ISO/IEC 27033-1 Updated – Network Security

ISO/IEC 27033-1, “Information technology – Security techniques – Network security – Part 1: Overview and concepts,” has just been updated. The new 2nd Edition replaces the 1st Edition from 2009, which is now obsolete. The 2015 update reflects the changes in network security issues since the original release date as well as changes in the structure of the ISO/IEC 27033 series itself.

Implementing and maintaining adequate network security is essential in today’s world. Numerous news reports of security failures have impacted the very nature of how we view the wired world today. And the scope of information “violations” has caused many people to rethink how they will make use of online products and services.

First of all, the ISO/IEC 27033 is not intended to be a requirements set of standards.  There are too many regional, regulatory, and legal requirements that differ from jurisdiction to jurisdiction for that.  However, the series is intended to provide detailed implementation guidance on network security.  This supplements the basic standardization that is found in ISO/IEC 27002, “Information technology – Security techniques – Code of practice for information security controls.”

ISO/IEC 27033-1 is the overview document for this series. It contains the definitions and conceptual details that you’ll need for your implementation of network security in your organization and products. It also provides management guidance for oversight of this aspect of IT activities. In this regard, it is not only for technical staff but also for managers and administrators tasked with security program responsibilities.

In ISO/IEC 27033-1 you’ll learn to identify and analyze network security risks, including how to make requirements statements based on that analysis. You’ll learn about the controls available to support network security architectures, both technical and non-technical. The standard reviews the quality aspects involved in the process, including various scenarios and implementation issues. And it discusses issues associated with operating and monitoring networks for continuous security vigilance.

The standard is 58 pages in length which is a reduction in page length from the previous edition’s 82 pages.  Most of this is due to smaller fonts and tightened page layouts.  However, the Annex C that is present in the previous 1st Edition has been removed from the new 2nd Edition.  Otherwise, all clauses remain the same.  Additionally, the bibliography has been reduced from 33 references down to 27.

One other item to note is that when the 1st Edition was released, the balance of the series was still in draft form or set up as work items.  So the actual series differs from the original concept.  At this time, five parts have been published and a sixth is in development.  There are no plans for a seventh part as originally envisioned.  Here is a list of the other 4 published parts along with the additional draft information:

  • ISO/IEC 27033-2, Information technology – Security techniques – Network security – Part 2: Guidelines for the design and implementation of network security
  • ISO/IEC 27033-3, Information technology — Security techniques — Network security — Part 3: Reference networking scenarios — Threats, design techniques and control issues
  • ISO/IEC 27033-4, Information technology – Security techniques – Network security – Part 4: Securing communications between networks using security gateways
  • ISO/IEC 27033-5, Information technology – Security techniques – Network security – Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
  • ISO/IEC 27033-6 (not publicly available as yet), Information technology — Security techniques — Network security — Part 6: Securing wireless IP network access

Now you’ll need to get copies. Be sure to use an authorized distributor, as the ISO, IEC and ISO/IEC standards are all covered by the laws of copyright. You can purchase your copies with confidence at the Document Center webstore. They are available in both paper format and for pdf download. Here’s a link directly to the order page for ISO/IEC 27033-1.

Interested in multi-user access for your company? Contact our staff for more information on our Standards Online subscription service. They can be reached by phone (650-591-7600), fax (650-591-7617) or email. We’re here to help you so make us your Standards Experts!

Document Center has signed a distribution agreement with ASA

We are pleased to announce that Document Center has signed a distribution agreement with ASA, the Acoustical Society of America.  The new contract expands Document Center Inc. offerings to include all ASA standards in both paper format and for pdf download.  Additionally, the ASA standards collection is available for multi-user access via Document Center’s Standards Online subscription service.   You can find a complete listing of the ANSI/ASA standards here.

