ISO/IEC 33002:2015

INTERNATIONAL ISO/IEC
STANDARD 33002
Second edition
2015-03-01
Information technology — Process
assessment — Requirements for
performing process assessment
Technologies de l’information — Évaluation du processus —
Exigences relatives à la réalisation d’une évaluation du processus
Reference number
©
ISO/IEC 2015
© ISO/IEC 2015
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2015 – All rights reserved

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Performing an assessment . 1
4.1 General requirements . 2
4.2 Assessment activities . 3
4.2.1 Plan the assessment . 3
4.2.2 Collect the data . 3
4.2.3 Validate the data . 4
4.2.4 Determine the results . 4
4.2.5 Report the assessment . . 4
4.3 Roles, responsibilities and competence . 5
4.4 Assessment inputs . 6
4.5 Assessment record. 7
4.6 Class of assessment . 7
4.6.1 General. 7
4.6.2 Specific requirements — Class 1 assessment . 8
4.6.3 Specific requirements — Class 2 assessment . 9
4.6.4 Specific requirements — Class 3 assessment .10
4.7 Assessment of process capability .10
5 Verifying conformity to process assessments .10
Annex A (normative) Categories of independence .12
Annex B (informative) Example content of an assessment report .13
Bibliography .16
© ISO/IEC 2015 – All rights reserved iii

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
Details of any patent rights identified during the development of the document will be in the Introduction
and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 7, Software
and systems engineering.
This second edition cancels and replaces clauses of ISO/IEC 15504-2:2003 and ISO/IEC/TR 15504-
7:2008, which have been technically revised.
iv © ISO/IEC 2015 – All rights reserved

Introduction
This International Standard defines the minimum set of requirements for performing an assessment
that will ensure assessment results are objective, consistent, repeatable, and representative of the
assessed processes. The requirements help to ensure that the assessment output is self-consistent and
to provide evidence to substantiate the ratings and to verify compliance with the requirements. Process
assessment is applicable in the following circumstances:
— by or on behalf of an organization with the objective of understanding the state of its own processes
for process improvement;
— by or on behalf of an organization with the objective of determining the suitability of its own
processes for a particular requirement or category of requirements;
— by or on behalf of one organization with the objective of determining the suitability of another
organization’s processes for a particular purpose, contract, or category of contracts.
This International Standard is applicable across all application domains and sizes of organizations.
Appropriate methods, techniques, and tools can be used to enable the assessment process to be effective
and efficient.
This International Standard is part of a set of International Standards designed to provide a consistent and
coherent framework for the assessment of process quality characteristics, based on objective evidence
resulting from implementation of the processes. The framework for assessment covers processes
employed in the development, maintenance, and use of systems across the information technology
domain and those employed in the design, transition, delivery, and improvement of services. The set of
International Standards, as a whole, addresses process quality characteristics of any type. Results of
assessment can be applied for improving process performance, or for identifying and addressing risks
associated with application of processes.
The ISO/IEC 330xx family of Standards defines the requirements and resources needed for process
assessment. The overall architecture and content of the series is described in ISO/IEC 33001:2015.
Several International Standards in the ISO/IEC 330xx family of standards for process assessment are intended
to replace and extend parts of the ISO/IEC 15504 series of Standards. ISO/IEC 33001, Annex A provides a
detailed record of the relationship between the ISO/IEC 330xx family and the ISO/IEC 15504 series.
© ISO/IEC 2015 – All rights reserved v

INTERNATIONAL STANDARD ISO/IEC 33002:2015(E)
Information technology — Process assessment —
Requirements for performing process assessment
1 Scope
This International Standard defines the minimum set of requirements for performing an assessment
that will ensure assessment results are objective, consistent, repeatable, and representative of the
assessed processes.
The requirements defined in this International Standard can be used by or on behalf of an organization to
a) facilitate self-assessment,
b) provide a basis for improving process performance and mitigating process-related risk,
c) produce a rating of the achievement of the relevant process quality characteristic, and
d) provide an objective benchmark between organizations.
This International Standard is applicable across all application domains and sizes of organization.
NOTE An organization can implement a set of integrated processes in a system.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 33001:2015, Information technology — Process assessment — Concepts and terminology
ISO/IEC 33003:2015, Information technology — Process assessment — Requirements for process
measurement frameworks
ISO/IEC 33004:2015, Information technology — Process assessment — Requirements for process reference,
process assessment and maturity models
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 33001:2015; apply.
4 Performing an assessment
The purpose of process assessment is to understand and assess the processes implemented by an
organizational unit.
Figure 1 shows the key elements of the process assessment process.
© ISO/IEC 2015 – All rights reserved 1

Figure 1 — Key elements of the process assessment process
Clause 4 sets out the requirements for performing an assessment conformant with this International
Standard. The requirements help to ensure that the assessment output is self-consistent and provides
evidence to substantiate the ratings.
4.1 General requirements
The assessment shall be conducted according to a documented assessment process. The documented
assessment process shall be capable of meeting the assessment purpose and shall be structured in a
manner that ensures that the purpose for performing the assessment is satisfied, in terms of the rigour
and independence of the assessment and its suitability for the intended use.
The documented assessment process shall prescribe a set of activities and tasks to be performed
that meet all of the requirements defined in this International Standard. Specifically, the documented
assessment process shall:
— identify as a minimum, the assessment activities as defined in 4.2;
— identify as a minimum the roles, responsibilities and competencies as defined in 4.3;
— identify the classes of assessment for which the documented assessment process can be applied, and
the nature and extent of tailoring associated with each class addressed by the documented process;
— define the criteria for ensuring coverage for both the defined organizational scope and the defined
process scope for the assessment, in terms of the strategy for collecting and analysing data;
— identify the rating method(s) to be used in rating process attributes;
— identify or define the aggregation method(s) to be used in determining ratings.
Classes of assessment are described in 4.6. They reflect different levels of confidence in the results of
the assessment.
Different categories of independence for different types of bodies and personnel are described in Annex
A, with criteria
...