Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
ISO/IEC 29110-2-1:2015 — Software Engineering — VSEs — Part 2-1: Framework and Taxonomy
A Comprehensive Framework for VSE Lifecycle Profile Definition and Conformity Assessment
Framework and Taxonomy for VSE Lifecycle Profiles
ISO/IEC 29110-2-1:2015 is the most technically detailed document in the 29110 series, providing the complete framework for defining, constructing, and assessing VSE lifecycle profiles. While Parts 1-1 and 1-2 explain WHAT the VSE profiles are and WHY they exist, Part 2-1 specifies HOW profiles are formally defined, HOW conformity is assessed, and HOW new profiles (sector-specific or organization-specific) can be constructed within the taxonomy. This framework document is essential reading for process engineers, conformity assessment bodies, and VSE support organizations that need to implement the 29110 series beyond the standard generic profiles.
Part 2-1 introduces the Process Reference Model (PRM) for VSEs — a carefully scoped set of process outcomes derived from ISO/IEC 12207 but expressed at a level of granularity appropriate for micro-enterprises. The PRM is the engine that drives profile definition, conformity assessment, and capability evaluation across the entire 29110 ecosystem.
The framework defined in Part 2-1 has three major components. First, the Process Reference Model (PRM) defines the complete set of process outcomes that can be included in any VSE profile, organized into process categories and groups. Unlike ISO/IEC 12207 which defines hundreds of detailed practices, the VSE PRM uses outcome-based statements — each outcome is a concise description of what must be achieved (e.g., “Software requirements are documented and approved by the customer”) without prescribing how. This outcome orientation is critical for VSEs because it provides flexibility in implementation methods while maintaining rigor in results.
Profile Definition and Conformity Assessment Methodology
The taxonomy framework in Part 2-1 defines profiles as structured selections of PRM outcomes organized into profile groups (Entry, Basic, Intermediate, Advanced) and profile categories (generic, sector-specific, organization-specific). Each profile is formally specified in a Profile Specification document that includes: the list of mandatory outcomes, the list of optional outcomes, the list of excluded outcomes from the PRM, the profile group and category identifiers, and the target VSE characteristics. The Profile Specification uses a standardized template to ensure that profiles from different sources (e.g., a medical device profile from ISO/TC 210 and an automotive profile from ISO/TC 22) can be compared and potentially harmonized.
| Framework Component | Purpose | Key Content | Usage |
|---|---|---|---|
| Process Reference Model (PRM) | Defines the outcome universe | ~60 process outcomes across 4 categories | Profile building blocks |
| Profile Specification Template | Standardized profile definition | Mandatory/optional/excluded outcomes | Profile creation & documentation |
| Conformity Assessment Framework | Verification of profile compliance | Assessment process, evidence requirements | Certification & self-declaration |
| Process Assessment Model (PAM) | Capability level evaluation | Rating scales, capability indicators | Process improvement measurement |
| Profile Equivalence Table | Cross-profile comparison | Mapping between profile groups | Supply chain qualification |
The most common misunderstanding about the 29110 conformity assessment framework is equating “profile conformance” with “process capability level.” Profile conformance (per Part 2-1) is a binary determination: does the VSE achieve the outcomes specified in the profile or not? Process capability (per ISO/IEC 15504/33020) is a multi-level rating: how well are the processes performed? The 29110 Basic profile conformance corresponds approximately to Capability Level 1 (Performed) with elements of Level 2 (Managed) — but the assessment methodologies are different.
The conformity assessment methodology in Part 2-1 defines three assessment modes: self-assessment (internal evaluation by the VSE itself), third-party assessment (independent certification body), and peer assessment (evaluation by another VSE under the coordination of a support organization). For micro-enterprises with limited budgets, self-assessment using the standardized checklist is the most practical entry point. The standard provides detailed guidance on evidence collection, including acceptable evidence types (project plans, requirements documents, test reports, meeting minutes, version control logs) and the minimum evidence set required for each profile outcome.
Engineering Design Insights for Framework Implementation
ISO/IEC 29110-2-1 embodies several sophisticated engineering design decisions that are relevant beyond the VSE domain. The first is the outcome-based PRM architecture. By defining processes in terms of outcomes (what must be achieved) rather than practices (how to do it), the framework achieves separation of concerns between process definition and process implementation. This architectural pattern is directly applicable to any standard or framework that needs to accommodate diverse implementation contexts — a principle that also appears in ISO/IEC 20000-1 (service management) and ISO 27001 (information security) but is executed with particular elegance in the VSE context due to its minimalist scope.
