Software engineering — Guidelines for the application of ISO 9001:2008 to computer software

ISO/IEC 90003:2014 provides guidance for organizations in the application of ISO 9001:2008 to the acquisition, supply, development, operation and maintenance of computer software and related support services. ISO/IEC 90003:2014 does not add to or otherwise change the requirements of ISO 9001:2008. The guidelines provided in ISO/IEC 90003:2014 are not intended to be used as assessment criteria in quality management system registration/certification.

The application of ISO/IEC 90003:2014 is appropriate to software that is
· part of a commercial contract with another organization,
· a product available for a market sector,
· used to support the processes of an organization,
· embedded in a hardware product, or
· related to software services.

Some organizations may be involved in all the above activities; others may specialize in one area. Whatever the situation, the organization's quality management system should cover all aspects (software related and non-software related) of the business. ISO/IEC 90003:2014 identifies the issues that should be addressed and is independent of the technology, life cycle models, development processes, sequence of activities and organizational structure used by an organization. Additional guidance and frequent references to the ISO/IEC JTC 1/SC 7 software engineering standards are provided to assist in the application of ISO 9001:2008, in particular ISO/IEC 12207:2008.

Ingénierie du logiciel — Lignes directrices pour l'application de l'ISO 9001:2008 aux logiciels informatiques

General Information

Status: Withdrawn
Publication Date: 08-Dec-2014
Withdrawal Date: 08-Dec-2014
Current Stage: 9599 - Withdrawal of International Standard
Completion Date: 29-Nov-2018

Standard
ISO/IEC 90003:2014 - Software engineering -- Guidelines for the application of ISO 9001:2008 to computer software
English language
54 pages

Standards Content (Sample)

INTERNATIONAL STANDARD ISO/IEC 90003
Second edition
2014-12-15
Software engineering — Guidelines for the application of ISO 9001:2008 to computer software
Ingénierie du logiciel — Lignes directrices pour l’application de l’ISO 9001:2008 aux logiciels informatiques
Reference number ISO/IEC 90003:2014(E)
© ISO/IEC 2014

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

Contents
Foreword
Introduction
1 Scope
1.1 General
1.2 Application
2 Normative references
3 Terms and definitions
4 Quality management system
4.1 General requirements
4.2 Documentation requirements
5 Management responsibility
5.1 Management commitment
5.2 Customer focus
5.3 Quality policy
5.4 Planning
5.5 Responsibility, authority and communication
5.6 Management review
6 Resource management
6.1 Provision of resources
6.2 Human resources
6.3 Infrastructure
6.4 Work environment
7 Product realization
7.1 Planning of product realization
7.2 Customer-related processes
7.3 Design and development
7.4 Purchasing
7.5 Production and service provision
7.6 Control of monitoring and measuring devices
8 Measurement, analysis and improvement
8.1 General
8.2 Monitoring and measurement
8.3 Control of nonconforming product
8.4 Analysis of data
8.5 Improvement
Annex A (informative) Summary of guidance in the implementation of ISO 9001:2008 available in ISO/IEC JTC 1/SC 7 and ISO/TC 176 standards
Annex B (informative) Planning in ISO/IEC 90003 and ISO/IEC 12207
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
Details of any patent rights identified during the development of the document will be in the Introduction
and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT), see the following URL: Foreword — Supplementary information.
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee
SC 7, Software and system engineering.
This second edition of ISO/IEC 90003 cancels and replaces the first edition. It has been updated for
conformity to ISO 9001:2008 and to reference recent editions of other relevant standards.

