Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
ISO/IEC 29110-3-2: Conformance Framework for Very Small Entity Software Profiles
A comprehensive guide to ISO/IEC 29110-3-2 conformance assessment for Very Small Entity (VSE) software engineering profiles
1. Understanding ISO/IEC 29110-3-2 and the VSE Conformance Framework
ISO/IEC 29110-3-2 defines the conformance requirements for Very Small Entities (VSEs) implementing software engineering profiles as specified in the ISO/IEC 29110 series. A VSE is defined as an enterprise, organisation, department, or project with up to 25 people — a category that encompasses the vast majority of software development organisations worldwide. The 29110 series recognises that traditional software process standards (such as ISO/IEC 12207 or ISO/IEC 15288) are often too heavyweight for small teams, and therefore defines a set of progressively more capable profiles (Entry, Basic, Intermediate, Advanced) that VSEs can adopt incrementally. Part 3-2 establishes the conformance assessment framework that determines whether a VSE’s processes meet the requirements of a given profile.
For VSEs new to process standards, the Entry profile (Profile 1) is the recommended starting point. It requires only two processes: Project Management (PM) and Software Implementation (SI). Conformance to this profile typically requires 3-6 months of process deployment and can deliver immediate improvements in project visibility and delivery predictability.
The conformance framework defined in ISO/IEC 29110-3-2 is built upon three pillars: process outcomes, work products, and assessment methodology. Each profile specifies a set of process outcomes that must be demonstrably achieved. For example, the Basic profile (Profile 2) requires that the Software Implementation process demonstrate outcomes such as “software requirements are defined and agreed,” “software components are verified,” and “software is validated against customer requirements.” The conformance assessment examines objective evidence — documented work products, process records, and stakeholder interviews — to determine whether these outcomes are consistently achieved across the VSE’s projects.
A key innovation of ISO/IEC 29110-3-2 is its use of a tiered conformance model. Rather than a binary pass/fail assessment, the standard defines conformance levels that reflect the extent to which the VSE’s processes satisfy the profile requirements. This graduated approach allows VSEs to demonstrate progressive capability improvement over successive assessment cycles, which is particularly valuable when the entity is pursuing certification for procurement or regulatory purposes.
2. Conformance Requirements and Assessment Methodology
2.1 Process Outcomes and Work Products
ISO/IEC 29110-3-2 defines conformance requirements in terms of process outcomes rather than prescriptive procedures, giving VSEs the flexibility to implement processes that fit their specific context, culture, and project types. For each profile, the standard specifies a set of mandatory work products that provide objective evidence of process achievement. These include the Project Plan (defining scope, tasks, resources, and schedule), the Software Requirements Specification (capturing functional and non-functional requirements), the Verification Report (documenting testing results), and the Product Operation Guide (providing user and operational documentation). The conformance assessment examines these work products for completeness, consistency, and adherence to the format and content guidelines specified in the profile.
| Profile Level | Required Processes | Key Work Products | Typical Deployment Effort |
|---|---|---|---|
| Entry (Profile 1) | PM, SI | Project Plan, Requirements, Software, Test Results | 3-6 months |
| Basic (Profile 2) | PM, SI, Verification | + Verification Report, Traceability Matrix, User Guide | 6-12 months |
| Intermediate (Profile 3) | PM, SI, QA, Validation | + Quality Assurance Plan, Validation Results, Audit Records | 12-18 months |
| Advanced (Profile 4) | Full process set | + Organisational Process Assets, Measurement Repository | 18-36 months |
One common pitfall in VSE conformance assessments is the over-production of documentation. Remember that ISO/IEC 29110 explicitly values “just enough” process — work products should be fit for purpose and proportionate to project risk. A two-page Project Plan for a 2-week sprint is perfectly acceptable; a fifty-page plan is excess overhead that defeats the purpose of the VSE profile approach.
2.2 Assessment Methodology and Conformance Grades
The assessment methodology in ISO/IEC 29110-3-2 follows the principles of ISO/IEC 15504 (now ISO/IEC 33001 series) but is adapted for the VSE context. Assessments are performed by qualified assessors who review objective evidence, conduct interviews with project stakeholders, and evaluate the degree to which each process outcome is achieved. The standard defines four conformance grades: Full Conformance (all mandatory outcomes achieved), Substantial Conformance (most outcomes achieved with minor gaps), Partial Conformance (some outcomes achieved but significant gaps remain), and Non-Conformance (critical outcomes not achieved). This graded approach enables VSEs to receive recognition for their process achievements while identifying specific improvement areas.
VSEs that achieve ISO/IEC 29110-3-2 conformance often report significant business benefits beyond the certification itself. These include improved on-time delivery performance (typically 20-30% improvement), reduced defect rates in production (30-50% reduction), and enhanced customer confidence that translates into higher win rates for competitive bids.