When building a conformity assessment program for any standard, adopt the outcome-based approach from 29110-2-1. For each requirement, define the observable evidence that demonstrates achievement. This evidence-centric approach reduces assessment disputes because both the assessor and the assessed agree on what constitutes proof of compliance before the assessment begins. It also enables efficient “evidence packages” — small collections of documents that simultaneously satisfy multiple outcomes.
The second design insight is the taxonomy’s support for profile evolution. The framework explicitly defines how a VSE can transition between profiles (e.g., from Basic to Intermediate) and how profiles can be extended for specific domains. The transition path is defined as a superset relationship: the Intermediate profile includes all outcomes of the Basic profile plus additional outcomes for organizational management and infrastructure. This superset design ensures that process assets created under the Basic profile remain valid under the Intermediate profile — a critical property for protecting the VSE’s process investment.
Third, the framework introduces the concept of process outcome weighting for conformity decisions. Not all outcomes in a profile carry equal significance. Critical outcomes (typically those related to requirements agreement, product delivery, and customer acceptance) are designated as “gate” outcomes — failure to achieve any single gate outcome results in overall profile non-conformance. Non-critical outcomes allow for partial achievement with a corrective action plan. This weighted approach prevents the entire conformity determination from being invalidated by a minor documentation gap while maintaining rigor on the outcomes that directly affect product quality and customer satisfaction.
Frequently Asked Questions
Q1: Can a VSE create its own profile using the Part 2-1 framework?
Yes. Part 2-1 provides the complete methodology for constructing organization-specific profiles. The VSE selects outcomes from the PRM, documents the selections using the Profile Specification template, and validates the profile against the framework’s consistency rules. Organization-specific profiles can then be assessed using the same conformity assessment framework as the standard generic profiles.
Yes. Part 2-1 provides the complete methodology for constructing organization-specific profiles. The VSE selects outcomes from the PRM, documents the selections using the Profile Specification template, and validates the profile against the framework’s consistency rules. Organization-specific profiles can then be assessed using the same conformity assessment framework as the standard generic profiles.
Q2: How does the 29110 conformity assessment differ from a CMMI appraisal?
A 29110 assessment determines conformance to a specific profile (binary pass/fail per outcome), while a CMMI appraisal assigns a maturity level rating (1–5) based on capability levels across process areas. 29110 assessments are typically less expensive and faster (1–2 days for micro-enterprises) compared to CMMI SCAMPI appraisals (3–5 days minimum).
A 29110 assessment determines conformance to a specific profile (binary pass/fail per outcome), while a CMMI appraisal assigns a maturity level rating (1–5) based on capability levels across process areas. 29110 assessments are typically less expensive and faster (1–2 days for micro-enterprises) compared to CMMI SCAMPI appraisals (3–5 days minimum).
Q3: Is the PRM in 29110-2-1 specific to software, or does it cover systems engineering?
The PRM primarily addresses software engineering outcomes derived from ISO/IEC 12207. For system-level outcomes, Part 2-1 provides additional annexes with outcomes from ISO/IEC 15288 that can be incorporated into system-oriented VSE profiles. The framework is designed to accommodate both.
The PRM primarily addresses software engineering outcomes derived from ISO/IEC 12207. For system-level outcomes, Part 2-1 provides additional annexes with outcomes from ISO/IEC 15288 that can be incorporated into system-oriented VSE profiles. The framework is designed to accommodate both.
Q4: What supporting infrastructure does a VSE need to implement the conformity assessment framework?
Minimal. The framework is designed for resource-constrained environments. Typical evidence is collected from existing project management tools (issue trackers, version control systems, document repositories). No specialized assessment software is required. The standard provides spreadsheet-based checklists that VSEs can use for self-assessment.
Minimal. The framework is designed for resource-constrained environments. Typical evidence is collected from existing project management tools (issue trackers, version control systems, document repositories). No specialized assessment software is required. The standard provides spreadsheet-based checklists that VSEs can use for self-assessment.
