Information Technology Asset Management System – ISO 19770-1

Organizations rely heavily on software and information technology to manage their businesses effectively. They also rely on technology to communicate with customers and partners, track business plans and finances, and compete with their peers. Given this high dependency, it is important for organizations to manage their IT assets correctly and strategically.

Therefore, the International Organization for Standardization (ISO) issued a standard that helps organizations manage their technical assets and implement best practices in this regard within their work systems, which is the ISO 19770-1 standard, which specifies the requirements for an information technology asset management system (ITAM).

A set of controls and practices that define the requirements for establishing, implementing, maintaining and improving an ITAM asset management system, designing asset management processes in terms of methods, procedures and plans, and defining specific policies and perspectives for them; with the aim of maximizing the value of assets and achieving a balance between costs, risks, opportunities and performance, and enabling organizations to align and integrate the IT asset management system with related management systems, such as ISO/IEC 27001 and ISO/IEC 20000-1

This standard is part of the core standard ISO 19770, which represents a framework for ITAM processes and the overall management system that needs to be established in order to demonstrate that the organization follows specific and standardized approaches in the management of its technical assets to a sufficient standard to meet corporate governance requirements and ensure effective support for IT service management in general. The organization that proves its compliance with the requirements specified in the standard obtains an official accreditation certificate.

This standard covers all IT assets. For example, it can apply to IT hardware, executable software (such as application software and operating systems), and non-executable software (such as configuration information). It can be applied to all technology environments and computing platforms, including cloud computing.

In addition, this standard is an extension of ISO 55001, which specifies the requirements for establishing and implementing an asset management system. The fundamental difference between them is that the ISO 19770 standard focuses more on software asset management and specifies additional more detailed and relevant requirements in this regard, and also follows a tiered approach to enable organizations to adopt ICT processes appropriate to the needs and size of the organization, while the requirements of the ISO 55001 focus on physical asset management.

A set of business practices that combine finance, inventory, and contracting functions to optimize spending and support lifecycle management and strategic decision-making for IT assets. ITAM is often a subset of the IT Service Management (ITSM) process.

The IT asset management process typically involves gathering a detailed inventory of an organization’s hardware, software and network assets and then making informed business decisions about IT procurement and redeployment.

Assets are defined as any IT-related equipment, software, subscriptions, or services that the organization owns, pays for, or otherwise uses, directly or indirectly. This definition of an IT asset is broad, and includes not only servers, desktop computers, and mobile devices, but also IoT, network devices, storage, and cloud services such as software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS), among many others.

IT Asset Management (ITAM) also includes the system, processes and technologies used to discover, track, manage and improve IT assets at all stages of their life cycle. An asset management system is not limited to creating and editing an asset inventory, but rather about the continuous use of collected asset data to maximize returns, reduce risks and increase business value, by avoiding unnecessary asset purchases and making optimal use of existing resources, eliminating waste and improving efficiency.

Implementing the ISO 19770-1 standard has many advantages, some of which are mentioned as follows:

1. Managing and reducing the risks of interruption in the provision of IT services
2. Reduce overall software costs by implementing various processes
3. Improving the availability of information, leading to improved decision-making based on accurate and specific data
4. Meet legal, regulatory and contractual requirements
5. Extracting maximum value from IT assets
6. Ensure asset security through effective asset tracking and support across the entire IT asset life cycle
7. The scope of application of the standard is broad enough to be applied in a variety of technology environments, including cloud computing
8. By providing a common standard that all organizations can comply with, even if managing licenses requires intensive work, organizations can benefit from processes such as recycling existing licenses within the organization, thus saving organizations money.
9. This standard allows for standardization in IT asset management by allowing a standardized and measurable common approach.
10. Information Security: You can’t secure what you don’t know. The first task within information security is to understand which devices are connected to your network, how they are configured, which hardware and software are real and licensed, etc. ITAM provides all this information.
11. Configuration and Change Management: Without knowing the existing IT assets and how they are configured, the organization cannot determine whether this configuration is correct and that unauthorized changes are not being made to it.
12. Disaster recovery: Without knowing what IT assets exist, where they are located, how they are configured, and what business functions they support, it will be difficult to rebuild these assets (and thus company operations) after a disaster.
13. IT Financial Management: Without knowing how much money an organization is spending on IT assets, and the ability to manage future demands for its technology assets, it is difficult to develop an effective IT budget.

In addition, the benefits to end-user organizations are many, as the forms of IT Asset Management (ITAM) and Software Asset Management (SAM) are dominated by some vendor-specific approaches to issuing licenses, managing licenses, and optimizing assets. Each approach is unique and uses its own terminology.

While the former approach may foster innovation, it also results in the software consumer being required to deal with each of these vendors on a separate basis, creating significant inefficiencies and preventing easy comparisons. Compliance with the ISO 19770-1 standard can contribute to reducing these shortcomings and allowing logical comparisons due to the existence of an internationally recognized framework for the adoption and implementation of an IT Asset Management (ITAM) system.

The International Organization for Standardization (ISO) launched the ISO 19770-1 standard for the first time in 2006, and subsequently followed it with several updates, starting with the 2012 update. The standard then retained its original content (with only minor changes), but the 2012 version divided the standard into four levels that can be achieved sequentially, these levels are:

1. Level 1: Trustworthy data
2. Level 2: Practical management
3. Level 3: Operational integration
4. Level 4: Compliance of the IT asset management system with the full requirements of ISO standards

The latest version is the current version, known as ISO 19770-1:2017, which was published in December 2017. It specifies requirements for establishing, implementing, maintaining, and improving an Information Technology Asset Management (ITAM) system. It was a major update and was rewritten to align with the format of ISO Management System Standards (MSS).

Although ISO 55001 can be used for software asset management, if organizations define its scope and related requirements appropriately, it focuses primarily on physical assets while providing minimal resources for software asset management. Unlike ISO 19770-1, which addresses the following:

• Impose controls on software modification, duplication, and distribution, with particular emphasis on access and safety controls
• Audit Trail, permissions and changes made to IT assets
• Controls on licensing and compliance with licensing terms and conditions
• Controls over situations involving mixed ownership and responsibilities, such as cloud computing and “bring your own device” (BYOD) practices
• Match IT asset management data with data in other information systems when justified by business value, particularly with financial information systems that record assets and expenses.

Moreover, since the information associated with IT assets is typically large, highly complex, and rapidly changing, organizations that have this information will likely need to use automated information systems.

At RMG, we provide you with the appropriate support during your compliance journey, starting from the system planning and design phase, through the implementation and awareness phase, and ending with the auditing phases and obtaining international accreditation, through the following services:

• Conducting a gap analysis: analyzing the current situation of the organization, identifying the problems facing the existing (old) system, and determining the goals that must be achieved and the benefits required from the new system.

• Providing advice during all stages of building the system: from the design and development stage of the ITAM information technology asset management system within the organization, to the external audit stage; for the purpose of qualifying you to obtain international accreditation ISO/IEC 19770-1:2017
• Conducting training programs and workshops: we provide you with training programs and awareness sessions that help you understand, implement, and audit administrative systems established according to designated standards.
• Internal audit: our specialized team examines the system implemented within the organization, evaluates its compatibility with industry requirements and standards, makes suggestions for its improvement, and advise on necessary improvement actions.
• Providing appropriate technical solutions.

If you need to know more details about the ISO standard, contact us to discuss and answer all your inquiries during a free consultation session; By filling out the contact form below 👇