Introduction
This International Standard provides guidance for organizations in the application of ISO 9001:2008 to
the acquisition, supply, development, operation, and maintenance of computer software.
It identifies the issues that should be addressed and is independent of the technology, life cycle models,
development processes, sequence of activities, and organizational structure used by an organization. The
guidance and identified issues are intended to be comprehensive but not exhaustive. Where the scope of
an organization’s activities includes areas other than computer software development, the relationship
between the computer software elements of that organization’s quality management system and the
remaining aspects should be clearly documented within the quality management system as a whole.
Clauses 4, 5, and 6 and parts of Clause 8 of ISO 9001:2008 are applied mainly at the “global” level in the
organization, although they do have some effect at the “project/product level”. Each project or product
development may tailor the associated parts of the organization’s quality management system to suit
project/product-specific requirements.
Throughout ISO 9001:2008, “shall” is used to express a provision that is binding between two or more
parties, “should” to express a recommendation among possibilities, and “may” to indicate a course of
action permissible within the limits of ISO 9001:2008. This International Standard (ISO/IEC 90003)
provides guidance to assist in understanding how the provisions of ISO 9001:2008 apply in the context
of software.
Organizations with quality management systems for developing, operating, or maintaining software
based on this International Standard may choose to use processes from ISO/IEC 12207 to support
or complement the ISO 9001:2008 process model. The related paragraphs of ISO/IEC 12207:2008
are referenced in each clause of this International Standard; however, they are not intended to imply
requirements additional to those in ISO 9001:2008. Further guidance to the use of ISO/IEC 12207 may
be found in ISO/IEC 24748–3. For additional guidance, references are provided to the International
Standards for software engineering defined by ISO/IEC JTC 1/SC 7. Where these references are specific
to a clause or subclause of ISO 9001:2008, they appear after the guidance for that clause or subclause.
Where they apply generally across the parts of a clause or subclause, the references are included at the
end of the last part of the clause or subclause.
Where text has been quoted from ISO 9001:2008, that text is enclosed in a box, for ease of identification.

