Tool Risk Calculation Details

Introduction:

This section provides guidance to the Rating Criteria and Guidance for Process
Assessment.

The guidance is based on ISO/IEC 15504, also known as SPICE (Software
Process Improvement and Capability Determination), an international standard that
provides a framework for assessing and improving the capability and maturity of
software development processes within organizations. The standard defines a set of
rating criteria and guidance that can be used to evaluate the implementation of these
processes.

When conducting a process assessment based on ISO 15504, it is essential to have a
rating criteria framework that enables consistent and objective evaluation. The rating
criteria are typically based on a scale of 0 to 4, with each rating representing a specific
level of implementation. The ratings and their corresponding levels of implementation
are as follows:

1. Not Applicable (0): This rating is given when a specific process is not
applicable to the organization or the assessed scope. In other words, the
process does not exist or is not relevant to the context being evaluated.
2. Not Implemented (1): This rating is assigned when the process is recognized as
necessary but has not been implemented or addressed adequately. The
organization has made minimal efforts, if any, to establish the process,
resulting in its absence or neglect.
3. Partially Implemented (2): This rating indicates that the process has been
implemented to some extent but falls short of being fully integrated within the
organization. Typically, this rating covers a range of 15 to 50% of the required
implementation.
4. Largely Implemented (3): This rating represents a significantly higher level of
process implementation compared to the previous rating. Processes receiving
this rating are largely established and practiced within the organization,
covering approximately 50 to 85% of the required implementation.
5. Fully Implemented (4): The highest rating signifies that the process is fully
implemented and consistently followed throughout the organization. This
rating is assigned when the process has been successfully integrated and
adhered to in at least 85% of the required implementation.

It is important to note that these ratings are not arbitrary, but rather based on a
comprehensive evaluation of the organization's processes, procedures, and
practices. The assessment team carefully analyzes the evidence and compares it against
the specific criteria defined in ISO 15504 to arrive at an objective rating for each
process.

By applying this rating criteria framework, organizations can gain valuable insights into
the maturity and capability of their software development processes. This information
can then be used to identify areas for improvement and guide targeted efforts towards
enhancing the overall efficiency and effectiveness of the organization's software
development practices.

Key characteristics of the following areas are explored within each of the rating criteria.

I. Documentation evidence
II. Leadership behaviors and practices
III. Policies
IV. Practices
V. Processes
VI. Training or Awareness
VII. Procedures
VIII. Measurements
IX. Process Management
X. Innovation culture

RATINGS

A. NOT APPLICABLE

I. DOCUMENTARY EVIDENCE

o The organization has not implemented any process capability in that area.
Rating a process as Not Applicable requires:
   i. A statement from the organization indicating that the process area
   is not implemented and the reasons for this decision.
   ii. An explanation of how the organization plans to address the
   process area in the future.
   iii. A record of any discussions or decisions related to the process
   area, including minutes of meetings or other documentation.
   iv. Any relevant policies or procedures that demonstrate why the
   process area is not applicable to the organization.
   v. Any other documentation that can demonstrate that the
   organization has considered the process area and made a deliberate
   decision not to implement it.
o It is important to note that while a process area may be determined to be
"Not Implemented," it does not mean that the organization
should ignore it altogether. Rather, the organization should consider
whether the process area is relevant to their business

II. LEADERSHIP BEHAVIORS AND PRACTICES

Following behaviors and practices are expected from the Leadership team.

1. Ensuring that the decision not to implement the process area is based on a
thorough analysis of the organization's needs and capabilities.
2. Providing clear and transparent communication to all stakeholders regarding the
decision not to implement the process area.
3. Ensuring that the decision not to implement the process area is documented and
supported by valid reasons.
4. Establishing a plan to address the process area in the future, if necessary.
5. Continuously monitoring the organization's needs and capabilities to
determine whether the decision not to implement the process area remains valid.
6. Ensuring that resources are allocated appropriately to support the implementation
of other process areas that have been identified as a priority.
7. Encouraging a culture of continuous improvement and a willingness to reassess
decisions regarding process implementation.

III. POLICIES

If the organization has determined that a particular process or sub-process is not
applicable, then it does not need to provide any policies or evidence for that process or
sub-process.

Some of the reasons that may be expected for "Not Applicable" criteria
under ISO 15504 include:

1. The process is not relevant to the organization's business or operations.
2. The organization has outsourced the process to a third party.
3. The organization is exempt from compliance with a specific regulatory
requirement related to the process.
4. The process is not necessary for achieving the organization's objectives.
5. The organization has already addressed the process in a different way, such as
through a different process or tool.
6. The process has not yet been implemented or is still in development.

In general, the organization should document its rationale for determining that a
particular process or sub-process is not applicable, and this documentation should be
available for review by the assessment team. If the rationale is not clear or the
assessment team has concerns, the organization may be asked to provide additional
explanation or evidence to support its determination.

IV. PRACTICES

The reason for not expecting any kind of practices under "Not Applicable"
criteria is that the organization has determined that the process or sub-process in
question is not relevant or applicable to its business or operations. Therefore, there are
no practices or evidence to be provided for that process or sub-process.

For example, if an organization operates in a specific industry that is exempt from
certain regulatory requirements, and it determines that a particular process or
sub-process related to that requirement is not applicable, then it would not need to provide
any practices or evidence for that process or sub-process.

It is important to note that the determination of "Not Applicable" should be
made based on a thorough analysis and evaluation of the organization's business
and operations, and the documentation of this analysis should be available for review by
the assessment team. If the assessment team has concerns about the organization's
determination of "Not Applicable," it may request additional explanation or
evidence to support the organization's rationale.

V. PROCESSES

The reason for not having any processes under "Not Applicable" criteria is
that the organization has determined that the process or sub-process in question is not
relevant or applicable to its business or operations. Therefore, there are no processes that
need to be defined or evaluated for that process or sub-process.

For example, if an organization operates in a specific industry that is exempt from
certain regulatory requirements, and it determines that a particular process or
sub-process related to that requirement is not applicable, then it would not need to define or
evaluate any processes for that process or sub-process.

It is important to note that the determination of "Not Applicable" should be
made based on a thorough analysis and evaluation of the organization's business
and operations, and the documentation of this analysis should be available for review by
the assessment team. If the assessment team has concerns about the organization's
determination of "Not Applicable," it may request additional explanation or
evidence to support the organization's rationale.

VI. TRAINING OR AWARENESS

The reason for not having any training or awareness requirements under "Not
Applicable" criteria is that the organization has determined that the process or
sub-process in question is not relevant or applicable to its business or operations. Therefore,
there are no training or awareness requirements needed for that process or sub-process.

For example, if an organization operates in an industry where a particular technology is
not used, and it determines that a particular process or sub-process related to that
technology is not applicable, then it would not need to provide any training or awareness
requirements for that process or sub-process.

It is important to note that the determination of "Not Applicable" should be
made based on a thorough analysis and evaluation of the organization's business
and operations, and the documentation of this analysis should be available for review by
the assessment team. If the assessment team has concerns about the organization's
determination of "Not Applicable," it may request additional explanation or
evidence to support the organization's rationale.

VII. PROCEDURES

The "Not Applicable" criteria in the ISO 15504 assessment refer to the
process areas or practices that do not apply to the organization or project being assessed.
These process areas may not be relevant or applicable to the specific context of the
organization, and therefore no procedures are expected to be in place.

There could be several reasons why an organization or project may have no procedures
under the "Not Applicable" criteria in the ISO 15504 assessment, such as:

1. The organization may not be performing the specific process area or practice due
to its business nature or the type of software development it is involved in. For
example, if the organization does not develop safety-critical systems, it may not
require the process area for Safety Management.
2. The organization may have implemented a different approach or method for the
process area or practice, which is not recognized by the standard. In this case, the
organization should provide evidence that the alternative method is effective and
meets the same objectives as the standard's requirements.
3. The organization may have outsourced or delegated the process area or practice to
a third-party supplier, and hence it is not performed by the organization itself.
4. The organization may not have reached a sufficient level of maturity to
implement the process area or practice. In this case, the organization should
identify the reasons for the lack of maturity and plan for improvement to achieve
the required level in the future.

In summary, the absence of procedures under the "Not Applicable" criteria in
the ISO 15504 assessment may indicate that the organization has a clear understanding
of its business needs and software development processes and has made a deliberate
decision not to implement certain process areas or practices that are not relevant to its
context.

VIII. MEASUREMENTS

When it comes to measurements, the reason for not having any measurements under the
"Not Applicable" criteria could be:

1. The organization does not perform the specific process area or practice that
requires measurements. For example, if the organization does not perform the
process area for Software Testing, it may not require any measurements related to
testing activities.
2. The organization may be in the early stages of implementing the process area or
practice, and it is not yet at a point where measurements can be effectively
captured. For example, if the organization has just started implementing the
process area for Configuration Management, it may not have established a
process for measuring the effectiveness of its configuration management
practices.
3. The organization may have implemented an alternative method or approach for
the process area or practice, which does not require the same measurements as
those specified in the standard. In this case, the organization should provide
evidence that the alternative method is effective and meets the same objectives as
the standard's requirements.
4. The organization may have outsourced or delegated the process area or practice to
a third-party supplier, and hence it is not responsible for capturing measurements
related to that process area or practice.

