CMM AND ISO

CERTIFICATION
GRANT GRIFFEY
JOHN ALEXANDER
DAVID SOLOVITZ
KATIE MANAHAN
Presentation Objectives
 Explanation of CMM
 CMM Case Study – Infosys
 Explanation of ISO – 9000/14000
 ISO Examples – Baublitz Advertising and
Industrial Security Services Inc.
 Comparison
 Questions?

2
Capability Maturity Model
 What is it?
 What is it’s purpose?
 How does it help the company?
 What are the major advantages?
 What are the major disadvantages?
 What is the future of CMM?

3
What is CMM?
 Capabilities Maturity Model

 Quantifies ability for a company to produce

high quality software

(10) 4
History of CMM
 In 1984, Congress founded a non-profit
group that could impact the growing field
of IT and obtain standardized, consistent
processes

 Created Software Engineering Institute or

SEI, which was headquartered at
Carnegie Melon University at Pittsburgh
(7) 5
History of CMM
 In 1991, the first version of CMM was
created by SEI
 Was created to help improve the practice
of software engineering and establish
protocols and methodologies in software
development
 By 2003, over 2000 organizations have
been appraised

(7) 6
What is CMM?
Describes a framework of 5 stages of software maturity

(9) 7
Predictability/Risk Relationship
Level 5

Level 4

Level 3
Predictability
Increases
Level 2

Level 1

Risk Increases
Implementing the Capability Maturity Model, James R. Persse

(7) 8
 Country Level 4 Level 5 Total
India 27 50 77
USA 39 20 59
China 0 2 2
Australia 2 0 2
Canada 0 1 1
Russia 0 1 1
France 1 0 1
Ireland 1 0 1
Israel 1 0 1
Singapore 1 0 1
(5) 9
Key Process Areas
 Each level of CMM specifies not only
general goals, but defines how the
company/organization should operate at
each level
 Key process areas are major functional
areas that need to be incorporated into the
organization when working with CMM

(7) 10
LEVELS OF CMM
 Level 1 – Initial Disciplines
process LEVEL 5
OPTIMIZING
 25 months to get to level 2 (15 months)
Standard,

 Level 2 – Repeatable consistent

process
(28 months)
LEVEL 4
MANAGED

 23 months to get to level 3 Predictable

Level 3 – Defined
process

LEVEL 3
(23 months) DEFINED

Continously
 28 months to get to level 4 improving
process LEVEL 2

Level 4 – Managed
(25 months) REPEATABLE

 15 months to get to level 5 LEVEL 1
INITIAL

 Level 5 - Optimizing

(8) 11
LEVEL 1 - INITIAL
 Characteristics Disciplines
LEVEL 5
process
OPTIMIZING
 Processes are chaotic (15 months)
Standard,
and disorganized consistent
process LEVEL 4
(28 months) MANAGED

 Few formal rules

Predictable

 Most companies would

process
LEVEL 3
(23 months) DEFINED

achieve Level 1 if they Continously

improving

were assessed process

(25 months)
LEVEL 2
REPEATABLE

 Comprises approx.
12% of certifications LEVEL 1
INITIAL

between 1998-2001

(8) 12
Level 1 Key Process Areas
 According to Persee in Implementing the
Capability Maturity Model, most groups
qualify for level 1 certification without
knowing it.
 Have no processes for software development
 Have processes in place without formal
assessment
 Therefore, there are no key processes
(7) 13
CMM Case Study - Infosys
 Infosys is a software house based in
 Bangalore, India

 Revenues have grown at an annual rate of over

70% each of the last 5 years

 Infosys has been assessed at level 4 of the

CMM

(11) 14
Level 1 – Initial (Infosys)

 At level one a customer will get in contact with

Infosys
 Customer will request information from Infosys
about itself. This is called request for
information (RFI)
 If only a single project is the goal, the customer
will then send back a request for proposal (RFP)

(11) 15
Level 1 – Initial (Infosys)
 From RFP, Infosys will prepare and send a proposal.
 Many models for proposal
 ie. Fixed price – RFP is analyzed and a cost is
determined from estimating manpower effort and
scheduling
 Proposal is fixed because customer will give agreed
price unless requirements change
 Requirements usually change, and projects are split into
two parts
 Creating detailed requirements analysis
 Developing the software

(11) 16
LEVEL 2 - REPEATABLE
 Characteristics Disciplines
LEVEL 5
process
OPTIMIZING
 Defined and documented (15 months)
Standard,
processes consistent
process LEVEL 4
MANAGED
 Success is repeated (28 months)

