You may have stumbled upon this blog and wondered, “What is ISO 19770-1:2017? Am I in the wrong place, or should I have prior knowledge in order to keep reading further?” Don’t worry, while this blog will be applicable to those who have experience, it’s all about how to manage your IT assets effectively. ISO 19770-1:2017 specifies requirements, or a set of standards, for an IT asset management system within the context of the organization.
I first had a chance to work with ISO 19770-1:2017 (Edition 3) within the last two years and have spent a fair amount of time understanding the key principles and context as to how it works in the real software asset management (SAM) and IT asset management (ITAM) world. Speaking with many in the industry, the majority agreed that it’s vastly different from Edition 2 (2012), but you can’t really differentiate them unless you start reading through the full details.
The ISO committee has published an overview of what the changes were made and why. More commonly:
- To bring ISO 19770-1 standard into alignment with other major ISO standards which are utilizing Management System Standard (MSS) structure.
- To address the greater complexity and control the challenges of ever-expanding IT assets (hardware and software) across infrastructure (on-prem, SaaS, PaaS, IaaS).
- To enable closer integration with other major ISO standards and bring SAM/ITAM objectives to coexist with other IT initiatives. For example, you can now have a common design approach between information security management (ISO 27001).
In this blog, I focus on how SAM can benefit from following the 14 key competency areas:
|ISO 19770-1 (2017) category||Capability area||Example competency question|
|Trustworthy data||Change management||How do you currently manage your audit trail of asset record changes (e.g. user-device allocation) within the different business units?|
|Data management||How often do you reconcile software and hardware inventories with other sources to verify the accuracy of assumed license metrics? (e.g., user counts based on HR employee records, consolidating IT asset data from different server inventory sources.)|
|License management||How are software contracts digitalized and how are the relevant T&Cs captured to prepare you for your renewals?|
|Security management||How are End of Life (EOL)/End of Support (EOS) software identified, reported and prioritized within security vulnerability and patch management?|
|Lifecycle management||Specification||What is your approach to identifying and specifying requirements for new software/hardware requests?|
|Acquire||Are software purchases managed centrally through your procurement process?|
|Development||What is the process for defining and reviewing your technology stack for software development?|
|Release||How frequently are new releases planned and how is this agreed to with business owners?|
|Deployment||Do you have full understanding of software applications, platforms and infrastructure being delivered and used across your organization?|
|Operate||How do you currently manage provisioning, resizing and reclamation of your assets?|
|Retirement||What percentage of retired hardware assets are tracked in a way that enables software on them to be reused?|
|Optimization||Relationship management||How often do you review your software requirements and contracts with your business units, software vendors and service providers?|
|Financial management||How do you identify software wastage on-prem and cloud?|
|SLA management||How do you measure the service level relating to your SAM value chain?|
Here are 4 practical steps to help you get started:
1. Understand how SAM can help achieve better business outcomes
It’s important for the SAM team to drive this from the top-level organizational objectives and be cross-functional (for example, with information security, procurement, finance, IT service management, enterprise architecture, cloud and others). This is consistent with what we’re seeing in our clients’ worlds today, where SAM is no longer an isolated operational practice. It’s about demonstrating a unified approach and driving value across the organization’s value chain. Once objectives and business outcomes are aligned, get further insight into the current state and operating model to help the SAM team grow the maturity of the software asset management practice with wider stakeholders in the business.
2. Get visibility into your IT assets
Do a phased approach, and start with low-hanging fruit. Define the perimeter of your IT estate and asset scoping (for example, prioritize based on a combination of factors, including contract types, high risk metrics and renewal timescale), look at your “as-is” or what’s often called the baseline position and review the approaches used to prepare key management information to drive actionable insights.
We have also seen an increase in internally-driven governance reports that now extend to bring your own license (BYOL) in the cloud, SaaS and cloud containerization. As the SAM key owner and other stakeholders who have a vetted interest come to grips with the completeness and accuracy of this information at the right time, the result can be either transformational (if handled proactively and correctly) or costly (if mishandled).
Some of the common examples that drive the top priorities for this are:
- Too many data lakes and data silos to work out what is your single point of truth (or to justify multiple sources with well-accepted processes)
- Increased (manual) effort in normalizing software and hardware asset data that drives down the accuracy and delivery of the information
- Contract and license information stored in your contract management system, but not to the level of detail that will help you understand your risk position
- Lack of audit trail and traceability of how assets enter or are removed from the organization and the overall impact to security and vulnerability
- Not knowing which users are using what applications (on-prem/SaaS)
- Lack of visibility into resources and utilization across business services in the multi cloud/hybrid cloud environment (for example, zombie servers, unused storage, instances running after hours, containerization and dockers).
Having a complete and accurate view of your estate and entitlements enables you to prepare for what lies ahead.
3. Increase operations control of the assets
Review the effectiveness of your processes in managing your asset lifecycle. Strictly speaking, many organizations have some way to record basic software asset information. In some cases, software is managed separately from hardware lifecycle due to pre-defined internal processes. There is often a lack of unified approach or process to track the dynamic aspect of the asset and how it provides value to the rest of your business because this requires proper buy-in and cooperation with the rest of your stakeholders. Some of the common drivers for this are:
- Do you have visibility of software stacks (white/black list)?
- Are critical applications factored into the operational resilience plan?
- How do you ensure business services are not impacted by migration of legacy software from on-prem to cloud?
- How do you support scenario planning on hypothetical future business scenarios and develop suitable action plans?
- How do you report charge back or show back?
- How do retired assets get treated? Are there ways to drive further benefit from them?
- How are you driving consistency on tagging your cloud resources and services tagged in a multi-cloud environment?
The business benefit of managing the software asset well is to ensure the organization gains efficiency and cost effectiveness in its IT operations.
4. Getting to the total cost of ownership
Perform your optimization in phases. I’ve seen organizations wanting to do this up front without having full details of what they owned across the business and how it’s treated in the business. It is both challenging and risky to optimize what you don’t know and what we call the “black hole.” Optimization comes in many forms and approaches. Some may start from a contract optimization , some may look at the discovery data and start to forecast on usage.
There are options for starting optimization early while simultaneously maturing the lifecycle operations of the assets. The key to optimization is to have full visibility over usage data to help drive cost savings and cost reduction.
Some of the common questions that drive the need for these areas are:
- How do you optimize the budget spend on technology assets across the infrastructure (for example, asset refresh, asset migration, asset in the cloud)?
- How do you leverage EOL and EOS to help with application rationalization and align EUC refresh cycle?
- Are you able to prepare your contract renewals in advance and take advantage of the volume discount benefit from your enterprise software vendors?
- Are you able to rightsize your SaaS usage across your managed/unmanaged portfolios and negotiate a better deal (with SaaS renewals typically shorter than enterprise software renewals)?
- How do you leverage your optimized view of the estate to build better, integrated relationships with your stakeholders?
- How can you merge and manage hybrid on-prem and SaaS license optimization and governance (for example, O365 and Salesforce) while controlling costs at the same time?
Optimization of software on-prem may take slightly longer due to the complexity and legacy estate that comes with it. Conversely, for the same organization that has already started their journey to the cloud, they may look at optimization in the cloud in parallel as part of the low-hanging-fruit strategy (for example, SaaS). In a recent Gartner publication on CIO 2020 Agenda, strategy, cost and talent were the three pillars for resilience during disruptions. Severe operating cost pressure continues to top the type of disruptions over the past four years. Leaders armed with a proactive view of optimization across their technology assets will emerge stronger, more competitive and better prepared.
With businesses going through digital changes, their software asset management practice and wider ecosystem will need to engage, adapt and shift in order to deliver optimal business value.
For more information on business value insight using ITAM best practices, please contact Flexera to find the solutions that are right for your organization.