International Association of Scientific Innovation and Research (IASIR)

ISSN (Print): 2279-0020

(An Association Unifying the Sciences, Engineering, and Applied Research) ISSN (Online): 2279-0039

International Journal of Engineering, Business and Enterprise

Applications (IJEBEA)
www.iasir.net
Comparison between ISO 9000 and CMM Software Quality Standards
Prashant R.Nair* and Pranesh Annamalai#
*Vice-Chairman – Information Technology, Amrita School of Engineering,
Amrita Vishwa Vidyapeetham University, Amrita Nagar P.O, PIN: 641112, Coimbatore, Tamil Nadu, India,
# System Analyst, Tata Consultancy Services, Velachery, Chennai

I. Introduction
The Capability Maturity Model for software (CMM) developed by the Software Engineering Institute of
Carnegie Mellon University and the ISO 9000 series of standards, developed by the International Standards
Organization (ISO), share a common concern with quality and process management. The two are driven by
similar concerns and intuitively correlated. The purpose of this paper is to contrast the CMM and ISO 9001,
highlighting their differences and similarities. The results of the analysis indicate that, although an ISO 9001-
complaint organization would not necessarily satisfy all of the level 2 key process areas; it would satisfy most of
the level 2 goals and many of the level 3 goals. Because there are practices in the CMM are not addressed in
ISO 9000, it is possible for a level 1 organization to receive ISO 9001 registration; similarly there are areas
addressed by ISO 9001 are not addressed in CMM.

II. Capability Maturity Model

The Capability Maturity Model for software describes the principles and practices underlying software process
maturity and is intended to help software organizations to improve the maturity of their software process in
terms of an evolutionary path from adhoc, chaotic processes to mature, disciplined software processes. The
CMM is organized into five maturity levels. A maturity level is a well defined evolutionary plateau toward
achieving mature software processes. Each maturity level provides a layer in the foundation for continuous
process improvement.

III. The Five Maturity Levels

Capability maturity model has five levels that highlight the process changes at each level.
Initial: The software process is characterized as adhoc and chaotic and success depends on individual efforts.
Focus is on doing the task to the best of the project team’s abilities. Software process capability is unpredictable.
Repeatable: Basic product management process is established to track the cost, schedule and functionality. The
necessary process discipline is in place to repeat earlier success on projects with similar applications. Planning
of project activities is done before execution and is evaluated after execution. Problems are recognized and
corrected as they occur. Software process capability is disciplined
Defined: The software process for both management and engineering activity is documented, standardized, and
integrated into a standard software process for the organization. All the projects use an approved tailored version
of the organizations standard software process for developing and maintaining software. The key process areas
at level3 address both project and organization establishes an infrastructure that institutionalizes effective
software and management process across all the projects. They are organization process, definition, Training
program, Integrated Software Management, Software Product engineering, Intergroup Coordination and peer
review. Software process capability is standard and consistent.
Managed: Detailed measures of the software process and the product quality are collected. Both the software
process and products are quantitatively understood and controlled. Projects achieve control over their products
and processes by narrowing the variation in their performance to fall within acceptable quantitative boundaries.
Organization provides a foundation for quantitative evaluation. Sources of problem are understood and
eliminated Software process capability is predictable
Optimizing: Continuous process improvement is enabled by quantitative feedback from the process and from
piloting innovating ideas and technologies. The software project management team analyzes defects, determine
their causes and evaluate processes to avoid known types of defects from recurring. Process improvements,
defect prevention and decision based on cost-benefit analysis and software process capability is continuously
improving

IV. Key Process Areas

Except for level 1, each maturity level is decomposed into several key process areas that indicate the areas; an
organization should focus on to improve its software process. Key process areas identify the issues that must be
addressed to achieve a maturity level. Each key process area identifies a cluster of related activities that, when
performed collectively, achieve a set of goals considered important for enhancing process capability. The key
process areas and their purposes are listed below. The name of each key process area is followed by its two-