Predictable
 Basic project management process
LEVEL 3
(23 months)
techniques track costs, Continously
DEFINED

schedules, etc improving

process LEVEL 2
(25 months)
 Largest percentage of REPEATABLE

companies assessed
LEVEL 1
between 1998-2001 INITIAL

(8) 17
Level 2 Key Process Areas
 Establish basic set of management
controls
 Requirements management
 Software project planning
 Software project tracking and oversight
 Software quality assurance
 Software configuration management
 Subcontractor management

(7) 18
Level 2 – Repeatable (Infosys)
 Two major activities
 Requirements analysis and specification
 Requirements change management
Main objective of requirements analysis is to
produce the software requirement
specification document (SRS)
Step by step process for requirements analysis
Prepare – Gather/elicit requirements – Analyze
– Prepare SRS – Review – Obtain sign off
(11) 19
Level 2 – Repeatable (Infosys)
 Requirements change management
 Changes can come at any time during a project
Process for dealing with changes
 Log the changes
 Perform impact analysis on the work products
 Estimate effort needed for the change request
 Re-estimate delivery schedule
 Perform cumulative cost impact analysis
 Review the impact with senior management if thresholds are exceeded
 Obtain customer sign-off
 Rework work products
A danger of requirements change is that even though changes are
usually small, the cumulative effect can be great

(11) 20
LEVEL 3 - DEFINED
 Characteristics Disciplines
process LEVEL 5
OPTIMIZING
(15 months)
 Standardized software Standard,
consistent
process meets process
(28 months)
LEVEL 4
MANAGED

organizations needs Predictable

process
LEVEL 3
 Process follows (23 months) DEFINED

Continously
defines process improving
process LEVEL 2
(25 months) REPEATABLE

LEVEL 1
INITIAL

(8) 21
Level 3 Key Process Areas
 Emphasizes project and organizational
issues
 Organizational process focus
 Organizational process definition
 Process training program
 Integrated software management
 Software product engineering
 Inter-group coordination
 Peer reviews
(7) 22
Level 3 – Defined (Infosys)
 KPA – Peer Review
 Defects are inevitable, reviews are done to
identify defects
 The best form of review is a formal group review
(in authors opinion)
 4 stages to a group review
 Planning
Verify entry criteria
Select the group review team
Prepare the group review package

(11) 23
Level 3 – Defined (Infosys)
 Overview and Preparation
Call a meeting to describe review objectives
Provide an overview of the work product
Review group review work individually
 Group Review Meeting
Conduct meeting
Record defects
Summarize issues and close meeting
 Rework and Follow-up
Perform rework to fix defects detected
Perform investigation and provide results to author
Prepare a summary report and send it to the SEPG

(11) 24
LEVEL 4 - MANAGED
 Characteristics Disciplines
LEVEL 5
process
 Processes are predictable (15 months)
OPTIMIZING

 Management can adjust Standard,

consistent
process
processes to specific (28 months)
LEVEL 4
MANAGED

projects without affecting Predictable

overall quality process
(23 months)
LEVEL 3
DEFINED

 Detailed measurements of Continously

process and product quality improving

process LEVEL 2
(25 months)
are collected REPEATABLE

 65% of Motorola’s Global

LEVEL 1
Software Group is at Level INITIAL

4 or greater

(8) 25
Level 4 Key Process Areas
 Establish quantitative understanding of
software process and software products
 Quantitativeprocess management
 Software quality management

(7) 26
Level 4 – Managed (Infosys)
 The goal of quality management is to plan
quality control activities and to properly
execute and control these activities so that
defects are detected before software is
delivered
 The later a defect is detected, the more it
cost to remove

(11) 27
Level 4 – Managed (Infosys)
 Quality Management
 Qualitymanagement focuses on the defect
injection and removal cycle

(11) 28
Level 4 – Managed (Infosys)
 Quantitative Quality Management
 Human reviews are done during RA, Design, and coding phases.
 After these phases comes the testing
 UT, IT/ST and AT (quantitative)

(11) 29
Level 4 – Managed (Infosys)
 Defect Removal Efficiency
 Tool used to measure effectiveness of quality
control activities

