From Martin Thompson, founder of the ITAM Forum
We recently recorded a podcast episode with Brian Adler from Flexera, discussing the 2022 State of ITAM Report published late last year. I found one area of the report particularly relevant to the ITAM Forum – the amount of time SAM teams spend responding to audits.
As you would expect, audits come in different flavours:
- internal audits assessing risk
- publisher audits assessing consumption against terms and conditions in the software contract
- regulatory audits ensuring assets are managed throughout their lifecycle according to standards set by the industry regulator. For example, for healthcare, ensuring assets are managed properly to protect sensitive medical data.
Certification – Reducing audit workloads
This is particularly relevant to the ITAM Forum. One of the key deliverables for ISO/IEC 19770-1 certification is reducing the overall workload associated with audits. Certification won’t reduce the number or burden of audits, but it should reduce the amount of resources required to respond to them. This will free up ITAM teams to work on more strategic activities that deliver business value.
- A regulator will appreciate the quality of an organization that has secured and maintained ISO/IEC 19770-1 certification. It will therefore be able to check off a lot of requirements. Similarly, an organization looking to achieve ISO/IEC 27001 certification will be able to check off a lot of the ITAM requirements by achieving ISO/IEC 19770-1.
- A publisher presented with consumption data from an organization that is ISO/IEC 19770-1 certified will be more assured that the data is credible. The auditor will know the organization seriously manages assets and has a credible management system in place for managing risks.
I’m not suggesting that ISO/IEC 19770-1 certification will be a ‘shield of steel’ against all forms of audits. It will, however, demonstrate the credibility and quality of an ITAM team’s work. It’s also a major foundational step in checking off a lot of requirements.
At the time of writing, several organizations are going through the audit process – for the first time – against ISO/IEC 19770-1. We hope to soon announce the first certifications.
Once the certification is in market, the ITAM Forum must then build the reputation of the standard amongst auditors and regulators. It needs to be understood, appreciated and valued by those conducting audits.
We clearly have a lot of work ahead of us. We’re proud of the continued evolution of ITAM and the increasing momentum for certification.
It will be interesting to track and monitor the ‘responding to audits’ stat within Flexera’s annual report. Hopefully, the percentages will decrease, with help from the certification scheme.
To learn more about the upcoming ISO/IEC 19770-1 certification scheme, please visit our dedicated webpages.