3. Engineering and Organisational Insights for VSE Conformance
Implementing ISO/IEC 29110-3-2 conformance in a VSE requires a pragmatic, risk-based approach. Rather than attempting to deploy all processes simultaneously, successful VSEs typically adopt an iterative implementation strategy aligned with the profile progression. Start with the Entry profile to establish basic project management and software implementation disciplines. Once these are embedded in the team’s daily workflow, add the Basic profile’s verification and user documentation practices, followed by the quality assurance and validation practices of the Intermediate profile. This stepwise approach minimises disruption to ongoing project delivery and allows the team to internalise each set of practices before moving to the next.
A critical risk in VSE process implementation is treating conformance as a documentation exercise rather than a process improvement initiative. If the Project Plan is written after the project is complete, or the Verification Report is fabricated to satisfy the assessor, the VSE gains none of the business benefits of process discipline while incurring all of the overhead. Leadership commitment to genuine process adherence is non-negotiable for successful conformance.
Tooling can significantly reduce the overhead of maintaining conformance evidence. Many VSEs find that lightweight project management tools (such as Trello, Jira, or Redmine) can be configured to automatically generate work products in conformance with ISO/IEC 29110-3-2 requirements. For example, a Kanban board with appropriate custom fields can serve as both the Project Plan and the Status Tracking mechanism, eliminating the need for separate documentation while providing the objective evidence required for assessment. Similarly, version control systems (Git) with pull request templates can automate the capture of verification and validation evidence.
Finally, consider the human factors. Engineers in VSEs often wear multiple hats — developer, tester, project manager, support engineer — and process overhead is disproportionately burdensome when it falls on a small number of individuals. Successful VSEs distribute process responsibilities across the team and integrate process activities into the natural workflow rather than treating them as separate administrative tasks. This integration is the hallmark of a mature VSE process culture and is the ultimate goal of the ISO/IEC 29110 profile progression.
4. Frequently Asked Questions
Q: How does ISO/IEC 29110-3-2 differ from ISO/IEC 29110-3-1?
A: ISO/IEC 29110-3-1 provides a more general assessment and certification framework applicable across all VSE profiles and domains. ISO/IEC 29110-3-2 is the specialised conformance-focused companion that drills down into the specific conformance requirements, work product expectations, and assessment methodology for software engineering profiles. In practice, both documents are used together during a VSE assessment.
A: ISO/IEC 29110-3-1 provides a more general assessment and certification framework applicable across all VSE profiles and domains. ISO/IEC 29110-3-2 is the specialised conformance-focused companion that drills down into the specific conformance requirements, work product expectations, and assessment methodology for software engineering profiles. In practice, both documents are used together during a VSE assessment.
Q: Can a VSE claim conformance to multiple profiles simultaneously?
A: Yes. A VSE may be assessed as conformant to multiple profiles, typically starting with Entry or Basic and progressively adding higher-level profiles as its process capability matures. The assessment report will clearly identify which profiles the VSE conforms to, along with the conformance grade for each.
A: Yes. A VSE may be assessed as conformant to multiple profiles, typically starting with Entry or Basic and progressively adding higher-level profiles as its process capability matures. The assessment report will clearly identify which profiles the VSE conforms to, along with the conformance grade for each.
Q: How long does an ISO/IEC 29110-3-2 conformance assessment take?
A: For a typical VSE with 5-15 people, an Entry or Basic profile assessment takes 1-2 days of on-site (or remote) assessment activity, followed by 1-2 weeks for report preparation and quality assurance. The total elapsed time from application to certification decision is typically 4-8 weeks, depending on assessor availability and the completeness of the VSE’s process evidence.
A: For a typical VSE with 5-15 people, an Entry or Basic profile assessment takes 1-2 days of on-site (or remote) assessment activity, followed by 1-2 weeks for report preparation and quality assurance. The total elapsed time from application to certification decision is typically 4-8 weeks, depending on assessor availability and the completeness of the VSE’s process evidence.
Q: Is ISO/IEC 29110-3-2 applicable to non-software VSEs (e.g., systems engineering, service management)?
A: The standard is specifically scoped for software engineering profiles. ISO/IEC 29110 provides separate documents for systems engineering profiles (29110-3-3 for certification) and service management profiles. However, the conformance framework principles — outcomes-based assessment, graduated conformance grades, proportionate evidence — are broadly applicable and have been adapted for other domains.
A: The standard is specifically scoped for software engineering profiles. ISO/IEC 29110 provides separate documents for systems engineering profiles (29110-3-3 for certification) and service management profiles. However, the conformance framework principles — outcomes-based assessment, graduated conformance grades, proportionate evidence — are broadly applicable and have been adapted for other domains.