 DRE =

(11) 30
LEVEL 5 - OPTIMIZING
 Characteristics Disciplines
process LEVEL 5
OPTIMIZING
(15 months)
 Processes are Standard,
consistent
continuously improving process
(28 months)
LEVEL 4
MANAGED

through feedback and Predictable

process
shared ideas (23 months)
LEVEL 3
DEFINED

Continously
 147 organizations from improving
process LEVEL 2
(25 months)
10 different countries REPEATABLE

that have achieved LEVEL 1

INITIAL
Level 5 certification

(8) 31
Level 5 Key Process Areas
 Addresses issues for continuous,
measurable software process
improvement
 Technology change management
 Process change management

(7) 32
How to reach each level of CMM
 6 stage process involving senior management
and coaches from SEI or other licensed
assessment vendor
 1. Selection stage
 2. Commitment stage
 3. Preparation stage
 4. Assessment phase
 5. Report stage
 6. Assessment follow-up stage

(8) 33
How to Reach each level of CMM

 No reassessment is completed once a

company achieves any level of CMM

 Assumed that company will continue to

maintain levels achieved

(8) 34
CMM success factors and pitfalls

 Creating strategic motivation to pursue certification

 Internal – help build capabilities crucial to success of company
 External – reassurance of customers
 Increases visibility to customers
 Customer recognition of certification importance may not reflect
changing in their own organization with regards to maturity

 Sustaining management commitment

 Necessary for substantial time and financial investment by
management
 Improper motivation for obtaining CMM certification
 Expenditure versus investment

(8) 35
CMM Success Factors and Pitfalls
 Ensuring organizational socialization to encourage
developer buy-in for process discipline
 Shift in attitude from independent to interdependent
 Everyone may not be “on board”
 Broad participation in defining and refining
processes
 Involve as many people as possible to foster acceptance of
program
 Managers do not explain rationale behind some process
requirements

(8) 36
Benefits of CMM Certification
 Productivity increases
 According to one study, software productivity
increased 35%
 Decrease in defects
 Post-release defects lowered by 39%
 Cost savings
 9.2 million dollars were saved within a 3 year
period on software re-works

(9) and (10) 37

International Standards Organization
 The international standards organization
specifies requirements for a quality management
system
 Basic form of the Standard requires:
 Understand product and service requirements
 Establish processes to meet those requirements
 Provide resources to run the processes
 Operate, monitor, and measure the processes
 Improve continuously, based on analysis of the results

(12) 38
Model of a process-based
quality management system

(3) 39
“Plan-Do-Check-Act” Methodology
 Plan
 Establish objectives and
processes
 Do
 Implement the processes
 Check
 Monitor and measure
processes
 Act
 Take actions to continually
improve process
performance

(12) 40
ISO Certification
 ISO consists of members from 156 countries on
the basis of one member per country.
 Full members:
 Member bodies = one vote
 Members from countries with non developed
national standards activity:
 Correspondent members = no vote
 Members from countries with small economies:
 Subscriber members
(1) 41
ISO Certification
 Central Secretariat in Geneva, Switzerland
 Permanently appointed
 Reports to the ISO Council
 ISO Council develops proposals for
standards to be presented to ISO
members

(1) 42
ISO Certification
 ISO’s principal activity is the development
of technical standards
 These standards contribute to making the
development, manufacturing and supply of
products and services more efficient, safer
and cleaner

(1) 43
ISO Certification
 ISO officially began operations on
February 23, 1947
 Delegates from 25 countries met in
London and decided to create an
organization with the mission of “to
facilitate the international coordination and
unification of industrial standards.”

(1) 44
Top Ten Countries for ISO Certifications in
2004
 1. China
 2. Italy
 2. United Kingdom
 3. United States
 4. Germany
 5. Japan
 6. Spain
 7. Australia
 8. France
 9. Korea

(5) 45
(3) 46
Benefits to Society
 Businesses
 Allows
them to produce a product under
worldwide standards
 Customers
 Providesa wider range of products
 More competition between producers
 Governments
 Provide
standards on health, safety and
environmental legislation
(1) 47
Benefits to Society
 Trade Officials
 Helpscreate a more level playing field for all
competitors
 Developing Countries
 Helps these countries invest their scarce resources
more wisely in order to produce products that meet
worldwide standards
 Consumers
 Provides assurance of quality, safety, and reliability

(1) 48
Benefits to Society
 Everyone
 Assures the things we use in everyday life are
of the highest quality
 Planet
 Provides standards on air, water and soil
quality

(1) 49
Particulars of ISO
 Equal treatment
 Allfull members have the right to take part in
any activity ISO is involved in
 Voluntary
 Allof ISO’s standards are voluntary. ISO has
no legal authority to impose it’s standards.

(1) 50
Particulars of ISO
 Market-driven
 Market requirements are what drive standards
development
 Consensus
 Helps ensure application of standards due to
the market demand for these standards and
the agreement of interested parties on the
standards

(1) 51
Particulars of ISO
 Worldwide
 Worldwide standards are difficult to implement
 ISO has some 3,000 technical groups with
some 50,000 experts to develop standards
 A process that has been set to an ISO
standard is only useful if it achieves the
desired output. ISO will only accomplish
the exact same undesired output every
time.
(1) 52
Facts about ISO

 Number of Standards
Since 1947 the ISO has developed
 15,036

(1) 53
ISO 9000
 “Provides a framework for quality
management throughout the processes of
producing and delivering products and
services for the cutomer.”(1)
 >500,000 organizations in 149 countries
have implemented ISO 9000

(1) 54
ISO 14000
 Primarily concerned with environmental
management.
 “Helps companies minimize harmful
effects on the environment caused by it’s
activities, and continually to improve its
environmental performance.”(1)

(1) 55
(4) 56
ISO Examples – Baublitz Advertising

 21 year old business wholly owned by The

Wolf Organization Inc.
 Located in York, Pennsylvania
 First advertising company to receive ISO
9001 certification in September 1997

(2) 57
ISO Examples – Baublitz Advertising
 They were looking to gain competitive
advantage
 Baublitz President – James Groff has
stated:
 “We saw (standardization of quality) going on
in the industry with our clients”
 “It adds accountability and concreteness to a
business that has not been known for it”

(2) 58
ISO Examples-Industrial Security
Service Inc.
 A midsized guard-services company based in
Ohio
 Began the process to become ISO certified in
1999
 Received ISO 9001:2000 certification in
February 2004
 With the ISO certification it allowed the company
to go from a small, single-site company to a
multi-site company with three corporate offices

(6) 59
ISO Examples-Industrial Security
Service Inc.
 Recognized benefits
 An increase in operational efficiency
 Measurable rise in customer satisfaction
 Identified was to decrease indirect costs
 Gained insight in security officer retention
trends
 Has the ability to better justify costs

(6) 60
ISO and CMM Comparison
ISO CMM
Is a Certification Is an assessment

Used for all industry development Used for software

Yearly re-certification No follow up after reaching level

Outwardly focus Inwardly focus

Third Party Certification Certified by the SEI (Developers of CMM)

(5) 61
Questions?
References
 1. [Link] viewed October 2005
 2. Gaboda, Gail “Ad agency uses ISO certification to gain
competitive edge” Marketing News Chicago: December 8,
1997 Volume 31, Issue 25 page 2
 3. West, John E. “Guidance Documents for Using ISO 9001
Effectively” Quality Digest August 2005
 4. Berchelor, Sylvie and Coulmont, Michel “ISO 14000-a
profitable investment?” CMA Management Hamilton:
November 2004 Volume 78, Issue 7 page 36
 5. Griggs, Gary M. “Quality Management of the Software
Industry” May 19, 2004

63
References (continued)
 6. Ricci, Joseph “ISO Proof of Quality” Security Management
Arlington: March 2005 Volume 49, Issue 3 page 31
 7. Perse, James R. Implementing the Capability Maturity
Model 2001 page 5
 8. Adler, Paul, Binney, Derek, Irion-Talbot, Wendy, and
McGarry, Frank "Enabling Process Discipline: Lessons from
the Journey to CMM Level 5" MIS Quarterly Executive Volume
4, Number 1, March 2005 page 215-227
 9. Freedman, Rick "More on Standards-Based IT Consulting"
Consulting to Management June 2005 Volume 16, Issue 2
page 43

64
References (continued)
 10. Kesh, Someswar and Ramanujuan, Sam “Comparison of
Knowledge Management and CMM/CMMI Implementation”
The Journal of American Academy of Business, Cambridge
March 2004 Volume 4 pages 271-277
 11. Jalote, Pankaj CMM in Practice-Processes for Executing
Software Projects at Infosys Reading, Mass.; Wokingham,
England : Addison-Wesley, 2000
 12. Beaumont, Leland R. ISO 9001, The Standard
Interpretation: The International Standard for Quality
Management Systems Third Edition; Middletown, NJ.; ISO
Easy 2002 pages 9-16

65