IJEBEA 13-204; © 2013, IJEBEA All Rights Reserved Page 10

 P. Nair et al., International Journal of Engineering, Business and Enterprise Applications, 5(1), June-August, 2013, pp. 10-14

letter abbreviation. By definition there are no key process areas for level 1.The key process areas at level 2 focus
on the software project's concerns related to establishing basic project management controls, as summarized
below:
A. Requirements Management:
Establishes a common understanding between the customer and the software projects of the customer
requirements that will be addressed by the software project.
B. Software Project Planning:
Establishes reasonable plans for performing the software engineering and for managing the software project.
C. Software project tracking:
Establishes adequate visibility into actual progress so that management can take effective actions when the
software project’s performance deviates significantly from the software plans
D. Software quality assurance & Configuration management:
Provides management with appropriate visibility into the process being used by the software projects and for the
products being built. Establishes and maintains integrity of the products of the software projects throughout the
projects life cycle.
V. ISO 9000 quality management system:
The ISO 9000 series of standards is a set of documents dealing with quality systems that can be used for
external quality assurance purposes. They specify quality system requirements for use where a contract between
two parties requires the demonstration of a supplier's capability to design and supply a product. The two parties
could be an external client and a supplier, or both could be internal.
ISO 9000, "Quality management and quality assurance standards – Guidelines for selection and use," clarifies
the distinctions and interrelationships between quality concepts and provides guidelines for the selection and use
of a series of international standards on quality systems that can be used for internal quality management
purposes (ISO 9004) and for external quality assurance purposes (ISO 9001, 9002, and 9003). The quality
concepts addressed by these standards are:
An organization should achieve and sustain the quality of the product or service produced so as to meet
continually the purchaser's stated or implied needs.
An organization should provide confidence to its own management that the intended quality is being
achieved and sustained.
An organization should provide confidence to the purchaser that the intended quality is being, or will
be, achieved in the delivered product or service provided. When contractually required, this provision
of confidence may involve agreed demonstration requirements.
ISO 9001, "Quality systems – Model for quality assurance in design/development, production, installation, and
servicing," is for use when conformance to specified requirements is to be assured by the supplier during several
stages, which may include design, development, production, installation, and servicing. Of the ISO 9000 series,
it is the standard that is pertinent to software development and maintenance.
VI. ISO and CMM Comparison:
There are 20 clauses in ISO 9001, which are summarized and compared to the practices in the CMM. There is
judgment involved in making this comparison, and there may be differences in interpretation for both ISO 9001
and the CMM. A common challenge for CMM-based appraisals and ISO 9001 certification is reliability and
consistency of assessments.
A. Management Responsibility
ISO 9001 requires that the quality policy be defined, documented, understood, implemented, and maintained
Responsibilities and authorities for all personnel specifying, achieving, and monitoring quality be defined; and
that in-house verification resources be defined, trained, and funded. A designated manager ensures that the
quality program is implemented and maintained. In the CMM, management responsibility for quality policy and
verification activities is primarily addressed in Software Quality Assurance, although software project planning
and software project tracking and oversight also include activities that identify responsibility for performing all
project roles. More generically, leadership issues are addressed in the commitment to perform common feature,
and organizational structure and resource issues are addressed in the ability to perform common feature.
B. Quality Systems
ISO 9001 requires that a documented quality system, including procedures and instructions, be established. ISO
9000-3 characterizes this quality system as an integrated process throughout the entire life cycle. Quality system
activities are primarily addressed in the CMM in Software Quality Assurance. The procedures that would be
used are distributed throughout the key process areas in the various activities performed practices.ISO 9001
discusses the supplier’s quality system, but it does not discuss the relationship between organizational support
and project implementation as the CMM does. ISO 9000-3, on the other hand, has two sections on quality
planning: clause 4.2.3 discusses quality planning across projects; clause 5.5 discusses quality planning within a
particular development effort.