In summary, the absence of measurements under the "Not Applicable"
criteria in an ISO 15504 process assessment may indicate that the organization has a
clear understanding of its business needs and software development processes and has
made a deliberate decision not to implement certain process areas or practices that are
not relevant to its context. However, it is important for the organization to provide a
clear justification for why the process area or practice does not require any
measurements and how it is ensuring the effective implementation of that process area or
practice.

IX. PROCESS MANAGEMENT

The process management activities include establishing and maintaining a process
framework, planning and monitoring processes, and ensuring process improvement.
However, there could be several reasons why an organization or project may not have
any process management activities under the "Not Applicable" criteria, such
as:

1. The organization may be a small software development team, where the roles and
responsibilities are not clearly defined, and hence, there is no formal process
management activity in place.
2. The organization may have outsourced the software development activities to a
third-party supplier, and the supplier is responsible for the process management
activities.
3. The organization may have already established a well-defined and mature process
framework that requires no further improvement, and hence there is no need for
any process management activity.
4. The organization may have implemented an alternative approach or method for
process management activities that are not recognized by the ISO 15504 standard.
In this case, the organization should provide evidence that the alternative
approach is effective and meets the same objectives as the standard's
requirements.

It is important to note that if an organization does not have any process management
activities under the "Not Applicable" criteria, it is not necessarily an
indication that it does not have any process management activities at all. The
organization should provide a clear justification for why it does not have any process
management activities under the "Not Applicable" criteria and how it is
ensuring effective process management. If the organization does have process
management activities in place, it should be able to provide evidence of its
implementation and effectiveness.

X. INNOVATION

Innovation related activities are not explicitly required in the ISO 15504 standard.
However, the standard does recognize the importance of innovation and encourages
organizations to improve their processes continually. Therefore, an organization or
project may not have any innovation related activities under the "Not
Applicable" rating for several reasons, such as:

1. The organization may not consider innovation as a priority or may not have a
culture that fosters innovation. In such cases, the organization may not have any
formal innovation related activities in place.
2. The organization may already have established and mature processes that do not
require any further innovation-related activities. In such cases, the organization
may have already implemented innovative solutions or practices as part of its
standard processes.
3. The organization may not be in a position to invest in innovation-related activities
due to budget constraints, resource limitations, or other business priorities.
4. The organization may have implemented an alternative approach or method for
innovation-related activities that are not recognized by the ISO 15504 standard. In
this case, the organization should provide evidence that the alternative approach
is effective and meets the same objectives as the standard's requirements.

It is important to note that innovation-related activities can significantly benefit software
development processes by providing new ideas, technologies, and approaches to improve
software quality, reduce costs, and increase productivity. Therefore, organizations should
consider incorporating innovation-related activities as part of their process improvement
initiatives. If an organization does not have any innovation-related activities under the
"Not Applicable" rating, it should provide a clear justification for why it
does not have any such activities and how it is ensuring continuous improvement and
staying up-to-date with emerging technologies and industry trends.

XI. PROCESS IMPROVEMENTS

Process improvement is a key aspect of this framework, and it is essential for
organizations to continuously improve their processes to achieve better outcomes.
However, an organization or project may not have any process improvement efforts
under the "Not Applicable" rating for several reasons, such as:

1. The organization may not have a mature process framework in place, and hence
there is no need for any process improvement efforts.
2. The organization may have already implemented a well-defined and mature
process framework that requires no further improvement.
3. The organization may not have identified any specific process areas that require
improvement, or it may be satisfied with the current level of process performance.
4. The organization may not have the resources, budget, or management support to
invest in process improvement activities.
5. The organization may have already implemented innovative practices or solutions
that have significantly improved its processes and do not require any further
improvement.

It is important to note that while an organization may not have any process improvement
efforts under the "Not Applicable" rating, it does not necessarily mean that
the organization has no need for process improvement. Process improvement is a
continuous activity, and organizations should always strive to improve their processes to
achieve better outcomes. Therefore, if an organization does not have any process
improvement efforts under the "Not Applicable" rating, it should provide a
clear justification for why it does not have any such efforts and how it is ensuring
continuous improvement in its processes. If the organization has identified areas for
improvement but is not investing in process improvement efforts due to resource
constraints or other reasons, it should also explain its plan for addressing these
constraints and resuming process improvement activities in the future.

B. NOT IMPLEMENTED

I. DOCUMENTARY EVIDENCE

If a process area is determined to be "Not Implemented," there may be some
documentary evidence that is expected to be lacking. This is because a "Not
Implemented" determination means that the organization has not implemented any
process capability in that particular area.

1. Some documentary evidence that may be expected to be lacking for a "Not
Implemented" process area includes:
o i. Documentation of procedures or work instructions related to the process
area.
o ii. Records of activities related to the process area, such as training
records, audit reports, or process performance data.
o iii. Evidence of compliance with relevant standards or regulations related
to the process area.
o iv. Evidence of process improvement activities related to the process area.
o v. Any other documentation that would demonstrate that the organization
has implemented process capability in the particular area.
o vi. It is important to note that even if there is a lack of documentary
evidence related to a "Not Implemented" process area, the
organization should still be able to provide evidence of their
decision-making process and their reasons for not implementing the process area.
This may include documentation of discussions, meetings, or other
relevant communications related to the process area.
o vii. It is also important to note that while a lack of documentary evidence
may be expected for a "Not Implemented" process area, the
organization should still be able to provide evidence of their capability in
other areas and demonstrate a commitment to continuous improvement.

II. LEADERSHIP BEHAVIORS AND PRACTICES

Under ISO 15504, the Leadership process area includes practices related to the
establishment and communication of a clear vision and strategy, the provision of
resources and support, the identification and management of risks, and the measurement
and evaluation of performance.

1. When assessing the Leadership process area, if the criteria for a specific process
or sub-process is determined to be "Not Implemented," the
assessment team would not expect to see any evidence of policies or practices
related to that process or sub-process. However, there may still be some
Leadership behaviors and practices that are expected of the organization,
regardless of whether or not a specific process or sub-process is implemented.
2. The leadership behaviors and practices that may be expected to be lacking for a
"Not Implemented" criteria include:
o Lack of clear and transparent communication to all stakeholders regarding
the decision not to implement the process area.
o Lack of a thorough analysis of the organization's needs and
capabilities to support the decision not to implement the process area.
o Lack of a documented and supported rationale for the decision not to
implement the process area.
o Failure to establish a plan to address the process area in the future, if
necessary.
o Lack of continuous monitoring of the organization's needs and
capabilities to determine whether the decision not to implement the
process area remains valid.
o Failure to allocate resources appropriately to support the implementation
of other process areas that have been identified as a priority.
o Lack of a culture of continuous improvement and a willingness to reassess
decisions regarding process implementation.
3. If leadership behaviors and practices are lacking in these areas, it may indicate
that the organization has not prioritized process improvement or has not given
sufficient attention to the decision-making process related to process
implementation. In such cases, the organization may need to reconsider its
approach to process improvement and ensure that it has effective leadership and
governance structures in place to support it.
4. Some Leadership behaviors and practices that may be expected, even when a
specific process or sub-process is not implemented, include:
o Clear communication of the organization's vision and strategy to all
stakeholders, including employees, customers, and partners.
o Allocation of appropriate resources, including budget, staff, and time, to
support the organization's goals and objectives.
o Identification and management of risks that could impact the
organization's ability to achieve its goals.
o Establishment of a culture of continuous improvement, where feedback is
encouraged and acted upon to drive improvement in all areas of the
organization.
o Measurement and evaluation of performance against established goals and
objectives.
5. It is important to note that while specific policies or practices may not be required
for a process or sub-process that is determined to be "Not
Implemented," the organization may still need to provide evidence that it
has implemented appropriate Leadership behaviors and practices to ensure the
success of its business and operations.

III. POLICIES

If a process area is determined to be "Not Implemented," there may be some
policies that are expected to be lacking. This is because a "Not Implemented"
determination means that the organization has not implemented any process capability in
that particular area.

1. Some policies that may be expected to be lacking for a "Not
Implemented" process area include:
o Policies related to the objectives and goals of the process area.
o Policies related to the roles and responsibilities of personnel with respect
to the process area.
o Policies related to the use of tools and techniques for the process area.
o Policies related to the measurement and analysis of process performance in
the area.
o Policies related to the management of process improvement activities for
the area.
2. It is important to note that while policies may be lacking for a "Not
Implemented" process area, the organization should still be able to provide
evidence of their decision-making process and their reasons for not implementing
the process area. This may include documentation of discussions, meetings, or
other relevant communications related to the process area.
3. It is also important to note that while a lack of policies may be expected for a
"Not Implemented" process area, the organization should still be able
to demonstrate a commitment to continuous improvement and a willingness to
reassess decisions regarding process implementation.

