02 Sep 2015 |
Research article |
Software Systems, Multimedia and Cybersecurity
Effort and Positive Outcomes following the ISO/IEC 29110 certification of an IT Startup in Peru





Editor’s Note
This article is following the preceding article Implementation of ISO/IEC 29110 Standard to Improve the Quality of Services in an IT Startup in Peru and presents a real certification case of ISO/IEC 29110, a standard aiming to improve the quality of software products in very small entities (VSE). The process of certification was quite affordable and has been a genuine engine for growth.
____________________________________
Introduction
For most businesses, but particularly for very small entities (VSEs), international certifications can enhance credibility, competitiveness, and access to national and international markets (Laporte, Houde, and Marvin 2014).
The Peruvian VSE, called Bit Perfect Solutions, selected to implement the project management (PM) and software implementation (SI) processes, as illustrated in figure 1, of ISO/IEC 29110, was created in 2012 by two alumni of the UPC Software Engineering program. The company consists of four people and specializes in providing software development services and automation of business processes with information system solutions. It used agile practices to implement software solutions such as Web 2.0 responsive design systems, mobile applications (using the iOS platform, Android, Windows Phone, or Multiplatform), cloud applications (cloud computing) systems using emerging technologies, and platforms such as Microsoft Kinect, Leap Motion, and Oculus Rift. They also carried out design projects and developed hardware solutions that integrate electronics and software.

Figure 1 Activities of the 2 processes of the Basic profile of ISO/IEC 29110
Description of the Certification Process
A certification is carried out by specialized organizations known as certification bodies. These independent organizations are also identified as “third party” because they are independent of companies that provide implementation services and the companies that demand these services.
Accreditation bodies evaluate and certify the technical competence and independence of the certification bodies. An accreditation body is an organization that, usually by a national government, assesses certification bodies and certifies their technical competence to carry out the certification process. Each country independently organizes its rules and conformity assessment and metrology regulations. In the case of Peru, the national accreditation body is INDECOPI through its National Accreditation Service (INDECOPI-SNA). In the case of Brazil, the national accreditation body is the National Institute of Metrology, Quality, and Technology (INMETRO).
In order to promote the recognition of qualifications between countries, there are international organizations such as the International Accreditation Forum (IAF). The IAF is the world association of conformity assessment accreditation bodies in the fields of management systems, products, and services, and to date, it has more than 60 member countries. Both the INDECOPI-SNA and INMETRO accreditation bodies are members of this organization. This establishes a global certification infrastructure.
The ISO/IEC 29110 standard has an established certification process. This process has been created taking into account the needs of software and systems development VSEs, so that audits should not be too expensive or time consuming. The certification scheme described in ISO/IEC 29110 is based on ISO standards for certification bodies requirements and auditor capability requirements (see Figure 2).

Figure 2 ISO standards referenced in the ISO/IEC 29110 certification scheme
The ISO/IEC 29110 certification process is composed of four stages. In the first stage, the VSE applies for the audit process and if it is successful, a commercial and technical agreement is entered into with the accreditation body. Then the second stage begins, and if it is successful, the final result is the initial certification of the VSE for a period of three years. The third stage involves the completion of two surveillance audits one and two years after obtaining the initial certification. Finally, the fourth stage is the recertification of the VSE once the three-year certification cycle has elapsed.
Description of the Audit Process
After implementing the Basic profile of ISO/IEC 29110 at the Peruvian VSE, it was time to look for an organization that was part of the global infrastructure of the certification system. That organization would certify the quality of the processes implemented and ensure the international recognition of the certification. The auditing organization selected was a Brazilian organization. The audit process to which the Peruvian VSE was subjected is summarized in Figure 3.

