TickIT vs. ISO9000-3 vs. ISO 9001 - What are the Differences?

Marc

Fully vaccinated are you?
Leader
From: Gordon Kirk
Subject: Re: Tick-IT & ISO 9001 /Chen/Kirk/Chen/Kirk

Chitra,
> Would you be able to give me an idea of what these guidelines are
> like?

There is ISO 9000-3 "Guidelines for the application of ISO 9001 to the development, supply, and maintenance of software". More than anything this is a set of guidelines on best practice. I would not say that it adds any extra requirements.

In addition, there are various guides to good practice in the TickIT Guide Issue 4.0. Again there are no new requirements.

You can get the TickIT Guide from BSI
tel: +44-181-996 7427
fax: +44-181-996 7429

> Are there any special clauses added or waived when it comes to
> Tick-IT?

No. TickIT is, essentially, good practice and interpretation of the words of 9001 for the IT business. I don't think you should fear TickIT.

A difference between 9001/TickIT and 9001 is that TickIT requires that auditors be experienced in IT development. This means that they are more likely to see faults in your ways of doing things which an auditor who had no such experience might not pick up. In general, you get a more thorough audit as a result. [Whether you regard this as better or not depends on what you are seeking to achieve from the audit. If you're only seeking to get a certificate, you might find greater thoroughness worse, not better!]

Regards, Gordon
Professional Assessment Limited (accredited for TickIT by UKAS)
 

From: Pat Dey
Subject: RE: Tick-IT & ISO 9001 /Chen/Kirk/Peter

The strength of the CMM is its model for continuous improvement. The SEI's method includes, not only the process framework (the CMM itself) but the methods for managing improvement by involving everyone, eg, through a Software Engineering Process Group.

A TickIT certificate is somewhere around level 2/3 of the CMM - it skews across. The CMM has more software detail, ISO has more general business stuff, both useful and overlapping.

If an organisation is immature, the CMM offers a better strategy for building a QMS because it offers a sense of priority. TickIT and ISO require everything and can be overwhelming.

Further, the continuous references to clauses and how auditors might interpret them takes ownership away from the people and gives it to auditors. The SEI's approach leaves ownership with those who operate the process, so it's better balanced, less inclined to be bureaucratic. Compare the discussion traffic in this List with, eg, comp.software-engineering.

One way to approach this is to build the QMS using the SEI's CMM guidance, document it soundly, include a reconciliation with TickIT clauses - and add in the bits that the CMM does not explicitly require (eg, contract review, security & backups, etc).

Under the CMM, you can be a level 2, 3, 4 or 5 organisation (or, sadly, level 1).

Under TickIT, you can be TickIT Certified. There's no measurement scale.

Regards,
Pat
 

From: Pat Dey
Subject: RE: Tick-IT & ISO 9001 /Chen/Dey

1. TickIT defines a specific interpretation of ISO 9001 for software. With a TickIT-certified supplier, you're more confident that the software processes that should exist, actually do exist. And you're saved from arguments about how to interpret arcane issues such as "control of non-conforming product" in software terms.

2. TickIT defines how auditors should be trained and how they should behave, and how you should select them. E.g., they have to understand your specific software industry segment. The auditor is more likely to interpret the standard in a way which makes sense in your segment, more likely to understand software work products and whether they are sensible. Non-software ISO auditors can be fooled. Also, TickIT auditors cannot consult to the companies they audit: they cannot use audits to generate consultancy business. Their training, selection and behaviour are overseen by professional bodies. (In one country I visited a few years ago, ISO audits were managed by a consortium of suppliers. Needless to say, they all had a certificate.)

3. The scheme is recognised and respected world wide.

Hope this helps and good luck,
Pat

>
> From: Chitra Rachel Chen_CRC
> Subject: Q: Tick-IT & ISO 9001 /Chen
>
> Hello All,
>
> I've recently joined this mailing list and have been following the queries
> and their replies with great interest. Even the discussions that do not
> apply to my industry are interesting because of the thought-provoking issues
> they raise. I now have a question of my own for which I need your input.
>
> My company is into Software Development and we are currently aiming for ISO
> 9001 certification. We want to get the Tick-IT certification as it is
> specifically for software companies, but apart from this reason we are
> unable to justify our choice of Tick-IT over ISO 9001 certification to the
> management. Tick-IT certification is working out a lot more expensive than
> generic ISO 9001 certification which is why we need a good defense!
>
> Can anyone tell me in what other ways Tick-IT is better than ISO 9001 when
> it comes to software companies?
>
> Thanks in advance,
>
> Chitra Chen
> QA Group
> Indigo Technologies
> Chennai, India
 

From: Bill Deibler
Subject: Re: Tick-IT & ISO 9001 /Chen/Kirk/Peter/Dey/Deibler

> From: Pat Dey
> Subject: RE: Tick-IT & ISO 9001 /Chen/Kirk/Peter

Pat,

Since you've made some general statements about the CMM and ISO, I thought I'd play a little devil's advocate with you. My point throughout this response is to offer up a theme. The theme is that models really don't amount to a hill of beans as much as a desire to change. I make this statement in support of the fellow who said that all models are wrong....some are useful. I would say that all models have warts...and that the key to software process improvement (or any improvement) is wanting to improve....to deliver products better and faster...