IJEBEA 13-204; © 2013, IJEBEA All Rights Reserved Page 11

 P. Nair et al., International Journal of Engineering, Business and Enterprise Applications, 5(1), June-August, 2013, pp. 10-14

C. Contract Review:
ISO 9001 requires that contracts be reviewed to determine whether the requirements are adequately defined,
agree with the bid, and can be implemented. Review of the customer requirements, as allocated to software, is
described in them in Requirements Management. The software organization ensures that the system
requirements allocated to software are documented and reviewed and that missing or ambiguous requirements
are clarified. The CMM also explicitly addresses the acquisition of software through subcontracting by the
software organization, as described in Software Subcontract Management. Contracts may be with an external
customer or with a subcontractor, although that distinction is not explicitly made in this clause of ISO 9001.
D. Design Control
ISO 9001 requires that procedures to control and verify the design be established. This includes planning design
activities, identifying inputs and outputs, verifying the design, and controlling design changes. In the CMM, the
life cycle activities of requirements analysis, design, code, and test are described in software product
engineering. Planning these activities is described in software project planning. Software Project Tracking and
oversight describes control of these life cycle activities, and Software Configuration Management describes
configuration management of software work products generated by these activities.
E. Document Control
ISO 9001 requires that the distribution and modification of documents are to be controlled. In the CMM, the
configuration management practices characterizing document control are described in software configuration
management. The configuration management in the CMM is distributed throughout the key process areas in the
various activities performed practices.
F. Purchasing
ISO 9001 requires that purchased products conform to their specified requirements. This includes the
assessment of potential subcontractors and verification of purchased products. In the CMM, this is addressed in
Software Subcontract Management. Evaluation of subcontractors is described in Activity 2, while acceptance
testing of subcontracted software is addressed in Activity 12.
G. Purchaser-Supplied Product:
ISO 9001 requires that any purchaser-supplied material be verified and maintained. ISO 9000-3 discusses this
clause in the context of included software product (6.8), including commercial-off-the-shelf software. Activity
6.3 in Integrated Software Management is the only practice in the CMM describing the use of purchased
software. It does in the context of identifying off the shelf or reusable software as part of planning. Integration
of off-the-shelf and reusable software is one of the areas where the CMM is weak.
H. Product Identification and Traceability
ISO 9001 requires that the product be identified and traceable during all stages of production, delivery, and
installation. The CMM covers this clause primarily in Software Configuration Management, but Activity 10 of
Software Product Engineering states the specific need for consistency and traceability between software work
products.
I. Process Control:
ISO 9001 requires that production processes be defined and planned. This includes carrying out production
under controlled conditions, according to documented instructions. Special processes that cannot be fully
verified after the fact are continuously monitored and controlled. ISO 9000-3 clauses include design and
implementation (5.6); rules, practices, and conventions (6.5); and tools and techniques (6.6).The procedures
defining the software production process in the CMM are distributed throughout the key process areas in the
various activities performed practices. The specific procedures and standards that would be used are specified in
the software development plan, as described in Software Project Planning. It is also worth noting that clause 6.6
in ISO 9000-3 states that “the supplier should improve these tools and techniques as required,” which
corresponds to transitioning new technology into the organization as discussed in Technology Change
Management of CMM.
J. Inspection and Testing
ISO 9001 requires that incoming materials be inspected or verified before use and that in process inspection and
testing be performed. Final inspection and testing are performed prior to release of finished product. Records of
inspection and test are kept. The CMM describes testing in activities 5, 6, and 7 in software product engineering.
In-process inspections in the software sense are addressed in peer reviews.
K. Inspection Measuring and Test Equipment
ISO 9001 requires that equipment used to demonstrate conformance be controlled, calibrated, and maintained.
When test hardware or software is used, it is checked before use and rechecked at prescribed intervals. ISO
9000-3 clarifies this clause with clauses on testing and validation (5.7); rules, practices, and conventions (6.5);
and tools and techniques (6.6).This clause is generically addressed in the CMM under the testing practices in
Software Product Engineering. Test software is specifically addressed in Ability 1.2, which describes the tools
that support testing.

