ISO 22549-2:2020

INTERNATIONAL ISO
STANDARD 22549-2
First edition
2020-10
Automation systems and
integration — Assessment on
convergence of informatization
and industrialization for industrial
enterprises —
Part 2:
Maturity model and evaluation
methodology
Systèmes d'automatisation et d'intégration — Évaluation de la
convergence de l'informatisation et de l’industrialisation pour les
entreprises industrielles —
Partie 2: Modèle de maturité et méthodologie d'évaluation
Reference number
©
ISO 2020
© ISO 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2020 – All rights reserved

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 2
5 Maturity model . 2
6 Principles of evaluation questionnaires for ACII reference model components .3
6.1 General . 3
6.2 Activity of ACII reference model component for evaluation . 5
6.2.1 Infrastructure aspect assessment . 5
6.2.2 Domain application aspect assessment . 6
6.2.3 Comprehensive integration aspect assessment .11
6.2.4 Collaborative integration aspect assessment .12
7 Guidance for maturity evaluation method .12
Annex A (informative) Examples of evaluation questionnaires for ACII reference model
components .16
Bibliography .43
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/
iso/ foreword .html.
This document was prepared by Technical Committee ISO/TC 184, Automation systems and integration,
Subcommittee SC 05, Interoperability, integration, and architectures for enterprise systems and
automation applications.
A list of all parts in the ISO 22549 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
iv © ISO 2020 – All rights reserved

Introduction
Convergence of informatization and industrialization (CII) refers to a process that integrates information
technology into industrial production. The purpose of convergence is to improve productivity and
resource allocation by digital transformation.
This improvement consists of:
— increasing the integration of production and resource allocation (internally and with each other);
— making production and resource allocation more dynamic and responsive to external changes;
— optimizing production and resource allocation.
The purposes of this document include is to provide industrial enterprises guidance for:
— assessing the current situation of CII
— finding weakness within the CII
— identifying ways to improve CII
The intended users of this document can be grouped into the following categories:
— independent third-party, e.g. a consulting company or government department, that assesses the
maturity of CII;
— organization in charge of production management department, quality management department,
inventory management department, etc., which sponsors an assessment of itself or a subordinate
organization;
— any other enterprises who have interest in digital transformation.
INTERNATIONAL STANDARD ISO 22549-2:2020(E)
Automation systems and integration — Assessment on
convergence of informatization and industrialization for
industrial enterprises —
Part 2:
Maturity model and evaluation methodology
1 Scope
This document defines the maturity model and the evaluation methodology on convergence of
informatization and industrialization in industrial enterprises. The scope of this document includes the
following:
— maturity model definition;
— principles of evaluation questionnaires; and
— guidance for a maturity evaluation method.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 22549-1, Automation systems and integration — Assessment on convergence of informatization and
industrialization for industrial enterprises — Part 1: Framework and reference model
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 22549-1 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
maturity model
set of information that indicate the maturity of CII, its descriptive name and characteristics
3.2
maturity level indicator
maturity level
identified extent of measured effect within the maturity model (3.1)
Note 1 to entry: The extent of measured effect is divided into segments, referred to as levels, of increasing
competence to achieve enterprise objectives.
3.3
evaluation questionnaire
list of questions used to evaluate and determine the maturity level (3.2)
3.4
maturity evaluation
method for determining the maturity level (3.2) of an industrial enterprise using responses to the
evaluation questionnaire (3.3)
4 Abbreviated terms
ACII assessment on convergence of informatization and industrialization
BOM bill of material
CAD computer aided design
E-BOM engineering BOM
ECO engineering change order
EHS environment, safety and health
ERP enterprise resource planning
IT information technology
M-BOM manufacturing BOM
MES manufacturing execution system
PLM product lifecycle management
SPC statistical process control
WIP work in process
5 Maturity model
The maturity model consists of maturity levels where each level consists of a maturity level indicator,
descriptive name, and characteristics relevant to the desired assessment information as shown in
Table 1. These characteristics guide to create questions to evaluate maturity levels, which are given in
Annex as examples.
Table 1 — Maturity model definition
Maturity level Descriptive name Characteristics
indicator
Level 0 Unidentified Little or no systematic documentation available
Level 1 Identified Tracking and traceability of materials, data and etc.
Registration and management of data using information collec-
tion devices and systems
Level 2 Measured Real time data acquisition of materials, machinery, process and
human roles, and data integration
Measurement, aggregation, classification and management of
data using information collection devices and systems
Synchronous history of data for the same time, same lot and
same product
Level 3 Analysed Data analysis based on aggregated data for support of deci-
sion making
2 © ISO 2020 – All rights reserved

