A third version of the ISO standard for SAM is being developed. This article provides an overview of updates and how you can review the latest drafts and provide your feedback. If you have any questions please contact me.
The ISO SAM process standard is being revised to cover full ITAM and to integrate with the standards for Information Security, Service Management, Quality Management and others.
This will be edition 3 of ISO/IEC 19770-1. The expectation is that the revised ITAM standard will formally be published in early 2017, but that it will be usable before then. The latest draft is available for public review and comment through 12 February.
Some notable features of this proposed revision are:
The revision maintains continuity with the principles of edition 2, i.e. with the 2012 edition of ISO/IEC 19770-1. Any organization which has used edition 2 for self-assessment, improvement, or certification should find it easy to transition to edition 3.
Improved Tiers. The revision continues the use of tiers, but has revised them to be more intuitive. There are now just three tiers, which are trustworthy data (as with edition 2); life-cycle integration; and optimization.
Integrated Use with Other Standards. The revision is being rewritten using a new high-level structure and common wording required by ISO for every ‘Management System Standard’ (MSS). ISO 9001 (Quality Management), ISO/IEC 27001 (Information Security Management) and a number of others have already been revised and re-issued. ISO/IEC 20000-1 (Service Management) is also being revised at present. This new approach will facilitate the Integrated Use of Management Systems (IUMS – another ISO acronym). Particular focus is being given to ensure easy integration with Information Security Management and Service Management.
Leveraging Physical Asset Management. The revision uses as its basis a new standard for generic asset management (ISO 55001) which was developed primarily for physical asset management, but with the involvement of SAM/ITAM experts to ensure it was a suitable basis for ITAM as well.
Addressing Additional Requirements for SAM and ITAM. The revision adds to ISO 55001 requirements to meet the special or more demanding characteristics of SAM and ITAM. In particular, these include controls over:
Software, which has major exposures relating to possible unauthorized modification, duplication and distribution
Licensing
Complex organizational ownership/responsibility scenarios, such as for cloud computing
Mixed organizational/personal responsibility scenarios, such as for BYOD
How to review and provide feedback
There are multiple ways of reviewing the draft and of submitting comments.
Members of the public may review the draft and submit comments through 12 February via the British Standards Institution’s web site, using this URL: https://drafts.bsigroup.com/Home/Details/55799. This website requires registration, but otherwise anyone may submit comments using it.
If you are a member of a national standards body (such as the BSI, ANSI, or DIN) or if you are a member of a liaison organization with the responsible ISO committee SC7WG21 (such as ISACA, itSMFI, IAITAM, SAMAC or TCG) you can submit comments via them. Such comments should be provided using the template that is available from https://isotc.iso.org/livelink/livelink/Open/16689282. Please note that recommendations for change need to include specific replacement text; it is not sufficient simply to say that something should be ‘considered’ or ‘reviewed’.