About ASA:

ASA is the ANSI Standards Developer for the S1, S2, S3 and S12 series of standards on acoustics, bioacoustics, noise and mechanical vibration and shock.  Additionally ASA operates as the U.S. TAG (Technical Advisory Group) for two ISO Technical Committees (TCs) and one IEC TC.  And in addition to standards, ASA publishes a journal (JASA, the Journal of the Acoustical Society of America) and other technical publications.

ASA was formed back in 1929 in New York, NY.  Currently it has about 7500 members from around the world.  They specialize in various fields related to sound including physics, electrical, mechanical, and aeronautical engineering, oceanography, biology, physiology, psychology, architecture, speech, noise and noise control, and music.  So standards development can be on topics that include terminology, measurement procedures, and criteria for determining the effects of noise and vibration.

The ASA standards collection is extensive.  If your organization is impacted by any of the following areas, you’ll be interested in this standards set:

  • architectural acoustics;
  • psychological and physiological acoustics;
  • applied acoustics;
  • instruments and apparatus;
  • music and musical instruments;
  • noise;
  • speech communication;
  • ultrasonics, radiation, and scattering;
  • mechanical vibrations and shock;
  • underwater sound;
  • aeroacoustics;
  • macrosonics;
  • acoustical signal processing;
  • bioacoustics

About Document Center Inc.

Document Center Inc. is a pioneer in the distribution of standards on the web, starting its webstore in 1993.  It was founded in 1982 and has been operated by Claudia Bach since 1985.  Based in Silicon Valley, the business has become a world-wide resource for standards and standards information.   It offers not only the delivery of standards, but a wide range of services geared to help you with your compliance requirements.  These services range from our superior notification service and standing orders all the way to our enterprise Standards Online subscription solution.

Document Center focuses on you, the customer. You’ll get personal expert service when working with our staff, who can help you with any number of questions you may have. You’ll keep up with the latest standards information on our two blogs. And of course, all standards purchases come with free timely notification service.

You can access our standards collection online. Or contact our staff by phone (650-591-7600), fax (650-591-7617) or email. Make us your Standards Experts and your source for ASA Standards!

New ISO 24518 – Crisis Management for Water Utilities

ISO 24518, “Activities relating to drinking water and wastewater services – Crisis management of water utilities,” has just been released. This is a companion document to the other ISO standards for water utilities, ISO 24510, ISO 24511, and ISO 24512. It addresses both preparations and actions needed for adequate responses to both natural disasters and other catastrophes that could disrupt both drinking water and wastewater services.

ISO 24518 first of all describes the fundamentals of crisis management.  Often called the PDCA (Plan-Do-Check-Act) process, it is a management system that is used in any number of scenarios.  In fact, the terms and definitions section (clause 2) is organized into 4 parts: one for “plan,” one for “do,” one for “check,” and one for “act.”  This approach allows any organization to continuously confirm that it is able to respond successfully to any potential crisis.

Of course, if you’re in the water utilities industry, you’ll be glad to know that this PDCA system is tailored to the challenges you face in managing your organization.  So you’ll find references to such things as AWS (Alternative Water Supply) and AWWS (Alternative Wastewater Services) throughout the standard.

Beyond that, you’ll find sections on the context of the organization (that is, the organization and its relationship to all interested parties), leadership, planning, support, operation, performance evaluation and improvement. These concepts are all core to both management systems and risk management. However, this standard is not a requirements document. It is not intended for certification but for use by management to improve both the preparation for and the response to any given crisis.

Lastly, let’s take a look at the three relevant referenced documents and also a fourth title under development right now:

  • ISO 24510, Activities relating to drinking water and wastewater services – Guidelines for the assessment and for the improvement of the service to users
  • ISO 24511, Activities relating to drinking water and wastewater services – Guidelines for the management of wastewater utilities and for the assessment of wastewater services
  • ISO 24512, Activities relating to drinking water and wastewater services – Guidelines for the management of drinking water utilities and for the assessment of drinking water services
  • Not yet numbered, “Activities relating to drinking water and wastewater services — Crisis management of water utilities — Good practice for technical aspects”

Management of infrastructure services like power and water during crisis situations is essential to protect human health and welfare.  These ISO standards are the foundation of processes that can make a real positive impact for your customer base in times of emergency.

