ISO IEC 12207 2008 Systems and Software Life Cycle Processes Overview

In our previous blogs we have been discussing about the available frameworks and standards set by different organization for software Development processes. Another industry standard related with Secure SDLC process and practices is from ISO (International Organization for Standardization).

Summarizing OpenSAMM Requirements 
BSIMM7 Software Security Framework A Quick Walk through 
NIST SP 800 64 Secure SDLC Consideration High Level Summary

The International Organization for Standardization (ISO) along with IEC (The International Electro Technical Commission) provides an international standard for software Lifecycle Processes as ISO/IEC 12007. This International Standard sets a common framework comprises of Process activities and tasks to be utilized by all software practitioners to develop and manage software products or services during the different phase of development lifecycle.

ISO 12007 provides the Lifecycle Process Reference Model, which can act as the adoptable reference model by an organization based on Business needs and Application domain. This assist process assessors to determine capability of the organization’s implemented process and to provide source material for further improvement in same.

This Standard Categories itself in 2 subdivision of processes

1. System Lifecycle Processes dealing with Software System

2. Software Specific Processes dealing with software product or services related processes.

Let’s walk through these processes in brief

1. System Context Processes

1.1 Agreement Processes

It describes a set of Agreement processes which happens from the start of the software till its retirement. It involves several key parties in the process like Acquisition, supply, development, operation and maintenance. Each process is defined in terms of its activities and tasks.

1.1.1 Acquisition Process 
The purpose of the Acquisition Process is to ‘obtain’ product/service requirements that satisfies need of the acquirer (Client). It begins with identifying the customers need and ends with the acceptance of the Product/Service needed by the acquirer. And continues with tasks like issuance of proposal, selecting a supplier, and defining the management for the acquisition process.

This process results in clearly defined agreement for the acquirers requirement and expectations, selection of the product/service that satisfies the acquirers need, defining the cost, schedule to meet the need, and any other requirement to be agreed between the acquirer and supplier.

This Process consists of certain activities and task that can be seen below in the chart.Acquisition_Process

1.1.2 Supply Process 
This life cycle process contains the activities and tasks to provide the product/service to the acquirer that has been agreed upon in the requirements. This process is initiated by entering into the contract with the acquirer with the agreed requirements to provide a software service. The process then continues with the identification of the procedure and resources to manage the services. Then the product is installed depending upon the agreed requirements.

This Process consists of certain activities and task that can be seen below in the chart.

1.2 Organizational Project-Enabling Processes

Organizational Project-Enabling Processes consists of different processes to initiate the system procedure.

1.2.1 Life Cycle Model Management Process 
This process defines the policies, procedures, Lifecycle model and processes that can be adapted and applied using effective measures and tools, with respect to the scope of this international standard.

The successful implementation of this model ensures a well-defined policies and procedure, and accountability for lifecycle management. This process includes activities like:

a.Process Establishment, where suite of organizational processes for all software life cycle processes and models according to business activities are established, documented and published
b. Process Assessment, where procedure to assess/review records and activities are developed, documented and applied
c. Process Improvement, ensures required activities related with suggested improvements are collected, evaluated and analyzed for further process changes

1.2.2 Infrastructure Management Process 
This process defines the activities, tools and facilities needed to acquire, establish and maintain an enabling infrastructure services to the project throughout the lifecycle.

1.2.3 Project Portfolio Management Process: 
This purpose of this process is to initiate and sustain the necessary projects to meet the organization’s objective. Under this process, investment authorities, resources and budget are selected, and continued monitoring is done to confirm they justify continue investment or not.

1.2.4 Human Resource Management Process: 
This process helps in identifying the skilled resources to perform the activities of the life cycle to meet the organization’s, project and customer’s objective. It also defined the ways to develop, maintain and enhance their skills and competencies.

1.2.5 Quality Management Process 
This process defines the framework for objectively assuring the compliance and quality objectives of product/services with their requirements and to monitor the customer satisfaction with those quality objectives. Corrective Actions are taken if these are not met.