Table 1 (continued)
Maturity level Descriptive name Characteristics
indicator
Level 4 Optimized Optimized automation of processes throughout the intra-enter-
prise and/or the inter-enterprises
Level 5 Autonomous Self-diagnosis and self-healing through cyber-physical system
(CPS), Internet of Things (IoT), artificial intelligence (AI), etc.
Flexible production of customized products through autono-
mous control
NOTE Because maturity level 0 is the same for every questionnaire table, level 0 is not included in the
separate tables.
Each maturity level is inclusive of the lower maturity levels (see Figure 1), such that the higher maturity
level also includes all the characteristics of the lower levels.
Figure 1 — Maturity level (inclusive)
Assessment of maturity level is done by evaluating assessment on convergence of informatization and
industrialization (ACII) reference model components based on the answers to the evaluation questions.
6 Principles of evaluation questionnaires for ACII reference model components
6.1 General
Figure 2 presents assessment reference model defined in ISO 22549-1. Four aspects are grouped by the
blue-dotted line which twenty-four subordinate components to four aspects are grouped by the red-
dotted line.
Key
aspect
component
informational object
Figure 2 — Assessment reference model (aspect and its subordinate component)
In general, each ACII reference model component consists of one or more activities, for example, product
design requires commodity planning, design automation, bill of material (BOM)/Parts management,
engineering change management, etc.
For ACII, each ACII reference model component has to be evaluated in the level of its activities, and each
activity has a set of questions to answer for each maturity level. Question answers shall be “YES” or “NO.”
Evaluation of maturity level using questionnaires is well-known and a common way, since it is easy to
make answers to the given questions and evaluate the maturity level based on the answers.
Table 2 shows the structure of questions for evaluation.
Table 2 — Structure of question for maturity evaluation
Activity Question Maturity level indicator
Activity name 1 Questions for maturity level 1. 1
Questions for maturity level 2. 2
Questions for maturity level 3. 3
Questions for maturity level 4. 4
Questions for maturity level 5. 5
4 © ISO 2020 – All rights reserved