You’ll need to purchase your ISO standards from an authorized distributor, since they are covered by the laws of copyright. Use the Document Center Inc. webstore to get copies in either paper format or for pdf download. Here’s the direct link for the ISO 24518 order page.

You may want to add this standard to our multi-user Standards Online subscription service so more than one person in your organization can use a standard online. Get in touch with our staff for more information. They can be reached by phone (650-591-7600), fax (650-591-7617) or email. We’ve been selling standards since 1982. Make us your Standards Experts!

New FDA Refuse to Accept 510(k) Policy Guidance

The FDA has released a new Guidance Document titled “Refuse to Accept Policy for 510(k)s – Guidance for Industry and Food and Drug Administration Staff.”  This new 76-page guidance on the FDA Refuse to Accept Policy replaces the previous 2012 Edition as well as the “510(k) Refuse to Accept Procedures, 510(k) Memorandum K94-1,” from 5/1994 and the “Center for Devices and Radiological Health’s Premarket Notification (510(k)) Refuse to Accept Policy” from 6/1993.

The document provides you with guidance on the FDA Refuse to Accept Policy.  That is, it explains the criteria that the FDA uses in order to determine if a 510(k) submission for medical device approval as a  substantially equivalent device meets the minimum requirements for acceptability.  If so, then the submission can be moved into the deeper review process itself.

What could be some triggers that would result in a 510(k) submission being refused?  Well, the submission might be administratively incomplete.  In this case the FDA would reject your submission but let you know what the missing elements are.  However, it’s best to avoid this outcome in the first place, so this guidance document contains checklists in the appendices that can help you with the contents and elements you’ll need to pass this barrier.  Over 80% of the document consists of these three appendices:  Appendix A, 24 pages, for the checklist for traditional 510(k)s, Appendix B, 26 pages, for abbreviated 510(k)s, and Appendix C, 10 pages, for special 510(k)s.

What else is included in this FDA Refuse to Accept Guidance document?  It starts out with a section on the purpose of the guidance, then discusses the background of this new edition.  You’ll also get an overview of the actual 510(k) process and rationale, since there are specific requirements that substantially equivalent medical devices must meet.

The next section in the publication covers its scope. This explains the use of the Guidance and its Appendices for specific kinds of 510(k) submissions in order to ensure a consistent approach for the acceptance review process itself. Section 4 provides you with an overview of the pre-submission interaction. You might wonder about this, but the FDA encourages this type of pre-submittal contact as a way to familiarize a submitter with the process in general and to discuss any “novel” issues their submission may contain. You’ll also find links to a wide range of other resources in this section as well.

Section 5 directly addresses the issues surrounding the FDA Refuse to Accept policies and procedures themselves. Here you’ll learn what the administrative process is when the FDA first receives 510(k) submissions. This includes how much time is required for the first review and acceptance or rejection, what criteria are used at that time, and how they communicate with you regarding the results. It also provides you with possible actions you can take should your submission be rejected.

Section 6 is a review of the principles that drive the refuse to accept decision making process.  These principles are:

  • Acceptance should not be based on a substantive review of the information provided in the 510(k) notification.
  • FDA staff should determine whether the submitter provided a justification for any alternative approach.
  • Device-specific and cross-cutting guidance documents, applicable recognized standards, and applicable regulations will be considered when making an RTA determination.

Lastly, Section 7 is a list of preliminary questions that are found on the first page of each of the checklists and are used for initial screening.  Section 8 in contrast reviews the balance of the process engendered by the checklists.

Now to get a copy. FDA Guidance documents are widely available. However, you get the added bonus of our free notification service when you purchase your FDA publications from Document Center Inc. You can get the FDA Guidance Documents in either paper format or for pdf download at our website. Here’s a link directly to the order page for the FDA Refuse to Accept Policy Guidance.

