Systems and software engineering — Lifecycle profiles for Very Small Enterprises (VSEs) — Part 3-3: Certification requirements for conformity assessments of VSE profiles using process assessment and maturity models

ISO/IEC 29110-3-3:2016 contains the requirements for certification bodies performing conformity assessments, of the requirements contained in VSE profile specifications (e.g. ISO/IEC 29110‑4-1 for VSE software basic profile), using process assessments and maturity models. This document is based on published ISO/IEC standards and guides for

a) certification bodies (see ISO/IEC 17065)
b) the process assessment and organizational process maturity performed according to the requirements of the ISO/IEC 33001 to ISO/IEC 33099 family of process assessment standards, and
c) based on ISO/IEC 29169 to support an environment which encourages worldwide recognition of VSE profiles conformity assessment results.

The overall framework for conformity assessment follows the approach defined in ISO/IEC 17065:2012. This document has been developed following practical use and in consultation with key stakeholders, national accreditation bodies, and ISO's policy committee for conformity assessment (CASCO).

ISO/IEC 29110-3-3:2016 is addressed to people and certification bodies who have a direct relationship with the assessment process based on the VSE profiles.

It is intended that ISO/IEC/TR 29110‑1, ISO/IEC 29110‑2-1 and ISO/IEC 29110‑4-1 (containing VSE profile specifications) be read first when investigating the possibility of conducting VSE profile certification.

NOTE Any clause with requirements directly copied from other standards has those copied requirements marked up in a box. Other requirements which are also copied but for which information is added are not marked up in a box but their source is clearly referenced in the text.

Ingénierie des systèmes et du logiciel — Profils de cycle de vie pour très petits organismes (TPO) — Partie 3-3: Exigences de cetification pour la vérification de conformité en utilisant la vérification des processus et les niveaux de maturité

General Information

Status: Published
Publication Date: 09-Oct-2016
Current Stage: 9093 - International Standard confirmed
Completion Date: 24-May-2022

Standard
ISO/IEC 29110-3-3:2016 - Systems and software engineering -- Lifecycle profiles for Very Small Enterprises (VSEs)
English language
18 pages

Standards Content (Sample)

INTERNATIONAL STANDARD ISO/IEC 29110-3-3
First edition
2016-10-15
Systems and software engineering — Lifecycle profiles for Very Small Enterprises (VSEs) —
Part 3-3: Certification requirements for conformity assessments of VSE profiles using process assessment and maturity models
Ingénierie des systèmes et du logiciel — Profils de cycle de vie pour très petits organismes (TPO) —
Partie 3-3: Exigences de cetification pour la vérification de conformité en utilisant la vérification des processus et les niveaux de maturité
Reference number: ISO/IEC 29110-3-3:2016(E)
© ISO/IEC 2016


COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General requirements
5 Structural requirements
6 Resource requirements
6.1 Introduction
6.2 Independence
6.3 Competence of people
7 Process requirements
7.1 General
7.1.1 Introduction
7.1.2 Class 2 assessments (from ISO/IEC 33002)
7.2 Application
7.3 Application review
7.4 Evaluation
7.4.1 Introduction
7.4.2 Plan the certification assessment
7.4.3 Collect the data
7.4.4 Validate the data
7.4.5 Derive results
7.4.6 Report the assessment
7.5 Review
7.6 Certification decision
7.7 Certification documentation
7.8 Directory of certified products
7.9 Surveillance
7.9.1 Introduction
7.9.2 Process improvement reviews
7.10 Changes affecting certification
7.11 Termination, reduction, suspension or withdrawal of certification
7.12 Records
7.13 Complaints and appeals
8 Management system requirements
Annex A (normative) Competencies for resources
Annex B (informative) Typical third-party certification process
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment,
as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the
Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee
SC 7, Software and systems engineering.
A list of all parts in the ISO/IEC 29110 series can be found on the ISO website.