Table 2 (continued)
Activity Question Maturity level indicator
Activity name 2 Questions for maturity level 1. 1
Questions for maturity level 2. 2
Questions for maturity level 3. 3
Questions for maturity level 4. 4
Questions for maturity level 5. 5
Activity name… Questions for maturity level 1. 1
Questions for maturity level 2. 2
Questions for maturity level 3. 3
Questions for maturity level 4. 4
Questions for maturity level 5. 5
Activity name N Questions for maturity level 1. 1
Questions for maturity level 2. 2
Questions for maturity level 3. 3
Questions for maturity level 4. 4
Questions for maturity level 5. 5
— Activity:
Activity of ACII reference model component.
This document specifies a number of activities to be evaluated for each ACII reference model
component.
— Question:
Questions to assess maturity level satisfaction, and the answer shall be “YES” or “NO”.
All questions in all activities in a given level need to be evaluated and all must be “YES” to proceed
to the next level questions by applying guidance for maturity evaluation method given in 7.
Annex A gives examples of a whole set of questions for all ACII reference model components.
— Maturity level indicator:
Maturity level used for maturity evaluation.
6.2 Activity of ACII reference model component for evaluation
6.2.1 Infrastructure aspect assessment
6.2.1.1 Capital investment
Capital investment should be evaluated in terms of construction of automation and informatization,
operation and maintenance of the information system as shown in Table 3.
Table 3 — Activity of capital investment for evaluation
Activity Description
Capital investment Investment to the IT equipment and systems
6.2.1.2 Organization and planning
Organization and planning should be evaluated in terms of team of personnel, establishment of the
organization, authority and defining of strategy related to the field of automation and informatization
as shown in Table 4.
Table 4 — Activity of organization and planning for evaluation
Activity Description
Organization and planning Team, organization, authority and strategy for automation and
informatization
6.2.1.3 Equipment and facilities management
Equipment and facilities management should be evaluated in terms of management of information
equipment and facilities, industrial equipment and facilities as shown in Table 5.
Table 5 — Activity of equipment and facilities management for evaluation
Activity Description
Equipment and facilities management Management of information and industrial equipment and
facilities
6.2.1.4 Information resources management
Information resources management should be evaluated in terms of construction of the information
resources as shown in Table 6.
Table 6 — Activity of information resources management for evaluation
Activity Description
Information resources management Collection, standardization, accumulation, integration, analysis,
and management of information resources
6.2.1.5 Information security management
Information security management should be evaluated in terms of protection of information security
as shown in Table 7.
Table 7 — Activity of information security management for evaluation
Activity Description
Computer and network security management Implementation of protection of computer and networking
security
System and application security management Implementation of protection of system security, application
security and construction of the prevention mechanism
6.2.2 Domain application aspect assessment
6.2.2.1 Product design
Product design should be evaluated in terms of digitalized model of the product, digital examination,
comprehensive design and optimization, and intelligent design of a product as shown in Table 8.
6 © ISO 2020 – All rights reserved

Table 8 — Activity of product design for evaluation
Activity Description
Design environment analysis Analysis of IT environment for product design to collect and
analyse product design information
Product planning Process of identifying and articulating market requirements
that define a product's feature set such as creation of a product
idea, price, distribution and promotion, etc
Design automation Use of designing software systems and smart connected technol-
ogy for design such as computer aided design (CAD), computer
aided engineering (CAE), augmented reality and virtual reality
BOM/parts management Management of both engineering BOM (E-BOM) and manufac-
turing BOM (M-BOM) using IT systems
Engineering change management Management of both engineering change order (ECO) and engi-
neering change request (ECR) using IT systems
Prototyping Use of IT systems and applications for prototyping and its
validation
Advance quality management Quality management of product in prototyping stage
6.2.2.2 Process design
Process design should be evaluated in terms of design of process flow or planning, analysis of dynamic
simulation, process control and parameter optimization and integrated process design as shown in
Table 9.
Table 9 — Activity of process design for evaluation
Activity Description
Process design Use of IT systems and applications for supporting design of
process flow or planning, analysis of dynamic simulation,
process control and parameter optimization and integrated
process design
6.2.2.3 Production management
Production management should be evaluated in terms of production planning and scheduling,
production management, material requirement planning, distribution management, and outsource
planning and management as shown in Table 10.
Table 10 — Activity of production management for evaluation
Activity Description
Master production scheduling Use of IT systems and applications for scheduling master pro-
duction, and optimization and customization
Work in process (WIP) management Use of IT systems and applications for managing work-in-process
Monitoring and control Use of IT systems and applications for monitoring and con-
trolling production
Process control Use of IT systems and applications for automatic process control,
and optimization and customization
Process analysis and enhancement Use of IT systems and applications for process analysis and
enhancement
6.2.2.4 Materials management
Material management should be evaluated in terms of purchasing, inbound logistics, and management
of suppliers in the materials management of product as well as the e-commerce purchasing as shown in
Table 11.
Table 11 — Activity of materials management for evaluation
Activity Description
Material order Use of IT systems and applications for integrated material order
with master production schedule, BOM and inventory status, etc
Material receipt Use of IT systems and applications for management of received
material
Warehouse management Use of IT systems and applications for managing warehouse and
optimization
Weighing management Use of IT systems and applications for weighing management,
and automatic calibration
Material release and process input Use of IT systems and applications for material release and pro-
cess input, and integration with production control system
6.2.2.5 Sales management
Sales management should be evaluated in terms of management of sales, management of the inventory
of finished products, logistics distribution, after-sales services and management of suppliers in the
sales management of the product as well as the e-commerce sale as shown in Table 12.
Table 12 — Activity of sales management for evaluation
Activity Description
Demand forecasting Use of IT systems and applications for supporting integrated de-
mand forecasting with other system such as enterprise resource
planning (ERP), manufacturing execution system (MES), prod-
uct lifecycle management (PLM) and supply chain management
(SCM), and its analysis
Delivery to promise Use of IT systems and applications for delivery promise in con-
junction with production plan
Order management Use of IT systems and applications for managing order and stra-
tegic decision making based on contract information and cost
information
Shipment management Use of IT systems and applications for supporting shipment man-
agement and its optimization
6.2.2.6 Financial management
Financial management should be evaluated in terms of accounting management, capital management,
accounting statement and analysis, cost management and financial budgeting management as shown in
Table 13.
Table 13 — Activity of financial management for evaluation
Activity Description
Budget management Use of IT systems and applications for budget management and
its optimization
Accounting management Use of IT systems and applications for accounting management
and its optimization
8 © ISO 2020 – All rights reserved

