Evolution of TickITplus
TickITplus was launched in 2011 by the British Standards Institute (BSI)'s Joint TickIT Industry Steering Committee (JTISC). The principal aims of the Scheme were to capitalize on the strengths of the existing TickIT scheme whilst recognizing the changes in today's world of software development.
What was TickIT?
In 1987, ISO 9001 was introduced as a standard for Quality Management Systems, based on the British Standard, BS 5750. The TickIT scheme was created by the Department of Trade and Industry (DTI) in the early 1990s when it was found that ISO 9001, which worked well as a manufacturing standard, did not work so well for software development. The TickIT Scheme provided guidance for ISO 9001 in the production of software and it was also possible to gain Certification in ISO 9001 with TickIT. Its reference documents included ISO 9000-3:1997 (Guidelines for the application of ISO 9001:1994 to the development, supply, installation and maintenance of computer software) and the TickIT Guide.
From its launch, TickIT only ever provided guidance and, although the use of processes was encouraged because it was tied to ISO 9001, it was still predominantly requirements-driven. The 2000 edition of ISO 9001 significantly strengthened the process-based approach, but in essence it still remained requirements-driven, even though the TickIT Guide Issue 5 incorporated the process definitions of ISO/IEC 12207 to provide guidance on the use of good software lifecycle processes. By comparison, newer requirements standards, such as ISO/IEC 20000-1 and ISO/IEC 27001, had emerged which were more clearly process-based.
The TickIT scheme was controlled by the Joint TickIT Industry Steering Committee (JTISC), formed in 2006 to bring together all the committees who had governed the scheme with the groups who had an interest in it. The Committee was accountable to the BSI’s Standards Policy and Strategy Committee and jointly administered by the British Computer Society (BCS), BSI Standards Development, and Intellect (The IT Industry Trade Body, now called Tech-UK).
Why was TickITplus needed?
TickITplus grew from the desire of JTISC, soon after its formation, to enhance the TickIT scheme following a survey of scheme users. The survey had indicated that users would like recognition of their improvements, similar to the five levels of capability and maturity in the Capability Maturity Model Integration (CMMI) from the Software Engineering Institute (SEI) in the USA, and that they would like to include other standards like those for IT Service Management.
Another consequence of being tied to ISO 9001 was that TickIT assessments could only result in a pass or a fail and this was seen as a serious limitation. Customers were starting to need, and even demand, clearer indications of supplier performance in key business processes, such as risk management, to provide better criteria for supplier selection. One very strong indication of process performance can be established through capability assessments complying with ISO/IEC 15504-2.
The result was a set of requirements that could be used to allow achievement of ISO 9001 and, if required, ISO/IEC 20000 (Information Technology: Service Management) and ISO/IEC 27001 (Information Technology: Security Techniques) with five levels to be used to indicate capability:
- Foundation - for those companies taking the initial step into TickITplus,
- Bronze - the processes are written down, but specific to each project or department. It is for new entrants and the first step from Foundation,
- Silver - the processes are available and projects tailor them to suit,
- Gold - the processes are measured and controlled,
- Platinum - metrics are used for process improvement.
TickIT was permanently retired at the end of November 2014, with all organisations moving to TickITplus.
Moving Forward
TickITplus has continued to grow and to evolve. It is now managed by the International TickIT Association (ITA) with a Committee drawn from expert representatives from the UK Accreditation Service, certification bodies, organisations offering TickITplus training, industry associations and academics.
The Requirements for the scheme are stated in the Core Scheme Requirements (CSR), which is supported by the Requirements for Assessors and Practitioners (RAP) and the Requirements for Training and Examinations (RTEX). The information about processes is described in the Base Process Library (BPL).
The key goals of TickITplus are to:
- adopt a full process-driven approach to business systems management
- introduce capability assessment concepts
- accommodate multiple requirement standards, e.g. ISO 9001, ISO/IEC 20000-1 (IT service management) and ISO/IEC 27001 (information security management)
- incorporate additional reference standards such as ISO 26262 (Road vehicles – Functional safety), BS 10754 (Information technology. Systems trustworthiness - Governance and management specification), and ISO/IEC/IEEE 12207 (Systems and software engineering. Software life cycle processes)
- strengthen the commitment to improvements
- enable collaborative assessments to be undertaken more formally.
To that end, more standards were added to the original baseline of ISO 9001, ISO/IEC 20000-1 and ISO/IEC 27001. Version 1.3.1 of the Base Process Library also included PAS 754:2014 (now known as BS 10754) and ISO 26262.
With Version 1.4.1 of the Base Process Library (BPL) there was a step change. The release provided a mapping to both ISO/IEC/IEEE 12207 (Systems and software engineering. Software life cycle processes) and ISO/IEC/IEEE 15288 (Systems and software engineering. System life cycle processes). However, as the number of mapped standards had continued to increase, the BPL was becoming extensive and it was decided that an alternative approach was needed. At the same time, the fundamental concept of a document that clearly shows the mappings between the Base Processes, Base Practices and the requirements of the mapped standards in a simple manner was something that the ITA committee wanted to maintain. The solution was to introduce the concept of a main BPL and several BPL variants. All variants include ISO 9001 as it is the core standard used by TickITplus.
For Version 1.4.1 of the BPL, they are:
- The Main BPL covers the core ISO 9001 standard and two very closely aligned standards: ISO/IEC 20000-1 and ISO/IEC 27001.
- Variant A (Advanced Software Engineering) covers ISO 9001, ISO/IEC/IEEE 12207, ISO/IEC/IEEE 15288 and BS 10754 for Information technology. Systems trustworthiness - Governance and management specification.
- Variant B (Safety) covers ISO 9001 and ISO 26262 Road vehicles functional safety.
The TickITplus Product Roadmap shows the intended progress over the next two years, which is likely to produce Variant C, with a working title of Software Engineering in Defence, covering ISO 9001, AQAP 2210 (NATO Supplementary software quality assurance requirements to AQAP-2110 or AQAP-2310) and AS9115 (Quality Management Systems – Requirements for Aviation, Space and Defence Organizations – Deliverable Software - Supplement to 9100) along with ISO/IEC/IEEE 12207 and ISO/IEC/IEEE 15288.