Many of our Document Center Inc. customers add FDA Guidance documents to their Standards Online multi-user subscription service as well. This is a way for all your staff to be able to review your standards collection online and is very popular with our clients. For more information on this or any standards question, just contact our staff by phone (650-591-7600), fax (650-591-7617) or email. We’re your Standards Experts!

New ISO 19136-2 expands GML Geography Mark-up

ISO 19136-2, “Geographic information – Geography Markup Language (GML) – Part 2: Extended schemas and encoding rules,” has just been released.  This new standard extends the work started back in 2007 with the release of ISO 19136, “Geographic information — Geography Markup Language (GML).”  A future ISO 19136-1 will eventually replace the ISO 19136.

It’s amazing to me how many mobile applications make use of geographic data.  But of course, with those of us with inquiring minds, the question of how that data is transported is always of interest.  And since I’ve been following mark-up languages since the earliest days of SGML, I’m always struck how the original concept has been flexible enough to go through so many iterations.  Where would we be without HTML and all the rest?

So here we are with GML, an XML grammar written in an XML schema for the transport and storage of geographic information.  This new ISO 19136-2 extends the original concepts of the ISO 19136 by providing you with specific XML encodings.  It supports two different methodologies for such applications.  First you can use the schema presented in this standard.  Second, you can construct schemas according to ISO 19109 and map them to GML application schemas of ISO 19136-2.

What exactly will you find in the ISO 19136-2?  The standard defines the XML Schema syntax, mechanisms and conventions for GML.  It contains a scope clause that defines the requirements of such a schema.  Clause 2 covers conformance.  And Clause 3 is for the usual referenced standards.  Next is your section on terms, symbols, and abbreviations.  Clause 5 covers conventions such as MIME types, XML namespaces, and so on.

Clauses 6 through 12 specify conformance classes. These include additional base types, compact encodings of GML geometries, triangulated irregular networks, linear referencing, ReferenceableGrid, code lists, directories and definitions, and the encoding rule. Various types of geographical information are defined and turned into code in these clauses. Here’s where you’ll find examples of tag after tag after tag! And you’ll find tables that specify the various requirements classes as well.

The standard is completed with Annex A for linear referencing method examples. And then finally there’s a 13-item Bibliography with resources including additional ISO standards of interest, a W3C recommendation, and a W3C Team submission.

Now to get your copy of this 88-page standard. Since it’s a copyright document, you’ll want to purchase your copy of ISO 19136-2 from an authorized dealer like Document Center Inc. You can easily order either a paper format or pdf download copy of the standard at our webstore. Here’s a link directly to the order page for ISO 19136-2.

You may prefer to have multi-user access to this document. Contact the Document Center staff for more information on our Standards Online subscription service for this functionality. We can be reached by phone (650-591-7600), fax (650-591-7617) or email. We’ve been selling standards since 1982 so make us your Standards Experts!

Replacements for Elsmar Cove

It’s been a few weeks since Elsmar Cove closed and folks are starting to regroup to continue the work that Marc Timothy Smith started. Face it, pursuing quality within your organization can only benefit from open discussion with others, particularly in today’s global economic environment. So you’re probably looking for replacements for Elsmar Cove and here are my suggestions so far:

As I noted in my comments to my blog on the closing of Elsmar Cove, the first place that the moderators congregated was Ohio Bay Specialists at LinkedIn. This remains a great first go-to site to get in touch with the moderators you “knew” in the past. You have two choices to find them. You can log into your account at LinkedIn and search for Ohio Bay Specialists. Or you can go directly to their public LinkedIn Page.

Now, it’s no easy task to operate a forum.  It takes time, expertise, and a topic that folks are interested in.  And all of the “replacements for Elsmar Cove” are in the early stages which means that there is not the depth of information that the long history of Elsmar Cove had generated.  However, each of the following forums has a good number of participants already.  One or more of them should be able to provide you with access to others interested in quality and quality issues!