6.2.2.7 Security management
Security management should be evaluated in terms of information technology construction and
application of security management, emergency response for the forecast and early warning about
major sources of hazard as shown in Table 14.
Table 14 — Activity of security management for evaluation
Activity Description
Physical protection and regulation manage- Use of IT systems and applications for physical protection and
ment regulation management
Risk management Use of IT systems and applications for risk management
Infringement response management Use of IT systems and applications for infringement response
management
6.2.2.8 Project management
Project management should be evaluated in terms of research and manufacturing of product, project
planning, project design, etc as shown in Table 15.
Table 15 — Activity of project management for evaluation
Activity Description
Project management Use of IT systems and applications for project management includ-
ing analysis of project performance and prediction of future plans
6.2.2.9 Maintenance management
Maintenance management should be evaluated in terms of management of the equipment maintenance
using IT as shown in Table 16.
Table 16 — Activity of maintenance management for evaluation
Activity Description
Equipment maintenance Use of IT systems and applications for supporting equipment
maintenance including monitoring, preventive maintenance,
automatic update of facilities, etc
Jigs and tools management Use of IT systems and applications for managing jigs and tools
for support of locating and customizing design of jigs and tool
Spare parts management Use of IT systems and applications for managing spare parts
supporting locating, lifetime management and guaranteeing
safety stock of spare parts
Mould management Use of IT systems and applications for mould management pro-
viding monitoring, locating and lifetime management, etc
6.2.2.10 Human resource management
Human resource management should be evaluated in terms of management of human resource planning
and recruiting, training and development of the human resources, emoluments, benefits, achievement
and employee relationship as shown in Table 17.
Table 17 — Activity of human resource management for evaluation
Activity Description
Human information management Use of IT systems and applications for promotion, and support-
ing of collaboration of personnel, etc
Table 17 (continued)
Activity Description
Payroll management Use of IT systems and applications for payroll management
Performance management Use of IT systems and applications for managing the perfor-
mance of personnel
Competency management Use of IT systems and applications for competency management
such as qualification evaluation and training, etc
Recruiting management Use of IT systems and applications for supporting recruit and its
management
6.2.2.11 Document management
Document management should be evaluated in terms of management of the documents collected from
the enterprise as shown in Table 18.
Table 18 — Activity of document management for evaluation
Activity Description
Document management Use of IT systems and applications for managing the documents
6.2.2.12 Quality management
Quality management should be evaluated in terms of assurance of proper product quality as shown in
Table 19.
Table 19 — Activity of quality management for evaluation
Activity Description
Inspection and quality analysis Use of IT systems and applications to support inspection and
quality analysis
Experiment management Use of IT systems and applications to manage experiment such
as experimental data management and experimental data asso-
ciation with the real time in-house system
6.2.2.13 Environment, Health and Safety (EHS) management
EHS management should be evaluated in terms of providing healthy, safe and sustainable manufacturing
environments as shown in Table 20.
Table 20 — Activity of EHS management for evaluation
Activity Description
Environment management Use of IT systems and applications to manage environment in-
formation and control environmental risks, etc
Health management Use of IT systems and applications to manage employees’
health data
Safety management Use of IT systems and applications to support safety management
6.2.2.14 Energy management
Energy management should be evaluated in terms of assuring low energy consumption as shown in
Table 21.
10 © ISO 2020 – All rights reserved