IJEBEA 13-204; © 2013, IJEBEA All Rights Reserved Page 12

 P. Nair et al., International Journal of Engineering, Business and Enterprise Applications, 5(1), June-August, 2013, pp. 10-14

L. Inspection and Test status

ISO 9001 requires that the status of inspections and tests be maintained for items as they progress through
various processing steps. This clause is addressed in the CMM by the testing practices in Software Product
Engineering and by Activities 5 and 8 on problem reporting and configuration status respectively, in Software
Configuration Management
M. Control of Non Conforming Product:
ISO 9001 requires that nonconforming product be controlled to prevent inadvertent use or installation. ISO
9000-3 maps this concept to clauses on design and implementation (5.6); testing and validation (5.7);
replication, delivery, and installation (5.9); and configuration management (6.1).
In CMM, design, implementation, testing, and validation are addressed in Software Product Engineering. In
Software Configuration Management, Activity 8 addresses the status of configuration items, which would
include the status of items that contain known defects not yet fixed. Installation issue is not addressed in them.
N. Corrective Action:
ISO 9001 requires that the causes of nonconforming product be identified. Potential causes of nonconforming
product are eliminated; procedures are changed resulting from corrective action. ISO 9000-3 quotes this clause
verbatim, with no elaboration. The corrective action discussed in this clause is driven by customer complaints.
In CMM, mapping of this clause would be problem reporting, followed with controlled maintenance of baseline
work products. Problem reporting is described in Software Configuration Management in the CMM. The
corrective action is to address non compliances identified in an audit, whether external or internal. This would
be addressed in Software Quality Assurance in the CMM. In the current revision cycle for ISO 9001, the draft
international standard includes separate requirements for corrective and preventive action. Corrective action is
directed toward eliminating the causes of actual nonconformities, and preventive action is directed toward
eliminating the causes of potential nonconformities.
O. Handling Package Storage and Delivery:
ISO 9001 requires that procedures for handling, storage, packaging, and delivery be established and maintained.
ISO 9000-3 maps this to clauses on acceptance (5.8) and replication, delivery, and installation (5.9) Replication,
delivery, and installation are not covered in the CMM. Acceptance testing is addressed in Activity 7 of Software
Product Engineering, and Activity 7 of Software Configuration Management describes the creation and release
of software products. Delivering and installing the product, however, is not described in the CMM.
P. Quality Records
ISO 9001 requires that quality records be collected, maintained, and disposition. The practices defining the
quality records to be maintained in the CMM are distributed throughout the key process areas in the various
Activities Performed practices. Specifically pertinent to this clause is the testing and peer review practices in
Software Product Engineering, especially the collection and analysis of defect data in Activity 9. Problem
reporting is addressed by Activity 5 in Software Configuration Management, and the collection of peer review
data is described in Activity 3 of peer reviews.
Q. Internal Quality Audits:
ISO 9001 requires that audits be planned and performed. The results of audits are communicated to
management, and any deficiencies found are corrected. The auditing process is described in Software Quality
Assurance. Specific audits in the CMM are addressed in the auditing practices of the verifying implementation
common features
R. Training:
ISO 9001 requires that training needs be identified and that training be provided, since selected tasks may
require qualified personnel. Records of training are maintained. Specific training needs in the CMM are
identified in the training and orientation practices in the ability to perform common feature. Activity 6 describes
the general training infrastructure in described in training program which also includes guidelines to maintain
training records.
S. Servicing
ISO 9001 requires that servicing activities be performed as specified. ISO 9000addresses this clause as
maintenance (5.10).Although the CMM is intended to be applied in both the software development and
maintenance environments, the practices in the CMM do not directly address the unique aspects that
characterize the maintenance environment. Maintenance is embedded throughout the practices of the CMM, and
they must be appropriately interpreted in the development or maintenance contexts. Maintenance is not,
therefore, a separate process in the CMM.
T. Statistical Technique:
ISO 9001 states that, where appropriate, adequate statistical techniques are identified and used to verify the
acceptability of process capability and product characteristics. ISO 9000-3 simply characterizes this clause as
measurement (6.4).The practices describing measurement in the CMM are distributed throughout the key
process areas. Product measurement is typically incorporated into the various activities performed practices, and
process measurement is described in the measurement and analysis common feature. Activity 5 of organization