Figure 3 Summary of the audit process followed by the Peruvian VSE
The audit process was conducted in two phases. During phase 1, the existing documentation of the software development process life cycle of the VSE was assessed. During phase 2, the implementation and use of the project management (PM) and software implementation (SI) processes of the ISO/IEC 29110 Basic profile were evaluated. At the end of each phase, the certification body issued a report with any observations and nonconformities, if applicable.
The VSE received comments from the auditors regarding the recording of test results and the corrective actions taken. The VSE technical team implemented the comments; procedures were updated and disseminated within the development team.
Phase 1 and phase 2 of the audit were conducted in April 2014, and in July 2014 the auditing organization issued the conformity certificate for the project management and software implementation processes of the ISO/IEC 29110 Basic profile. The certificate is valid for three years. A surveillance audit has successfully been performed in 2015, another one will be performed 2016, and the recertification process will be initiated in 2017.
In Figure 4 the authors list the cost and the effort of the VSE for phase 1 of the audit process. The audit cost does not include the auditor’s travel expenses. The VSE spent 22 hours for phase 1 of the certification process.

Figure 4 Cost and effort for phase 1 of the audit
Figure 5 lists the cost and the effort of the VSE for phase 2 of the audit process. The cost of the auditor was $1000. The audit cost does not include the auditor’s travel expenses. The VSE spent 63 hours for phase 2 of the certification process.

Figure 5 Cost and effort for phase 2 of the audit
The total cost of the audit, that is, $1500, is quite small compared to an audit for a CMMI-DEV Level 2 assessment. For example, the cost in the Brazilian market is about $25,000. As illustrated in Figure 6, it is estimated that the cost of each one of the two surveillance audits, excluding the travel costs of the auditor, will be about $1200.

Figure 6 Cost and effort of the surveillance audits
The 85 hours spent by the management and employees of the VSE for the audit, that is, 22 hours for phase 1 and 63 hours for phase 2, is quite small compared to preparing for a CMMI-DEV Level 3 assessment. For example, in the Brazilian market, assessment preparation involves recording hundreds of pieces of evidence, a team of six people working full time for about three months, which is over 2000 hours of effort in total.
Positive Outcomes
The Peruvian VSE became the first organization in South America (outside of Brazil) to obtain an ISO/IEC 29110 certification for its software development processes.
Currently, the VSE continues to optimize its processes as part of its continuous improvement process and will be prepared for the surveillance audit to be carried out in 2016.
The ISO/IEC 29110 conformity certificate has become a major differentiator with regard to the main competitors of the VSE. The VSE has gained access to larger software development projects and increased its customer base. Given the growth evidenced by the organization, the VSE has also increased its number of workers to date, from four to 10 employees.
Conclusions
The authors recommend the use of ISO/IEC 29110 in VSEs that wish to improve their management engineering and software development practices. ISO/IEC 29110 is a standard that does not prescribe the use of any particular software development life cycle or method; on the contrary, it offers VSEs the ability to use a framework tailored to their needs.
The ISO/IEC 29110 certification gave the Peruvian VSE access to new clients and larger projects. For a country such as Peru, the implementation and certification of ISO/IEC 29110 could help change the country’s productivity index. VSEs could increase software product exports and improve the quality of life of Peruvians. VSEs that are looking for investors, partners, or customers should think about implementing ISO/IEC 29110 and aiming to obtain certification.
Additional Information
We invite you to read the following research paper to get more information regarding this project:
Garcia, L., Laporte, C.Y., Arteaga, J., Bruggmann, M., Implementation and Certification of ISO/IEC 29110 in an IT Startup in Peru, Software Quality Professional Journal, ASQ, vol. 17, no. 2, pp16-29, 2015.

Luis Hernan Garcia Paucar
Luis Hernán García Paucar is a full-time professor at the School of Engineering Systems and Computing at the Universidad Peruana de Ciencias Aplicadas (Lima) where he is the coordinator of the Software Engineering program.

Claude Laporte
Claude Y. Laporte was a Professor of software engineering at ÉTS before retiring. He is the Project Editor of the systems and software engineering ISO / IEC 29110 standards for Very Small Entities developing systems or software products.
Program : Software Engineering Information Technology Engineering

Jaylli Arteaga
Jaylli Arteaga is a software engineer and a professor at the Universidad Peruana de Ciencias Aplicadas (UPC), and CTO and software architect at Bit Perfect Solutions.
Program : Software Engineering

Marco Bruggmann
Marco Bruggmann is a software engineer at the Universidad Peruana de Ciencias Aplicadas (UPC), with a specialization in cybercrime and information assurance at Utica College. He is CEO and CPM at Bit Perfect Solutions.
