IT Asset Management Standards (ISO/IEC 19770) Business Case & Overview

Posted on Apr 24, 2019 in Uncategorized

23 April, 2019

JTC 1/SC 7 Chair, Dr Sundeep Oberoi, and SC 7/WG 21 Convenor, Ron Brill

IT Asset Management (ITAM) encompasses the systems, processes and technology used to detect, track, manage and optimize IT assets throughout all stages of their lifecycle. IT Assets are defined as any IT-related hardware, software, subscriptions or services which the organization owns, is paying for, or is otherwise utilizing directly or indirectly. This definition of an IT Asset is broad, and includes not only servers, desktops and mobile devices, but also IoT, network and storage devices, and cloud services such as Software as a Service, Infrastructure as a Service, and Platform as a Service (SaaS/IaaS/PaaS), amongst many others.

Effective ITAM is important for organizations of all types and sizes, for three main reasons:

1. ITAM is an enabling competency for IT. Many key IT functions are dependent on complete and accurate ITAM information. Examples include the following (partial list):

  • Information Security: you cannot secure what you don’t know. The first task within Information Security is to understand what devices are connecting to your network, how they are configured (down to the patch level), whether the hardware and software are genuine and authorized, etc. This is all ITAM information. The dependency between Information Security and ITAM is so material that Gartner had predicted that “By 2022, 50% of ITAM initiatives will be primarily driven by information security needs and concerns”
  • Configuration Management and Change Management: without knowing what IT assets exist and how they are configured (all ITAM information), the organization cannot determine whether that configuration is correct, and that no unauthorized changes are being made to it
  • Disaster Recovery: without knowing what IT assets exist, where they are, how they are configured, and what business functions they are supporting (all ITAM information), it would be difficult to reconstruct these assets (and therefore company operations) following a disaster
  • IT Financial Management: without knowing how much money the organization is spending on which IT assets, and without the ability to manage future requisitions for IT assets (all ITAM information), it is difficult to budget and forecast for IT with any accuracy

2. ITAM is key for IT risk mitigation. One type of risk unique to ITAM is software license compliance. The software industry is known for software license compliance audits. Without effective ITAM it is easy even for a well-intentioned organization to over-deploy software beyond the organization’s license entitlements, thus exposing the organization to legal, financial, and reputational risks. This is due to multiple factors including the following:

  • Complexity of ever-changing licensing rules
  • New technologies impacting licensing (e.g. virtualization, cloud, and edge computing)
  • The number of different software vendors under management (which may exceed 1,000 for a large organization)
  • Mergers & acquisitions on both the organization’s side and the software publisher’s side
  • Inherent limitations of tools available to assist in the process
  • Inability to control rogue end-user actions, to name just a few challenges

3. ITAM is key for IT cost savings: lack of complete and accurate ITAM information may lead organizations to spend a lot more on IT Assets than they need to, particularly on software which is taking an ever-increasing share of IT budgets. Examples include the following:

  • Shelf-ware: this situation occurs where the organization is paying for software (or maintenance renewal) that is not in use and isn’t needed. SaaS is actually prone to shelf-ware more than traditional on-prem software. Effective ITAM prevents shelf-ware from occurring
  • Re-harvesting: when hardware is retired, the software licenses consumed by that hardware should become available for re-deployment within the organization; however, this is only possible with effective ITAM in place
  • Architecture optimization: without effective ITAM, organizations may configure their environments in an unoptimized way from a licensing standpoint, resulting in more licenses being needed without any functional or operational benefits to the organization
  • Negotiation from a position of knowledge: without effective ITAM, organizations lack information about their needs, and are at the mercy of software publishers when negotiating software contracts
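The license compliance exposure described under point 2 and the shelf-ware and re-harvesting savings under point 3 both come down to the same reconciliation: installs found on the network, checked against the asset register and the license entitlements. The following is an added illustration, not code from the article or from any ISO/IEC 19770 document; the register, discovery output and entitlement counts are constructed, and the product and device names are placeholders.

```python
"""Reconcile a constructed ITAM asset register against discovered installs and
license entitlements. Added example for this overview; all data is constructed
and every device, product and function name is an assumption."""
from collections import Counter

# Constructed asset register: device -> lifecycle status. Retired hardware is
# where re-harvestable licences hide.
ASSET_REGISTER = {
    "srv-01": "active", "srv-02": "active", "ws-101": "active",
    "ws-102": "active", "ws-103": "retired",
}

# Constructed discovery output: (device, product) pairs seen on the network.
DISCOVERED = [
    ("srv-01", "DBSuite"), ("srv-02", "DBSuite"), ("ws-101", "OfficePro"),
    ("ws-102", "OfficePro"), ("ws-103", "OfficePro"), ("ws-102", "DBSuite"),
    ("unknown-7", "OfficePro"),           # device absent from the register
]

# Constructed entitlements: product -> licences owned.
ENTITLEMENTS = {"DBSuite": 2, "OfficePro": 4, "DrawTool": 3}


def reconcile(register, discovered, entitlements):
    """Return unknown devices, per-product licence position, re-harvestable installs."""
    # "You cannot secure what you don't know": devices seen but never registered.
    unknown = sorted({dev for dev, _ in discovered if dev not in register})
    # An audit counts every install that is not on retired hardware, including
    # installs on unregistered devices, so consumption must count them too.
    consumed = Counter(prod for dev, prod in discovered
                       if register.get(dev) != "retired")
    # Installs still tied to retired hardware are licences to re-harvest.
    reharvest = Counter(prod for dev, prod in discovered
                        if register.get(dev) == "retired")
    position = {}
    for prod in set(entitlements) | set(consumed):
        owned, used = entitlements.get(prod, 0), consumed.get(prod, 0)
        if used > owned:
            state = "over-deployed"      # compliance / audit exposure
        elif used == 0 and owned > 0:
            state = "shelf-ware"         # paid for, not in use
        else:
            state = "compliant"
        position[prod] = {"owned": owned, "used": used, "state": state}
    return {"unknown_devices": unknown, "position": position,
            "reharvestable": dict(reharvest)}


if __name__ == "__main__":
    import json
    print(json.dumps(reconcile(ASSET_REGISTER, DISCOVERED, ENTITLEMENTS), indent=2))
```

With the constructed data the report flags DBSuite as over-deployed (3 installs against 2 licences), DrawTool as shelf-ware, one OfficePro licence recoverable from the retired workstation, and one device the register has never heard of.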

IT Asset Management is addressed in the ISO/IEC 19770 series of standards (under JTC 1/SC 7/WG 21). There are three types of standards within that series:

  1. ITAM System – currently, this group includes one standard:
  • ISO/IEC 19770-1 – currently in its third (2017) edition, ISO/IEC 19770-1 is the primary ITAM standard. It is a Management Systems Standard (MSS) which was designed to be implemented jointly with other relevant MSSs, specifically ISO/IEC 27001 for information security. ISO/IEC 19770-1 addresses the overall management system that needs to be in place for effective ITAM. The standard also discusses 15 process areas that are expected to be managed in any ITAM system, and presents an optional tiered approach for their implementation:
    • Tier 1: Trustworthy Data
    • Tier 2: Life Cycle Integration
    • Tier 3: Optimization

2. ITAM Information Structure – this group of standards provides technical specifications for facilitating the exchange of information between software publishers, ITAM tool vendors, and end-user organizations. It does this by providing data structures/schemas for capturing, storing, detecting, and exchanging ITAM information. These standards currently include the following:

3. Overview & Vocabulary – currently this group includes one standard:

  • ISO/IEC 19770-5 Overview and Vocabulary – currently in its second (2015) edition. This is the only freely available ITAM standard

In summary, IT Asset Management (ITAM) is a key enabling IT competency for supporting other IT functions, mitigating risks, and saving costs. The ISO/IEC 19770 series of standards addresses ITAM from the perspective of both a management system (ISO/IEC 19770-1) and data structures for the exchange of ITAM information.