INTERNATIONAL STANDARD ISO/IEC 90003:2014(E)
Software engineering — Guidelines for the application of
ISO 9001:2008 to computer software
1 Scope
1.1 General
ISO 9001:2008, Quality management systems requirements
1.1  General
This International Standard specifies requirements for a quality management system where an
organization
a)  needs to demonstrate its ability to consistently provide product that meets customer and
applicable statutory and regulatory requirements, and
b)  aims to enhance customer satisfaction through the effective application of the system, including
processes for continual improvement of the system and the assurance of conformity to customer and
applicable statutory and regulatory requirements.
NOTE 1  In this International Standard, the term “product” only applies to
     a)  product intended for, or required by, a customer,
     b)  any intended output resulting from the product realization processes.
NOTE 2  Statutory and regulatory requirements can be expressed as legal requirements.
This International Standard provides guidance for organizations in the application of ISO 9001:2008
to the acquisition, supply, development, operation, and maintenance of computer software and related
support services. It does not add to or otherwise change the requirements of ISO 9001:2008.
Annex A (informative) provides a table pointing to additional guidance in the implementation of
ISO 9001:2008, available in ISO/IEC JTC 1/SC 7 and ISO/TC 176 International Standards.
The guidelines provided in this International Standard are not intended to be used as assessment criteria
in quality management system registration/certification.
1.2 Application
ISO 9001:2008, Quality management systems requirements
1.2  Application
All requirements of this International Standard are generic and are intended to be applicable to all
organizations, regardless of type, size, and product provided.
Where any requirement(s) of this International Standard cannot be applied due to the nature of an
organization and its product, this can be considered for exclusion.
Where exclusions are made, claims of conformity to this International Standard are not acceptable
unless these exclusions are limited to requirements within Clause 7, and such exclusions do not affect
the organization’s ability, or responsibility, to provide product that meets customer and applicable
statutory and regulatory requirements.
The application of this International Standard is appropriate to software that is
— part of a commercial contract with another organization,
— a product available for a market sector,
— used to support the processes of an organization,
— embedded in a hardware product, or
— related to software services.
Some organizations may be involved in all of the above activities; others may specialize in one area.
Whatever the situation, the organization’s quality management system should cover all aspects
(software related and non-software related) of the business.
2 Normative references
ISO 9001:2008, Quality management systems requirements
2  Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO 9000:2005, Quality management systems — Fundamentals and vocabulary
3 Terms and definitions
ISO 9001:2008, Quality management systems requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 9000 apply.
Throughout the text of this International Standard, wherever the term “product” occurs, it can also
mean “service”.
For the purposes of this document, the terms and definitions given in ISO 9001:2008, and certain terms
(repeated here for convenience) given in ISO/IEC 12207 apply.
However, in the event of a conflict in terms and definitions, the terms and definitions specified in
ISO 9000:2005 apply.
NOTE ISO/IEC 12207:2008 provides detailed provisions for software life cycle processes. This International
Standard will make reference to terms defined in it.
3.1
activity
set of cohesive tasks of a process
[SOURCE: ISO/IEC 12207:2008, 4.3]
3.2
baseline
specification or product that has been formally reviewed and agreed upon, that thereafter serves as the
basis for further development, and that can be changed only through formal change control procedures
[SOURCE: ISO/IEC 12207:2008, 4.6]
3.3
configuration item
entity within a configuration that satisfies an end use function and that can be uniquely identified at a
given reference point
[SOURCE: ISO/IEC 12207:2008, 4.7]
3.4
COTS
Commercial-Off-The-Shelf
available for purchase and use without the need to conduct development activities
3.5
implementation
software life cycle process that contains activities of requirements analysis, design, coding, integration,
testing, installation, and support for acceptance of software products
3.6
life cycle model
framework of processes and activities concerned with the life cycle that may be organized into stages,
which also acts as a common reference for communication and understanding
Note 1 to entry: The requirements of ISO 9001:2008 would apply to maintenance, only if contractually required,
after acceptance of the product by the customer. However, generally, the requirements do not apply to maintenance.
[SOURCE: ISO/IEC 12207:2008, 4.17]
3.7
measure
make a measurement
[SOURCE: ISO/IEC 15939:2007, 2.16]
3.8
measure
variable to which a value is assigned as the result of measurement
[SOURCE: ISO/IEC 15939:2007, 2.15]
3.9
measurement
set of operations having the object of determining a value of a measure
[SOURCE: ISO/IEC 15939:2007, 2.17]
3.10
process
set of interrelated or interacting activities which transforms inputs into outputs
Note 1 to entry: Inputs to a process are generally outputs of other processes.
[SOURCE: ISO 9000:2005, 3.4.1]
3.11
regression testing
testing required to determine that a change to a system component has not adversely affected
functionality, reliability, or performance, and has not introduced additional defects
3.12
release
particular version of a configuration item that is made available for a specific purpose
Note 1 to entry: The term “release” used in the ISO 9001:2008 text quoted in this International Standard is used
in the context of the definition provided in ISO 9000:2005, 3.6.13, which is different from the ISO/IEC 12207
definition quoted above.
EXAMPLE Test release
[SOURCE: ISO/IEC 12207:2008, 4.35]
3.13
replication
copying a software product from one medium to another
3.14
software item
identifiable part of a software product
3.15
software product
set of computer programs, procedures, and possibly associated documentation and data
Note 1 to entry: A software product may be designated for delivery, an integral part of another product, or used
in development.
Note 2 to entry: This is different from a product in ISO 9000.
Note 3 to entry: For the purposes of this International Standard, “software” is synonymous with “software
product”.
[SOURCE: ISO/IEC 12207:2008, definition 4.42]
4 Quality management system
4.1 General requirements
ISO 9001:2008, Quality management systems requirements
4.1  General requirements
The organization shall establish, document, implement and maintain a quality management system
and continually improve its effectiveness in accordance with the requirements of this International
Standard.
The organization shall
a)  determine the processes needed for the quality management system and their application