IV. PRACTICES

The "Not Implemented" rating in the ISO 15504 standard indicates that a
particular process attribute or capability level has not been implemented or is not
applicable to the organization or project being assessed. Here are some practices that are
expected and not expected when choosing the "Not Implemented" rating:

Expected Practices:

1. Clearly identify the reasons why the process attribute or capability level is not
implemented or not applicable.
2. Provide evidence to support the decision to rate the process attribute or capability
level as "Not Implemented."
3. Document the reasons for not implementing the process attribute or capability
level.
4. Identify any risks associated with not implementing the process attribute or
capability level and document how these risks will be managed.

Not Expected Practices:

1. Rating the process attribute or capability level as "Not Implemented"
without providing a clear justification.
2. Ignoring the importance of the process attribute or capability level and not
considering the impact of not implementing it.
3. Failing to document the reasons for not implementing the process attribute or
capability level.
4. Assuming that the process attribute or capability level is not important without
conducting a thorough analysis.

It is important to note that choosing the "Not Implemented" rating for a
particular process attribute or capability level does not mean that the organization or
project should ignore the importance of the attribute or level. Organizations should
always strive to continuously improve their processes and work towards implementing
all process attributes and capability levels to achieve better outcomes. If a process
attribute or capability level is not applicable, the organization should clearly document
the reasons for not being applicable and demonstrate that it has considered all the
relevant factors before making the decision.

V. PROCESSES

The decision to choose the "Not Implemented" rating in the ISO 15504
standard may vary depending on the process being assessed and the context of the
organization or project. However, in general, here are some processes that may be
expected or lacking when choosing the "Not Implemented" rating:

Expected:

1. A clear understanding of the process being assessed and its importance to the
organization or project.
2. A documented process improvement plan that identifies all the process attributes
and capability levels to be implemented.
3. A risk management plan that identifies and manages risks associated with not
implementing specific process attributes or capability levels.
4. A decision-making process that considers all the relevant factors before deciding
to rate a particular process attribute or capability level as "Not
Implemented."
5. A process for regularly reviewing and updating the process improvement plan to
ensure that all the relevant process attributes and capability levels are being
implemented.

Lacking:

1. A documented process improvement plan that does not identify all the relevant
process attributes and capability levels.
2. A lack of understanding of the importance of a particular process attribute or
capability level.
3. A lack of risk management plan that identifies and manages risks associated with
not implementing specific process attributes or capability levels.
4. A decision-making process that is based on incomplete or inaccurate information.
5. A lack of a process for regularly reviewing and updating the process improvement
plan to ensure that all the relevant process attributes and capability levels are
being implemented.

It is important to note that the decision to choose the "Not Implemented"
rating should be based on a thorough analysis of the process being assessed and the
context of the organization or project. The organization or project should provide a clear
and well-documented justification for the decision, and it should ensure that it is
continuously working towards implementing all the relevant process attributes and
capability levels to achieve better outcomes.

VI. TRAINING OR AWARENESS

When choosing the "Not Implemented" rating for a process attribute or
capability level in a process assessment based on ISO 15504, the organization should
have appropriate training and awareness practices in place to ensure that its personnel
have a clear understanding of the process being assessed and its importance. Here are
some training and awareness practices that may be expected or lacking when choosing
the "Not Implemented" rating:

Expected:

1. A documented training program that provides training to personnel on the
relevant processes and process improvement methodologies.
2. A process for ensuring that personnel are aware of the importance of the process
being assessed and the impact of not implementing specific process attributes or
capability levels.
3. A process for regularly reviewing and updating the training program to ensure
that it is up-to-date and relevant to the organization's needs.
4. A process for monitoring and evaluating the effectiveness of the training program
and making necessary improvements.

Lacking:

1. A lack of a documented training program that provides training to personnel on
the relevant processes and process improvement methodologies.
2. A lack of awareness among personnel regarding the importance of the process
being assessed and the impact of not implementing specific process attributes or
capability levels.
3. A lack of regular review and updating of the training program to ensure that it is
up-to-date and relevant to the organization's needs.
4. A lack of monitoring and evaluation of the effectiveness of the training program.

It is important to note that the decision to choose the "Not Implemented"
rating should be based on a thorough analysis of the process being assessed and the
context of the organization or project. The organization should provide a clear and
well-documented justification for the decision, and it should ensure that its personnel are
adequately trained and aware of the importance of the process being assessed.

VII. PROCEDURES

When choosing the "Not Implemented" rating for a process attribute or
capability level in a process assessment based on ISO 15504, the organization should
have appropriate procedures in place to ensure that the process is effectively
implemented. Here are some procedures that may be expected or lacking when choosing
the "Not Implemented" rating:

Expected:

1. A documented procedure for implementing the relevant process attribute or
capability level.
2. A process for ensuring that the procedure is followed and implemented
consistently across the organization or project.
3. A process for regularly reviewing and updating the procedure to ensure that it is
up-to-date and relevant to the organization's needs.
4. A process for monitoring and evaluating the effectiveness of the procedure and
making necessary improvements.

Lacking:

1. A lack of a documented procedure for implementing the relevant process attribute
or capability level.
2. Inconsistent implementation of the procedure across the organization or project.
3. A lack of regular review and updating of the procedure to ensure that it is up-to-
date and relevant to the organization's needs.
4. A lack of monitoring and evaluation of the effectiveness of the procedure.

It is important to note that the decision to choose the "Not Implemented"
rating should be based on a thorough analysis of the process being assessed and the
context of the organization or project. The organization should provide a clear and well-
documented justification for the decision, and it should ensure that appropriate
procedures are in place to effectively implement the process.

VIII. MEASUREMENTS

To choose the "Not Implemented" rating for measurements during a process
assessment based on ISO 15504, the following evidence may be required:

1. Lack of documented measurement processes: There should be no documented
processes related to measurement, such as measurement plans, measurement
procedures, or measurement analysis processes.
2. Lack of measurement data: There should be no measurement data available to
demonstrate that measurements have been carried out or that any measurements
have been planned or identified.
3. Lack of measurement tools and techniques: There should be no evidence of the
use of measurement tools and techniques, such as statistical process control,
Pareto charts, or flowcharts.
4. Lack of analysis of measurement data: There should be no evidence of any
analysis of measurement data, such as root cause analysis, trend analysis, or
statistical analysis.
5. Lack of improvement actions based on measurement data: There should be no
evidence of any improvement actions taken based on measurement data, such as
corrective actions, preventive actions, or process improvement initiatives.

Overall, the evidence should demonstrate a complete absence of any measurement
activities within the organization.

IX. PROCESS MANAGEMENT

When an organization chooses the "Not Implemented" rating for a process
attribute or capability level in a process assessment based on ISO 15504, it means that
they have not implemented the process attribute or capability level, and therefore, there
are no process management practices expected to be in place for reflecting an accurate
assessment of the "Not Implemented" criteria.

However, to ensure that the decision to choose the "Not Implemented" rating
is based on a thorough analysis of the process being assessed and the context of the
organization or project, the organization should ensure that it has appropriate process
management practices in place to effectively implement and manage the processes that
are important for achieving its goals and objectives. This includes:
1. Having a well-defined process management system in place, including policies,
procedures, and guidelines that provide guidance on how to implement and
manage processes effectively.
2. Ensuring that there is clear communication and understanding of the process
being assessed, including its purpose, scope, and objectives.
3. Establishing appropriate roles and responsibilities for implementing and
managing the process, including assigning accountability for process
performance.
4. Establishing appropriate metrics and measurement methods to monitor and track
the performance of the process, including its effectiveness, efficiency, and
compliance.
5. Providing training and awareness programs to ensure that staff members are
aware of the process and how to implement and manage it effectively.
6. Conducting regular process reviews and evaluations to identify areas for
improvement and implement necessary changes.

In summary, while there are no process management practices expected to be in place for
reflecting an accurate assessment of the "Not Implemented" criteria, the
organization should ensure that it has appropriate process management practices in place
to effectively implement and manage the processes that are important for achieving its
goals and objectives.

X. INNOVATION

When choosing the "Not Implemented" rating for innovation practices in a
process assessment based on ISO 15504, the following evidence may be required:

1. Documentation of the organization's innovation strategy: The organization
should provide documentation of its innovation strategy, including any plans or
goals for implementing innovation practices. If the strategy does not include any
specific innovation practices or plans for implementation, this would support a
rating of "Not Implemented."
2. Records of brainstorming or idea generation sessions: If the organization has
conducted any brainstorming or idea generation sessions, records of these
sessions should be provided. If no such sessions have been conducted, this would
support a rating of "Not Implemented."
3. Prototyping or testing documentation: If the organization has developed any
prototypes or conducted testing of innovative solutions, documentation of these
activities should be provided. If no such documentation exists, this would support
a rating of "Not Implemented."
4. Records of innovation-related training or workshops: If the organization has
provided any training or workshops related to innovation practices, records of
these activities should be provided. If no such training or workshops have been
provided, this would support a rating of "Not Implemented."
5. Innovation-related metrics: If the organization has established any metrics related
to innovation, such as the number of ideas generated or the success rate of
innovative solutions, records of these metrics should be provided. If no such
metrics exist, this would support a rating of "Not Implemented."

Overall, the evidence required to support a rating of "Not Implemented" for
innovation practices will depend on the specific context of the organization and the
process being assessed. However, the organization should provide clear and well-
documented evidence to support the rating, including any reasons for why innovation
practices have not been implemented and any plans for future implementation.