1.3 Project Processes

The Standards is written for general, large or complex projects. The standard is valid to be applied in projects of any size. It consists of several processes to be applied.

1.3.1 Project Planning Process 
Primary purpose of Project Planning process is to produce and communicate effective and workable project plans, determining scope of project Management and Technical activities

1.3.2 Project Assessment and Control Process 
This process helps in assessing the project work as per the plan and scheduling. It also determines that the project is working under estimated budget and satisfies the project objectives.

1.3.3 Decision Management Process
This process determines the most valuable and accurate action for the project and their alternatives by taking desirable decisions for the project.

1.3.4 Risk Management Process
The scope of this process is to define strategies to identify, monitor and mitigate the risks that occurs during the life cycle process. Some of the important activities includes

a. Risk Management Planning, which provides policies and guidelines under which Risk Management needs to be performed. It also defines roles and responsibilities of involved parties along with evaluation metrics
b. Risk Profile Management, provides context of Risk Management Process including threshold conditions under which Risk may be accepted
c. Risk Analysis, describes Categories, probability of occurrence and consequences of each risk identified.
d. Risk Treatment, contains recommended measures, actions and alternatives to different stakeholders.
e. Risk Monitoring activity provides measures to evaluate effectiveness of Risk treatment along with process to monitor for new risk and sources throughout its lifecycle.
f. Risk Management Process Evaluation, contains activities related with Information collection for purpose of process improvement and generating Case Studies accordingly. It also defines periodic review outcome for identifying systematic project and organizational risks.

1.3.5 Configuration Management Process
This process is employed to identify, define, and baseline software items in a system, to control changes and releases of the items, to record and report the status of the items and modification requests; handling and delivery of the items.

1.3.6 Information Management Process 
The scope of this process is to manage and provide the valid, complete and confidential information to relevant parties. It also make sure that the information is transformed and disposed-off when needed.

1.3.7 Measurement Process
The purpose of this process is to identify the information needs of the project, to identify appropriate set of measures, to collect and analyses the data, and to demonstrate the quality of the product.

1.4 Technical Processes

This consists of different technical procedure that defines the technical aspect of the project.

1.4.1 Stakeholder Requirements Definition Process 
The scope of this purpose is to identify the stakeholders and their needs and requirements and validate the operational serves to confirm that it meets those needs. Project should implement following activities and task according to Business requirements:

a. Stakeholder Identification, process is about identifying stakeholders who are interested in the system throughout its life cycle
b. Requirements identification, providing details of stakeholder requirements, also including constrain/unavoidable conditions and consequences of existing agreements and (management & technical) decisions. 
c. Requirements Evaluation, to analyze complete set of elicited requirements
d. Requirements Agreement, to provide detailed requirement and expectation set
e. Requirement Recording, in form of suitable requirements management through lifecycle and beyond to provide traceability to source of stakeholders need.

1.4.2 System Requirements Analysis Process 
This process transforms the stakeholder’s requirement into technical requirements that will be used to design the system. The selected techniques are performed to finalize the solution, cost and schedule is also determined and selected requirements are communicated to respective parties.

1.4.3 System Architectural Design Process
The purpose is to identify the system elements that meets the defined requirements. It includes establishing top-level architecture of the system with allocated all system requirements, followed by a systematic evaluation process for proper traceability, consistency, appropriateness of standards and feasibility of operation and maintenance.

1.4.4 Implementation Process
This process helps in defining the specific system element.

1.4.5 System Integration Process
This process helps in integrating the specified system elements in project to produce a complete system defined as per defined requirements and customer expectations.

1.4.6 System Qualification Testing Process
This process is about testing the system to ensure the implementation of each requirement for compliance and assure the readiness of the system for delivery.

1.4.7 Software Installation Process
This process defines the installation of the software product and assure the readiness of the product to be used in the target environment.

1.4.8 Software Acceptance Support Process
This process helps to derive the acquirer acceptance of the product by certain tests and reviews and if any problems are detected during acceptance that needs to be communicated to the respective party.

