Soft Audit overview・Method 4: Add ISO9001 and CMMI and divide by 2 

13/01/2021 Audit for soft-Develop..

What is the difference between ISO9001 and CMMI? (A little detour)

Well, I gave you a brief overview of ISO9001 and CMMI, but did you get an idea of them? I think you can see the difference: ISO9001 aims to improve the development management process, while CMMI aims to evaluate it.

So, since ISO9001 and CMMI have different purposes, are their methods different too? To tell the truth, and this is a bit rough, both have almost the same idea and method.

What they share is the practical procedure: (1) check whether there is a rule for development management, and (2) check that the actual development management is carried out according to that rule. The purposes differ, but in both cases it is important to grasp the current state of the organization's development management concretely, so the methods of checking the rules and checking the implementation status are similar. The difference between ISO9001, which focuses on improvement, and CMMI, which focuses on evaluation, only comes out after the current situation has been understood.

ISO9001 promotes the improvement of development management ability by pointing out problems found in audits and requesting improvement measures. CMMI provides an objective measure of an organization's management capabilities by assessing what level the organization has reached as a result of audits. Although there are some differences, the methods used to understand the current situation are very similar.

That means it is better to use CMMI when selecting a software outsourcer, and ISO9001 when you want to improve the development management ability of a company to which development has already been outsourced, doesn't it? I think that is exactly right.

Ideally, ISO9001 and CMMI would each be used as the situation of the software development audit requires. In the real world, however, there is no such ideal situation in which enough management resources (in short, personnel) can be invested in improving the quality of software development management to run two separate audit methods, so I added ISO9001 and CMMI and divided by 2 so that one method could be used for both. That is Gutara's father-style software development audit.

Add ISO9001 and CMMI and divide by 2

However, if you simply add ISO9001 and CMMI and divide by two, the result makes no sense, so I first decided on the following policy and then added them and divided by two.

  • Select important items from the CMM Level 2 confirmation items and use them as the items to be confirmed in the audit
  • Use the ISO9001 method for auditing (planning, implementation, reporting, improvement requests, follow-up)

In short, it is a method of checking the CMMI check items according to the ISO9001 procedure. There is no particular reason to base it on CMM Level 2 rather than CMMI. When I came up with the software development audit, only CMM existed, and I chose Level 2 because meeting Level 2 is enough to judge that the minimum required development management ability is in place.

Using ISO9001 as the audit method also makes it easy to explain to the company being audited. Even if I say that I will do a software development audit, I cannot proceed if the other party does not respond. And since there is no activity called software development audit in the world at large, we have to start by explaining the purpose and outline.

At that point, if the procedure is that of ISO9001, the other company has often gone through ISO9001 itself, so the conversation goes relatively smoothly.

On the other hand, for the check items that form the content of the audit, CMM, which specializes in software, is more effective, so I decided to use it.

A checklist is prepared separately from the process audit to audit the development technology.

Regarding the management ability of software development, adding CMMI and ISO9001 and dividing by 2 worked quite well, but unfortunately this alone does not give enough information to judge whether the software development ability of the development contractor is good or bad.

In software development, the "manufacturing equipment" that actually does the design and coding is the engineers themselves. The technical strength of each engineer directly becomes the technical strength of the organization. Development management ability and technical ability are generally not related to each other, so no matter how good the development management ability is, good software cannot be made if the technical ability is low. Even in a manufacturing factory, if the capability of the manufacturing equipment is poor, no matter how good the manufacturing control is, it will not be possible to produce a good product, so this is not a problem peculiar to software development.

In order to judge the software development ability of the development contractor, it is also necessary to have a means of confirming the organization's technical ability in software development.

For development technology, look at three areas: requirements definition, design / coding, and testing.

It is impossible to judge whether everything is good or bad, because the technical strength of software development covers a very wide range. Therefore, in Gutara's father's software development audit, specific check items are made for three technical areas that are especially important in the development of embedded software: (1) requirement definition technology, (2) design and code manufacturing technology, and (3) test technology. These items check at a glance how well the importance of each technical area is understood and put into practice.

The requirement definition technology of (1) is the entrance to software development. If the specifications are not clearly defined here, you will end up with irrelevant software no matter how hard you try in the subsequent processes. The test technology of (3) is the exit of software development. How to confirm that the software is finished according to the required specifications is the final barrier protecting software quality.

Then, (2) design and code manufacturing technology is the actual design / implementation work that connects (1) at the entrance and (3) at the exit. For this actual work, we look at what kind of mechanism, including reviews, is used to maintain the necessary technology and apply it to software development.

Regarding the audit of development technology, the checklist is actually quite narrow. Since software development technology is very wide-ranging, I did not try to cover all of it from the beginning. However, since all software development is done by people, and following the law that people will make mistakes, I make the checklist focusing on the problems that Gutara's father has seen and heard in the past.

The actual checklist is explained in the detailed explanation article, so if you are interested, please see that.

See individual articles for a little more detail

If you would like to know more about the practice of software development auditing, please return to the top page of software development auditing, reached through the development auditing link at the top of the article, and see each article. You can also follow the individual articles on software development auditing practices in order from the links below, which lead to the same articles.