XI. PROCESS IMPROVEMENTS

To choose the "Not Implemented" rating for process improvement during a
process assessment based on ISO 15504, the following evidence may be required:

1. Lack of documented processes: There should be no documented processes related
to process improvement, such as process improvement plans, change management
processes, or process performance measurement processes.
2. Lack of training and awareness: There should be no evidence of training and
awareness activities related to process improvement, such as training sessions,
workshops, or internal communication campaigns.
3. Lack of process improvement initiatives: There should be no evidence of any
process improvement initiatives, such as process assessments, process audits,
process reviews, or process maturity assessments.
4. Lack of process improvement metrics: There should be no metrics or
measurements related to process improvement, such as process cycle time,
process cost, or process quality metrics.
5. Lack of process improvement tools and techniques: There should be no evidence
of the use of process improvement tools and techniques, such as statistical
process control, lean manufacturing, or Six Sigma.

Overall, the evidence should demonstrate a complete absence of any process
improvement activities within the organization.

C. PARTIALLY IMPLEMENTED

I. DOCUMENTARY EVIDENCE

For choosing a "Partially Implemented" rating with regard to documentation
in a process assessment based on ISO 15504, the following evidence would be required:

• Existence of some documentation, but not all the required documents or
incomplete documents
• Evidence of partially implemented document control procedures, such as version
control, review and approval processes
• Evidence of incomplete or partially implemented document templates or
standards
• Evidence of partially implemented procedures for document distribution and
communication

On the other hand, the following evidence would not be required for a "Partially
Implemented" rating with regard to documentation:

• Evidence of other process areas or practices that are not related to documentation
• Evidence of measurements or process management activities if they are not
specifically related to documentation
• Evidence of innovation or training and awareness practices if they are not
specifically related to documentation

Overall, the evidence required for a "Partially Implemented" rating with
regard to documentation should focus on the completeness and effectiveness of
documentation practices, procedures, and controls.

As an example, for the "Partially Implemented" criteria of the question
"Are contacts with relevant authorities defined?" in ISO 27002, the
following documentary evidence is expected:

• A description of the process for identifying relevant authorities and determining
the scope of their involvement.
• Documentation of any existing contacts with relevant authorities, such as
agreements or contracts.
• Evidence of communication with relevant authorities, such as emails or meeting
minutes.

Additionally, the following documentary evidence may also be useful to
demonstrate partial implementation:

• A list of relevant authorities and their contact information.
• Procedures for notifying authorities in the event of a security incident or
breach.
• Evidence of training or awareness-raising for employees on the importance
of contacting relevant authorities.

However, the following documentary evidence is not expected for partially
implemented criteria:

• Comprehensive guidelines or procedures for all possible scenarios
involving relevant authorities.
• Evidence of formal agreements or contracts with all relevant authorities.
• Evidence of regular communication or engagement with relevant
authorities.

In summary, for partially implemented criteria, the focus is on
demonstrating that the process has been partially implemented, with some
evidence of identifying and engaging with relevant authorities, rather than
on providing extensive documentation or achieving full compliance.

II. LEADERSHIP BEHAVIORS AND PRACTICES

To choose a "Partially Implemented" rating on Leadership behaviors and
practices, the following evidence would be required:

1. Evidence that the leadership team has established a clear vision and mission for
the organization, but there are some gaps in how that vision is communicated and
implemented throughout the organization.
2. Evidence that the leadership team has defined roles and responsibilities for its
members, but there are some instances where those roles are not clearly
understood by everyone.
3. Evidence that the leadership team has established a culture of continuous
improvement, but there are some areas where improvements have not been made
or have been slow to materialize.

The following evidence would not be required for a "Partially Implemented"
rating:

• Evidence of formal training or certification in leadership practices by the
leadership team members.
• Evidence of specific leadership practices being used consistently across the
organization.
• Evidence of a high level of employee engagement or satisfaction with leadership
practices.

It's important to note that the evidence required for a particular rating may vary
depending on the context and specific requirements of the assessment. The assessment
team should use their professional judgment and expertise to evaluate the evidence and
assign an appropriate rating.

III. POLICIES

In the context of ISO 15504, a "Partially Implemented" rating means that
some of the practices described in a process model are being followed, but there are still
significant gaps or deficiencies in implementation. To choose this rating, the following
evidence would be required:

1. Documentation of the processes being partially implemented, including any
policies or procedures that are in place.
2. Evidence that some of the practices described in the process model are being
followed, such as completed checklists or audit reports.
3. Evidence of gaps or deficiencies in implementation, such as incomplete or
missing documentation, or incomplete implementation of key practices.

The following evidence would not be required for choosing a "Partially
Implemented" rating:

1. Evidence of compliance with regulations or standards that are not relevant to the
process being assessed.
2. Evidence of successful outcomes or performance measures that are not related to
the process being assessed.
3. Evidence of training or qualifications of staff members that are not directly
related to the process being assessed.

It's worth noting that the evidence required for an ISO 15504 assessment can vary
depending on the specific process being assessed and the maturity of the
organization's processes. The assessment team should work closely with the
organization being assessed to determine the appropriate evidence for each rating.

IV. PRACTICES

In an ISO 15504 process assessment, a "Partially Implemented" rating on
practices means that some of the practices within a specific process area are being
followed, but there are significant gaps or deficiencies in their implementation. To
choose this rating, the following evidence would be required:

1. Documentation of the process area being assessed, including any policies,
procedures, and work instructions that are in place.
2. Evidence that some of the practices within the process area are being followed,
such as completed checklists or audit reports.
3. Evidence of gaps or deficiencies in the implementation of practices, such as
incomplete or missing documentation, or incomplete implementation of key
practices.

Additionally, the following evidence could be considered when determining a
"Partially Implemented" rating:

1. Evidence of the effectiveness of the partially implemented practices, such as
performance metrics or customer feedback.
2. Evidence of the root cause

On the other hand, the following evidence would not be required for choosing a
"Partially Implemented" rating:

1. Evidence of compliance with regulations or standards that are not relevant to the
process area being assessed.
2. Evidence of successful outcomes or performance measures that are not related to
the process area being assessed.
3. Evidence of training or qualifications of staff members that are not directly
related to the process area being assessed.

It's important to note that the specific evidence required for an ISO 15504 process
assessment may vary based on the context and the maturity of the organization's
processes. The assessment team should work closely with the organization being
assessed to determine the appropriate evidence for each rating.

V. PROCESSES

In an ISO 15504 process assessment, a "Partially Implemented" rating on
processes means that some of the processes within a specific process area are being
followed, but there are significant gaps or deficiencies in their implementation.

To choose this rating, the following evidence would be required:

1. Documentation of the process area being assessed, including any policies,
procedures, and work instructions that are in place.
2. Evidence that some of the processes within the process area are being
followed, such as completed checklists or audit reports.
3. Evidence of gaps or deficiencies in the implementation of processes, such as
incomplete or missing documentation, or incomplete implementation of key
processes.

Additionally, the following evidence could be considered when determining a
"Partially Implemented" rating:

1. Evidence of the effectiveness of the partially implemented processes, such as
performance metrics or customer feedback.
2. Evidence of the root cause of the gaps or deficiencies, such as process bottlenecks
or lack of resources.

On the other hand, the following evidence would not be required for choosing a
"Partially Implemented" rating:

1. Evidence of compliance with regulations or standards that are not relevant to the
process area being assessed.
2. Evidence of successful outcomes or performance measures that are not related to
the process area being assessed.
3. Evidence of training or qualifications of staff members that are not directly
related to the process area being assessed.

It's important to note that the specific evidence required for an ISO 15504 process
assessment may vary based on the context and the maturity of the organization's
processes. The assessment team should work closely with the organization being
assessed to determine the appropriate evidence for each rating.

VI. TRAINING AND AWARENESS

In an ISO 15504 process assessment, a "Partially Implemented" rating on
Training and Awareness activities means that some training and awareness activities
related to the process being assessed have been implemented, but there are significant
gaps or deficiencies in their implementation. To choose this rating, the following
evidence would be required:

1. Documentation of the training and awareness activities being assessed, such as
training plans, course materials, or communication plans.
2. Evidence that some training and awareness activities have been implemented,
such as completed training records or communication logs.
3. Evidence of gaps or deficiencies in the implementation of training and awareness
activities, such as incomplete or missing training materials, or ineffective
communication of key messages.

Additionally, the following evidence could be considered when determining a
"Partially Implemented" rating:

4. Evidence of the effectiveness of the partially implemented training and awareness
activities, such as employee feedback or performance metrics.
5. Evidence of the root cause of the gaps or deficiencies, such as lack of resources or
inadequate training materials.

On the other hand, the following evidence would not be required for choosing a
"Partially Implemented" rating:
6. Evidence of compliance with regulations or standards that are not relevant to the
process being assessed.
7. Evidence of successful outcomes or performance measures that are not related to
the training and awareness activities being assessed.
8. Evidence of the qualifications or experience of the trainers or instructors, unless it
directly impacts the quality of the training.

It's important to note that the specific evidence required for an ISO 15504 process
assessment may vary based on the context and the maturity of the organization's
processes. The assessment team should work closely with the organization being
assessed to determine the appropriate evidence for each rating.