> The strength of the CMM is its model for continuous improvement. The SEI's
> method includes, not only the process framework (the CMM itself) but the
> methods for managing improvement by involving everyone, eg, through a
> Software Engineering Process Group.

But the reality is that the CMM is a staged model that doesn't really focus on defect prevention until level 5. In addition, the SEPG can have the same problems you've referenced below with ISO auditors, in that they can end up driving an incredible bureaucracy that doesn't serve the developers or the rest of the product team.

In addition, the SEPG can't address a lack of management commitment. This is no different than a distributed model for ISO implementation that lacks true top-level support....you can have the buy-in from the troops and middle management and still fizzle.

> A TickIT certificate is somewhere around level 2/3 of the CMM - it skews
> across. The CMM has more software detail, ISO has more general business
> stuff, both useful and overlapping.

Actually, there is no true correlation between maturity levels and ISO implementation. However, it is true that there is strong support for ISO at all CMM levels, including Defect Prevention at Level 5. If one were to take a true organizational approach to an ISO implementation, then it would very much represent a level 3 organization. Both models pretty much say the same thing, whats not hows.....but one takes about 479 pages to do it.

> If an organisation is immature, the CMM offers a better strategy for
> building a QMS because it offers a sense of priority. TickIT and ISO require
> everything and can be overwhelming.

If you remove the models and look at software engineering fundamentals, you have the same problem of trying to bite off more than you can chew. A phased approach in any implementation is necessary. And I think a lot has to do with whether you agree with the construction of the CMM which pretty much focuses strictly on the management side at level 2 and doesn't have an engineering focus until level 3.

The simple framework that ISO offers can be phased-in on a project by project basis, with the areas that offer the biggest bang for the buck being addressed first.

The biggest problem I see in SPI is that folks don't have good implementation planning skills. This is the same for the CMM and ISO...and when you look at how large the CMM model is and how little has been written about how to successfully implement it.....well...the job can be daunting.

Although more commercial organizations are looking to the CMM for process improvement, it pales in comparison to the organizations that must implement or else....DoD contractors in bidding wars.

> Further, the continuous references to clauses and how auditors might
> interpret them takes ownership away from the people and gives it to
> auditors. The SEI's approach leaves ownership with those who operate the
> process, so it's better balanced, less inclined to be bureaucratic. Compare
> the discussion traffic in this List with, eg, comp.software-engineering.

The same darn problem exists in the CMM world. Don't kid yourself. Organizations face SCEs (software capability evaluations) and CBA IPIs....CMM based assessments for Internal Process Improvement. Many times the "Level Rating" is all that matters....even with the CBA IPI approach which is supposed to be a collaborative exercise for improvement. You would be surprised how many organizations coach their employees to get ready for a CBA IPI, when that is not the intent.....it's not supposed to be about the "score"....it's supposed to be about improvement.

Again....this is a management issue similar to the ISO implementation that says....let's get the certificate.....and we're done.....

> One way to approach this is to build the QMS using the SEI's CMM guidance,
> document it soundly, include a reconciliation with TickIT clauses - and add
> in the bits that the CMM does not explicitly require (eg, contract review,
> security & backups, etc).

Yes...there is a lot of information in the CMM that can assist one with an ISO implementation. I would also say that folks can also turn to the IEEE standards or ISO 12207 or other sources of information.

It's all fundamental stuff.

> Under the CMM, you can be a level 2, 3, 4 or 5 organisation (or, sadly,
> level 1).

Yes...but you could be a level 3 organization and that would mean little in many circumstances. For example, when was the organization's last assessment....3 years ago? I've been in shops that tout their level 3 profile but were behaving as level 1 (chaotic). Remember CMM ratings are not a certification scheme of any sort. There is no requirement other than individual customer or market requirements that would require you to reassess your organization.

> Under TickIT, you can be TickIT Certified. There's no measurement scale.
>
> Regards,
> Pat

Yes and TickIT is just an ISO 9001 registration, pure and simple. But the true measurement in implementing either model is whether you have a return on investment and whether it translates into better product and staying abreast of your competitors.

The companies that succeed with the CMM and ISO succeed because they aren't driven by what is in the model and they overlook the shortcomings of the models. They embrace what is good for their business and question what is unnecessary. They go beyond the models to crush their competition.

I've seen both models work effectively...and...I've seen them both fail miserably.

The same can be said about Deming, Juran, Crosby, TQM.....

For the most part, the model doesn't matter...change does....

