Software Development Standards: ISO compliance and Agile

11 min read
Software Development Standards: ISO compliance and Agile

Agile software methods have created a heated discussion between promoters of big-design-upfront (BDUF) and promoters of agile development methodologies. What appears to be at the heart of the discussion is a worry about the lack of documentation that is expected to be created as part of the agile development process.

Processes that assure compliance with defined standards can be included in agile processes, although there are essentially no recommendations for doing so in practice. To do that, agile teams must consider a list of criteria, including process optimization, increased operational speed, high-quality software solutions, and client satisfaction. Numerous businesses get certification in order to adhere to established standards, with ISO being the most prominent and well-known.

However, there are various ISO certifications applicable to software companies – which one does your business require?

What are software development standards?

A software engineering standard may be defined as any standard, protocol, or similar document that outlines the rules and processes for the creation of software products. A typical software development company will have such documents on hand, and they will be intended for usage only by that specific organization.

What dose compliance with software development standards mean?

Standard compliance frequently requires the drafting of documentation. The agile philosophy of "working software over comprehensive documentation" [Fowler & Highsmith 2001; Agile Manifesto URL] appears to be in conflict with this. It's necessary to emphasize that the agile movement isn't anti-documentation per se; rather, it's anti-documentation that adds no actual value to a project's fundamental purpose of producing good software.

Agile approaches are very adaptive by definition and may thus adhere to standards when necessary. However, it appears that there are essentially no rules for embedding procedures that assure compliance with stated standards into agile techniques. Based on an examination of currently utilized ISO software standards, this article proposes a few such principles. For software engineering, ISO advises starting with a quality manual. This can help you maintain and improve the quality of your software life cycle, as well as track client satisfaction.

The next stage is to put the quality manual that explains the software development process into action. The implementation uses e.g. the Scrum framework. The product owner, scrum master, and scrum team are the three major positions in Scrum. They are in charge of putting the process into action. ISO also suggests creating a hierarchy to aid in the improvement of overall process performance. ISO emphasizes continuous improvement, and scrum does as well. All QMS should be designed, executed, measured, and improved, according to ISO. Scrum follows a similar pattern, with sprint planning, execution, review, and retrospective.

In a broad sense, auditing is a procedure in which an impartial agent examines the operations of the audited party and issues a formal report on the results. The requirement for auditing is most common in situations when actions are carried out independently and/or privately.

ISO standards for software development

ISO and IEEE are two of the most well-known international standards that enable software businesses all around the globe better structure their operations by providing a well-defined and effective framework.

ISO - International Organization for Standardization

IEEE - Electrical and Electronics Engineers

These standards are a list of principles and good practices that are used to help software companies increase the quality of their services and organisation of processes to reach better results. The ISO is a global standard-setting organization that spans sectors including software and food. ISO's major purpose is to assist businesses to improve their processes and therefore their services by offering a set of standards and norms to follow:

  • ISO/IEC 12207 and ISO/IEC 15288 standards are the most important for software development and can be replaced by each other, both referring to the Software life cycle processes. Other standards that are relevant to software development:
  • ISO/IEC 15939 (Software measurement process) specifies the activities and tasks that are required to create, implement, and enhance the software measurement process. It doesn't provide a list of software metrics or give tools for estimating the qualities of a software product or process.
  • ISO/IEC 14143 (Software measurement - Functional size measurement). Although these standards are used to assist software development, they are unrelated to the current issue and will not be discussed further.

ISO 12207 Software life cycle processes

ISO/IEC 12207 describes the following parts as:

  • Software product - “The set of computer programs, procedures, and possibly associated documentation and data.”
  • Software service - “Performance of activities, work, or duties connected with a software product, such as its development, maintenance, and operation.”
  • System - “An integrated composite that consists of one or more of the processes, hardware, software, facilities, and people, that provides a capability to satisfy a stated need or objective.”

ISO/IEC 12207 standard establishes a framework for software life cycle procedures that spans all stages of the software development life cycle, from conception through retirement. Primary life cycle processes, supporting life cycle processes, and organizational life cycle processes are divided into three categories in the framework. In each of these domains, relevant subprocesses are defined, and specific actions are outlined for each subprocess.

ISO 12207 Compliance

Complying with ISO 12207 standard “is defined as the performance of all the processes, activities, and tasks selected from this International Standard in the Tailoring Process ... for the software project.” [ISO 12207].

An annex to the standard discusses how to modify ISO 12207 for a specific project. The first step is to determine the project environment's attributes. Project criticality and team size may be factors. All project stakeholders must be consulted on how the ISO 12207 procedure should be customized to their specific project needs.

The project's methods, activities, and tasks should be selected based on this consultation. Not described in ISO 12207 but included in the contract are processes, activities, and tasks. Also, record who is accountable for each process, activity, or task. All customization decisions should be documented with explanations.

To comply with ISO 12207, an organization must identify what procedures, actions, and tasks are necessary to be performed in order to meet the standard's minimal requirements. Compliance can be improved and discussed as the acquirer and supplier define the contract.

ISO 12207 in agile software development

As stated earlier, ISO 12207 is the most significant ISO standard for software engineering. This part inspires and guides the adoption of the standard in an agile environment.

