidelines.
ISO/IEC 29110-2 introduces the concepts for systems and software engineering profiles for VSEs. It
establishes the logic behind the definition and application of profiles. For standardized profiles, it
specifies the elements common to all profiles (structure, requirements, conformance, and assessment).
For domain-specific profiles (profiles that are not standardized and developed outside of the ISO
process), it provides general guidance adapted from the definition of standardized profiles.
ISO/IEC 29110-3 defines certification schemes, assessment guidelines and compliance requirements
for process capability assessment, conformity assessments, and self-assessments for process
improvements. ISO/IEC 29110-3 also contains information that can be useful to developers of
certification and assessment methods and developers of certification and assessment tools. ISO/
IEC 29110-3 is addressed to people who have direct involvement with the assessment process, e.g.
the auditor, certification and accreditation bodies and the sponsor of the audit, who need guidance on
ensuring that the requirements for performing an audit have been met.
ISO/IEC 29110-4-m provides the specification for all profiles in one profile group (a profile group may
contain a single profile or multiple profiles). A profile is specified in terms of requirements imported
from appropriate base standards.
ISO/IEC TR 29110-5-m provides management, engineering and service delivery guidelines for the
profiles in a profile group.
This document defines the process certification scheme, assessment guidelines and compliance
requirements needed to meet the purpose of the defined Profiles.
Figure 1 describes the ISO/IEC 29110 International Standards (IS) and Technical Reports (TR) and
positions the parts within the framework of reference. Overview, assessment guidelines, management
and engineering guidelines are available from ISO as freely available Technical Reports (TR). The
Framework document, profile specifications and certification schemes are published as International
Standards (IS).
© ISO/IEC 2018 – All rights reserved vii

---------------------- Page: 7 ----------------------
ISO/IEC 29110-3-2:2018(E)

Figure 1 — ISO/IEC 29110 series
viii © ISO/IEC 2018 – All rights reserved

---------------------- Page: 8 ----------------------
INTERNATIONAL STANDARD ISO/IEC 29110-3-2:2018(E)
Systems and software engineering — Lifecycle profiles for
Very Small Entities (VSEs) —
Part 3-2:
Conformity certification scheme
1 Scope
This document:
— defines the rules applicable for certification of the implementation of systems engineering,
software engineering and service delivery processes complying with the requirements given in
ISO/IEC 29110-4-m, Profile specifications; and
— provides the necessary information and confidence to customers about the way certification of
their suppliers has been granted.
Certification of the implementation of systems and software engineering processes (named
“certification” in this document) is a third-party conformity assessment activity (see ISO/
IEC 17000:2004, 5.5). Bodies performing this activity are therefore third-party conformity assessment
bodies (named “certification body/bodies” in this document).
NOTE This document is primarily intended to be used as a criteria document for the accreditation or peer
assessment of certification bodies which seek to be recognized as being competent to certify that a Very Small
Entity (VSE) complies with ISO/IEC 29110-4-m, Profile Specifications. Some of its requirements could also be
found useful by any other parties involved in the conformity assessment of such certification bodies.
Systems and software engineering processes certification does not attest the fitness of the systems and
or software products offered by a VSE.
It is important to note that certification of the implementation of systems and software engineering
processes according to ISO/IEC 29110-4-m, Profile Specifications, is a process certification and not a
management systems certification neither a product certification.
Certification of the implementation of systems and software engineering processes (SEP) of a very
small entity (VSE) is one means of providing assurance that the VSE has implemented systems and
software engineering processes to the development or maintenance of systems and or software.
Requirements for the implementation of SEP can originate from a number of sources, and this
International Standard has been developed to assist in the certification of SEP that fulfil the
requirements of ISO/IEC 29110-4-m, Profile Specifications. The contents of this document can also be
used to support certification of SEP that are based on other sets of specified SEP requirements.
This document is intended for use by bodies that carry out audit and certification of SEP for VSEs. It
gives generic requirements for such certification bodies performing audit and certification in the field
of SEP for VSEs. Such bodies are referred to as certification bodies. This wording is not intended to be
an obstacle to the use of this document by bodies with other designations that undertake activities
covered by the scope of this document. Indeed, this document is intended to be usable by anyone
involved in the assessment of SEP for VSEs.
Certification activities involve the audit of a VSE’s SEP. The form of attestation of conformity of a VSE’s
SEP to a specific lifecycle profile standard setting the applicable SEP (for example ISO/IEC 29110-4-
1 or ISO/IEC 29110-4-3) or other specified requirements are normally a certification document or a
certificate.
© ISO/IEC 2018 – All rights reserved 1