QualityForumOnline was an early entry into the replacements for Elsmar Cove group of forums. It uses the tag “Continuing in the Spirit of People Helping People” that resonates with Elsmar Cove users. Here you’ll find your areas of interest divided up by specific standards and specific organizational topics. So there are sections for Quality and Environment Standards, Automotive Quality Standards, Aerospace Standards, Medical Device Standards and Regulations, and so on. Since it’s been online since early July, there are about 300 participants. With the nice layout, good membership and thoughtful organization, it’s sure to be an easy forum to use.

QualityRecord started up in mid-July. It has a variety of sections of interest. You can check out the topical interest items, daily questions or a selection of quality management standards and other topics like statistics. A library of non-copyright information is provided. And there is a section for off-topic discussions as well. A section for lean manufacturing has been set up, but there is no activity there as of this review. And if you’re interested, there’s a promotion area for book reviews, consultant listings and so on. There are over 200 registered users, with about 25% of them posting so far. There are about 75 threads that have been generated in the month that the forum has been operational. It is a forum for all types of quality issues, with no specific area of specialization at this point.

Next on our list is The Quality Connection. It is more limited in scope than the previous two suggestions. You’ll find sections on 4 quality standards, general discussion, management, CMM programming and funny pictures. Participation is limited at the moment as the forum was only recently begun.

To round up our list of replacements for Elsmar Cove, there is the more focused Medical Devices Expert Forums. It stays true to its name: medical devices and their standards rule the day. There’s a section on essentials, then the site is organized by Medical Device regs, standards, health informatics, other meddev topics and miscellaneous topics. Nicely organized, you’ll find it a breeze to use. It’s another early contender, having been started at the beginning of July, and was the first of the replacement forums I was alerted to. Again, you’ll find that the moderators are from Elsmar Cove so there’s that sense of continuity you’re looking for.

Of course, there’s no true replacement for Elsmar Cove.  The history of information that it contained has now been removed and is unlikely to ever be reposted.  However, you’ll be glad to know that the folks who worked behind the scenes to make it so valuable are continuing to have an active role within the community at large through these new forums.  I hope that you’ll soon find one or more that appeal to you and make use of them on a regular basis.

Meantime, when you need standards, be sure to obey the rules of copyright and purchase your publications from an authorized distributor like Document Center Inc. You can order your paper format or pdf copies of over 500,000 different titles from our webstore. Or check in with our staff about starting a multi-user Standards Online subscription service for a complete standards solution for your business. You’ll reach them by phone (650-591-7600), fax (650-591-7617) or email. We’re your Standards Experts!

New MIL-STD-769 Revision K – Naval Vessel Insulation

MIL-STD-769 Revision K, “Insulation Requirements for U.S. Naval Vessels,” has just been released. This is the first update of the standard since 1990 and includes a title change (Revision J was titled “Thermal Insulation Requirements For Machinery And Piping.”) The new edition represents the efforts of NAVSEA’s chief engineer to create a comprehensive standard for all types of insulation materials and applications. It relies on inch-pound measurements.

One of the primary goals in issuing this new MIL-STD-769 K is to improve the use of approved materials for anti-sweat pipe insulation to bulkheads or compartments.  So there are updates to the requirements for piping, acoustic, transmission loss, fire and anti-sweat treatments.  This insulation is used in compartments, hulls, vent ducts, and overheads.  And of course, this means that the installation requirements have changed as well.

The changes to MIL-STD-769 K are extensive, so you will not find the usual lines in the margins that are sometimes used to alert you to the location of updates.

What’s included in the new MIL-STD-769? The 117-page standard starts out with the usual scope, referenced documents, and definition clauses. There is a 4-page section on General Requirements, then the Clause 5 on Detailed Requirements takes over. Requirements covered include anti-sweat and refrigerant insulation, refrigerated store spaces, surface piping and piping components insulation, thermal and acoustic insulation and so on. The document is completed by a short notes clause.

