CSA Preface

Standards development within the Information Technology sector is harmonized with international standards development. Through the CSA Technical Committee on Information Technology (TCIT), Canadians serve as the SCC Mirror Committee (SMC) on ISO/IEC Joint Technical Committee 1 on Information Technology (ISO/IEC JTC1) for the Standards Council of Canada (SCC), the ISO member body for Canada and sponsor of the Canadian National Committee of the IEC. Also, as a member of the International Telecommunication Union (ITU), Canada participates in the International Telegraph and Telephone Consultative Committee (ITU-T).

For brevity, this Standard will be referred to as "CAN/CSA-ISO/IEC 16350" throughout.

At the time of publication, ISO/IEC 16350:2015 is available from ISO and IEC in English only. CSA Group will publish the French version when it becomes available from ISO and IEC.

Scope

1.1 General

This International Standard establishes a common framework for application management processes with well-defined terminology that can be referenced by the software industry. It contains processes, activities, and tasks that apply during the stage of operation and use from the point of view of the supplier organization that enhances, maintains, and renews the application software and the software-related products such as data-structures, architecture, designs, and other documentation.

This International Standard applies to the supply, maintenance, and renewal of applications, whether performed internally or externally with respect to the organization that uses the applications.

Application management comprises all of the tasks, responsibilities, and activities with the aim that the support of business processes by applications continues to meet the requirements and needs of the organizations that use these applications throughout the entire life span of their business processes.

This International Standard therefore focuses on the following:

- day-to-day management of applications (the software) and the related data structures and support of costumer organizations, including handling calls such as incidents and service requests;

- maintenance and renewal of applications and data structures in accordance with changing requirements and needs;

- opportunities, threats, and changes in the business and/or technology that influence the future of the applications and, based on that, the strategy for maintaining and renewing the applications;

- organization and strategy of application management organizations.

Before retirement, the life cycle of an application consists of two important stages: the stage of initial development of the application and the stage of operation and use (when the software is in use, in operation, supported, modified, and renewed). This stage of operation and use is the subject of this International Standard. The initial development of an application is not within the scope of this International Standard, however the project that is responsible for the initial development has to take the requirements of the application management organization that will enhance and maintain the application into consideration. This means that the application management organization will ask the project to deliver initial requirements, architecture products, design, standards, and other documentation, in order to use these products during enhancement and maintenance.

In the stage of operation and use, the following three domains play a role:

a) business information management representing the business and end users of the application (use);

b) IT infrastructure management hosting the application (operation) and maintaining the technical infrastructure;

c) application management

1) supporting the use and the operation;

2) maintaining and renewing the application software and data structures.

Business information management constitutes the demand side of information technology (IT) and information provisioning. Business information management is responsible for supporting users in the use of the information provisioning and represents the business organization as the client of the IT-suppliers. Business information management acts as the customer of the IT organizations (application management plus IT infrastructure management).

Specific tasks of business information management include the following:

- support of end users in how the information provisioning are to be used;

- define how information and IT are to look like (the functionality, the appearance, etc);

- advise and support business management with the prioritization of requirements and management of their budgets for IT;

- assign work to IT providers and monitor their delivered services;

- define long term policy and plans regarding the information provisioning.

IT infrastructure management is responsible for managing the operation of the information system, including maintaining the infrastructure (e.g. network, hardware), running the software, and data processing. In brief, this is the organization that runs the information systems and aims to keep the infrastructure in good order.

The activities of business information management and IT infrastructure management are closely related to application management but not within the scope of this International Standard.

Application management is responsible for the management and maintenance of the application and definition of the data structures used in databases and data files. This form of management requires knowledge of software programming, information system development, design, day-to-day management of applications, and application maintenance. Core qualities of the application management personnel are in-depth knowledge of the customer or (at least) in-depth knowledge of the customer's business processes and in-depth knowledge of the existing applications (application objects), design, architecture, etc.

This International Standard consists of the following three levels of processes:

- operational;

- managerial;

- strategic.

These process levels and the processes are interconnected with one another.

There are no separate processes defined for security, issues, risks, and/or vulnerability. These topics form an important part of the Continuity Management Process, but they are also part of other processes. Security, for instance, is an important part of the functionality of the application, so it is addressed in the Impact Analysis process and dealt with within the specifications of the application and defined in the Software Design Process and also within the service levels and, therefore, specified in the Agreement Management and Supplier Management Processes. Other processes which deal with these topics are the management processes planning and control, quality management and financial management, and, for instance, the strategic process technology definition, where risk and vulnerability are important features.

1.2 Applicability

1.2.1 Audience

This International Standard is intended to be used by application management organizations. The application management service providers that enhance, maintain, and/or renew applications or application objects and that support infrastructure management organizations and user organization in the stage operation and use.

Other users of this International Standard can be application software developers, quality assurance managers (or consultants), and customers of application management organizations.

The purpose of this International Standard is to provide a defined set of processes to facilitate communication among all parties involved in application management.

Different parties can carry out different activities in the field of application management. For example, some parties are responsible for maintenance of the application after the development stage while others also support the user organization and the IT infrastructure management organization. Some parties just change the software items while others are responsible for the entire chain of impact analysis, design, build, test, and release of changes. These different parties can be all in one organization or in different internal and external organizations.

The following are examples of different types of application management organizations shown in Figure 4:

- organization that produces and maintains a specific component;

- organization that supplies and maintains standard products or standard components;

- organization that delivers custom services to an individual customer, either with or without integration with other systems or the infrastructure;

- organization that manages and maintains a custom application;

- organization that implements software.

The following are other examples of application management organizations:

- integrator that merges or combines services;

- producer of configurable software platforms;

- organization that configures and maintains such platforms for customers.

These types of application management organizations have a strong impact on the way in which the processes are implemented and operated. The processes shown in Figure 3 therefore vary in importance and characteristics.

1.2.2 Field of application

This International Standard is applicable to all the following organizations using the processes that play a role in application management within the scope mentioned in 1.1:

- anyone performing application management activities;

- those responsible for establishing and continuously improving application management processes;

- those responsible for executing application management processes at a project level;

- customers and suppliers involved in subcontracting application management activities;

- those responsible for assessing application management processes.

Annex C provides information regarding the use of the application management processes as a process reference model. It defines the basic activities needed to perform tailoring of this International Standard. It has to be noted that tailoring might diminish the perceived value of a claim of conformance to this International Standard. An organization asserting a single-party claim of conformance to this International Standard might find it advantageous to claim full conformance to a smaller list of processes rather than tailored conformance to a larger list of processes.

1.3 Limitations

The initial development of an application is not within the scope of this International Standard.

The activities of business information management and IT infrastructure management are not within the scope of this International Standard.

This International Standard does not detail the application management processes in terms of methods or working procedures required to meet the requirements and outcomes of a process.

This International Standard does not detail documentation to be used or produced within the activities described in the processes in Clause 5 in terms of name, format, explicit content, and recording media. The International Standard might require development of documents of similar class or type. The International Standard, however, does not imply that such documents have to be developed or packaged separately or combined in some fashion. These decisions are left to the user of this International Standard.

This International Standard does not prescribe a specific application management methodology, design methodology, development methodology, test methodology, project management method, or other methods, models, or techniques. The users of this International Standard are responsible for selecting these methods and mapping the processes, activities, and tasks in this International Standard onto those methods. The users of this International Standard are also responsible for selecting and applying the methods and for performing the activities and tasks suitable for application management.

This International Standard is not intended to be in conflict with any organization's policies, procedures, and standards or with any national laws and regulations. Any such conflict has to be resolved before using this International Standard.