International standards in the ISO/IEC 19770 family of standards for IT asset management (ITAM) address both the processes and technology for managing software assets and related IT assets. Broadly speaking, the standard family belongs to the set of Software Asset Management (or SAM) standards and is integrated with other Management System Standards.
ISO/IEC 19770 day-to-day management comes under ISO/IEC/SC7/WG21, or Working Group 21 (WG21) chaired by Roger Cummings as convener and Peter Beruk as secretary. It is WG21 that is responsible for developing, improving and ensuring market needs are met when developing these standards.
What is the purpose of 19770?
The ISO 19770 standard is a concept of ITAM standardization within an organization incorporating ISO/IEC standards.
The objective of the standard is to give organizations of all sizes information and assistance to assist at the risk and cost minimization of ITAM assets. Through implementation, these same organizations will acquire a competitive advantage through:
- Management of the risk of interrupted IT service delivery, breach of legal agreements and audit;
- Reducing overall software costs through the implementation of various processes; and
- Better information availability leading to improved decision-making based on accurate data.
The major parts of this ITAM standard are detailed below.
- ISO/IEC 19770-1 is a process framework to enable an organization to prove that it is performing ITAM to a standard sufficient to satisfy corporate governance requirements and ensure effective support for IT service management overall.
- ISO/IEC 19770-2 provides an ITAM data standard for software identification tags ("SWID").
- ISO/IEC 19770-3 provides a technical definition of a schema that can encapsulate the details of software entitlements, including usage rights, limitations and metrics ("ENT").
- ISO/IEC 19770-5 provides the overview and vocabulary.
ISO/IEC 19770-1: processes
ISO/IEC 19770-1 is a framework of ITAM processes to enable an organization to prove that it is performing software asset management to a standard sufficient to satisfy corporate governance requirements and ensure effective support for IT service management overall. ISO/IEC 19770-1 is aligned to Service Management (ISO/IEC 20000-1), and contains 27 process areas, with objectives and detailed outcomes defined for each.
Updates to 19770-1
The first generation was published in 2006. The second generation was published in 2012. It retains the original content (with only minor changes), but splits the standard up into four tiers which can be attained sequentially. These tiers are:
- Tier 1: Trustworthy Data
- Tier 2: Practical Management
- Tier 3: Operational Integration
- Tier 4: Full ISO/IEC ITAM Conformance
Preview of 19770-1
ISO/IEC 19770-2: software identification tag
ISO/IEC 19770-2 provides an ITAM data standard for software identification (SWID) tags. Software ID tags provide authoritative identifying information for installed software or other licensable item (such as fonts or copyrighted papers).
Overview of SWID tags in use
There are three primary methods that may be used to ensure SWID tags are available on devices with installed software:
- SWID tags created by a software creator or publisher which are installed with the software are the most authoritative for identification purposes.
- Organizations can create their own SWID tags for any software title that does not include a tag, allowing the organization to more accurately track software installations in their network environment
- Third party discovery tools may optionally add tags to a device as software titles are discovered
Providing accurate software identification data improves organizational security, and lowers the cost and increases the capability of many IT processes such as patch management, desktop management, help desk management, software policy compliance, etc.
Discovery tools, or processes that utilize SWID tag data to determine the normalized names and values that are associated with a software application and ensure that all tools and processes used by an organization refer to software products with the same exact names and values.
Standards development information
Non-profit organizational support
In 2009, a non-profit organization called TagVault.org was formed under IEEE-ISTO to press for using SWID tags. TagVault.org acts as a registration and certification authority for ISO/IEC 19770-2 software identification tags (SWID tags) and will provide tools and services allowing all SAM ecosystem members to take advantage of SWID tags faster, with a lower cost and with more industry compatibility than would otherwise be possible. SWID tags can be created by anyone, so individuals and organizations are not required to be part of TagVault.org to create or distribute tags.
Commercial organizational support
Numerous Windows installation packaging tools utilize SWID tags including:
- Caphyon's Advanced Installer
- Flexera Software's InstallShield
- Flexera Software's InstallAnywhere
- Open Source - Windows Installer XML Toolset (WiX)
Many software discovery tools already utilize SWID tags, including Altiris, Aspera License Management, DeskCenter Management Suite, Belarc's BelManage, Sassafras Software's K2-KeyServer, Snow Inventory, CA Technologies discovery tools, Eracent's EnterpriseAM, Flexera Software's FlexNet Manager Platform, HP's Universal Discovery, IBM Endpoint Manager, and Microsoft's System Center 2012 R2 Configuration Manager.
Symantec has also released multiple products that include SWID tags and is committed to helping move the software community to a more consistent and normalized approach to software identification and eventually to a more automated approach to compliance.
IBM started shipping tags with some software products in early 2014, but as of November, all releases of IBM software include SWID tags. This equates to approximately 300 product releases a month that include SWID tags.
The US federal government has identified 19770-2 SWID tags as an important aspect of the efforts necessary to manage compliance, logistics and security software processes. The 19770-2 standard is included on the US Department of Defense Information Standards Registry (DISR) as an emerging standard as of September 2012. The National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) recently discussed the need for SWIDs in the marketplace.
Standards development organization support
The Trusted Computing Group (TCG) is developing a standard TNC SWID Messages and Attributes for IF-M Specification that utilizes tag data for security purposes.
The National Cybersecurity Center of Excellence (NCCoE) has documented the Software Asset Management Continuous Monitoring building block that specifies how SWID tags are used for the near real-time identification of software.
The National Institute of Standards and Technology (NIST) is in the process of creating documentation that specifies how SWID tags will be used by governmental organizations including the Department of Homeland Security. David Waltermire presented information describing the NIST Security Automation Program and how SWID tags can support that effort.
The National Institute of Standards and Technology (NIST) published "Guidelines for the Creation of Interoperable Software Identification (SWID) Tags", NISTIR 8060, April 2016.
Preview of ISO 19770-2:2015
An overview of the standard is available from ISO and is available in English
ISO/IEC 19770-3: software entitlement schema (ENT)
This part of ISO/IEC 19770 provides a technical definition of an XML schema that can encapsulate the details of software entitlements, including usage rights, limitations and metrics.
The primary intentions of 19770-3 are:
- To provide a basis for common terminology to be used when describing entitlement rights, limitations and metrics
- To provide a schema which allows effective description of rights, limitations and metrics attaching to a software license.
The specific information provided by an entitlement schema (ENT) may be used to help ensure compliance with license rights and limits, to optimize license usage and to control costs. Though ENT creators are encouraged to provide the data that allow for the automatic processing, it is not mandated that data be automatically measurable. The data structure is intended to be capable of containing any kind of terms and conditions included in a software license agreement.
This part of ISO/IEC 19770 supports ITAM processes as defined in ISO/IEC 19770-1 It is also designed to work together with software identification tags as defined in ISO/IEC 19770-2. Standardization in the field of software entitlements provides uniform, measurable data for both the license compliance, and license optimization, processes of SAM practice.
This part of ISO/IEC 19770 does not provide requirements or recommendations for processes related to software asset management or ENTs. The software asset management processes are in the scope of ISO/IEC 19770-1.
Standards development information
John Tomeny of Sassafras Software Inc served as the convener and lead author of the ISO/IEC 19770-3 "Other Working Group" (later renamed the ISO/IEC 19770-3 Development Group). Mr Tomeny was appointed by Working Group 21 (ISO/IEC JTC 1/SC 7/WG 21) together with Krzysztof (Chris) Baczkiewicz of Eracent who served as Project Editor concurrent with Mr. Tomeny's leadership. In addition to WG21 members, other participants in the 19770-3 Development Group served as "individuals considered to have relevant expertise by the Convener".
ISO/IEC 19770-3 was published on April 15, 2016.
This part of ISO/IEC 19770 has been developed with the following practical principles in mind:
Maximum possible usability with legacy entitlement information
The ENT, or software entitlement schema, is intended to provide the maximum possible usability with existing entitlement information, including all historical licensing transactions. While the specifications provide many opportunities for improvement in entitlement processes and practices, they must be able to handle existing licensing transactions without imposing requirements which would prevent such transactions being codified into Ent records.
Maximum possible alignment with the software identification tag specification (ISO/IEC 19770-2)
This part of ISO/IEC 19770 (entitlement schema) is intended to align closely with part 2 of the standard (software identification tags). This should facilitate both understanding and their joint use. Furthermore, any of the elements, attributes, or other specifications of part 2 which the ENT creator may wish to utilize may be used in this part as well.
It is intended that this standardized schema will be of benefit to all stakeholders involved in the creation, licensing, distribution, release, installation, and ongoing management of software and software entitlements.
- Benefits to software licensors who provide ENTs include, but are not limited to:
- Immediate software customer recognition of details of the usage rights derived from their software entitlement.
- Ability to specify details to customers that allow software assets to be measured and reported for license compliance purposes.
- Increased awareness of software license compliance issues on the part of end-customers.
- Improved software customer relationships through quicker and more effective license compliance audits.
- Benefits to SAM tool providers, deployment tool providers, re-sellers, value-added re-sellers, packagers and release managers include, but are not limited to:
- Receipt of consistent and uniform data from software licensors and ENT creators.
- More consistent and structured entitlement information, supporting the use of automated techniques to determine the need for remediation of software licensing.
- Improved reporting from additional categorization made possible by the use of ENTs.
- Improved SAM tool entitlement reconciliation capabilities resulting from standardization in location and format of software entitlement data.
- Ability to deliver value-added functionality for compliance management through the consumption of entitlement data.
- The benefits for software customers, SAM practitioners, IT support professionals and end users of a given software configuration item include, but are not limited to:
- Receipt of consistent and uniform data from software licensors, resellers and SAM tools providers.
- More consistent and structured entitlement information supporting the use of automated techniques to determine the need for remediation of software licensing.
- Improved reporting from additional categorization made possible by the use of ENTs.
- Improved SAM and software license compliance capabilities stemming from standardized, software licensor-supplied, ISO/IEC 19770-2 software identification tags to reconcile with these ENTs.
- Improved ability to avoid software license under-procurement or over-procurement with subsequent cost optimization.
- Standardized usage across multiple platforms, rendering heterogeneous computing environments more manageable.
Preview of ISO 19770-3
An overview of the ISO 19770-3 standard is available from ISO and is available in English
ISO/IEC 19770-4: resource utilization measurement
ISO/IEC 19770 4 provides a standard for resource utilization measurement information (RUM) structures. The RUM incorporates a standardized structure containing authoritative usage information about consumption of resources related to the use of a software asset. The structure will be created in a manner that is consistent with the identification information defined in ISO/IEC 19770-2, and with the entitlement information defined in ISO/IEC 19770-3, and when used together these three types of information have the capability to significantly enhance and automate the processes of IT asset management.
ISO/IEC 19770-5: overview and vocabulary
ISO/IEC 19770-5:2015 provides an overview of ITAM, which is the subject of the ISO/IEC 19770 family of standards, and defines related terms. ISO/IEC 19770-5:2015 is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations).
ISO/IEC 19770-5:2015 contains:
- an overview of the ISO/IEC 19770 family of standards;
- an introduction to SAM;
- a brief description of the foundation principles and approaches on which SAM is based; and
- consistent terms and definitions for use throughout the ISO/IEC 19770 family of standards.
Free copy of ISO/IEC 19770-5
A free copy of the overview and vocabulary is available here.
- ISO/IEC 19770
- Roger Cummings
- Peter Beruk
- International Standard ISO/IEC 19770-1:2012 (2012-06-13). "Information technology — Software asset management-- Part 1: Processes and tiered assessment of conformance". International Organization for Standardization and International Electrotechnical Commission: vi.
- ISO/IEC 19770-2:2009(en)
- Steve Klos
- Web site for TagVault.org
- Website for IEEE-ISTO
- Microsoft SWID Tagging Information Page
- A copy of that presentation is available here
- TNC SWID Messages and Attributes for IF-M Specification
- Software Asset Management Continuous Monitoring building block
- information describing the NIST Security Automation Program
- ISO/IEC 19770-1
- ISO/IEC 19770-2
- Web site from the working group developing the 19770-3 standard
- John Tomeny
- W21N0805 (revision 2): Terms of Reference for ISO/IEC 19770-3 Software Entitlement Tag Other Working Group
- Jason Keogh
- Official WG21 web site (temporary site)
- Business Software Alliance
- Distributed Management Task Force
- International Association of Information Technology Asset Managers
- National Cybersecurity Center of Excellence
- National Institute for Standards and Technology
- Trusted Computing Group
- ITAM.ORG - Organization for IT Asset Management Professionals and ITAM Providers
- Australian Software Asset Management Association (ASAMA)