ISO 9000

ISO 9000 is not a standard by itself, rather, it is a family of standards defined by the ISO. The standards are referred to as ISO 9000 so as not to use confusing alternatives such as ISO 9001/9002/9003 and ISO 900x. ISO 9000, like ISO 14000, is a family of standards and guidelines related to managing systems, as well as related supporting standards in terminology and tools.

Unlike many other ISO standards, ISO 9000 is a generic standard. This means it can be applied to any organization, regardless of size, products (or services), and purpose (enterprise, non-profit, government). ISO 9000 is a management system, meaning it deals with what an organization does to manage its processes. Having procedures increasingly benefits an organization as it gets larger. These procedures make an organization more efficient and effective.

ISO 9000 is primarily concerned with quality management. The term "quality" is subjective, but in the context of the standards, refers to the features in product or service that are required by the customer. Therefore, quality management is what an organization does to ensure its products or services fit the customer's requirements.

The standards deal only with how an organization performs its work, and not directly the products and services that result from this. ISO 9000 is not a product or service standard, and thus should not be used to gauge their quality.

It should be noted that there is no ISO 9000 certificate. ISO itself only creates standards, but does not perform assessments. There are other (third party) bodies that will perform this. Therefore, it is misleading to declare an organization as "ISO Certified" or "ISO Registered".

information from http://www.iso.ch/9000e

ISO 9000 helps companies to work and interact with each other by providing a set of defined interfaces. This allows corporations with multiple internal structures and varying businesses to do business with each other. In some ways ISO 9000 is akin to protocols in object oriented programming, or likened to computer networking: all computers in a network know how to talk to each other, but their own internal hardware can be very different. ISO 9000 standard complaint companies promise to implement a set of interfaces to allow other companies to easily understand how certain levels of communcation need to be handled, and what processes need to be done in order to communicate different types of messages. Along with this, ISO 9000 also defines a set of internal processes relating to quality control and management procedures.

The ISO 9000 shares an objective with the Capability Maturity Model (CMM). They both seek to improve the software (project) development process. The CMM provides a progressive-stage model of an organization growing in its capability to manage processes. The ISO takes a different approach.

The ISO 9000's general purpose is to provide a system for monitoring an organization's internal quality system. It also provides guidance on assuring the quality system of the organization's suppliers. It is a series of documents describing a set of criteria to achieve a minimum level of quality assurance in an organization's product or services. The quality assurance flows in two directions: from the organization to its customers; and second from the organization to its suppliers to ensure they provide quality in the components or materials supplied to the organization.

Unlike the CMM, ISO 9000 is a pass-fail system. It is not a progressive model by which an organization may grow in its competencies such as provided by the CMM.

A clause-by-clause comparison performed in 1994 by the Software Engineering Institute (SEI), concluded

1. an ISO 9000 compliant organization would not necessarily satisfy all the key process areas of Level 2, Repeatable, in the CMM;
2. But it would satisfy most of Level 2 and many of the goals of Level 3;
3. However, there are elements in each of the two systems that are not contained in the other;
4. A CMM Level 3 compliant organization will have no trouble obtaining ISO 9000 Certification;
5. A Level 2 organization will have distinct advantages to obtaining the ISO certification.¹

The more significant differences between the two are:

1. CMM emphasizes continuous process improvement.
2. ISO 9000 sets the minimum criteria for an acceptable quality system;
3. CMM focuses strictly on software while ISO 900 covers more territory including hardware, software, materials, and services.
4. ISO 9000 only specifies in general terms that quality objectives be defined and documented, but not that those objectives be quantitatively measured - as in Level 4, Managed, of the CMM.²

This analysis was performed in 1994. The similarities may have been increased over the last 10 years. CMM has evolved to CMMI, the Capability Maturity Model Integration, which broadened its scope to areas more general than just software development. The ISO 9000 standards have been updated to ISO 9000:2000 and "continuous quality improvement" is now part of the new standard.

I prefer the CMM because of my background in public school education. I have a world-view that assumes entities may grow in their skill and knowledge and should do so. The CMM provides a progressive-growth model that fits my world-view while the ISO 9000 provides only a minimum level to achieve.

In summary, the ISO 9000 shares a similar goal to the CMM in providing guidance on achieving quality control. ISO 9000 provides a set of standards that, if implemented, will ensure a minimum level of quality in an organization's products and services.

---

Footnotes:

1. Paulk, page 1.
2. Paulk, page 19.

References:

• Paulk, Mark, Comparison of ISO 9001 and the Capability Maturity Model for Software, Pittsburg, PA: Software Engineering Institute, Carnegie Mellon University, 1994.