For some organizations models can be handy, because they can hang their failure on choosing one particular model over another.....but that's another story.....

best,
bill

Bill Deibler
 

From: Bill Deibler
Subject: Re: Tick-IT & ISO 9001 /Chen/Kirk/Peter/Deibler

> From: Satish Kumar Peter
> Subject: RE: Tick-IT & ISO 9001 /Chen/Kirk/Peter
>
> Hi,
> Greetings to you all. I have a query on Tick-IT also.
> Is continuous process improvement an issue in Tick-IT?
> CMM would be the one that offers tremendous potential for the process
> improvement.

Hi Peter,

Corrective and Preventive Action in ISO 9001, along with a few other clauses such as Control of nonconforming product, map fairly closely to the Defect Prevention KPA in the CMM. ISO 9001, however, falls a little bit short of a continuous improvement requirement.

> I do not have an idea on Tick-IT certification, but the evolutionary
> model of CMM would definitely stand out as one of the best IT
> certification programs in the industry.

There is no certification scheme in the CMM. There are CMM appraisals (assessment and audits), but there is no accreditation nor certification scheme associated with the CMM. There are SEI "Authorized" Lead Assessors who have specific software backgrounds, assessment training, and assessment experience.

> The problem with the generic ISO9001 certification is the language
> itself. Though 9000-3 offers guidelines for the IT industry, the
> manufacturing centric terminology would be a stumbling block in marching
> forward.

Language is a problem with all models...The CMM language is biased toward military standards....as the DoD was the sponsor of the model. Remember, the CMM's main purpose was to act as a standard to support software acquisition....your tax dollars at work......

Please understand that all models have their warts...but if you dig a little...they all say pretty much the same thing...and a lot of it is good stuff....

I work in both models quite a bit...and the biggest difference in the two models is volume.....10 pages versus 479....but the similarities are quite striking....

Bill Deibler
 

From: Roman Mervart - camcontrol.co.uk
Subject: RE: Tick-IT & ISO 9001 /../Mervart/Dey/Mervart

The official explanation was given in the UKAS UPDATE, edition 11, summer 1998.

It said that "TickIT was born in the late 1980s out of concerns that ISO9000 certification was being applied without adequate understanding of software"... Due to those concerns it was made mandatory... "This was an anomaly and put certification in the software sector on a different level from that for any other economic activity". ... "The requirements that were special for software in the 1980s now apply to all forms of economic activity, and there is a recognition that every company is special and should only receive certification following audit by a team designed to understand everything it does. In this context, insistence on TickIT for the certification of every software related activity becomes self-defeatingly prescriptive, and maintenance of this mandatory requirement is no longer necessarily the best means of ensuring competent certification".... "UKAS believes that this move will strengthen TickIT on the understanding that the scheme has matured and should flourish in the market in a volunteer capacity...". Many "specifiers will continue to specify TickIT, and, in such circumstances, certification bodies will only be allowed to provide the service as long as they provide the TickIT service. However, where specifiers do not specify TickIT (and this is a situation commonly met by UK certification bodies operating outside UK) there will be no obligation to provide TickIT certification."

Unofficially I understand that the pressure to drop this mandatory requirement came from outside UK certification bodies and from those UK certification bodies that found it to be an inconvenient constraint on their activities outside UK.

Regards Roman

> From: Pat Dey
> Subject: RE: Tick-IT & ISO 9001 /Chen/Hale/Mervart/Dey
>
> What happened after 1 Aug 1998, and why?
>
> Curious,
> Patrick L Dey
 

Subject: Re: ISO for Software company /Pereira/Mervart/Perry
Date: Fri, 1 Oct 1999 14:21:01 -0600
From: ISO Standards Discussion

From: Mark Perry
Subject: RE: ISO for Software company /Pereira/Mervart/Perry

You may choose to have your quality system certificated to ISO9001 through TickIT. In this case you would need to be audited by a TickIT auditor, rather than an ordinary ISO9001 auditor. (TickIT auditors are required to be experienced in software development as well as ISO9000).

TickIT essentially interprets the requirements of ISO9001 in such a way as to be particularly relevant to the software industry. It was launched in Britain some years ago, and I understand has since been adopted in Japan and Sweden. In addition to providing guidance, there may be benefits in going for TickIT, especially if any of your clients are located in these countries, since it will imply that you have an appropriate Quality System for the nature of your business.

The TickIT guide is available from the DISC TickIT Office in London. Ph: +44 181 996 7427

Regards

Mark Perry

> From: Roman Mervart
> Subject: RE: ISO for Software company /Pereira/Mervart
>
> The following are two main complementary documents to ISO 9001:1994 (the main standard) for software:
> 1. ISO 9000-3:1997
> 2. The TickIT Guide Issue 4.0 (A guide to Software Quality System Construction and Certification using ISO 9001:1994)
>
> Regards
> Roman Mervart
>
>> From: FRANCO Maria Pereira
>> Subject: Q: ISO for Software company /Pereira
>>
>> I'm new to ISO standards, and I am searching for the best guide in order to create a Quality plan for a Software development company. I've heard about ISO9000-3 and also ISO9000:1994. Which one is the best? Can you give me any pointers?
>>
>> Many thanks.
 