If you use the MIL-STD-769, you’ll want to get a copy of the new Revision K. One great source is Document Center Inc. You’ll get our free notification service when you purchase your standards at our webstore or by contacting our staff. Here’s a link to go directly to the order page for MIL-STD-769. You’ll find you can get your copy in either paper format or for pdf download. And for multi-user access, try our Standards Online subscription service!

To learn more, you can reach our staff by phone (650-591-7600), fax (650-591-7617) or email. We’ve been selling Mil Specs and Standards since 1982 and have an extensive catalog of industry standards from around the world available for you. Make us your Standards Experts!

New IEC PAS 62878-2-5 – Data Format for Device Embedded Substrates

IEC PAS 62878-2-5, “Device embedded substrate – Guidelines – Data format,” has just been released.  This is a publicly available specification taken directly from the JPCA (Japan Electronics Packaging and Circuits Association) standard JPCA-EB02 from 2011.  The IEC PAS 62878-2-5 is published as a dual logo standard (with both IEC and JPCA noted on the cover).  It will be valid for 3 years as it is considered a “pre-standard.”

So what exactly is IEC PAS 62878-2-5 about? It defines the data format for active and passive devices that are embedded inside an organic board. The electrical connections are made using via, electroplating, conductive paste or conductive material printing. This type of structure is described in JPCA’s EB01, “Standard of device embedded substrate.”

This type of substrate is interesting since it is connected in a 3D way. Although several suggestions have been made for methodologies for describing this 3D format, they can’t describe structures that have been defined by the JPCA EB01. Only the EB02 does this successfully, using a new format called FUJIKO V-1.0. This format allows for the design data to be used as CAM data in actual production.

So the IEC PAS 62878-2-5 describes the FUJIKO V-1.0 format and the expression of 3D data, the layer concept, the structure of the board data and definitions of repeatedly used information it provides. It is a 42-page specification with many color diagrams to help you understand the concepts it covers.

What information will you get from the IEC PAS 62878-2-5?  In the scope material, the features of this format are introduced.  Then Clause 2 discusses the file description used.  This includes 3D expression, the various layers and the data associated with them.  Clause 3 is terminology and Clause 4 is commentary, with additional information.

However, much of the material is presented as a series of figures and tables. These include such topics as the construction of mounting layers, bonding wire information, definitions of SiP, module and MEMS, and a list of data. These figures and tables are featured throughout the publication.

What does the PAS designation mean?  A PAS (Publicly Available Specification) is the IEC publication designation for a technical specification that has not gone through the requirements for a standard.  However, because of some technical or other need, the document is being made available on a limited-time basis.  The document is considered to be “in line” for completing the adoption process as a standard (pre-standard).

How can you get an authorized copy of the IEC PAS 62878-2-5? You’ll use Document Center Inc. You can easily order any IEC publication at our webstore. Here’s a link directly to the order page for IEC PAS 62878-2-5. It can be ordered online in either paper format or for pdf download.

Want your copy for use by more than one person? Contact our staff for information on including it in a Standards Online subscription service. You can reach them by phone (650-591-7600), fax (650-591-7617) or email. We’re always happy to help you with any question you may have on this type of conformance material. We’re your Standards Experts!

New ISO/TR 17522 – Mobile Device Health Apps

ISO/TR 17522, “Health informatics – Provisions for health applications on mobile/smart devices,” has just been released.  It addresses the challenges faced by those developers working on health and healthcare applications for smart phones, tablets and other mobile devices.  Industry expects such applications to vastly improve the quality of health and healthcare the world over.  This technical report covers a broad array of capabilities like health sensors, information systems, and support for call center services.

What does the ISO/TR 17522 address?  The Technical Report takes a look at the current status of these types of applications and the architectural requirements they’ll need.  Since this is a new area, the report does not provide you with concrete definitions of requirements but is more investigative in nature.