VII. PROCEDURES

In an ISO 15504 process assessment, a "Partially Implemented" rating on
procedures means that some procedures within a specific process area are being
followed, but there are significant gaps or deficiencies in their implementation. To
choose this rating, the following evidence would be required:

1. Documentation of the process area being assessed, including any policies,
procedures, and work instructions that are in place.
2. Evidence that some of the procedures within the process area are being followed,
such as completed checklists or audit reports.
3. Evidence of gaps or deficiencies in the implementation of procedures, such as
incomplete or missing documentation, or incomplete implementation of key
procedures.

Additionally, the following evidence could be considered when determining a
"Partially Implemented" rating:

4. Evidence of the effectiveness of the partially implemented procedures, such as
performance metrics or customer feedback.
5. Evidence of the root cause of the gaps or deficiencies, such as process bottlenecks
or lack of resources.

On the other hand, the following evidence would not be required for choosing a
"Partially Implemented" rating:

6. Evidence of compliance with regulations or standards that are not relevant to the
process area being assessed.
7. Evidence of successful outcomes or performance measures that are not related to
the process area being assessed.
8. Evidence of training or qualifications of staff members that are not directly
related to the process area being assessed.

It's important to note that the specific evidence required for an ISO 15504 process
assessment may vary based on the context and the maturity of the organization's
processes. The assessment team should work closely with the organization being
assessed to determine the appropriate evidence for each rating.

VIII. MEASUREMENTS

In an ISO 15504 process assessment, a "Partially Implemented" rating on
Measurements means that some measurements related to the process being assessed have
been implemented, but there are significant gaps or deficiencies in their implementation.
To choose this rating, the following evidence would be required:

1. Documentation of the measurements being assessed, such as measurement plans
or data collection procedures.
2. Evidence that some measurements have been implemented, such as completed
measurement records or data reports.
3. Evidence of gaps or deficiencies in the implementation of measurements, such as
incomplete or missing measurement data, or ineffective use of measurement
results.

Additionally, the following evidence could be considered when determining a
"Partially Implemented" rating:

4. Evidence of the effectiveness of the partially implemented measurements, such as
their ability to provide meaningful data for decision-making or process
improvement.
5. Evidence of the root cause of the gaps or deficiencies, such as lack of resources or
inadequate data collection methods.

On the other hand, the following evidence would not be required for choosing a
"Partially Implemented" rating:

6. Evidence of compliance with regulations or standards that are not relevant to the
process being assessed.
7. Evidence of successful outcomes or performance measures that are not related to
the measurements being assessed.
8. Evidence of the qualifications or experience of the personnel responsible for the
measurements, unless it directly impacts the quality of the measurements.

It's important to note that the specific evidence required for an ISO 15504 process
assessment may vary based on the context and the maturity of the organization's
processes. The assessment team should work closely with the organization being
assessed to determine the appropriate evidence for each rating.

IX. PROCESS MANAGEMENT

In an ISO 15504 process assessment, a "Partially Implemented" rating on
Process Management means that some of the process management practices related to
the process being assessed have been implemented, but there are significant gaps or
deficiencies in their implementation. To choose this rating, the following evidence would
be required:

1. Documentation of the process being assessed, including any policies, procedures,
and work instructions related to process management.
2. Evidence that some of the process management practices have been implemented,
such as risk management or quality management practices.
3. Evidence of gaps or deficiencies in the implementation of process management
practices, such as incomplete or missing documentation, or ineffective use of
process management practices.

Additionally, the following evidence could be considered when determining a
"Partially Implemented" rating:

4. Evidence of the effectiveness of the partially implemented process management
practices, such as their ability to mitigate risks or improve process quality.
5. Evidence of the root cause of the gaps or deficiencies, such as lack of resources or
inadequate training of personnel.

On the other hand, the following evidence would not be required for choosing a
"Partially Implemented" rating:

1. Evidence of compliance with regulations or standards that are not relevant to the
process being assessed.
2. Evidence of successful outcomes or performance measures that are not related to
the process management practices being assessed.
3. Evidence of the qualifications or experience of the personnel responsible for the
process management practices, unless it directly impacts the quality of the
practices.

It's important to note that the specific evidence required for an ISO 15504 process
assessment may vary based on the context and the maturity of the organization's
processes. The assessment team should work closely with the organization being
assessed to determine the appropriate evidence for each rating.

X. INNOVATION

To rate the Innovation process area as "Partially Implemented," the
following evidence would be required:

1. The organization has established an innovation process that defines the activities,
roles, responsibilities, and resources required to identify, develop, and implement
innovative ideas.
2. The organization has identified and assessed potential opportunities for
innovation, considering its business needs, customer requirements, and market
trends.
3. The organization has implemented some innovation activities, such as
brainstorming sessions, idea generation, and concept development.
4. The organization has documented its innovation process, including procedures,
guidelines, and templates.
5. The organization has defined metrics to measure the effectiveness of its
innovation process, such as the number of ideas generated, the percentage of
ideas implemented, and the impact on business results.

On the other hand, the following evidence would NOT be sufficient to justify a
"Partially Implemented" rating for the Innovation process area:

1. The organization has a few innovative ideas but does not have a defined process
to manage them effectively.
2. The organization has not implemented any innovation activities but plans to do so
in the future.
3. The organization has not established metrics to measure the effectiveness of its
innovation process.

Overall, a "Partially Implemented" rating would indicate that the
organization has some basic capabilities in innovation, but there is room for
improvement in terms of the scope, effectiveness, and maturity of its innovation process.

XI. PROCESS IMPROVEMENT

ISO 15504, also known as SPICE (Software Process Improvement and Capability
Determination), provides a framework for assessing and improving software
development processes. The framework provides a rating scale from 0 (incomplete) to 5
(optimizing) to evaluate the capability of a process. The rating of "Partially
Implemented" falls in the middle of this scale.

1. Evidence of some processes being implemented: The assessment team would need
to see that some parts of the process have been implemented and that the
organization has made an effort to follow the process.
2. Evidence of a plan for improvement: The organization should have a plan for
improving the process, and evidence that steps have been taken to implement this
plan should be provided.
3. Evidence of process measurement: The organization should be measuring the
performance of the process and have data to demonstrate where improvements are
needed.
4. Evidence of non-compliance: The assessment team should find evidence of non-
compliance with the process that needs to be addressed.

On the other hand, the following evidence would not be sufficient to assign a
"Partially Implemented" rating:

• A verbal commitment to improvement: A verbal commitment to
improvement without any actual implementation or progress would not be
sufficient.
• Limited implementation of the process: If only a small portion of the
process has been implemented, it may not be enough to assign a
"Partially Implemented" rating.
• Lack of measurement: If the organization is not measuring the process, it
would be difficult to assess the effectiveness of the process and assign a
rating.
• Ad-hoc process implementation: Ad-hoc implementation of the process
without a plan for improvement or monitoring would not be sufficient to
assign a "Partially Implemented" rating.

In summary, to assign a "Partially Implemented" rating for a process
improvement assessment based on ISO 15504, the organization needs to provide
evidence that the process has been partially implemented, there is a plan for
improvement, process measurement is being performed, and there are areas of non-
compliance that need to be addressed.

D. LARGELY IMPLEMENTED

I. DOCUMENTARY EVIDENCE

When conducting a process assessment based on ISO 15504, if a process area is
determined to be "Largely Implemented," there is expected to be some documentary
evidence that demonstrates the organization's implementation of process capability in
that area. However, not all types of documentary evidence may be expected or required.

Some examples of documentary evidence that may be expected for a
"Largely Implemented" process area include:

• Policies and procedures related to the process area, including
documentation of any changes or updates made over time.
• Records of training and competence assessments related to the process
area.
• Evidence of process improvement activities related to the process area,
such as documentation of process performance data, process improvement
plans, and progress reports.
• Evidence of compliance with relevant standards or regulations related to
the process area.
• Reports from audits or reviews of the process area.
• Other documentation that demonstrates the implementation of process
capability in the particular area.

It is important to note that the specific types of documentary evidence that
are expected may vary depending on the specific process area and the
organization's implementation of that area.

On the other hand, some types of documentary evidence may not be
expected or required for a "Largely Implemented" process area. For
example, if the organization has fully implemented process capability in
the area, there may be no need for evidence of corrective actions or
improvement plans. Similarly, if the organization has already
demonstrated compliance with relevant standards or regulations, there may
be no need for further evidence of compliance.

In general, the type and amount of documentary evidence expected for a
"Largely Implemented" process area will depend on the specific
circumstances and the organization's implementation of that area.

II. LEADERSHIP BEHAVIORS AND PRACTICES


ISO 15504 is a process assessment standard, and the Leadership category within this
standard evaluates the behaviors and practices of the organization's leaders that
influence the process performance. A "Largely Implemented" rating for Leadership
behaviors and practices would indicate that the organization has mostly implemented the
relevant practices and behaviors in this category. Here are some examples of the
evidence that would be required and not required to support a "Largely Implemented"
rating:

Required Evidence:

1. Evidence of a well-defined leadership structure, with clear roles and
responsibilities for leaders at all levels of the organization.
2. Evidence of regular communication from leaders to their teams, including clear
and consistent messaging around process performance expectations and priorities.
3. Evidence of leadership involvement in setting process performance goals and
objectives, and in defining strategies and plans to achieve these goals.
4. Evidence of leadership commitment to process improvement, including the
allocation of resources and support for process improvement initiatives.
5. Evidence of leadership involvement in monitoring and evaluating process
performance, and in taking corrective action when necessary.
6. Evidence of leadership support for the development of process improvement
skills and capabilities within the organization.

