Issue 29 – July 2011
SC 7 creates a wide range of Standards, including Standards for international governance, service management, and testing, which are of particular relevance to New Zealand. SC 7, 'Software systems and engineering', is Subcommittee 7 of the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) Joint Technical Committee (JTC) 1, 'Information technology'.
New Zealand participates on SC 7 via an international review group comprised of New Zealand information technology (IT) stakeholders from government and industry. These stakeholders are involved in a number of Working Groups (WG) within SC 7, including WG 40, 'IT Governance frameworks', WG 26, 'Software testing', and WG 25, 'IT service management'. In May 2011, several New Zealand IT stakeholders went to Paris to attend an SC 7 meeting on software systems and engineering Standards. Updates from some of these stakeholders are included below.
Head of the New Zealand delegation to SC 7 – Alison Holt
Holt is also Convener of WG 40, with Co-Convener Myles Ward from the Inland Revenue Department. 'A key question managers are asking now is 'should we use the cloud?',' says Holt. 'At the Plenary meeting we agreed that later this year WG 40 will publish the output of a 2-year Study Group on Cloud Computing as an ISO/IEC 'Technical Report on cloud governance'. This will be a very useful document, which will help to answer questions that boards and senior executives are asking on the safety of putting their IT services in the cloud, and how risks can be mitigated.'
Oliver Bell – Director of Standards (Southeast Asia, Australia, and New Zealand), Microsoft
Bell has been involved in SC 7 for 2 years and says, 'SC 7's work on governance of IT technology at board level helps the world to understand why governance is important and helps to define what IT governance is.
'Being involved in SC 7 helps me in two ways. One, to work out what matters in the New Zealand environment, and two, to take this information to Microsoft Corporation so they recognise what's going on in New Zealand when designing products.
'Standards work is a discreet way to get a picture of the global IT requirements. SC 7 is a large international working group, which provides a great opportunity to understand what's happening in all sorts of areas in software and systems engineering, and a fantastic networking opportunity.'
At the Plenary, Bell presented on 'interoperability' and the 'consumerisation of IT'. 'People now bring technology to work and expect it to work – they are making choices for themselves – rather than the CIO outlining what can be used in an organisation,' says Bell. 'At the Plenary we agreed to form a Study Group to look at the Governance of Consumer IT in Business Domains, to tackle this new challenge. We'll look at how to provide better governance guidance in this environment where consumers are making the choices.'
Bell is the Chair of the study group, which includes representatives from The Netherlands, South Africa, India, Japan, South Korea, Australia, and the UK. The study group will have its first formal meeting in London in September 2011.
Dr Brian Cusack – Director, AUT University Digital Forensic Research Laboratories
'AUT sponsors my involvement in SC 7, which means that I can keep them up to date on Standards development and they can ensure teaching materials reflect current trends, and that IT developers in training are exposed to industry best practice and the concepts of standardisation,' says Cusack. 'I'm a member of WG 40 and WG 6 'Corporate governance of IT', Project editor of the 'Governance of digital forensic risk' Standard, and I participate in four new work items (NWIs). There's a sense of contributing to a greater good by participating in Standards development. The potential to achieve harmonisation, better industry communication, and optimised economic performance through standardisation are key drivers.'
At the Plenary meeting, Cusack presented an NWI update on 'Governance guidelines for digital forensics'. Digital forensics preparedness helps directors of enterprises to assure the enterprise from the certainty of legal risk. The proposed Standard provides five strategic portfolios for directors to assure readiness and a four-step framework of 'Establish, monitor, evaluate, and direct'. 'The NWI relates to governance level standardisation so that directors of enterprises can assure the forensic risk against a set of principles, an implementation framework, and a set of five strategies,' says Cusack. 'Digital forensics may be implemented in any organisation for best practice at board level.
'At the Plenary we agreed to send the NWI for ballot, to invite a co-editor from SC 27 'IT security techniques', and to continue work on the 'Governance guidelines for digital forensics'. WG 40 is making good progress on a range of governance related work items.'
Steve Willsher, Business Development Manager, Qual IT Solutions Limited
Willsher became involved in SC 7 through Matt Mansell at the Department of Internal Affairs. 'Qual IT is a software testing services company and we have made a considerable investment in being involved in SC 7 – it's a good way to give something back to the testing community,' says Willsher. 'I'm an engineer and I really believe in Standards for engineering. In my previous work I saw the value of quality management Standards and I can see parallels between quality management Standards and software testing Standards.'
At the Plenary meeting, the WG 26 meeting was attended by about 25 people representing Brazil, UK, New Zealand, France, Germany, Malaysia, Canada, America, India, China, Japan, South Korea, Sweden, Finland, Denmark, and Australia. Attendees reviewed comments on the draft international Standard ISO 29119 Software and systems engineering – Software testing – Part 1, 2, 3, and 4, and reached consensus on updates to the Standard. Mansell is one of the official editors of ISO 29119 and Willsher is providing editing support and managing the vocabulary section of the new Standard.
'The development of a core Standard for software testing will have a positive effect on IT in New Zealand and in government in particular,' says Willsher. 'The International Software Testing Qualifications Board (ISTQB) has helped raise tester professionalism in the industry and in New Zealand; however this is a syllabus and not a Standard. The IEEE and British Standards are too narrow in their focus and industry models such as test process improvement have not been widely adopted in New Zealand. This leaves a gap for overarching frameworks like ISO 29119. The development of ISO 29119 will help to standardise the quality of testing services provided by vendors in New Zealand.'
Willsher was also asked to join an 'application management' study group, which was initiated at the Plenary meeting.
For more information about SC 7 please email firstname.lastname@example.org.
- AS/NZS ISO/IEC 38500:2010 Corporate governance of information technology
- AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements
- AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information management
- HB 327:2010 Communicating and consulting about risk
- AS/NZS 8016(INT):2010 Corporate governance of projects involving information technology investments
- AS/NZS ISO/IEC 16085:2007 Information technology – Systems and software engineering – Life cycle processes – Risk management
Related Touchstone articles
- ISO international software systems Standards – participation by New Zealand IT stakeholders critical for government and industry, July 2011
- Cloud security – Cloud Security Alliance and ISO/IEC to work together to develop Standards, May 2011
- Cloud computing services – New Zealand to form NZ 'international review' group, February 2011
- Cloud computing ISO Standards in the pipeline, September 2010
- Standards New Zealand workshop on corporate governance of IT, August 2010
- Standards for corporate governance of information technology, April 2010
- IT Governance – howzat?, December 2008