In February 2023, Brand Compliance, in collaboration with ITAM Forum, was able to issue the first 2 certificates in the world for ISO 19770-1 (ITAM). This is a management system standard that focuses on controlling IT assets. The standard offers an overview of the different categories of IT assets and views these categories in a process-based way.
Our ITAM auditor
We interviewed our ITAM auditor, the one who has been responsible for these first audit processes. It is an auditor who originally operates within the field of Information Security, i.e. who performs ISMS audits. In this interview you can read about his experiences with auditing ISO 19770-1. He explains what challenges he has encountered, talks about his expectations for the future and for which type of organizations an ITAM certification can be relevant.
What do you like most about auditing the (new) ISO 19770-1?
It is special to be involved in a new certification process in an industry that has not yet been certified. The field of IT asset management offers completely new perspectives. Where there is usually a focus on information security and quality, here the focus is on financial objectives and a completely different group of stakeholders is involved. In addition, it opens doors to experts and organizations that are passionate about their profession and with this certification we can give them recognition for their work.
Have you encountered any challenges during the audit process?
The biggest challenge was that asset management now needs to be assessed on a much larger scale. There are many processes that were previously indirectly involved in information security and quality, but now have to be verified with much more depth. In addition, the concept of the management system is not as ingrained in this field, which puts the application of verifiable samples and audit expectations to the test.
Which competences does an ITAM auditor need?
Since ISO 19770-1 has been converted into a management system certification, knowledge of management systems is an absolute must. In addition, it is important to have experience and insight in large organizations with many different departments, processes and interests. Connections must be made during the preparation of the audit in order to be able to speak to the right people during the audit. I am becoming more and more familiar with the ITAM processes themselves. This can be learned with the support of experts from the field, with whom a competent audit team can be formed.
Based on your recent experience, is IT asset management relevant for any type of organization?
IT asset management is absolutely relevant for all organizations, large and small. However, the certification will only become relevant when the impact of these resources increases. Efficiency of processes and financial objectives form the basis of the IT asset management system, and where this may integrate well with other management systems, not all organizations have the same diversity or volumes to focus on.
Is ISO 19770-1 certification the future and why?
Typically, certifications are requested by the market to give confidence to customers and other external stakeholders. This certification focuses more on internal stakeholders and suppliers. Where large organizations may be subject to vendor audits, an ISO 19770-1 certification should give confidence that these audits will have no, or no major, negative consequences. For now, this will mainly serve as reassurance for management, but also for financiers, that the available resources in the organization are used wisely and efficiently. Ultimately, the hope is that suppliers will become sensitive to ISO 19770-1 certification, with the aim that audits will become less frequent and less impactful for certified organizations.