throughout the organization (see 1.2),
b)  determine the sequence and interaction of these processes,
c)  determine criteria and methods needed to ensure that both the operation and control of these
processes are effective,
d)  ensure the availability of resources and information necessary to support the operation and
monitoring of these processes,
e)  monitor, measure where applicable, and analyse these processes, and
f)  implement actions necessary to achieve planned results and continual improvement of these
processes.
These processes shall be managed by the organization in accordance with the requirements of this
International Standard.
Where an organization chooses to outsource any process that affects product conformity to
requirements, the organization shall ensure control over such processes. The type and extent of
control to be applied to these outsourced processes shall be defined within the quality management
system.
NOTE 1  Processes needed for the quality management system referred to above include processes
for management activities, provision of resources, product realization, measurement, analysis and
improvement.
NOTE 2  An “outsourced process” is a process that the organization needs for its quality management
system and which the organization chooses to have performed by an external party.
NOTE 3  Ensuring control over outsourced processes does not absolve the organization of the
responsibility of conformity to all customer, statutory and regulatory requirements. The type and
extent of control to be applied to the outsourced process can be influenced by factors such as
     a)  the potential impact of the outsourced process on the organization’s capability to provide
product that conforms to requirements,
     b)  the degree to which the control for the process is shared,
     c)  the capability of achieving the necessary control through the application of 7.4.
Guidance is provided for items a) and b) of ISO 9001:2008, 4.1, in relation to the organizational processes
as follows (see 5.4.2, and 7.4.1 for additional guidance on outsourcing).
a) Process identification and application
The organization should also identify the processes for software development, operation or maintenance.
b) Process sequence and interaction
The organization should also define the sequence and interaction of the processes in:
1) life cycle models for software development, e.g. waterfall, incremental and evolutionary, and
2) quality and development planning, which should be based upon a life cycle model.
NOTE For further information, see the following:
     — ISO/IEC 12207:2008 [5] (Software Life Cycle Processes) which defines a set of software life cycle
processes that may be used for reference;
     — ISO/IEC/TR 24748–1 [21] and ISO/IEC/TR 24748–3 [22] which provide guidance on how to use processes
from ISO/IEC 12207 in different life cycles.
4.2 Documentation requirements
4.2.1 General
ISO 9001:2008, Quality management systems requirements
4.2.1  General
The quality management system documentation shall include
a)  documented statements of a quality policy and quality objectives,
b)  a quality manual,
c)  documented procedures and records required by this International Standard, and
d)  documents, including records, determined by the organization to be necessary to ensure the
effective planning, operation and control of its processes.
NOTE 1  Where the term “documented procedure” appears within this International Standard, this
means that the procedure is established, documented, implemented and maintained. A single
document may address the requirements for one or more procedures. A requirement for a
documented procedure may be covered by more than one document.
NOTE 2  The extent of the quality management system documentation can differ from one
organization to another due to
     a)  the size of organization and type of activities,
     b)  the complexity of processes and their interactions, and
     c)  the competence of personnel.
NOTE 3  The documentation can be in any form or type of medium.
Documents for the effective planning, operation, and control of processes for software [ISO 9001:2008,
4.2.1, item d)] may cover the following:
1) descriptions of processes, such as those identified in implementing 4.1;
2) descriptions of procedural instructions and/or templates used;
3) descriptions of life cycle models used, such as waterfall, incremental and evolutionary;
4) descriptions of tools, techniques, technologies, and methods such as those identified in implementing
4.1;
5) technical topics such as standards or guidance documents for coding, design and development, and
testing.
NOTE For further information on document identification as part of configuration management, see 7.5.3.
4.2.2 Quality manual
ISO 9001:2008, Quality management systems requirements
4.2.2  Quality manual
The organization shall establish and maintain a quality manual that includes
a)  the scope of the quality management system, including details of and justification for any
exclusions (see 1.2),
b)  the documented procedures established for the quality management system, or reference
to them, and
c)  a description of the interaction between the processes of the quality management system.
4.2.3 Control of documents
ISO 9001:2008, Quality management systems requirements
4.2.3  Control of documents
Documents required by the quality management system shall be controlled. Records are a special
type of document and shall be controlled according to the requirements given in 4.2.4.
A documented procedure shall be established to define the controls needed
a)  to approve documents for adequacy prior to issue,
b)  to review and update as necessary and re-approve documents,
c)  to ensure that changes and the current revision status of documents are identified,
d)  to ensure that relevant versions of applicable documents are available at points of use,
e)  to ensure that documents remain legible and readily identifiable,
f)  to ensure that documents of external origin determined by the organization to be necessary for
the planning and operation of the quality management system are identified and their distribution
controlled, and
g)  to prevent the unintended use of obsolete documents, and to apply suitable identification to them
if they are retained for any purpose.
NOTE For further information on document control as part of configuration management, see 7.5.3.
4.2.4 Control of records
ISO 9001:2008, Quality management systems requirements
4.2.4  Control of records
Records established to provide evidence of conformity to requirements and of the effective operation
of the quality management system shall be controlled.
The organization shall establish a documented procedure to define the controls needed for the
identification, storage, protection, retrieval, retention and disposition of records.
Records shall remain legible, readily identifiable and retrievable.
4.2.4.1 Evidence of conformity to requirements
Evidence of conformity to requirements may include:
a) documented test results,
b) problem reports, including those related to tools problems,
c) change requests,
d) documents marked with comments,
e) audit and assessment reports, and
f) review and inspection records, such as those for design reviews, code inspections, and wal
...
