This article was written by me, Huan Pang, Mubeen Arshid and Noman Latif. I wish to share this article with all those who seek information about ISO and CMMI. Of course, if you feel I am wrong somewhere in this article, don't hesitate to point it out.
Abstract— Capability Maturity Model-Integrated (CMMI) and International Organization for Standardization (ISO) are standards that are widely used in industry. While ISO is more of a general standard that is applicable to any type of organization, CMMI focuses purely on software or systems development firms. In this article the authors discuss the weaknesses and strengths of each of these standards.
I. Introduction
Software process improvement (SPI) methods assure the delivery of successful software projects. There are two different types of SPI:
1. Model Based SPI
2. Inductive SPI
Model-based SPI is based on external, pre-packaged knowledge and best practices. Inductive SPI, on the other hand, is based on the internal knowledge of the organization, e.g. the Quality Improvement Paradigm (QIP) [1]. Both CMMI and ISO are examples of model-based SPI. This report gives an in-depth overall reflection on both ISO and CMMI.
The report is structured as follows:
· Section II gives the detailed characteristics of CMMI and ISO.
· Section III explains the main differences between CMMI and ISO.
· Section IV explains the strengths and weaknesses of both CMMI and ISO.
· Section V discusses the three most important process areas of CMMI in detail.
The report ends with a conclusion that discusses the overall goal of SPI.
II. Characteristics of CMMI and ISO
This section explains the intentions behind developing ISO and CMMI. It also explains how they help in improving the quality of the final product.
A. International Organization for Standardization (ISO)
ISO is a global organization which identifies and creates the international standards required by organizations and government bodies. These standards are then implemented, adopted and made available worldwide [2]. It was started in 1947. There are more than 18000 defined international standards at the moment. The purpose of developing international standards was to achieve international coordination and unification between organizations in order to have better-quality and compatible products [3][4].
The ISO 9000 series consists of quality and process management standards which were launched to reduce the problem of the large number of standards [5][3]. ISO 9001 is the standard in the 9000 series which specifies the requirements. These requirements enable organizations to provide products according to customer and regulatory requirements [6]. ISO defines standards which tell “what” to do, not “how” to do it. They are general in nature and not specific to any application domain, development paradigm, life-cycle model, process model, type of development or type of product [3].
In order to get an ISO certificate, a company needs to fulfill all the requirements mentioned in the ISO document. A certifier then performs the audit and gives the certificate to the organization. However, it requires a lot of time and effort to fulfill the ISO requirements. The process works as follows [7]:
· Plan to get ISO and gain the commitment of people, particularly of higher management.
· Assign responsibility for the process to someone, either from the company or a consultant.
· Perform an assessment of the current processes and find the gaps. This analysis figures out where the organization currently stands and what changes are required to meet the ISO requirements.
· Fill the gaps by revising, adding or improving processes and documenting the system to meet the ISO requirements. This is the most difficult and time-consuming part. Plan-Do-Check (Study)-Act (PDCA or PDSA) is a very useful model at this stage for improvement and analysis.
· Perform an internal audit and resolve any problems that are found.
· Find a certifier and perform an external audit. The auditor checks whether all the ISO requirements are fulfilled. After all requirements are verified, a certificate is given to the organization.
B. Capability Maturity Model-Integrated (CMMI)
CMMI is an approach to process improvement which provides organizations with the essential elements of effective processes to improve their performance [8]. It particularly focuses on systems engineering and software engineering [9]. It was first published in 2000 as a collaborative effort of the Software Engineering Institute (SEI), government representatives and industry representatives. The purpose of developing CMMI was to create an integrated model, by merging popular and successful models, which is consistent with many other well-known models [4]. According to the Software Engineering Institute (SEI):
“It helps integrate traditionally separate organizational functions, set process improvement goals and priorities, provide guidance for quality processes, and provide a point of reference for appraising current processes”
Many people mistakenly believe that CMMI is a methodology which tells organizations how to implement processes. CMMI is a model, not a methodology. It only tells what should be done, not how it should be done [4].
CMMI has two flavors: staged and continuous. The selection of a flavor depends on the organization’s goal. The staged model has five levels: Level 1 Initial, Level 2 Managed, Level 3 Defined, Level 4 Quantitatively Managed and Level 5 Optimizing.
Each level is associated with process areas whose requirements must be met to achieve that level. Figure 1 shows the staged levels as a staircase of improvement for an organization.
In the continuous model, each level is composed of practices related to one process, which allows organizations to select a process area to concentrate upon [4]. For example, if an organization wants to focus more on the support process, it can use the continuous model to focus on support. Figure 2 shows the CMMI continuous levels. In order to get CMMI, companies assess their processes against the level they want to achieve, then fill the gaps by revising, adding or improving processes.
III. Differences between CMMI and ISO
There are many differences between CMMI and ISO. Some of them are given below:
A. 1st Difference (CMMI VS ISO)
CMMI was developed by the Software Engineering Institute. It is an improvement on the previous CMM model. The basic use of the CMM model was to determine whether software-intensive systems are mature enough or not. CMMI V 1.3 is the most recent version, which was released on November 1, 2010. CMMI addresses three different areas [10]:
· Development (CMMI-DEV)
· Services (CMMI-SVC)
· Acquisition (CMMI-ACQ)
For example, CMMI-DEV is used for checking organizational maturity in the development process by comparing it with available industry best practices [11].
ISO belongs to a family of quality management standards. These standards have been developed by the International Organization for Standardization (ISO). ISO has different standards for different purposes, and its specifications change over time [11].
B. 2nd Difference (Conceptual Difference)
The main difference between CMMI and ISO is conceptual [11].
CMMI is referred to as a process model. ISO, on the other hand, is referred to as an audit standard [11]. In CMMI, organizations can get a rating from level 1 to level 5 depending upon the maturity of the processes defined at every process level [12]. ISO is a certification tool, and an organization can get this certification after conforming to certain standards [11].
C. 3rd Difference (Scope Difference)
There is also a difference in scope between CMMI and ISO. CMMI is intended only for improving businesses related to the software industry [12]. CMMI focuses mainly on project management and other engineering disciplines. There are 22 process areas in CMMI (V1.2), and organizations can select any process area relevant to their own needs [11]. ISO is generic in nature. ISO is very flexible and can be implemented in any manufacturing industry. ISO certification requirements are the same for all organizations and industries [11].
D. 4th Difference (Approach Difference)
CMMI requires an organization to adopt ingrained processes [12].
The main purpose of this adoption is for all processes to become part of the organizational culture, so that they are not affected by the pressure of deadlines [11]. CMMI also has organized and technical disciplines for managing risk. ISO took a neutral approach to risk management before ISO 31000:2009. This ISO standard now provides some general guidelines for risk management [11].
CMMI links processes to different business goals in order to achieve maturity, while ISO emphasizes customer satisfaction.
E. 5th Difference (Implementation Difference)
For implementation, CMMI makes a comparison between existing processes and industrial best practices [11]. ISO, on the other hand, adjusts existing processes to fit specific ISO requirements [11].