Introduction
Very Small Entities (VSEs) around the world are creating valuable products and services. For the
purpose of ISO/IEC 29110, a Very Small Entity (VSE) is an enterprise, an organization, a department
or a project having up to 25 people. Since many VSEs develop and/or maintain system and software
components used in systems, either as independent products or incorporated in larger systems, a
recognition of VSEs as suppliers of high quality products is required.
According to the Organization for Economic Co-operation and Development (OECD) SME and
Entrepreneurship Outlook report (2005), “Small and Medium Enterprises (SMEs) constitute the
dominant form of business organization in all countries world-wide, accounting for over 95 % and
up to 99 % of the business population depending on country”. The challenge facing governments
and economies is to provide a business environment that supports the competitiveness of this large
heterogeneous business population and that promotes a vibrant entrepreneurial culture.
From studies and surveys conducted, it is clear that the majority of International Standards do not
address the needs of VSEs. Implementation of and conformance with these standards is difficult, if not
impossible. Consequently VSEs have no, or very limited, ways to be recognized as entities that produce
quality systems/system elements including software in their domain. Therefore, VSEs are excluded
from some economic activities.
It has been found that VSEs find it difficult to relate International Standards to their business needs
and to justify the effort required to apply standards to their business practices. Most VSEs can neither
afford the resources, in terms of number of employees, expertise, budget and time, nor do they see a
net benefit in establishing over-complex systems or software life cycle processes. To address some of
these difficulties, a set of guides has been developed based on a set of VSE characteristics. The guides
are based on subsets of appropriate standards processes, activities, tasks, and outcomes, referred to as
Profiles. The purpose of a profile is to define a subset of International Standards relevant to the VSEs’
context; for example, processes, activities, tasks, and outcomes of ISO/IEC/IEEE 12207 for software;
and processes, activities, tasks, and outcomes of ISO/IEC/IEEE 15288 for systems; and information
products (documentation) of ISO/IEC/IEEE 15289 for software and systems.
VSEs can achieve recognition through implementing a profile and by being audited against
ISO/IEC 29110 specifications.
The ISO/IEC 29110- series of International Standards and Technical Reports can be applied at any
phase of system or software development within a life cycle. This series of International Standards
and Technical Reports is intended to be used by VSEs that do not have experience or expertise in
adapting/tailoring ISO/IEC/IEEE 12207 or ISO/IEC/IEEE 15288 standards to the needs of a specific
project. VSEs that have expertise in adapting/tailoring ISO/IEC/IEEE 12207 or ISO/IEC/IEEE 15288 are
encouraged to use those standards instead of ISO/IEC 29110.
ISO/IEC 29110 is intended to be used with any lifecycle such as waterfall, iterative, incremental,
evolutionary or agile. Systems, in the context of ISO/IEC 29110, are typically composed of hardware and
software components.
The ISO/IEC 29110- series, targeted by audience, has been developed to improve system or software
and/or service quality, and process performance. See Table 1.

Table 1 — ISO/IEC 29110 target audience
| ISO/IEC 29110 | Title | Target audience |
|---|---|---|
| Part 1 | Overview | VSEs and their customers, assessors, standards producers, tool vendors and methodology vendors. |
| Part 2 | Framework for profile preparation | Profile producers, tool vendors and methodology vendors. Not intended for VSEs. |
| Part 3 | Certification and assessment guidance | VSEs and their customers, assessors, accreditation bodies. |
| Part 4 | Profile specifications | VSEs, customers, standards producers, tool vendors and methodology vendors. |
| Part 5 | Management, engineering and service delivery guides | VSEs and their customers. |
| Part 6 | Management and engineering guides not tied to a specific profile | VSEs and their customers. |
If a new profile is needed, ISO/IEC 29110-4 and ISO/IEC/TR 29110-5 can be developed with minimal
impact to existing documents.
ISO/IEC/TR 29110-1 defines the terms common to the Set of ISO/IEC 29110 Documents. It introduces
processes, life cycle and standardization concepts, the taxonomy (catalogue) of ISO/IEC 29110 profiles,
and the ISO/IEC 29110- series. It also introduces the characteristics and needs of a VSE, and clarifies
the rationale for specific profiles, documents, standards and guides.
ISO/IEC 29110-2-1 introduces the concepts for systems and software engineering profiles for VSEs.
It establishes the logic behind the definition and application of profiles. For standardized profiles, it
specifies the elements common to all profiles (structure, requirements, conformance, assessment). For
domain-specific profiles (profiles that are not standardized and developed outside of the ISO process),
it provides general guidance adapted from the definition of standardized profiles.
ISO/IEC 29110-3 defines certification schemes, assessment guidelines and compliance requirements
for process capability assessment, conformity assessments, and self-assessments for process
improvements. ISO/IEC 29110-3 also contains information that can be useful to developers of
certification and assessment methods and developers of certification and assessment tools.
ISO/IEC 29110-3 is addressed to people who have direct involvement with the assessment process, e.g.
the auditor, certification and accreditation bodies and the sponsor of the audit, who need guidance on
ensuring that the requirements for performing an audit have been met.
ISO/IEC 29110-4-m provides the specification for all profiles in one profile group that are based on
subsets of appropriate standards elements.
ISO/IEC/TR 29110-5-m-n provides a management and engineering guide for each profile in one
profile group.
ISO/IEC/TR 29110-6-x provides management and engineering guides not tied to a specific profile.
This part of ISO/IEC 29110 presents conformity assessment requirements using process assessments
and maturity models. This part of ISO/IEC 29110 is addressed to people who have direct involvement
with the assessment process, e.g. assessor, certification and accreditation bodies and sponsor of an
assessment.
Figure 1 describes the ISO/IEC 29110 International Standards (IS) and Technical Reports (TR) and
positions the parts within the framework of reference. Overview, assessment guide, management and
engineering guide are available from ISO as freely available Technical Reports (TR). The Framework
document, profile specifications and certification schemes are published as International Standards (IS).