Not Required Evidence:

1. Personal opinions or perceptions about the effectiveness of specific leaders or
their management style.
2. Details about specific events or incidents where leadership actions had a positive
or negative impact on process performance.
3. General statements about the importance of leadership for process improvement
without specific examples or evidence of related actions.

In summary, a "Largely Implemented" rating for Leadership behaviors and practices in
ISO 15504 would require evidence of a well-defined leadership structure, regular
communication from leaders, leadership involvement in setting goals and strategies,
commitment to process improvement, leadership involvement in monitoring and
evaluating process performance, and support for development of process improvement
skills and capabilities. Personal opinions or perceptions, specific events or incidents, or
general statements without specific examples would not be sufficient evidence to support
this rating.

III. POLICIES

A "Largely Implemented" rating for Policies would indicate that the organization has
mostly implemented the relevant policies and procedures in this category. Here are some
examples of the evidence that would be required and not required to support a "Largely
Implemented" rating:

Required Evidence:
1. Evidence of well-documented policies and procedures for process performance,
including policies that define the organization's approach to process
improvement, risk management, and quality management.
2. Evidence that policies and procedures are regularly reviewed and updated to
reflect changes in the organization's environment or to address gaps in process
performance.
3. Evidence of a process for ensuring that policies and procedures are communicated
effectively to relevant stakeholders and that they are followed consistently.
4. Evidence that policies and procedures are aligned with the organization's goals
and objectives for process performance.
5. Evidence of a process for monitoring and evaluating the effectiveness of policies
and procedures and taking corrective action when necessary.

Not Required Evidence:

1. Personal opinions or perceptions about the effectiveness of specific policies or
procedures.
2. Details about specific events or incidents where policies or procedures had a
positive or negative impact on process performance.
3. General statements about the importance of policies and procedures without
specific examples or evidence of related actions.

In summary, a "Largely Implemented" rating for Policies in ISO 15504 would require
evidence of well-documented policies and procedures for process performance, regular
review and updating of policies and procedures, effective communication and consistent
implementation of policies and procedures, alignment of policies and procedures with
organizational goals, and a process for monitoring and evaluating their effectiveness.
Personal opinions or perceptions, specific events or incidents, or general statements
without specific examples would not be sufficient evidence to support this rating.

IV. PRACTICES

To assign a "Largely Implemented" rating for a process assessment based on ISO 15504,
evidence is required that demonstrates that the process has been implemented
consistently and effectively across the organization. The evidence should show that the
process is well-defined, understood, and followed by the staff responsible for executing
the process.

Some examples of evidence that could be used to support a "Largely Implemented"
rating include:

1. Documentation that describes the process and how it is implemented, including
policies, procedures, and work instructions.
2. Evidence that staff have been trained on the process and understand their roles
and responsibilities.
3. Metrics that demonstrate the effectiveness of the process, such as defect rates,
customer satisfaction scores, or cycle time.
4. Audit reports that show the process is being followed consistently and that any
issues or deviations are being addressed promptly.

On the other hand, evidence that is not sufficient to support a "Largely Implemented"
rating includes:

1. Ad hoc or sporadic implementation of the process that is not consistently
followed across the organization.
2. Lack of documentation or unclear documentation that does not provide a clear
understanding of how the process is implemented.
3. Poorly defined metrics that do not effectively demonstrate the effectiveness of the
process.
4. Evidence of significant deviations or non-compliance with the process that are not
addressed promptly.

In summary, to assign a "Largely Implemented" rating for a process assessment based on
ISO 15504, the evidence must demonstrate that the process is well-defined, consistently
implemented, and effective.

V. PROCESSES

To assign a "Largely Implemented" rating for a process assessment based on ISO 15504,
the evidence must demonstrate that the process is well-defined, consistently
implemented, and effective.

Here are some examples of evidence that could be used to support a "Largely
Implemented" rating:

Documentation that describes the process and how it is implemented,
including policies, procedures, and work instructions.
Evidence that staff have been trained on the process and understand their
roles and responsibilities.
Metrics that demonstrate the effectiveness of the process, such as defect
rates, customer satisfaction scores, or cycle time.
Audit reports that show the process is being followed consistently and that
any issues or deviations are being addressed promptly.

However, there are some types of evidence that are not sufficient to support a "Largely
Implemented" rating:

Ad hoc or sporadic implementation of the process that is not consistently
followed across the organization.
Lack of documentation or unclear documentation that does not provide a
clear understanding of how the process is implemented.
Poorly defined metrics that do not effectively demonstrate the
effectiveness of the process.
Evidence of significant deviations or non-compliance with the process that
are not addressed promptly.

It's also important to note that evidence should be collected from multiple sources, such
as interviews with staff, review of documentation, and analysis of process data. The
evidence should be evaluated objectively and against established criteria to ensure
consistency and accuracy in the assessment process.

VI. TRAINING AND AWARENESS

To assign a "Largely Implemented" rating for Training and Awareness, the evidence
must demonstrate that the organization has implemented the process consistently and
effectively across the organization.

Here are some examples of evidence that could be used to support a "Largely
Implemented" rating for Training and Awareness:

Documentation that describes the training and awareness process,
including policies, procedures, and training materials.
Evidence that staff have been trained on the relevant processes and
technologies and are aware of their roles and responsibilities.
Metrics that demonstrate the effectiveness of the training and awareness
program, such as improved quality, productivity, and staff satisfaction.
Feedback from staff on the effectiveness of the training and awareness
program.

In addition, the evidence should show that the training and awareness program is
integrated with the organization's overall process improvement program, including the
process improvement objectives and strategies. The program should also be continuously
evaluated and updated based on feedback from staff and changes in the business
environment.

However, there are some types of evidence that are not sufficient to support a 'Largely
Implemented' rating for Training and Awareness, such as:

A lack of documentation or unclear documentation that does not provide a
clear understanding of the training and awareness process.
Evidence that staff have not been adequately trained or are not aware of
their roles and responsibilities.
Metrics that do not effectively demonstrate the effectiveness of the
training and awareness program.
Feedback from staff that indicates that the training and awareness program
is not effective.

It's also important to note that evidence should be collected from multiple sources, such
as interviews with staff, review of documentation, and analysis of process data. The
evidence should be evaluated objectively and against established criteria to ensure
consistency and accuracy in the assessment process.

VII. PROCEDURES

To assign a 'Largely Implemented' rating for a process assessment based on ISO 15504
for procedures, the evidence must demonstrate that the procedures are well-defined,
consistently implemented, and effective.

Here are some examples of evidence that could be used to support a 'Largely
Implemented' rating for procedures:
Documentation that describes the procedures, including policies,
procedures, and work instructions.
Evidence that staff have been trained on the procedures and understand
their roles and responsibilities.
Metrics that demonstrate the effectiveness of the procedures, such as
reduced defects, improved quality, or increased efficiency.
Audit reports that show the procedures are being followed consistently and
that any issues or deviations are being addressed promptly.

In addition, the evidence should show that the procedures are aligned with the
organization's overall process improvement program, including the process improvement
objectives and strategies. The procedures should also be continuously evaluated and
updated based on feedback from staff and changes in the business environment.

However, there are some types of evidence that are not sufficient to support a 'Largely
Implemented' rating for procedures, such as:

Ad hoc or sporadic implementation of the procedures that is not
consistently followed across the organization.
Lack of documentation or unclear documentation that does not provide a
clear understanding of how the procedures are implemented.
Poorly defined metrics that do not effectively demonstrate the
effectiveness of the procedures.
Evidence of significant deviations or non-compliance with the procedures
that are not addressed promptly.

It's also important to note that evidence should be collected from multiple sources, such
as interviews with staff, review of documentation, and analysis of process data. The
evidence should be evaluated objectively and against established criteria to ensure
consistency and accuracy in the assessment process.

VIII. MEASUREMENTS

To assign a 'Largely Implemented' rating for a process assessment based on ISO 15504
for measurements, the evidence must demonstrate that the organization has well-defined
and consistently applied measurement practices that are aligned with the organization's
overall process improvement program.

Here are some examples of evidence that could be used to support a 'Largely
Implemented' rating for measurements:

Documentation that describes the measurement process, including policies,
procedures, and measurement plans.
Evidence that staff have been trained on the measurement process and
understand their roles and responsibilities.
Metrics that demonstrate the effectiveness of the measurement process,
such as improvements in quality, productivity, or customer satisfaction.
Evidence of consistent collection, analysis, and use of metrics in
decision-making processes.

In addition, the evidence should show that the measurement practices are integrated with
the organization's overall process improvement program, including the process
improvement objectives and strategies. The measurement practices should also be
continuously evaluated and updated based on feedback from staff and changes in the
business environment.

However, there are some types of evidence that are not sufficient to support a 'Largely
Implemented' rating for measurements, such as:

Lack of documentation or unclear documentation that does not provide a
clear understanding of the measurement process.
Inconsistent or ad hoc collection and analysis of metrics.
Poorly defined or irrelevant metrics that do not effectively support the
organization's process improvement objectives.
Metrics that are not being effectively used in decision-making processes.

It's also important to note that evidence should be collected from multiple sources, such
as interviews with staff, review of documentation, and analysis of process data. The
evidence should be evaluated objectively and against established criteria to ensure
consistency and accuracy in the assessment process.

IX. PROCESS MANAGEMENT

To assign a 'Largely Implemented' rating for a process assessment based on ISO 15504
for process management, the evidence must demonstrate that the organization has
well-defined and consistently applied process management practices that are aligned with the
organization's overall process improvement program.

Here are some examples of evidence that could be used to support a 'Largely
Implemented' rating for process management:

Documentation that describes the process improvement practices,
including policies, procedures, and guidelines.
Evidence of a defined process improvement cycle, including planning,
execution, measurement, and evaluation phases.
Metrics that demonstrate the effectiveness of the process improvement
practices, such as improvements in quality, productivity, or customer
satisfaction.
Evidence of process improvement projects that have been completed and
the results achieved.
Evidence that staff have been trained on process improvement practices
and understand their roles and responsibilities.

In addition, the evidence should show that the process improvement practices are
integrated with the organization's overall process improvement program, including the
process improvement objectives and strategies. The process improvement practices
should also be continuously evaluated and updated based on feedback from staff and
changes in the business environment.

However, there are some types of evidence that are not sufficient to support a 'Largely
Implemented' rating for process improvement, such as:

Lack of documentation or unclear documentation that does not provide a
clear understanding of the process improvement practices.
Inconsistent or ad hoc application of the process improvement practices.
Poorly defined or irrelevant metrics that do not effectively support the
organization's process improvement objectives.
Lack of evidence that the process improvement practices are being
effectively used to drive process improvement.

It's also important to note that evidence should be collected from multiple sources, such
as interviews with staff, review of documentation, and analysis of process data. The
evidence should be evaluated objectively and against established criteria to ensure
consistency and accuracy in the assessment process.

E. FULLY IMPLEMENTED

I. DOCUMENTARY EVIDENCE

To assign a 'Fully Implemented' rating for a process assessment based on ISO 15504 for
documentary evidence, the evidence must demonstrate that the organization has
well-defined and consistently applied practices for managing and using documentary evidence
that are aligned with the organization's overall process improvement program.

Here are some examples of evidence that could be used to support a 'Fully Implemented'
rating for documentary evidence:

Documentation that describes the practices for managing and using
documentary evidence, including policies, procedures, and guidelines.
Evidence that the organization has a document management system or
process that includes version control, access controls, and other relevant
features.
Evidence that staff have been trained on the use of the document
management system or process.
Evidence of documented processes, including process flows, procedures,
and work instructions, that are up-to-date and easily accessible.
Evidence that documentary evidence is regularly reviewed and updated as
needed.

In addition, the evidence should show that the practices for managing and using
documentary evidence are integrated with the organization's overall process
improvement program, including the process improvement objectives and strategies. The
practices should also be continuously evaluated and updated based on feedback from
staff and changes in the business environment.

However, there are some types of evidence that are not sufficient to support a 'Fully
Implemented' rating for documentary evidence, such as:
Lack of documentation or unclear documentation that does not provide a
clear understanding of the practices for managing and using documentary
evidence.
Inconsistent or ad hoc application of the practices for managing and using
documentary evidence.
Evidence of outdated or inaccurate documents that have not been reviewed
or updated as needed.
Evidence of staff using undocumented or informal processes instead of the
documented processes.

It's also important to note that evidence should be collected from multiple sources, such
as interviews with staff, review of documentation, and analysis of process data. The
evidence should be evaluated objectively and against established criteria to ensure
consistency and accuracy in the assessment process.

II. LEADERSHIP BEHAVIORS AND PRACTICES

Assigning a 'Fully Implemented' rating for leadership behaviors and practices for a
process assessment based on ISO 15504 would require evidence that shows the
organization has strong leadership that is committed to process improvement and is
actively engaged in supporting and promoting it throughout the organization.

Here are some examples of evidence that could be used to support a 'Fully Implemented'
rating for leadership behaviors and practices:

Evidence that the leadership has defined and communicated a clear vision
and goals for process improvement.
Evidence that the leadership actively participates in the process
improvement program by providing resources, support, and guidance.
Evidence that the leadership sets expectations for staff to follow the
defined processes and monitors compliance with those expectations.
Evidence that the leadership regularly reviews and evaluates the process
improvement program and makes adjustments as needed.
Evidence that the leadership actively promotes a culture of continuous
improvement and fosters a collaborative and innovative work environment.

It's also important to note that evidence should be collected from multiple sources, such
as interviews with staff, review of documentation, and analysis of process data. The
evidence should be evaluated objectively and against established criteria to ensure
consistency and accuracy in the assessment process.

On the other hand, there are some types of evidence that are not sufficient to support a
'Fully Implemented' rating for leadership behaviors and practices, such as:

Lack of communication or unclear communication of the vision and goals
for process improvement.
Evidence that the leadership is not actively engaged or does not provide
adequate resources or support for process improvement.
Evidence of inconsistency in leadership behaviors and practices, such as
not following defined processes or not holding staff accountable for
noncompliance.
Evidence of a culture that does not support or prioritize process
improvement, such as a lack of innovation or collaboration.

In summary, to assign a 'Fully Implemented' rating for leadership behaviors and
practices, the evidence should demonstrate a strong commitment and active engagement
from the leadership, and the practices should be integrated and consistent with the
organization's overall process improvement program.

III. POLICIES

Assigning a 'Fully Implemented' rating for policies for a process assessment based on
ISO 15504 would require evidence that shows the organization has established policies
that support and promote process improvement, and those policies are consistently
followed and enforced throughout the organization.

Here are some examples of evidence that could be used to support a 'Fully Implemented'
rating for policies:

Evidence that the policies are clearly defined, communicated, and readily
available to all staff.
Evidence that the policies are regularly reviewed and updated to ensure
they remain relevant and effective.
Evidence that the policies are integrated with the organization's overall
process improvement program and align with the organization's goals and
objectives.
Evidence that staff are trained on the policies and understand their roles
and responsibilities in adhering to them.
Evidence that the policies are enforced consistently and violations are
addressed promptly.

It's important to note that evidence should be collected from multiple sources, such as
interviews with staff, review of documentation, and analysis of process data. The
evidence should be evaluated objectively and against established criteria to ensure
consistency and accuracy in the assessment process.

On the other hand, there are some types of evidence that are not sufficient to support a
'Fully Implemented' rating for policies, such as:

Policies that are not clearly defined, communicated, or readily available to
all staff.
Policies that are outdated or not aligned with the organization's goals and
objectives.
Evidence of inconsistent enforcement of policies or lack of consequences
for violating them.
Evidence that staff are not trained on the policies or do not understand
their roles and responsibilities in adhering to them.

In summary, to assign a 'Fully Implemented' rating for policies, the evidence should
demonstrate that the organization has established policies that are relevant, effective, and
consistently enforced, and staff are trained and understand their roles and responsibilities
in adhering to them.

IV. PRACTICES

Assigning a 'Fully Implemented' rating for practices for a process assessment based on
ISO 15504 would require evidence that shows the organization has implemented its
processes in a consistent and effective manner and that the processes are continuously
monitored and improved.

Here are some examples of evidence that could be used to support a 'Fully Implemented'
rating for practices:

Evidence that the processes are consistently followed across the
organization.
Evidence that the processes are effective in achieving their intended
outcomes.
Evidence that the processes have been documented, reviewed, and updated
to ensure they remain relevant and effective.
Evidence that the processes are integrated with the organization's overall
process improvement program and align with the organization's goals and
objectives.
Evidence that the processes are monitored and measured, and the data is
analyzed to identify areas for improvement.
Evidence that process improvements are identified, prioritized, and
implemented in a timely manner.
Evidence that staff are trained on the processes and understand their roles
and responsibilities in following them.

It's important to note that evidence should be collected from multiple sources, such as
interviews with staff, review of documentation, and analysis of process data. The
evidence should be evaluated objectively and against established criteria to ensure
consistency and accuracy in the assessment process.

On the other hand, there are some types of evidence that are not sufficient to support a
'Fully Implemented' rating for practices, such as:

Evidence of inconsistent adherence to the processes.
Lack of documentation or outdated documentation for the processes.
Evidence that process improvements are not identified or implemented in a
timely manner.
Evidence that staff are not trained on the processes or do not understand
their roles and responsibilities in following them.

In summary, to assign a 'Fully Implemented' rating for practices, the evidence should
demonstrate that the organization has implemented its processes in a consistent and
effective manner, continuously monitors and improves the processes, and staff are
trained and understand their roles and responsibilities in following the processes.