1.4.9 Software Operation Process
The purpose of this process is to test and operate the software product in its intended environment and provide consultation and assistance to the customer. 

Primary activities included in this process are:

a. Preparation for operation, where operator develop well documented plan and set operational procedures for performing activities and task of this process.
b. Operation Activation and Check-Out, this includes performing acceptable operational testing before release of product in production environment.
c. Operational use, includes activities related with setting up required environment as defined under user documentation
d. Customer support, should be established to provide assistance and consultation to users as requested.
e. Operation Problem Resolution, includes process related with forwarding identified problems to related stakeholder and setting-up Software Problem Resolution process for same.

1.4.10 Software Maintenance Process
This process helps in modifying the system product and provide cost effective support to the software product as and when required.

Primary activities to be implemented by Maintainer should include:

a. Process Implementation, for Software Maintenance with documented executable plans and procedures.
b. Problem and Modification Analysis, process to analyze problem report or modification request for its impact on organization and related systems
c. Modification Implementation, process to determine which system component needs modification. Further Technical processes to be considered for modification implementation.
d. Maintenance Review/Acceptance, includes reviews and required approval for satisfactory completion of modification request
e. Migration, process and activities to be considered if environmental changes are considered. Plan needs to be developed, documented and systematically executed.

1.4.11 Software Disposal Process
This is the end of the process, describing the effective handling over of the product to the customer and disposing off or storing of any software elements in lieu of compliance, leaving the environment in an acceptable condition.

2. Software Specific Processes

2.1 Software Implementation Processes

This consists of different processes to be used on the produced software.

2.1.1 Software Implementation Processes
This process helps in producing the system element also known as “system item” to be implemented as a software product or services that satisfies the architectural design requirements.

2.1.2 Software Requirements Analysis Process
This process defines the requirements to be allocated to the system which is further tested to analyses their impact on the system.

2.1.3 Software Architectural Design Process
This process provides a design for the software that will implement the specified requirements.

2.1.4 Software Detailed Design Process
During this process a detailed design of each software component is developed which can be available for testing and coding.

2.1.5 Software Construction Process
Here all software units are verified against their requirements and constructed as per the defined design.

2.1.6 Software Integration Process
This process defines the integration of the software unit and software components to produce software items, consistent with software design demonstrating functional and non-functional software requirements on complete operational platform. 

2.1.7 Software Qualification Testing Process
This process helps in identifying that the software product meets the requirements established in sync with the compliance.

2.2 Software Support Processes

These processes lists the number of processes to support the produced software

2.2.1 Software Documentation Management Process
This demonstrate the process of identifying the documentation of the produced software, develop and maintain the recorded information produced during the process.

2.2.2 Software Configuration Management Process
This process helps in maintaining the integrity of the software items, storing, handling and delivering them to the concerned parties. Primary activities implemented by the project as a part of this process are:

a. Process implementation, includes Software Configuration management plan describing related activities, procedures and schedule along with roles and responsibilities of stakeholders performing these activities
b. Configuration Identification, scheme for proper identification of Software items requiring version control and related management activities
c. Configuration Control, provides process to identify, record and evaluate change request.
d. Configuration Status Accounting, includes management records and status reports showcasing status and history of controlled Software items.
e. Configuration evaluation, to ensure functional completeness of Software items against requirements.
f. Release Management and Delivery related activities including required documentation of same.

2.2.3 Software Quality Assurance Process
During this process quality assurance check is done on the product and assurance is provided that the product meets the pre-defined plans and requirements.

Primary activities defined as a part of process are:

a. Process Implementation, includes establishment of Quality assurance process suited to the project and in compliance with established requirements and plans
b. Product assurance, process ensuring all plans as per contract are documented and delivered. It also assures acceptable delivery of Software Product to acquirer (client).
c. Process Assurance, process to ensure all software lifecycle processes are as per contract and plans.
d. Assurance of Quality Systems, includes activities accordance to ISO 9001 clauses.

2.2.4 Software Verification Process
The purpose of this process is to verify the software work products or services and identify any defects. This explains the product meet the requirement and then it is made available to the customer. Primary activities includes Verification of all Requirements, Design, Code, integration needs and Documentation. 