Figure 1 — ISO/IEC 29110 Series

1 Scope
This document contains the requirements for certification bodies performing conformity assessments,
of the requirements contained in VSE profile specifications (e.g. ISO/IEC 29110-4-1 for VSE software
basic profile), using process assessments and maturity models. This document is based on published
ISO/IEC standards and guides for
a) certification bodies (see ISO/IEC 17065)
b) the process assessment and organizational process maturity performed according to the
requirements of the ISO/IEC 33001 to ISO/IEC 33099 family of process assessment standards, and
c) based on ISO/IEC 29169 to support an environment which encourages worldwide recognition of
VSE profiles conformity assessment results.
The overall framework for conformity assessment follows the approach defined in ISO/IEC 17065:2012.
This document has been developed following practical use and in consultation with key stakeholders,
national accreditation bodies, and ISO’s policy committee for conformity assessment (CASCO).
This document is addressed to people and certification bodies who have a direct relationship with the
assessment process based on the VSE profiles.
It is intended that ISO/IEC/TR 29110-1, ISO/IEC 29110-2-1 and ISO/IEC 29110-4-1 (containing VSE
profile specifications) be read first when investigating the possibility of conducting VSE profile
certification.
NOTE Any clause with requirements directly copied from other standards has those copied requirements
marked up in a box. Other requirements which are also copied but for which information is added are not marked
up in a box but their source is clearly referenced in the text.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17065:2012, Conformity assessment — Requirements for bodies certifying products, processes
and services
ISO/IEC/TR 29110-3-1, Systems and software engineering — Lifecycle profiles for Very Small Entities
(VSEs) — Part 3-1: Assessment guide
ISO/IEC 29110-4-1, Software engineering — Lifecycle profiles for Very Small Entities (VSEs) — Part 4-1:
Software engineering - Profile specifications: Generic profile group
ISO/IEC 29169, Information technology — Process assessment — Application of conformity assessment
methodology to the assessment to process quality characteristics and organizational maturity
ISO/IEC 33002:2015, Information technology — Process assessment — Requirements for performing
process assessment
ISO/IEC 33003, Information technology — Process assessment — Requirements for process measurement
frameworks
ISO/IEC 33004, Information technology — Process assessment — Requirements for process reference,
process assessment and maturity models
ISO/IEC 33020, Information technology — Process assessment — Process measurement framework for
assessment of process capability
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC/TR 29110-1,
ISO/IEC 17000 and ISO/IEC 17065 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
3.1
basic process set
set of processes that ensure the achievement of the basic maturity level
Note 1 to entry: The set of processes are drawn from specified process assessment models.
Note 2 to entry: A basic process set will include a minimum set of processes, together with additional and optional
processes determined by the organizational context for the assessment.
3.2
certification body
third-party conformity assessment body operating certification schemes
Note 1 to entry: A certification body can be non-governmental or governmental (with or without regulatory
authority).
Note 2 to entry: For this document, the certification body will be also named the assessment body of Type A
independence (i.e. third party), as defined in ISO/IEC 33002 for process assessments.
[SOURCE: ISO/IEC 17065:2012, 3.12, modified – Note 2 has been added.]
3.3
certification scheme
certification system related to specified products, to which the same specified requirements, specific
rules and procedures apply
Note 1 to entry: Adapted from ISO/IEC 17000:2004, 2.8.
Note 2 to entry: A “certification system” is a “conformity assessment system”, which is defined in
ISO/IEC 17000:2004, 2.7.
[SOURCE: ISO/IEC 17065:2012, 3.9, modified – Notes 3 and 4 have been deleted.]
3.4
conformity assessment
demonstration that specified requirements relating to a product, process, system, person or body are
fulfilled
[SOURCE: ISO/IEC 17000:2004, 2.1]
3.5
conformity assessment body
body that performs conformity assessment services
[SOURCE: ISO/IEC 17000:2004, 2.5]
Note 1 to entry: Where the term conformity assessment is used, the definition in ISO/IEC 17000 applies. Wherever
the term assessment is used without the word conformity (e.g. assessment, process assessment, conformant
process assessment, assessment body), the relevant ISO/IEC 33001 definitions apply.
Note 2 to entry: Conformity assessment body is synonymous with assessment body or the body performing
assessment in ISO/IEC 33002.
Note 3 to entry: In this document it will only refer to third-party conformity assessment body operating
conformity assessment services.
3.6
conformity assessment scheme
conformity assessment system as related to specified objects of conformity assessment to which the
same particular specified requirements, rules and procedures apply
[SOURCE: ISO/IEC 17000:2004, 2.8]
3.7
extended process set
set of processes specific to a maturity level higher than the basic maturity level that ensures the
achievement of the relevant process profile
Note 1 to entry: The set of processes are drawn from specified process assessment models.
Note 2 to entry: An extended process set will include a minimum set of processes, together with additional and
optional processes determined by the organizational context for the assessment.
3.8
maturity model
model, derived from one or more specified process assessment model(s), that identifies the process sets
associated with the levels in a specified scale of organizational process maturity
[SOURCE: ISO/IEC 33001:2015, 3.3.7]
Note 1 to entry: The maturity model for the VSE profiles is defined in ISO/IEC/TR 29110-3-1:2015, Annex A.
3.9
organizational (process) maturity
extent to which an organizational unit consistently implements processes within a defined scope that
contributes to the achievement of its business needs (current or projected)
Note 1 to entry: The defined scope is that of the specified maturity model.
Note 2 to entry: In this document, and as defined in ISO/IEC/TR 29110-3-1, organizational (process) maturity
corresponds to fulfilment of VSE profiles.
[SOURCE: ISO/IEC 33001:2015, 3.4.2, modified – Note 2 has been added.]

4 General requirements
The requirements of ISO/IEC 17065:2012, Clause 4, apply.
ISO/IEC 29169 applies to this document.
5 Structural requirements
The requirements of ISO/IEC 17065:2012, Clause 5, apply.
6 Resource requirements
6.1 Introduction
The requirements of ISO/IEC 17065:2012, Clause 6, apply.
6.2 Independence
In addition, an important clarification when using the results of an Organizational Maturity Level
Assessment is the level of independence of the assessment body and the assessment team performing
the assessment.
ISO/IEC 33002:2015, Annex A sets out a typology to categorize the types of independence of different
assessment bodies and the make-up of the assessment team performing an assessment (Types A, B, C and
D). The relationship between ISO/IEC 17065 certification bodies and the ISO/IEC 33002 independence
typology is defined below. For conformity assessments for VSE profiles, the process assessment is to be
performed by an assessment body, ensuring impartiality towards the objects for which conformity is to
be assessed.
The Type A of independence (as defined in ISO/IEC 33002:2015, Annex A) shall be the one to be used to
ensure these impartiality needs.
6.3 Competence of people
In the conformity assessment field as in any other, the competence of the people managing and carrying
out the conformity assessment activities is of paramount importance. Whether the work is being carried
out by the supplier, the purchaser or an independent body, there shall be a clear understanding of the
knowledge, skills and experience necessary for those performing the conformity assessment tasks.
ISO/IEC 33002 requires that assessors shall be competent on the basis of appropriate education,
training and experience, including domain experience, to perform the required class of assessment and
to make professional judgments.
Competencies of the assessment team responsible for the assessment of VSE profiles shall cover the
following knowledge areas.
— Process modelling and assessment Models. This knowledge area shall address what a “process
model” is, what types of process models exist, and how the content of a process model can be
obtained. It shall also cover the “process modelling” concept, including the construction of PAMs.
— Inter-relationships between processes and process modelling. This knowledge area shall address
the complex inter-relationships between processes and process modelling, input to understand
measuring process quality characteristics and process measurement frameworks. This knowledge
area shall also cover all ISO/IEC 33004 requirements.
— Process Measurement and Evaluation. This knowledge area shall cover the “characteristics” of
process performance, and the basics of measuring these characteristics. It shall include the content
of ISO/IEC 33003 for measurement frameworks as well as ISO/IEC 33020 for process capability and
maturity assessment. It shall also include other characteristics, e.g. “process security”.
— Assessment Process. This knowledge area shall cover the assessment process for process capability
as well as for organizational maturity. It shall include all ISO/IEC 33002 requirements.
— In addition and i
...