---------------------- Page: 9 ----------------------
ISO/IEC 29110-3-2:2018(E)

This certification is outside the scope of ISO/IEC 29169 to the assessment to process quality
characteristics and organizational maturity, and does not cover the results of process assessment. ISO/
IEC 29110-3-3 describes such a scheme.
It is for the VSE being certified to develop its own processes (including ISO/IEC 29110-4-m SEP), other
sets of specified SEP requirements, other processes and it is for the VSE to decide how the various
components of these will be arranged. It is therefore for certification bodies that operate in accordance
with this document to take into account the culture and practices of their clients with respect to the
implementation of SEP, including, if applicable, within the wider organization.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 29110-2-1, Software engineering — Lifecycle profiles for Very Small Entities (VSEs) — Part 2-1:
Framework and taxonomy
ISO/IEC 17000, Conformity assessment — Vocabulary and general principles
ISO/IEC 17065:2012, Conformity assessment — Requirements for bodies certifying products, processes
and services
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 29110-2-1, ISO/IEC 17000,
ISO/IEC 17065:2012 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http: //www .electropedia .org/
— ISO Online browsing platform: available at https: //www .iso .org/obp
3.1
certification body
third-party conformity assessment body operating certification schemes
Note 1 to entry: A certification body can be non-governmental or governmental (with or without regulatory
authority).
[SOURCE: ISO/IEC 17065:2012]
3.2
client
organization that is responsible to a certification body for ensuring certification
requirements, including product requirements are fulfilled
[SOURCE: ISO/IEC 17065:2012, modified — Definition editorially revised and Note 1 to entry removed.]
4 Symbols and abbreviated terms
4.1 Abbreviated Terms
The following abbreviations are used in this document:
2 © ISO/IEC 2018 – All rights reserved

---------------------- Page: 10 ----------------------
ISO/IEC 29110-3-2:2018(E)

SEP Systems and Software Engineering Process
VSE Very Small Entity
5 General requirements
5.1 General
All the requirements given in ISO/IEC 17065:2012, Clause 4 apply.
5.2 Management of impartiality
The certification body and any part of the same legal entity shall not offer or provide systems and
software engineering processes consultancy.
The fact that the organization employing the auditor is known to have provided systems and software
engineering processes consultancy to the VSE, within two years following the end of the consultancy, is
likely to be considered as a high threat to impartiality.
6 Structural requirements
All the requirements given in of ISO/IEC 17065:2012, Clause 5 apply.
7 Resource requirements
7.1 Certification body personnel
7.1.1 General
All the requirements given in ISO/IEC 17065:2012, 6.1, apply.
Additionally, the certification body shall have processes to ensure that personnel have appropriate
knowledge relevant to the market in which it operates.
7.1.2 Management of competence for personnel involved in the certification process
All the requirements given in ISO/IEC 17065:2012, 6.1.2, apply.
7.1.3 Contract with the personnel
All the requirements given in of ISO/IEC 17065:2012, 6.1.3, apply.
7.1.4 Personal attributes
The certification body shall ensure that all personnel involved in the certification activities possess the
following personal attributes. The personnel shall be:
a) ethical, i.e. fair, truthful, sincere, honest and discreet;
b) open-minded, i.e. willing to consider alternative ideas or points of view;
c) diplomatic, i.e. tactful in dealing with people;
d) observant, i.e. actively observing physical surroundings and activities;
e) perceptive, i.e. aware of and able to understand situations;
© ISO/IEC 2018 – All rights reserved 3

---------------------- Page: 11 ----------------------
ISO/IEC 29110-3-2:2018(E)

f) versatile, i.e. able to readily adapt to different situations;
g) tenacious, i.e. persistent and focused on achieving objectives;
h) decisive, i.e. able to reach timely conclusions based on logical reasoning and analysis;
i) self-reliant, i.e. able to act and function independently whilst interacting effectively with others;
j) acting with fortitude, i.e. able to act responsibly and ethically, even though these actions may not
always be popular and may sometimes result in disagreement or confrontation; and
k) open to improvement, i.e. willing to learn from situations, and striving for better audit results.
7.1.5 Generic SEP competence requirements
7.1.5.1 General considerations
The certification body shall have processes to e
...