2.2.5 Software Validation Process
Under this process all work products are validated for the specific intended use according to the requirements.

2.2.6 Software Review Process
The scope of this process is to review the management and technical progress against the objective throughout the life of the product. Problems during review are identified and recorded as well. Primary activities of this process includes

a. Process Implementation, process and setting resource requirements for periodic reviews. It also includes process to document and distribute result to required stakeholders.
b. Project management reviews, to evaluate project status as per applicable project plans, schedules, standards and guidelines.
c. Technical Reviews, to ensure product or service under consideration are complete, comply with Standards and specifications, Properly implemented suggested changes (as per Change Management plan) and  adhere with applicable schedules.

2.2.7 Software Audit Process
The product then goes through the audit process to determine that the software work products meets the compliance, plans and agreement.

2.2.8 Software Problem Resolution Process
This process demonstrate that all the problems are identified, analyzed and resolutions are implemented.

2.3 Software Reuse Processes

These consists of three processes

2.3.1 Domain Engineering Process
This process helps to develop and maintain domain model, domain architecture, build relationship with other domains, and assets belonging to domain are identified.

Primary activities includes

a. Process Implementation, involving creation and execution of Domain engineering Plan. 
b. Domain Analysis, includes activities like defining Domain Boundaries, building Domain Models, constructing Definitions and Terminologies and conducting Reviews. Domain Models and analysis reports should be submitted to Asset Manager.
c. Domain Design, includes creation and documentation of Domain Architecture along with selected Asset evaluation.
d. Asset Provision, should include activities like documentation and Classification of Assets. Asset Evaluation as per Organization’s acceptance and certification procedures.
e. Asset Maintenance, includes analysis of Asset modification request and choosing implementation options according to impact, Business requirements and Organization Policies.

2.3.2 Reuse Asset Management Process
The purpose of the Reuse Asset Management Process is to manage the life of reusable assets from conception to retirement. Primary activities includes

a. Process Implementation, like Asset Management Plan to define resources and required procedures for managing assets.
b. Asset Storage and Retrieval Definition
c. Asset Management and Control, related task based on asset acceptance and certification criteria. If asset is accepted, it can be made available for reuse through Asset storage and Retrieval mechanism.

2.3.3 Reuse Program Management Process
This process defined the reuse strategy for potential reuse opportunities, and manage and control organization’s reuse program.

Primary activities in this process includes:

a. Initiation, includes task like implementation of Reuse Program as per organization’s reuse strategy and scope.
b. Domain identification, includes identification and documentation of domains which require and investigate reuse opportunities. Further these identified domains are evaluated, reviewed and scoped for future usage.
c. Reuse Assessment, process to assess organization’s reuse capability, domain reuse potential, recommendations and improvement plans
d. Planning, involves activities related with proper creation, documentation and maintenance of Reuse program implementation Plan. This plan should be reviewed and evaluated for required implementation feasibility as per organization’s reuse strategy
e. Execution and Control, includes activities required for reuse program implementation, progress monitoring and re-structuring requirements
f. Review and Evaluation, process for periodic assessment to get reuse program align with organization’s strategy. It also involves, required changes to reuse program and improvement in same accordingly. 

The ISO/IEC 12207 is the first International Standard that provides a complete set of processes for acquiring and supplying software products and services. These processes helps in improvement of software throughout its lifecycle by evolving modern software methods, tools and techniques and engineering environment. This International standard will help organizations to indulge themselves in acquiring the proper development process and develop a product which will be accepted internationally.

At US Cybersecurity, We work closely with organizations to improve their Software Development Lifecycle processes and assist them in adopting and implementing role of Security in these processes. 

Herman McCargo

Herman is a Microsoft Certified Security Engineer and Cybersecurity Specialist. He’s been in the technology field for over 20 years and has expertise working with the most critical technology infrastructures. He has a deep understanding of cyber risks, threat mitigation and prevention, and overseeing infrastructure.