Table 21 — Activity of energy management for evaluation
Activity Description
Energy-saving management Use of IT systems and applications to manage energy consumption
6.2.3 Comprehensive integration aspect assessment
6.2.3.1 Product design and manufacturing integration
Product design and manufacturing integration should be evaluated in terms of the bidirectional flow of
information between research and design, and manufacturing of product, such as data definition, data
exchange and management of product specification as shown in Table 22.
Table 22 — Activity of product design and manufacturing integration for evaluation
Activity Description
Exchange of process information between Use of IT systems and applications to exchange and integrate
design and production information between design process and production process
Exchange of material information between Use of IT systems and applications to exchange and integration
design and production information of material between design process and produc-
tion process
6.2.3.2 Production management and control integration
Production management and control integration should be evaluated in terms of the integration
between operation management, manufacturing execution of the plant and process control of the
manufacturing enterprises as shown in Table 23.
Table 23 — Activity of production management and control integration for evaluation
Activity Description
Routing management and dispatching Use of IT systems and applications to support routing manage-
ment and dispatching
Recipe management Use of IT systems and applications to manage recipe supporting
item-specific process or facility control
Resource allocation Use of IT systems and applications to allocate manufacturing
resources and its optimization
6.2.3.3 Production, supply and marketing integration
Production, supply and marketing integration should be evaluated in terms of the integration of
production, supply and marketing such as production according to the order, optimization of production
arrangement and dynamic scheduling, integrated operation of the supply chains and the traceability on
the entire process of product quality as shown in Table 24.
Table 24 — Activity of production, supply and marketing integration for evaluation
Activity Description
Logistics management Use of IT systems and applications to support real time logistics
information management
Sales management Use of IT systems and applications to manage sales information
and integrate it with production system
6.2.3.4 Operation decision support
Operation decision support should be evaluated in terms of the analysis of business information,
knowledge mining and accumulation, business decision of the enterprises, building of the credibility of
enterprises and risk management and control as shown in Table 25.
Table 25 — Activity of operation decision support for evaluation
Activity Description
Decision support system management Use of IT systems and applications to support decision making
based on the real time analysis of company operation
6.2.4 Collaborative integration aspect assessment
Collaborative integration should be evaluated in terms of the convergence of information, resources,
businesses and marketing between different enterprises as shown in Table 26.
Table 26 — Activity of collaborative integration for evaluation
Activity Description
Planned-order collaboration Use of IT systems and applications to support planned-order col-
(partner’s perspective) laboration from partner’s perspective, such as support of coop-
eration to guarantee delivery commitment based on customer's
production plan in conjunction with all the customers' system
Procurement collaboration Use of IT systems and applications to support procurement
(customer’s perspective) collaboration from customer’s perspective such as checking the
production status, process status, and logistics status of partner
company in real time and manage the risks
Production collaboration Use of IT systems and applications to support production
collaboration from partner’s perspective such as providing the
(partner’s perspective)
customer with statistical process control (SPC) data acquired
from the machinery and processes in real time
Development collaboration Use of IT systems and applications to support development
collaboration such as sharing and verifying the development in-
formation in stages and carrying out mass production approval
7 Guidance for maturity evaluation method
Stakeholders for maturity evaluation are enterprises that wish to assess their level of CII, therefore
they shall answer to evaluation questionnaires.
Maturity evaluation shall be conducted by assessing the maturity of each activity of each component.
The principle of assessment is to guide enterprises to assess the current situation of CII, to find the
weakness, and to set up the milestone for improving CII.
The basic rule for assessment is that maturity evaluation shall be conducted on the activities of ACII
reference model components resulting maturity level of the activities. This shall not derive any overall
maturity level of each ACII reference model component, overall maturity level of four aspects and finally
overall maturity level of an enterprise either.
However, it might be necessary to use a mechanism for averaging maturity level or weighing the
importance of each activity to overall assessment. It is dependent on the situation of the enterprise
conducting assessment, therefore this document does not define that kind of mechanism.
A maturity evaluation method is illustrated in Figure 3 and shall start at the Level 1 questions.
12 © ISO 2020 – All rights reserved

