ISO 19770-1: Best Practices for Software Asset Management

Published on March 2, 2023 by Andrew Sweeney

There’s little debate on the advantages of a business being ISO certified, both from an internal and customer perspective. As operations are digitalized, there’s also little doubt about the growing importance of having a robust software asset management (SAM) process in place.

With capabilities such as virtual desktop (VDI), unified endpoint management (UEM) and public and private clouds enabling end users to connect to their workplace and be productive from anywhere over any device, it’s never been so important to ensure that the software they are using is updated, secure, and relevant to meet their digital needs and achieve the goals of the business.

The need for 19770-1:2017

ISO 19770-1:2017 specifies best-in-class standards for the establishment, implementation, maintenance, and improvement of an IT asset management (ITAM) system, providing a framework for managing software assets within the context of the business.

The standard was introduced because of the complex nature of software, and it reflects the way SAM is implemented: not in isolation, but to achieve a business goal or goals. The intention is to:

  • Provide control over software modification, duplication, and distribution.
  • Ensure control over licensing, so that licenses align with usage.
  • Deliver control for mixed ownership/relationship situations such as ‘bring your own device’ (BYOD) and the cloud.
  • Reconcile ITAM systems with other business systems, including financial.

ISO 19770-1 Structure

ISO published a video overview of changes in the latest iteration of the standard, 19770-1:2017. Processes are grouped as follows:

  • Group 1: Management system processes for ITAM – common to all management systems standards.
  • Group 2: Functional Management processes for IT assets - specific to ITAM standards.
  • Group 3: Lifecycle Management processes for IT assets - also specific to ITAM standards.

ISO introduced tiers into these groupings to allow companies to implement the processes relevant to them – with most wanting to implement the most critical processes (Tier 1). ISO suggests the following but indicates companies should add processes in line with their needs, such as to deal with sustainability goals:

TIER 1:

Trustworthy data. Do you know what assets you have so you can manage them? This is the base standard that must be implemented, and includes:

  • Change management: how you manage change and record activities for audit and compliance purposes.
  • Data management: how you reconcile software licenses with ownership using data from other sources.
  • License management: how license renewals should be handled based on individual agreements.
  • Security management: how vulnerabilities are identified, ensuring timely patching and OS updates to keep data secure.

TIER 2:

Lifecycle integration. How do you ensure efficiency and cost effectiveness across the asset lifecycle? This is divided into:

  • Specification: how new software requests are assessed.
  • Development: process for reviewing software in line with how it meets business needs.
  • Acquisition: how software acquisition is managed.
  • Release: the frequency and approval process for releasing software.
  • Deployment: ensuring awareness of interdependencies between software, platforms, and physical assets.
  • Operation: provisioning and optimization of assets.
  • Retirement: the processes for retiring or reusing software assets as part of the hardware end of life (EoL) process.

TIER 3:

Optimization. How can you achieve greater efficiency and cost effectiveness through functional focus? The areas of focus here are:

  • Relationship management: focused on agreements with third-party vendors.
  • Financial Management: optimizing asset costs across your IT environment (cloud and on-prem).
  • Service level management: measurement of service levels.
  • Other risk management

Learn how ReadyWorks can help you achieve and maintain ISO 19770-1:2017 compliance.


Achieving your business goals

What do you want to achieve using SAM? Do you want to strengthen your processes around tracking and inventorying software to align license usage with ownership? Do you want to optimize cloud costs? Are you interested in tracking usage and costs per department?

Once you’ve defined your goals, then, as with any ISO certification program, you should start by auditing existing processes and identifying gaps or areas of improvement.

Going back to basics is key. Ask yourself:

  • Do you know where all your software asset data is stored?
  • Can you easily see dependencies between your software and other IT assets, including other software?
  • How do you reconcile this data with information from other systems, such as software license details, IT service management tools and other data?
  • How do you identify unpatched or outdated software versions?
  • How do you record change management for audits?
  • How do you manage reporting?

Growing IT complexity creates process challenges and risk

Your IT environment is becoming ever more diverse as you move workloads to the public and private clouds, connect IoT devices at the edge cloud, and evolve IT maturity to manage evolving needs such as cybersecurity asset management (CSAM) or digital experience monitoring (DEX). As a result, it’s getting harder to locate and gain access to data. The reason is that each new capability or domain comes with its own distinct management tool, creating silos of data across your estate.

To manage any SAM-related program to achieve business goals, you’ll need your tools to gain access to data held in other areas of your estate. That means, for example, analyzing CSAM monitoring data using all data dependencies to understand the real impact of any potential risk. You’ll need to understand information about users, including their level and location, before you can begin to roll out software patches.

Even when you know where the data is held – and that could be outside of IT’s control in HR or another business area – to manage any program you’ll need to aggregate and normalize that data for a clear view. Given the lack of interaction between tools, that traditionally means doing it manually. This takes time, and any errors in recording add risk to your program, potentially derailing it.

That carries through to planning, execution, and program reporting, adding further delays and errors that could disrupt the business and scupper your efforts. And, when it comes to managing an external audit, can you be sure that records are complete? For many, it’s a last-minute scramble with time spent on calls and emails to fill in data gaps and resolve inconsistencies.

Simplify your journey with a digital platform conductor

How do you move away from manual processes if hybrid digital infrastructure management (HDIM) tools don’t interact? The answer is by using a digital platform conductor (DPC), a tool highlighted in four Gartner Hype Cycles in 2022. A DPC helps you achieve best practices for software asset management and ISO 19770-1:2017 certification by:

  • Integrating all your hybrid digital infrastructure management (HDIM) tools as well as other data sources held by IT and other areas of the business.
  • Automating data aggregation and normalization.
  • Orchestrating those tools to automate workflows end-to-end.

Using a DPC, you can:

  • Leverage a real-time view of all your software assets and interdependencies from any angle, to simplify tasks such as understanding software license usage vs ownership.
  • Benefit from real-time integration of this data with other tool data, for example, augmenting real-time monitoring data from your DEX tools with all interdependencies for a holistic view, or assigning software costs by department usage.
  • Create regular scans that highlight vulnerabilities that could scupper programs, for example identifying unpatched software for CSAM programs.
  • Automate workflows across your tools and estate, with task completion recorded in real time, providing transparent records for audits and simplified reporting.

Book a demo to see how a digital platform conductor can help you manage SAM-related programs using best-in-practice processes to achieve your business goals.