What material is in the ISO/TR 17522? It has the usual scope section. There are no referenced standards, since this is a new area of interest for the committee ISO/TC 215, which deals with health informatics. Then a lengthy definitions section follows along with a symbols and acronyms clause. The real “meat” of the standard is found in the balance of the clauses.

Clause 5 covers the concept of registry and repository issues used in these types of applications.  Clause 6 reviews applications that a health provider might rely on, like scheduling office visits, managing chronic care, etc.  Clause 7 is focused on the end user, with discussion of mobile medical applications and the differences between processing patient information and actually functioning as a medical device.  Clause 8 is an analysis of the probable required architectures for what’s called “mHealth.”  The 24-page report finishes up with a 42-item bibliography, which I’m sure all document users will find to be exceptionally helpful.

This new Technical Report is covered by the laws of copyright, so you’ll need to get your copy from an authorized standards distributor like Document Center Inc. We sell copies of standards at our webstore. To order in either paper format or for pdf download, here’s the direct link to the page to purchase ISO/TR 17522.

Would you like to get multi-user access for this publication? Ask our staff about our Standards Online subscription service. You can reach us via phone (650-591-7600), fax (650-591-7617) or email. We’ve been selling standards since 1982. Make us your Standards Experts!

New ISO/IEC 16350 – IT Application Management

ISO/IEC 16350, “Information technology — Systems and software engineering — Application management,” has just been released.  The new 1st Edition is available from Document Center Inc. in paper format, for pdf download, and as part of our Standards Online subscription service.  It provides software developers with a framework for supporting software applications throughout the entire life-cycle of the product.

Life-cycle support is a concept that has become “top of mind” in many disciplines over the last several years. It’s no different in the world of IT, where programs may be used for decades! So software developers should be aware that just because the initial release of an application has been made, there are still on-going management concerns and costs that will occur as long as the application is supported.

First, the organization must support the use and operation of the application.  Then the organization must update the application for various reasons.  These updates can be fixes, patches, and new releases with additional features.  In this standard, these activities are termed “application management.”

While I think of software development as the happy scenario of write the code, sell the product, and watch the money roll in, the standard suggests that in fact more money, time and effort is spent maintaining a software application than is spent generating it in the first place.  So having a process for identifying necessary activities and the associated work flows is essential to success.

Your ISO/IEC 16350 standard starts with the usual scope, definitions and referenced documents sections.  However, early in the publication a section on conformance is added.  These first 4 sections really pack in a lot of material on the basic concepts of actions, challenges and opportunities found in taking an active management oversight stance for the application’s lifecycle.  And although there are no referenced documents at all, the text has extensive links with both ISO/IEC 20000-1 and ISO/IEC 12207.   So you’ll be able to use this new release in support of your ISO certification requirements if you’re registered.  FYI: Annex D reviews the relationship of this standard with ISO/IEC 15504-8 as well.

The main body of the ISO/IEC 16350 covers application management processes in detail. It has sections on support, software maintenance and renewal, application change, control and distribution, management processes, strategy, and organizational concerns. Excerpts from the two ISO/IEC “referenced” documents are found in boxed format, with detailed information on where the external requirements match up with the system found in this document.

I’ve already mentioned Annex D.  Annex A is informative, covering explanatory statements.  Annex B has required information on the tailoring process.   Annex C is on the Process Reference Model used for assessment purposes.  Annex E is a table like Annex D, this time on where the references to ISO/IEC 20000-1 and ISO/IEC 12207 are made. A 15-item bibliography completes the document.

Interestingly enough, the ISO/IEC 16350 started out as a Dutch standard, NEN 3434.  Now that the ISO/IEC publication has been made, the Dutch national standard will be withdrawn.

How can you get your copy of the new ISO/IEC 16350? You’ll need to use an authorized distributor since the standard is covered by copyright. Document Center Inc. is such an organization with our standards catalog and store. Here is a link directly to the order page for ISO/IEC 16350. Want more information or help with your order? Contact our staff by phone (650-591-7600), fax (650-591-7617) or email. We’re here to help you, so make us your Standards Experts!