Figure 3 — Maturity level evaluation method
1) If all answers of the Level 1 questions are YES,
— then shall proceed to the Level 2 questions
— otherwise, maturity shall be Level 0
2) If all answers of the Level 2 questions are YES,
— then shall proceed to the Level 3 questions
— otherwise, maturity shall be Level 1
3) If all answers of the Level 3 questions are YES,
— then shall proceed to the Level 4 questions
— otherwise, maturity shall be Level 2
4) If all answers of the Level 4 questions are YES,
— then shall proceed to the Level 5 questions
— otherwise, maturity shall be Level 3
5) If all answers of the Level 5 questions are YES,
— then maturity Level shall be 5
— otherwise, maturity shall be Level 4
As described above, the principle of assessment is to guide an enterprise to assess the current situation
of CII, to find the weakness, and to identify ways to improve CII. Therefore, it may be beneficial to
visualize the result of evaluation. The use of spider charts is an appropriate means of displaying the
relative maturity without mathematically manipulating the evaluation result.
Figure 4 illustrates an example of maturity evaluation result with a spider chart.
Key
maturity level
Figure 4 — EXAMPLE: Maturity evaluation on activities of production design component —
strength
In Figure 4, it has a relatively high level of maturity in engineering change management and design
automation.
On the other hand, Figure 5 illustrates an example of a relatively low level of maturity in recruiting
management. Through this evaluation and visualizing the result, an assessing enterprise can easily
find the weakness, and identify ways of improvement.
14 © ISO 2020 – All rights reserved

Key
maturity level
Figure 5 — EXAMPLE: Maturity evaluation on activities of human resource management
component — weakness
Annex A
(informative)
Examples of evaluation questionnaires for ACII reference model
components
A.1 Infrastructure aspect assessment
A.1.1 Capital investment
For evaluation of capital investment, questions in Table A.1 can be answered.
Table A.1 — Questions for assessment of capital investment
Activity Questions Maturity level indicator
Capital — Do you invest in IT equipment? 1
investment
— Do you register the invested IT equipment to the systems?
— Do you make an IT investment plan? 2
— Do you carry out maturity Level 1 according to the plan?
— Do you have a system to provide IT investment plan 3
automatically?
— Do you have a system to help investing IT equipment, for 4
example, optimal time and prices?
— Do you have a system for evaluating the performance 5
against the IT investment plan and make improvements to
the planning process?
A.1.2 Organization and planning
For evaluation of organization and planning, questions in Table A.2 can be answered.
16 © ISO 2020 – All rights reserved

Table A.2 — Questions for assessment of organization and planning
Activity Questions Maturity level
indicator
Organization — Do you assign and register personnel when an IT job 1
and planning becomes available?
— Do you establish IT job standards? 2
— Do you assign and categorize personnel according to the
standards?
— Do you establish IT job standards with review and 3
approval?
— Do you establish a human resource growth roadmap with
review and approval?
— Do you place personnel according to the standards and the
roadmap?
— Do you circulate personnel to different roles according to
the standards and the roadmap?
— Do you train personnel according to the standards and the
roadmap?
— Do you evaluate the result of maturity Level 3? 4
— Do you continuously improve the IT job standards? 5
— Do you continuously improve the human resource growth
roadmap?
— Do you continuously improve the placement of personnel?
— Do you continuously improve the circulation of personnel?
— