Your company’s adherence to industry quality standards, such as the ISO 9001 and Capability Maturity Model (CMM), could determine if you land that new lucrative contract. What should these standards mean to your organization? Find out what three experts think, and then add your two cents.

A quick overview of ISO 9001 and CMM
ISO 9001 is the creation of the International Organization for Standardization (ISO), a Swiss-based federation of national standards bodies. Carnegie Mellon University’s Software Engineering Institute (SEI) created CMM.

ISO 9001 is part of the ISO 9000 family of standards. The new ISO 9001:2000 designation comprises the ISO 9001, ISO 9002, and ISO 9003 standards. ISO 9001 targets the manufacturing process, although it also includes manufacturing services and software development.

CMM offers a model for judging the software processes of an organization and for identifying key practices required to increase the maturity of these processes. It establishes a successful means for modeling, defining, and measuring the maturity of the processes used by software professionals.

More on ISO 9001

Check out these articles for more information on ISO 9001:

ISO started out as a European standard. If your company didn’t have ISO 9000 certification, it wasn’t permitted to bid on a proposal. In particular, many European telecom companies require ISO 9000. ISO 9000 shows customers and potential customers that you have a basic quality system in place to produce a consistent product.

“Once you get the ISO stamp, you can put it on your company propaganda,” said Ron Weidemann, director of quality for Teradata, a database software producer in San Diego.

ISO 9000 can be likened to the Good Housekeeping Seal of Approval. The United States, however, is not as stringent about ISO certification. Weidemann noted that, while some American companies require ISO certification, many others do not. Weidemann found that CMM was better for his company. “We needed a basic system, and CMM met our needs,” he said. “We adopted it, but we also use ISO in order to sell in Europe.”

What’s the difference between ISO 9001 and CMM?
Understanding the difference between ISO and CMM means recognizing a cultural understanding of quality. “Microsoft and many other software companies govern quality with the 80-20 rule,” said David Smith, vice president of Technology Futures, a technology forecasting company in Austin, TX. “The rationale is, ‘it’s a real product if 80 percent of the problem can be addressed and the remaining 20 percent is part of the business model.’ But the reality is the software industry’s business model is not a business model of total quality. And that is part of the challenge when you compare a CMM model against an ISO model.”

The problem, as Smith sees it, is a conflict between the approaches to quality of ISO and CMM programs, on the one hand, and the business model that corporations use on the other. “When you’re developing a product, the hardest problems to fix are the last 20 percent,” noted Smith.

Smith highlights three critical elements for understanding ISO 9001 and CMM:

  • Understanding and documenting the true requirements is a key element in both standards.
  • Document how you write the software code so other people can understand its value.
  • Understand the requirements outlined in the program management and business models. It means understanding the maximum payback from the ISO and CMM levels. This is difficult to achieve because it requires both management and supervisory hats.

Software in the original description of ISO 9001 is different from software that runs on a computer, explains Mark Paulk, a senior member of the technical staff at Carnegie Mellon’s SEI.

Paulk’s advice: Understand the essence of ISO 9001 so you can compare it to CMM. ISO 9001’s definition of software is more general and includes music, entertainment, or anything involving the creation of an intangible product.

“But the original bias of the standard was strongly toward the manufacturing environment, where all the historical work had been done,” said Paulk. “And that is one of the criticisms of the early releases of the standards. One of the objectives of the ISO 9000 revisions was it failed to make the standard more comfortable to users in other environments.”

CMM goes further
But the problem, and goal, is balancing ISO and CMM against the business model, says Smith. “The key difference between ISO 9001 and CMM is understanding that the software process is both a software process and a manufacturing process,” he explained. “ISO 9001 and the whole ISO process approaches software from a manufacturing standpoint. CMM approaches it from a development standpoint.”

The CMM model was designed with five levels of maturity, notes Weidemann. “ISO does not have them. CMM’s level 5 is the ultimate level, and [there are] only about 200 companies in the world that are at level 4 or above. It is pretty elite. CMM standards are more stringent that ISO standards. ISO standards are very loose. ISO does not say you have to have certain standards, but CMM says you must meet these standards and here is what they are,” he said.

Smith added, “CMM was designed to ensure bug-free development. And ISO is designed to put quality into the manufacturing process. Their purposes are different. Some versions of CMM and ISO have been merged together.”

ISO 9001 vs. CMM

What do you think about ISO 9001 and CMM? Offer your comments below or send us an e-mail.