An Integrated Model of ISO 9001:2000 and CMMI

for ISO Registered Organizations

Chanwoo Yoo1, Junho Yoon1, Byungjeong Lee2,

Chongwon Lee1, Jinyoung Lee1, Seunghun Hyun1, and Chisu Wu1
1
School of Computer Science and Engineering, Seoul National University
{chanwoo, junoyoon, jylee, ljw, shhyun, wuchisu}@selab.snu.ac.kr
2
School of Computer Science, University of Seoul
bjlee@venus.uos.ac.kr

Abstract one mapping) especially in comparing standards. But,

ISO 9001 is a standard for quality management
systems while CMMI is a model for process
improvement. If an organization that has achieved
ISO registration wishes to improve processes
continuously, CMMI can be a strong candidate
because it provides a more detailed roadmap for
process improvement. However, with respect to
adopting CMMI in organizations that are familiar
with ISO 9001, there are some issues that need to be
resolved. For example, ISO 9001 and CMMI have
different targets, intent, and quantity of detail. In this
paper, we present an integrated model of ISO
9001:2000 and CMMI, which would resolve the above
problems. We expect that this model will be a useful
tool for ISO registered organizations aim to attain
higher CMMI levels.
Keywords : ISO 9001:2000, CMMI, Integrated Model,
Process Improvement
1. Introduction
If ISO 9001 registered organizations are not likely
to implement CMMI with ISO 9001:2000 because
such implementation would cause extra efforts brought
about by the difference between the two. Therefore it
would be a priority to identify the similarities and
differences between ISO 9001:2000 and CMMI.
Generally, a mapping table between standards to
transition one to another is used.
There is a N-N mapping (many to many mapping)
between ISO 9001:2000 and CMMI[1]. N-N mappings
are usually more reasonable than 1-1 mapping (one to
it is not practical in the field, because when CMMI is
implemented in an organization, changes in processes
of the organization must be reflected in quality manual
as it is a prerequisite in ISO 9001:2000. When
reflecting changes in quality manual, N-N mapping
may cause some confusion. It is not easy to decide
where to place these changes in quality manual by
using N-N mapping. A mapping close to 1-1 mapping
(Later, we call it “concise N-N mapping”) would, thus,
be helpful in decision making.
A simple mapping between standards is not
sufficient. This mapping can be complemented by
additional descriptions. There are some delicate
differences between ISO 9001:2000 and CMMI in
terms of context. Therefore, the mapping must be
explained by some description on the detailed
difference between ISO 9001:2000 and CMMI.
Once an organization has achieved ISO registration
by satisfying the necessary requirements of ISO
9001:2000, it is relatively simple to implement ISO
9004:2000 to achieve further improvements, because
ISO 9004:2000 has been developed as a
complementary guideline for ISO 9001:2000 and thus
share similar structures with respect to assisting their
application as a consistent pair.
In the same context, if there is a superset of ISO
9001:2000 and CMMI in the structure of ISO
9001:2000, it will be easy to introduce CMMI into the
organization with ISO registration.
In this paper, we present an ISO 9001:2000 and
CMMI integrated model constructed in ISO
9001:2000 structure, in which the interpretation of N-
N mapping is clearly described to eliminate confusion.
Additionally, the integrated model provides an

Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)

1530-1362/04 $ 20.00 IEEE
 explanation of the differences between ISO 9001:2000
requirements and the practices of CMMI.
This paper is organized as follows. Section 2 briefly
explains ISO 9001:2000 and CMMI. Section 3
presents an integrated model of ISO 9001:2000 and
CMMI. Section 4 discusses related work and finally,
Section 5 provides some conclusions.
2. ISO 9001:2000 and CMMI
2.1. ISO 9001:2000
ISO 9001:2000 is a necessary requirement for
quality management system. It is a part of ISO 9000
family that consist of ISO 9000 (fundamentals and
vocabulary), ISO 9001 (requirements), ISO 9004
(guidelines for performance improvements) and ISO
19011 (guidelines for quality and environmental
management systems auditing). ISO 9001:2000 is an
abstract and sparse document that can be applied to
any category of business. ISO 9001 could be
interpreted by ISO 9000-3[2] or TickIT[3] when
applied to organizations in the software industry. For
every requirement in ISO 9001, an organization can
choose to have two status, ‘satisfied’ or ‘not satisfied’.
If every requirement is satisfied, then ISO registration
is achieved. Compared with ISO 9001:2000, ISO
9004:2000 is not a requirements document, but rather
a guidance document for process improvement of a
greater level compared with ISO 9001:2000. ISO
9001:2000 and ISO 9004:2000 are both similar in
terms of structure and terminology used to allow easy
conversion from one to the other.
2.2. CMMI
CMMI (Capability Maturity Model Integration) is
an integrated model of many CMMs intended to
achieve process improvement. CMM is a model that
contains the essential elements of effective processes
for one or more disciplines and describes an
evolutionary improvement path from ad hoc,
immature processes to disciplined, mature processes
with improved quality and effectiveness[4].
CMMI has two representations. One is the staged
representation. The other is the continuous
representation. In the staged representation maturity
level of an organization ranges from level 1 to 5. In
the continuous representation each process capability
level ranges from 0 to 5. The staged representation is
most suitable for an organization that does not know
which processes need to be improved first because the
Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)
1530-1362/04 $ 20.00 IEEE
staged representation offers process areas applicable to
each maturity level. The continuous representation
provides flexibility for selecting processes fit for
achieving business goal of the organization[5].
CMMI provides 25 process areas (Process area
means a cluster of related practices in an area that,
when implemented collectively, satisfies a set of goals
considered important for making significant
improvement in that area[4].
Goals are classified as generic goals and specific
goals. A generic goal describes the characteristics that
must be present to institutionalize the processes that
implement a process area. A specific goal describes
the unique characteristics that must be present to
satisfy the process area[4].
Practices are expected components for satisfying
goals. Practices are classified as generic practices and
specific practices. A generic practice is the description
of an activity that is considered important in achieving
the associated generic goal. A specific practice is the
description of an activity that is considered important
in achieving the associated specific goal[4].
3. Integrated model
3.1. Purpose of the integrated model
ISO 9001 requires that processes to be continuously
improved even after achieving ISO registration.
CMMI can be a good to an organization in the
software and systems industry to achieve further
process improvement, because CMMI is quite detailed
and contains more concepts of ‘improvement of
process’ than ISO 9001:2000. Furthermore,
considering that many ISO 9001:1994 registered
organizations are trying to introduce SW-CMM[6][7],
it is expected that many ISO 9001:2000 registered
organizations will want to adopt CMMI into their
systems.
As we described in the Introduction, it is simple to
implement ISO 9004:2000 to ISO registered
organizations because the structure of ISO 9004:2000
is similar to that of ISO 9001:2000. Therefore, it
would be ideal for ISO registered organizations to
adopt CMMI if the structure of CMMI is similar to
that of ISO 9001:2000.
3.2. Method to make the integrated model
We applied the concise N-N mapping for the
integrated model while the concise N-N mapping was
derived by using a N-N mapping table [1] between
 ISO 9001:2000 and CMMI. However, some changes When ISO 9001:2000 CMMI practices are inserted.
need to be made to the mapping table. First, many shall-statements do not Relationships between CMMI
practices have dependencies among one another, and satisfy CMMI practices, and the integrated model are
the N-N mapping table does not preserve these but there is an appropriate recorded.
dependencies. Therefore, we need to place dependent
position to insert CMMI
practices in an adequate place together. Second, the
practices
concise N-N mapping may possibly make the
relationship between CMMI practices and ISO When ISO 9001:2000 New clauses are created in the
9001:2000 requirements too simple. Thus, in order to shall-statements do not integrated model. CMMI
resolve this, some additional explanations on the satisfy CMMI practices, practices are inserted and
relationships between CMMI practices and ISO and there is no appropriate relationships between CMMI
9001:2000 requirements should be added to the position to insert CMMI and the integrated model are
integrated model. Third, granularity of the integrated practices recorded.
model is another issue. CMMI assesses that a process
area is satisfied only when all the goals in the process
3.3. Structure of the integrated model
area are satisfied. In other words, each goal in the
process area is a primitive unit to be assessed.
Because we can not show the complete integrated
However, if the goals in CMMI are selected for the
model in this paper, we summarized the integrated
target of the integrated model, then the relationship
model’s structure, approximately, in Table 2. The
between ISO 9001:2000 and CMMI can become “All
complete integrated model is available at
Match”. Therefore, practices in each process area are
http://selab.snu.ac.kr/Library/TechReport/ISOCMMII
selected as the CMMI-side target of the integrated
ntegration.html
model.
After developing a concise N-N mapping, CMMI Table 2. Structure of the integrated model
practices were merged with ISO 9001:2000
requirements using the method in Table 1. Targets of Integrated model’s contents CMMI
our integrated model were CMMI-SE/SW/IPPD/SS 4. Quality management system
and ISO 9001:2000.
GP 2.1, 2.2, 2.3,
4.1 General requirements 2.4, 2.5, 2.6, 2.8,
Table 1. Method for integration classified 2.9, 2.10, 3.1, 3.2
according to the correspondence types 4.2 Documentation Requirements
4.2.1 General OPD
Types of correspondence Methods to integrate models 4.2.2 Quality manual OPD
When ISO 9001:2000 ISO 9001:2000 shall- 4.2.2.1 Organization’s set of
OPD, GP 3.1
standard process
shall-statements statements are kept and the
4.2.2.2 Organization’s set of
(requirements) fully relationships between CMMI standard process tailoring criteria OPD, GP 3.1
satisfy CMMI practices and the integrated model are and guidelines
recorded. 4.2.3 Control of documents IPM, GP 3.2
When ISO 9001:2000 ISO shall-statements are 4.2.4 Control of records
shall-statements can or modified – ISO requirements’ 4.2.5 Process assets management OPD, IPM, GP 3.2
can not satisfy CMMI focus are calibrated by using 4.2.6 Measurement management OPD
practices by interpretation square brackets ([ ]). 4.3 Decision analysis and resolution DAR
Relationships between CMMI 5. Management responsibility
and the integrated model are
5.1 Management commitment GP 2.10, OEI
recorded.
5.2 Customer focus
When ISO 9001:2000 Relationships between ISO
5.3 Quality policy GP 2.1
shall-statements partially 9001:2000 shall-statements and
5.4 Planning
satisfy CMMI practices CMMI are recorded.
5.4.1 Quality objectives OPF

Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)

1530-1362/04 $ 20.00 IEEE
 5.4.2 Quality management system 7.3.6 Design and development
VAL
planning validation
5.5 Responsibility, authority and 7.3.7 Control of design and
CM
communication development changes
5.5.1 Responsibility and authority GP 2.4 7.4 Purchasing
5.5.2 Management representative 7.4.1 Purchasing process SAM, ISM
5.5.3 Internal communication 7.4.2 Purchasing information
5.6 Management review 7.4.3 Verification of purchased
SAM, ISM
5.6.1 General GP 2.10 product
5.6.2 Review input GP 2.10 7.5 Production and service provision
5.6.3 Review output GP 2.10 7.5.1 Control of production and
service provision
6. Resource management
7.5.2 Validation of processes for
6.1 Provision of resources GP 2.3 production the service provision
6.2 Human resources 7.5.3 Identification and
CM, GP 2.6
6.2.1 General GP 2.5 traceability
6.2.2 Competence, awareness and 7.5.4 Customer property
OT, OEI, GP 2.5
training 7.5.5 Preservation and delivery of
PI
6.3 Infrastructure GP 2.3 product
6.4 Work environment OEI 7.6 Control of monitoring and
measuring devices
7. Product realization
8. Measurement, analysis and
7.1 Planning of product realization GP 2.2 improvement
7.2 Customer-related processes 8.1 General
7.2.1 Determination of 8.2 Monitoring and measurement MA
requirements related to the RD 8.2.1 Customer satisfaction
product
OPF, GP 2.9,
7.2.2 Review of requirements to 8.2.2 Internal audit
RD, REQM PPQA
the product
8.2.3 Quantitative project
7.2.3 Customer communication GP 2.7 QPM
management
7.3 Design and development 8.2.3.1 Monitoring and
GG 2, PP, VAL, MA, GP 2.8, QPM
7.3.1 Design and development measurement of processes
VER, PMC, GP 8.2.3.2 Monitoring and
planning MA, QPM
2.4, OEI measurement of product
7.3.1.1 Establishing design and 8.2.4 Monitoring and
GP 3.1, PP, IPM MA
development plan measurement of product
7.3.1.2 Team composition and 8.3 Control of nonconforming
IPM, IT, OEI
operation product
7.3.1.3 Risk management RSKM 8.4 Analysis of data MA, OPP
7.3.2 Design and development 8.4A Measurement management OPF, MA
inputs
8.5 Improvement
7.3.A Design and development
8.5.1 Continual improvement OPF
process
8.5.1.1 Selecting
7.3.A.1 Design and development OID
IPM, REQM improvements
process management
8.5.1.2 Deploying
7.3.A.2 Technical solution TS OID
improvements
7.3.A.3 Product integration PI
8.5.2 Casual Analysis and
7.3.4 Design and development PMC, IPM, CAR
Resolution
review RSKM
8.5.2.1 Corrective action OPF, CAR
7.3.5 Design and development
VER 8.5.2.2 Preventive action CAR
verification

Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)

1530-1362/04 $ 20.00 IEEE

3.4. Form
The integrated model is organized as Table 3.
Table 3. Form of the integrated model
ISO-CMMI Integrated
ISO CMMI Explanation
Model
ࣜࣜ ࣜࣜ ࣜࣜ
ISO-CMMI Integrated Model column in Table 3
shows the contents of the integrated model, a
combination of CMMI practices and ISO 9001:2000’s
requirements. ISO and CMMI column shows whether
or not the contents in ISO-CMMI Integrated Model
column is mapped to ISO or CMMI. Explanation
column gives helpful comments to understand how to
adopt CMMI and the integrated model.
Table 4 shows an example as a part of the
integrated model.
3.5. Advice for Understanding the Integrated
Model
Explanation column in the integrated model
describes what ISO registered organizations must do
to adopt CMMI. But ISO registered organizations may
implement more requirements than ISO 9001:2000
demands. Therefore the organization should first
evaluate the process status of the organizations
accurately.
In the integrated model, granularity of CMMI is a
practice and not requirements. But as we all know,
one needs practice in order to achieve goals. An
organization considering to adopt CMMI should
consider that they have substitution for practices
ࣜࣜ
described in the integrated model.
The integrated model includes inserted practices of
CMMI which are inserted into an appropriate position.
But because of the differences between ISO 9001:2000
and CMMI, the following will need to be considered.
The prime goal of technical solution process area is to
identify and implement solutions about product and
product components, but also applied to selecting and
applying processes related to products. Practices of
technical solution process area are inserted into
“Design and development” as it’s prime goal. In case
of organizational training process area, the view of
ISO 9001:2000 is different from that of CMMI. While
ISO 9001:2000 is focused on the competencies of
people related to products, CMMI is focused on how to
provide education on an organizational level. These
differences should be considered by organizations.

Table 4. Partial example of the integrated model

‫ٻ‬
ISO-CMMI Integrated Model ISO CMMI Explanation
4.2.4 Control of records CMMI requires evidences of
Records shall be established and maintained to provide evidence of ࣜࣜ ࣜࣜ achieving goals. A type of evidence
conformity to requirements and of the effective operation of the can be a record. Records are
quality management system. Records shall remain legible, readily maintained as reports,
identifiable and retrievable [as process assets]. A documented management records, meeting
procedure shall be established to define the controls needed for the minutes. These records should be
identification, storage, protection, retrieval, retention time and stored as an appropriate type in
disposition of records. process assets libraries.
4.2.5 Process assets management Organizations shall add data
Organizations shall establish and maintain process asset libraries that derived from projects or
OPD SP
contain quality management system, measurements, documents, organizational process execution
1.5-1
records. into process assets continuously.
Organizations shall make work products, measurements, This satisfies IPM SP 1.5-1 and
IPM SP 1.
improvement instruction, documented experiences derived from GP 3.2
5-1
organizational activities to be contained in process asset libraries for
GP 3.2
continuous contribution to process assets.

Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)

1530-1362/04 $ 20.00 IEEE

3.6. Discussion
Our integrated Model is expected to be useful to
ISO registered organizations that plan to adopt CMMI
in two ways.
First, it is expected to be useful to gap analysis.
Because the model is based on concise N-N mapping
and describes differences between CMMI practices
and ISO 9001:2000 requirements, organizations will
be able to perceive without difficulty the gap between
the organizations’ status according to ISO 9001:2000
and CMMI as demonstrated by the integrated model.
Second, it will help to write out a quality manual.
A quality manual contains contents of a quality
management system in an organization. When CMMI
is introduced into an organization, process changes
will need to be reflected into the organization’s quality
manual. As the structure of the quality manual is
generally the same as ISO 9001:2000, it will be easy
to reflect the changes in organization’s quality manual
by using the integrated model written in the structure
of ISO 9001:2000 when introducing CMMI.
Organizations can easily distinguish what is in the
integrated model but not in the quality manual.
An example of writing out a quality manual by
using the integrated model can be summarized as
follows. Table 5 shows the 4.3 clause in the integrated
model. This clause contains contents of DAR in
CMMI and is not contained in ISO 9001:2000.
Organizations can add this clause next to the 4.2
clause in the quality manual as shown in Table 6.
Table 5. Clause 4.3 of the integrated model
4.3 Decision analysis and resolution requirements
An organization shall perform decision analysis and
resolution for critical decision items.
Selecting decision items shall conform to documented
guidelines.
Selected decision items shall be evaluated by evaluation
criteria, appropriate alternatives shall be selected by
evaluation results. Decision analysis and resolution shall
contain next activities.
a) Establishing and maintaining criteria for evaluation of
alternatives and relative importance of criteria
b) Identifying alternative solutions treating problems
c) Selecting evaluation methods.
d) Evaluating alternative solutions by using established
criteria and methods
e) Selecting a solution from alternatives based on evaluation
Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)
1530-1362/04 $ 20.00 IEEE
criteria
Table 6. Example of quality manual
corresponding to 4.3 clause
in the integrated model
4.3 Decision analysis and resolution requirements
Each chief of department guarantee that formal decision
analysis is performed for every important decision item. Each
chief of department guarantee that selected decision items
are evaluated by evaluation criteria, appropriate alternatives
are selected by evaluation results.
Selecting decision items conform to guidelines for selecting
decision items.
Decision analysis and resolution conform to decision analysis
and resolution guidelines.
Related documents:
(1) Decision analysis and resolution procedure documents
(2) Guidelines for selecting decision items
4. Related work
There are fewer studies on the comparison of ISO
9001:2000 with CMMI on the comparison of ISO
9001:1994 with SW-CMM. Because of ISO 9001:2000
and CMMI, there have been less comparison done
between ISO 9001:1994 and SW-CMM. But since
these studies can provides hints to understanding the
relationships between ISO 9001:2000 and CMMI, we
present some related studies below.
M.C. Paulk compared ISO 9001:1994 with SW-
CMM to answer the following questions[8][9]
• At what level in the CMM would an ISO 9001-
compliant organization be?
• Can a level 2(or 3) organization be considered
compliant with ISO 9001?
• Should a software-quality-management and process-
improvement efforts be based on ISO 9001 or on the
CMMI?
This study shows that SW-CMM has more
requirements than ISO 9001:1994 when ISO
9001:1994 is mapped onto SW-CMM. He further
asserts that ISO 9001:1994 compliant organization
should satisfy most of the level 2 and many of the level
3 goals in CMMI. Figure 3 shows ISO 9001 compliant
organization’s level of satisfaction of SW-CMM.

Figure 1. Key process area profile for an ISO
9001-compliant organization[8][9]
P. Jalote proposed a way for transitioning from ISO
9001:1994 to SW-CMM level 4 based on actual
organization’s experience of transitioning[10]. In this
study, he pointed out that simple mapping between
ISO 9001:1994 and SW-CMM are not useful to field
staffs and it is useful to describe what additional
things to do for typical ISO 9001 compliant
organization transitioning to SW-CMM.
Works on simultaneously implementing ISO
9001:2000 and CMMI have been conducted by B.
Mutafelija and H. Stromberg[5]. In these works, they
insisted that CMMI satisfied most of ISO 9001:2000
requirements, and so, proposed a way of introducing
two frameworks simultaneously by implementing
CMMI and adding new requirements for ISO
9001:2000. Figure 4 illustrates how CMMI process
areas are mapped to ISO 9001:2000. For example,
ISO 9001:2000’s 6th clause, resource management
has some of its contents mapped onto CMMI’s OPF,
OPD and PP process areas. This method focuses on
CMMI organization adopting the ISO 9001:2000
rather than ISO registered organization adopting
CMMI. Therefore it is not useful to ISO registered
organization that intends to introduce CMMI.
B. Mutafelija and H. Stromberg also studied about
the mapping between ISO 9001:2000 and CMMI[1].
They explain that a mapping should be subjective and
according to granularity of mapping, degree of
correspondence is different. In this work, practices of
CMMI are mapped to requirements of ISO 9001:2000.
And mechanically inverted mapping is also provided.
Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)
1530-1362/04 $ 20.00 IEEE
Figure 2. Mapping CMMI process areas
according to clauses of ISO 9001:2000[5]
5. Conclusion
In this paper, we proposed an integrated model by
inserting CMMI practices into ISO 9001:2000
requirements. We expect that this model will be
helpful to ISO registered organizations as it will allow
existing ISO assets to be re-used without redundant
efforts. In addition, the model will help organizations
to perform gap analysis and maintain their quality
manual without any difficulty when adopting CMMI.
And, even if an organization does not have ISO
registration but plans to adopt CMMI only, the
organization will be able to implement ISO 9001:2000
and CMMI simultaneously by this integrated model.
In future research, we plan to conduct experiments to
confirm how effective this model will be real
application..
6. References
[1] B. Mutafelija and H. Stromberg, Mappings of ISO
9001:2000 and CMMI Version 1.1,
http://www.sei.cmu.edu/cmmi/adoption, July 2003.
[2] Department of Trade and Industry, British Standards
institute, The TickIT Guide Issue 5, London-DISC TickIT
Office, 2001.
[3] ISO, Quality management and quality assurance
standards ˂ Part 3: Guidelines for the application of ISO
9001:1994 to the development, supply, installation and
maintenance of computer software, ISO 9000-3, 1997.
 [4] M. B. Chrissis, M. Konrad and S. Shrum, CMMI ˀ
Guidelines for Process Integration and Product
Improvement, Addison-Wesley, 2003.

[5] B. Mutafelija and H. Stromberg, Systematic Process

Improvement Using ISO 9001:2000 and CMMI, Artech
House, 2003.

[6] M. C. Paulk, C. V. Weber and B. Curtis, The Capability

Maturity Model for Software, Addison-Wesley, 1995.

[7] W. Humphrey. "Characterizing the software process : A

maturity framework", IEEE Software, Vol.5, No.2, pp.73-79,
Mar. 1988.

[8] M. C. Paulk, "Comparing ISO 9001 and the capability

maturity model for Software", Software Quality Journal, Vol.
2, No. 4, pp.245-256, Dec. 1993.

[9] M. C. Paulk, "How ISO 9001 Compares with the CMM",

IEEE Software, Vol.12, No.1, pp.74-83, Jan. 1995.

[10] P. Jalote, CMM in Practice: Processes for Executing

Software Projects at Infosys (The SEI Series in Software
Engineering), Addison-Wesley, 1999.

Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)

1530-1362/04 $ 20.00 IEEE