IJEBEA 13-204; © 2013, IJEBEA All Rights Reserved Page 13

 P. Nair et al., International Journal of Engineering, Business and Enterprise Applications, 5(1), June-August, 2013, pp. 10-14

process definition describes the establishment of an organization process database for collecting process and
product data
VII. Differences in ISO 9001 and the CMM
The CMM is a way to communicate capabilities. The ISO is a way to communicate the process. CMM is a very
specific way of classifying an organization's software development methods but, ISO procedures describe a
definite development and process but give no indication of the likely quality of the designs or whether multiple
software efforts are likely to produce software of similar quality.
Some issues in ISO 9001 are not covered in CMM, and vice versa, The levels of detail differ
The clause such as customer-supplied products and handling, packaging, preservation and delivery as
stated in the ISO 9001 has no strong relationship to CMM KPAs
The biggest difference is the emphasis in CMM on continuous process improvement. ISO only
addresses minimum criteria for an acceptable quality system.
The clause in ISO 9001 that addresses in CMM in a completely distributed fashion is servicing. There
is significant debate about the exact relationships to CMM for corrective and preventive action and
statistical techniques
CMM focuses strictly on software, while ISO 9001 includes hardware, software, processed materials
and services.
For both CMM and ISO 9001, the bottom line is “Say what you do; do what you say.”
Every Level 2 KPA is strongly related to ISO 9001. Every KPA is at least weakly related to ISO 9001.
A CMM Level-1 organization can be ISO 9001 certified; that organization would have significant
Level-2 process strengths and noticeable Level-3 strengths.
Given a reasonable implementation of the software process, an ISO 9001 certified organization should
be at least close to CMM Level-2.
Even a Level-3 organization would need to ensure that delivery and installation are addressed, but even
a Level-2 organization would have comparatively little difficulty in obtaining ISO 9001 certification.
VIII. Comparison between ISO VS CMM
ISO CMM
ISO certification is usually prompted CMM review is usually done to improve and
because certification is needed to get involves a more detailed study than does an
contracts ISO review
Continuous improvement is almost totally absent. It merely Software products are inherently complex and challenging to
addresses the control of a nonconforming product and scope, develop, implement, verify, validate, and maintain. This
recommends corrective and preventive action requires a total quality approach focused on customer
satisfaction and continuous improvement
With ISO 9001, once you are certified, your challenge is only to The challenge here is to maintain and continuously improve
maintain certification
For an organization that develops and manufactures embedded CMM is a more comprehensive model to measure software
software products, an ISO 9001 certification tells very little development capability. It covers more processes and has a
about its software development capability. Certification means five-level rating system that emphasizes continuous
only that some basic practices are in place. improvement.
ISO 9001 certification requires auditors, which places emphasis CMM can be used as a self-assessment tool
on opinions of outsiders whose capabilities may be unknown or
marginal
IX. Conclusion
Although there are specific issues that are not adequately addressed in the CMM in general the concerns of ISO
9001 are encompassed by the CMM. The converse is less true. ISO 9001 describes the minimum criteria for an
adequate quality management system rather than process improvement, although future revisions of ISO
9001may address this concern. The differences are sufficient to make the mapping impractical, but the
similarities provide a high degree of overlap.
It is also true that addressing the concerns of the CMM would help organizations prepare for an ISO9001 audit.
Although either document could be used to structure a process improvement program, the more detailed
guidance and greater breadth provided to software organizations by the CMM suggest that it is the better choice.
In any case, building competitive advantage should be focused on improvement, not on achieving a score,
whether the score is a maturity level or a certificate. It is better to address in a larger context encompassed by
the CMM.
References
[1]. Carnegie Mellon University, (2013). About the SEI - Welcome, Retrieved July 19, 2013 from
http://www.sei.cmu.edu/about/about.html.
[2]. Dorfman, M., Thayer, R. (Eds.). (1997). Software Engineering, Los Alamitos, CA: IEEE Computer Society Press.
[3]. Paulk, M., (1995, Jan.). How ISO 9001 Compares With the CMM, IEEE Software, January 1995
[4]. Pressman, R., (2001). Software Engineering: A Practitioner’s Approach (5th ed.). New York: McGraw-Hill
[5]. Schulz, Y. (2000). IT is not alone with Failure, Info Systems Executive, November 2000
[6]. Yourdon, E. (1997). Death March, New Jersey: Prentice Hall PTR
[7]. Tingey, M. (1997). Comparing ISO 9000, Malcolm Baldridge, and the SEI CMM for Software, New Jersey: Prentice Hall PTR

IJEBEA 13-204; © 2013, IJEBEA All Rights Reserved Page 14