Sample Pages

ISO/IEC 90003:2004 

Evidence Product Checklist

ISO/IEC 90003:2004  Software engineering - guidelines for the application of ISO 9001 to computer software

Available in MS WORD format or PDF format


The process of defining what is necessary for compliance with a quality management process standard such as “ISO/IEC Standard 90003:2004” is often confusing and laborious because the directions contained in the standards are unclear or ambiguous. This checklist was produced to aid in determining what is actually “required” by the document in the way of physical evidence of compliance. This checklist is constructed around a classification scheme of physical evidence comprised of policies, procedures, plans, records, documents, audits, and reviews.  There must be an accompanying record of some type when an audit or review has been accomplished.  This record would define the findings of the review or audit and any corrective action to be taken. For the sake of brevity this checklist does not call out a separate record for each review or audit.  All procedures should be reviewed but the checklist does not call out a review for each procedure, unless the standard calls out the procedure review.  In this checklist, “manuals, reports, scripts and specifications” are included in the document category.  When the subject standard references another standard for physical evidence, the checklist does not call out the full requirements of the referenced standard, only the expected physical evidence that should be available.  

The author has carefully reviewed the document “ISO/IEC Standard 90003:2004 Software Engineering: Guidelines for the application of ISO 9001:2000 to computer software " and defined the physical evidence required based upon this classification scheme. A second review was conducted of the complete list to ensure that the documents’ producers did not leave out a physical piece of evidence that a “reasonable person” would expect to find. It could certainly be argued that if the document did not call it out then it is not required; however if the standard was used by an organization to improve its process, then it would make sense to recognize missing documents.  Therefore, there are documents specified in this checklist that are implied by the standard or in common use in software engineering, though not specifically called out in the document, and they are designated by an asterisk (*) throughout this checklist.  If a document is called out more than one time, only the first reference is stipulated.  Additionally, there are many references to ISO/IEC 12207 in ISO/IEC 90003:2004 so ISO/IEC 12207 required items have been included and are denoted by a (#).

There are occasional situations in which a procedure or document is not necessarily separate and could be contained within another document.  For example, the "Design and Development Verification Plan" could be a part of the "Design and Development Plan".  The author has called out these individual items separately to ensure that the organization does not overlook any facet of physical evidence.  If the organization does not require a separate document, and an item can be a subset of another document or record, then this fact should be denoted in the detail section of the checklist for that item.  This should be done in the form of a statement reflecting that the information for this document may be found in section XX of Document XYZ.  If the organizational requirements do not call for this physical evidence for a particular project, this should also be denoted with a statement reflecting that this physical evidence is not required and why.  The reasons for the evidence not being required should be clearly presented in this statement.  Further details on this step are provided in the Detail Steps section of the introduction.  The size of these documents could vary from paragraphs to volumes depending upon the size and complexity of the project or business requirements.

General Principles of the ISO/IEC Standard 90003:2004 Software engineering – Guidelines for the application of ISO 9001:2000 to computer software - Requirements Checklist
This checklist was prepared by analyzing each clause of this document for the key words that signify a:
  • Policy
  • Procedure
  • Plan
  • Record
  • Document ( Including Manuals, Reports, Scripts and Specifications)
  • Audit
  • Review

This checklist specifies evidence that is unique.  After reviewing the completed document, the second review was conducted from a common sense “reasonable man” approach:

  • Required items are denoted by an underline to aid use of the checklist
  • Documents cited in ISO/IEC 12207 are denoted with a (# - ISO/IEC 12207 item)
  • If a document or other piece of evidence appeared to be required, but was not called out in the document, then it is added with an asterisk (* - Suggested) after its notation in the checklist
  • Some items in common use in software engineering were considered missing in the standard.  These have also been included and are denoted also with an asterisk (* - Suggested). 

Note:  These notations are listed in the footnotes for each section.

The information was transferred into checklist tables, based on the type of product or evidence.  Because software forms part of a “system”, some system documents are identified that are necessary to define inputs to software development or are associated with acceptance of software against defined requirements.  These are not specifically cited in the standard but are included for completeness.  Related procedures and plans to develop these system level items are omitted in the checklist.

Using the Checklist
When a company is planning to use "ISO/IEC 90003:2004" (and by implication ISO 9001:2000) standard, the company should review the evidence checklist.  If the company’s present process does not address an ISO/IEC 90003:2004 (or ISO 9001:2000) standard product, then this question should be asked:  Is the evidence product required for the type of business of the company?  If in the view of the company the evidence is not required, the rationale should be documented and inserted in the checklist and quality manual.  This rationale should pass “the reasonable person rule.”  If the evidence is required, plans should be prepared to address the missing item(s).