V. PROCESSES

To choose a 'Fully Implemented' rating for processes in a process assessment based on
ISO 15504, the following evidence would be required:

Evidence that the processes have been consistently implemented across the
organization.
Evidence that the processes are effective in achieving their intended
outcomes.
Evidence that the processes have been documented and are up to date.
Evidence that the processes have been integrated with the organization's
overall process improvement program and aligned with the organization's
goals and objectives.
Evidence that the processes are monitored and measured, and the data is
analyzed to identify areas for improvement.
Evidence that process improvements are identified, prioritized, and
implemented in a timely manner.
Evidence that staff are trained on the processes and understand their roles
and responsibilities in following them.

It is important to collect evidence from multiple sources, such as interviews with staff,
review of documentation, and analysis of process data. The evidence should be evaluated
objectively and against established criteria to ensure consistency and accuracy in the
assessment process.

Some examples of evidence that are not sufficient to support a 'Fully Implemented' rating
for processes include:

Evidence of inconsistent implementation of the processes across the
organization.
Evidence that the processes are not effective in achieving their intended
outcomes.
Lack of documentation or outdated documentation for the processes.
Evidence that process improvements are not identified or implemented in a
timely manner.
Evidence that staff are not trained on the processes or do not understand
their roles and responsibilities in following them.

In summary, a 'Fully Implemented' rating for processes in a process assessment based on
ISO 15504 would require evidence that the processes are consistently implemented,
effective in achieving their intended outcomes, documented, monitored and measured,
integrated with the organization's overall process improvement program, and staff are
trained and understand their roles and responsibilities in following them.

VI. TRAINING AND AWARENESS


To choose a 'Fully Implemented' rating for Training and Awareness in a process
assessment based on ISO 15504, the following evidence would be required:

Evidence that a training needs analysis has been conducted to identify the
training needs of staff and that the training plan addresses these needs.
Evidence that the training plan has been implemented, and staff have
received the necessary training.
Evidence that training effectiveness has been evaluated, and improvements
have been made to the training plan as needed.
Evidence that there are processes in place to ensure ongoing training and
awareness, such as refresher training, awareness campaigns, and regular
communication with staff.
Evidence that staff are aware of their roles and responsibilities related to
the process, including their contribution to the process, the benefits of the
process, and the consequences of non-compliance.

It is important to collect evidence from multiple sources, such as interviews with staff,
review of training records and documentation, and analysis of training effectiveness data.
The evidence should be evaluated objectively and against established criteria to ensure
consistency and accuracy in the assessment process.

Some examples of evidence that are not sufficient to support a 'Fully Implemented' rating
for Training and Awareness include:

Evidence that the training needs analysis has not been conducted or is
incomplete.
Evidence that the training plan has not been implemented or is incomplete.
Evidence that staff have not received the necessary training or that training
effectiveness has not been evaluated.
Evidence that there are no processes in place to ensure ongoing training
and awareness.
Evidence that staff are not aware of their roles and responsibilities related
to the process.

In summary, a 'Fully Implemented' rating for Training and Awareness in a process
assessment based on ISO 15504 would require evidence that the training needs analysis
has been conducted, the training plan has been implemented, training effectiveness has
been evaluated, there are processes in place to ensure ongoing training and awareness,
and staff are aware of their roles and responsibilities related to the process.

VII. PROCEDURES

To assign a 'Fully Implemented' rating on Procedures for a process assessment based on
ISO 15504, the following evidence would be required and not required:

Required Evidence:

The procedures are clearly defined, documented, and available to all
relevant stakeholders.
The procedures are followed consistently and effectively by all team
members.
The procedures are periodically reviewed and updated to ensure that they
remain relevant and effective.
The procedures are aligned with the organization's objectives, policies, and
standards.
The procedures are regularly monitored to identify areas for improvement
and to ensure that they continue to meet their intended purpose.

Not Required Evidence:

The procedures are not integrated with other processes in the organization.
The procedures are not optimized for efficiency or effectiveness.
There are minor deviations from the procedures that do not impact the
overall effectiveness of the process.
There are no formal training programs in place to support the procedures.
The procedures are not supported by appropriate tools or technologies.

To assign a 'Fully Implemented' rating on Procedures, it is necessary to provide evidence
that the procedures are effectively implemented and are meeting their intended purpose.
This may be demonstrated through evidence of clear and comprehensive documentation,
consistent and effective adherence to procedures, and regular monitoring and review of
the procedures. It is also important to demonstrate that the procedures are aligned with
the organization's objectives and are regularly updated to ensure they remain relevant
and effective. It is recommended to gather evidence from multiple sources, such as
interviews, documentation reviews, and process performance data, to make an accurate
assessment.

VIII. MEASUREMENTS

To assign a 'Fully Implemented' rating on Measurements for a process assessment based
on ISO 15504, the following evidence would be required and not required:

Required Evidence:

The measurements are clearly defined and aligned with the organization's
objectives and goals.
The measurement process is well-documented and standardized across the
organization.
The measurements are consistently collected, recorded, and analyzed.
The measurements are used to support decision-making and process
improvement efforts.

Not Required Evidence:

The measurements are not used to support decision-making or process
improvement efforts.
The measurements are not aligned with the organization's objectives and goals.
The measurements are not consistently collected, recorded, or analyzed.
The measurements are not supported by appropriate tools or technologies.

To assign a 'Fully Implemented' rating on Measurements, it is necessary to provide
evidence that the measurements are effectively implemented and are meeting their
intended purpose. This may be demonstrated through evidence of clear and
comprehensive documentation, consistent and effective collection, recording, and
analysis of measurements, and regular review and updating of the measurement process.
It is also important to demonstrate that the measurements are aligned with the
organization's objectives and are used to support decision-making and process
improvement efforts. It is recommended to gather evidence from multiple sources, such
as interviews, documentation reviews, and process performance data, to make an
accurate assessment.

IX. PROCESS MANAGEMENT

To assign a 'Fully Implemented' rating on Process Management for a process assessment
based on ISO 15504, the following evidence would be required and not required:

Required Evidence:

The organization has a well-defined and documented process management
framework that includes policies, procedures, and guidelines.
The process management framework is consistently applied across the
organization.
The organization has a process for identifying and managing process-
related risks and opportunities.
The process management framework includes a mechanism for measuring
and monitoring process performance.
The organization has established roles and responsibilities for process
management, including senior management involvement.
The process management framework is periodically reviewed and updated
to ensure its continued effectiveness.

Not Required Evidence:

The organization does not have a well-defined or documented process
management framework.
The process management framework is not consistently applied across the
organization.
The organization does not have a process for identifying and managing
process-related risks and opportunities.
The process management framework does not include a mechanism for
measuring and monitoring process performance.
The organization has not established roles and responsibilities for process
management, including senior management involvement.
The process management framework is not periodically reviewed and
updated to ensure its continued effectiveness.

To assign a 'Fully Implemented' rating on Process Management, it is necessary to
provide evidence that the organization has a well-defined and documented process
management framework that is consistently applied across the organization. The
framework should include policies, procedures, and guidelines for managing processes,
identifying and managing process-related risks and opportunities, and measuring and
monitoring process performance. The organization should also have established roles and
responsibilities for process management, including senior management involvement, and
periodically review and update the framework to ensure its continued effectiveness. It is
recommended to gather evidence from multiple sources, such as interviews,
documentation reviews, and process performance data, to make an accurate assessment.

X. INNOVATION

The evidence required and not required for choosing a 'Fully Implemented' rating on
Innovation for a process assessment based on ISO 15504 would be:

Required Evidence:

Evidence of a documented innovation process that is consistently followed
and has produced successful innovations in the past.
Evidence of a culture that encourages and rewards innovation, such as
documented innovation goals, rewards, and recognition programs.
Evidence of a mechanism for capturing and evaluating innovative ideas
from all levels of the organization, such as an innovation portal or
suggestion box.
Evidence of a process for implementing and scaling successful
innovations, such as documented procedures for piloting and deploying
new ideas.
Evidence of the use of appropriate tools and techniques for supporting
innovation, such as design thinking, brainstorming, or prototyping.

Not Required Evidence:

Evidence of every innovation being successful.
Evidence of a high volume of innovations being generated.
Evidence of large investments in research and development.

It's important to note that the evidence requirements may vary depending on the specific
process being assessed and the context of the organization being assessed.

XI. PROCESS IMPROVEMENT

The evidence required and not required for choosing a 'Fully Implemented' rating on
Process Improvement for a process assessment based on ISO 15504 would be:

Required Evidence:

Evidence of a documented process improvement methodology that is
consistently followed and has produced tangible improvements in the past.
Evidence of a culture that supports and encourages process improvement,
such as documented improvement goals, rewards, and recognition
programs.
Evidence of a mechanism for identifying improvement opportunities, such
as process audits, customer feedback, or data analysis.
Evidence of a process for prioritizing and implementing process
improvements, such as documented procedures for assessing and
prioritizing improvement opportunities, and implementing changes
through appropriate change management processes.
Evidence of the use of appropriate tools and techniques for supporting
process improvement, such as root cause analysis, process mapping, or
statistical process control.

Not Required Evidence:

Evidence of every improvement initiative being successful.
Evidence of a high volume of improvements being implemented.
Evidence of large investments in improvement initiatives.

It's important to note that the evidence requirements may vary depending on the specific
process being assessed and the context of the organization being assessed.