Regardless, we believe the question can be answered positively. Towards this end, we present implementation recommendations that will ensure an agile-based project meets ISO 12207. These rules are based on both the standard and the features of agile approaches.

One way to ensure an agile development team adheres to the ISO12207 standard is to delegate that responsibility to one or more persons. Thus, this individual helps the team to develop the appropriate artifacts in accordance with the standard.

To guarantee that developers, notable programmers, are not burdened by the documentation and administrative chores required to comply with the standard, an organizational model similar to Brooks's [Brooks 1995] is suggested. An administrator (who manages all administrative issues such as resources and legalities), an editor (who ‘translates' the surgeon's documentation for general usage), an administrator's secretary, an editor's secretary, and a program clerk (who maintains changing artifacts through version and configuration control) make up this model of a so-called Surgical Team (who is an expert on programming language usage and other specifications).

The above development team organization concept was proposed in the 1960s. While it may not be applicable for some current software engineering projects, it does offer some important concepts.

The idea that programmers should be kept away from administrative activities and documentation is worth examining. In an agile project, this means ensuring compliance with the ISO standards specified should create the relevant documentation without burdening the developers. So the documentation sub-team should collect data in a non-intrusive manner.

ISO 29119: Software Testing

The ISO 29119 set of standards outlines best practices for software and systems engineering, including software testing. These best practices aren't tied to any particular development model, but many of them resemble a V-model approach.

For software testing, ISO 29119 is divided into five sections:

  • Testing based on keywords
  • Documentation for testing
  • Techniques and techniques for testing
  • Definitions and concepts

The core tenet of ISO 29119 is that testing is the most important tool for risk mitigation and avoidance. As a result, all of the standards use a risk-based approach and urge businesses to concentrate on the most critical operations.

ISO 29119 Compliance

Documenting your test automation with the ISO29119 standard might help you comply with the standard:

  • "Session sheet" containing a software test case specification
  • A defect report detailing the acceptance criteria and test findings.
  • Daily Test Progress Report, including a burn-down graphic and a summary of open and finished tests, as well as their results
  • A report on the results of the test.

ISO 29119 in agile software development

In agile software development, the following questions frequently arise:

  • Are you consistent with the needs of the ISO 29119 standards if you adopt agile development best practices?
  • In agile development, how do you implement the requirements of this family of standards?
  • Evaluate the two process criteria to translate it to ISO 29119 agile development
  • Evaluation process would be developed as a test model that outlines the atomic requirements that must be completed before a user narrative is considered "done".
  • Testing team contribute to burn-down and burn-up charts by running test cases to ensure that each user story's acceptance requirements are satisfied. - The monitor (TMC2) activity, task a, would be used to track the daily test execution progress. This task focuses on gathering metrics to measure progress toward completion.
  • The report activity would be used to report on the state of testing, including progress toward testing on each user story.

ISO 27001: Information Security

The ISO 2700 family, which encompasses information security requirements inside an enterprise, is another prominent standard among software development organizations. ISO 2700's major purpose is to secure a company's assets and enhance its security procedures.

The most significant advantage of an ISO 27001 accreditation for a firm is the assurance of the security of its operations and data. In this approach, a firm seems more dependable and trustworthy to customers while maintaining a competitive edge over other enterprises.

The following are some of the most important ISO 27001 clauses:

  • Management of information security
  • System design for information security management
  • Risk assessment and management
  • A performance evaluation of the system
  • Developing and implementing a corrective action strategy

ISO 27001 Compliance

Identification, classification, and labeling of significant information assets are the first steps in ensuring information security. It is necessary to define the user groups who have access. Mechanisms for data access and protection must be developed. Production data and document assets, as well as engineering-owned assets, are the two forms of information assets. The business, the legal and compliance department, and risk management all collaborate on production data and paperwork. They categorize the assets and establish rules for their management. Policies are influenced by data privacy legislation, particularly in Europe. The rules specify if consumer data is sensitive, who has access to it, and so on.

According to ISO27001, an information security framework is required, and the Chief Security or Chief Compliance Officer is responsible for these issues. The bulk of the 114 controls must be implemented by the IT department as a whole. Some are sole of interest to developers, testers, and change managers.

ISO 27001 in agile software development

For software development processes, ISO27001 specifies contains many controls but the most important from our point of view are:

  • Acceptance testing is required — against both functional and non-functional criteria, the latter of which includes security needs.
  • Security testing must be performed throughout the development process.
  • Separate the development, test, and operational environments.

Many software development approaches, such as Agile, are compatible with these restrictions. The controls listed below assist that production systems are stable:

  • Standard change management for IT and business changes - Refusing to make modifications to vendor-supplied software packages
  • Strict change management processes, even throughout development, to avoid undesirable changes
  • Specific testing requirements for operating system updates, which need the testing of mission-critical applications on a new platform - Mandatory software and operating system installation processes, as well as who may do what
  • Integrating development, testing, and functional areas, as well as having access control over the source code, prevents even "minor" modifications from circumventing testing or the change process.


The most important, undeniable benefits resulting from the implementation of ISO standards are data security, greater reliability for clients, clear procedures and security of software development lifecycle.

At SoftKraft we constantly work on making our full-cycle software product development ISO compliant. With an ISO system in place, we benefit from regularly identifying and managing current and future risks, thereby minimizing the impact of potential incidents.