Detail Steps
An organization should compare the proposed output of their organization against the checklist.  In doing this, they will find one of five conditions that exist for each item listed in the checklist.  The following five conditions and the actions required by these conditions are listed in the table below.  


Action Required
1. The title of the documented evidence specified by the checklist (document, plan, etc) agrees with the title of the evidence being planned by the organization.  Record in checklist that the organization is compliant.
2. The title of the documented evidence specified by the checklist (document, etc) disagrees with the title of the evidence planned by the organization but the content is the same.  Record in the checklist the evidence title the organization uses and record that the organization is compliant, and the evidence is the same although the title is different. 
3. The title of the documented evidence specified by the checklist (document, etc) is combined with another piece of evidence.  Record in the checklist the title of the evidence (document, etc) in which this information is contained.
4. The title of the documented evidence specified by the checklist (document, etc) is not planned by the organization because it is not required. Record in the checklist that the evidence is not required and the rationale for this decision.
5. The title of the documented evidence called out by the checklist (document, etc) is not planned by the organization and should be planned by it. Record in the checklist when this evidence will be planned and reference a plan for accomplishing the task. 

Components of the Checklist 

This checklist is composed of 9 sections:
  • Section 1.  Introduction
  • Section 2.  Checklist of all required and suggested “ISO/IEC 90003:2004” evidence products, together with ISO/IEC 12207 required items
  • Sections 3-7.  Individual checklists for each evidence type
  • Section 8.  Names used in ISO/IEC 12207 that are different in this checklist
  • Section 9.  “About the Author”
4 Quality management system          
4.1 General requirements
  • Outsourcing Plan Procedure*
  • Outsourcing Procedure *
  • Quality Management System Document Procedure*
  • Quality Management System Improvement Plan Procedure*
  • Quality Management System Processes Used Document Procedure*
  • Software Development, Operation and Maintenance Processes Used 
  • Document Procedure*
  • Software Life Cycle Model Document Procedure# 
  • Outsourcing Plan*
  • Quality Management System Improvement Plan*
  • Quality Management System Document
  • Quality Management System Processes Used Document
  • Software Development, Operation and Maintenance Processes Used Document#
  • Software Life Cycle Model Document#
  • Outsourcing Plan Review*
  • Outsourcing Review*
  • Quality Management System Document Review
  • Quality Management System Improvement Plan Review*
  • Quality Management System Processes Used Document Review
  • Software Development, Operation and Maintenance Processes Used Document Review#
  • Software Life Cycle Model Document Review*
4.2 Documentation requirements          
4.2.1 General
  • Documentation Plan Procedure*
  • Documentation Procedure#
  • List of Control Documents Procedure*
  • List of Documented Procedures and Templates*
  • List of Operation Documents Procedure*
  • List of Planning Documents Procedure*
  • Methods, Techniques and Tools Used Document Procedure#
  • Quality Manual Document Procedure*
  • Quality Objective Document Procedure*
  • Quality Policy
  • Software Quality Policy*
  • Technical Standards Used Document Procedure*
  • Documentation Plan#
  • Quality Management System Records (All)#
  • List of Control Documents*
  • List of Operation Documents*
  • List of Planning Documents*
  • Methods, Techniques and Tools Used Document#
  • Quality Manual Document
  • Quality Objective Document
  • Technical Standards Used Document*
  • Documentation Plan Review*
  • List of Control Documents Review*
  • List of Operation Documents Review*
  • List of Planning Documents Review*
  • Methods, Techniques and Tools Used Document Review#
  • Quality Manual Document Review
  • Quality Objective Document Review
  • Quality Policy Review
  • Software Quality Policy Review*
  • Technical Standards Used Document Review*
4.2.2 Quality manual
  • Process Interaction Description Document Procedure*
  • Process Interaction Description Document
  • Process Interaction Description Document Review
4.2.3 Control of documents
  • Document Control Procedure
4.2.4 Control of records
  • Record Management Plan Procedure*
  • Record Management Procedure
  • Virus Checking Plan Procedure*
  • Record Management Plan*
  • Virus Checking Plan*
  • Assessment Report Records#
  • Change Request Records#
  • Design and Development Review Records#
  • Estimating Records*
  • Management Problem Report Records#
  • Marked Up Document Records#
  • Meeting Minutes Records*
  • Problem Report Records#
  • Project Audit Records#
  • Quality Management System Management Review Records#
  • Record Management Plan Review*
  • Record Management Review*
  • Virus Checking Plan Review*

RCGLOBAL / Contact us: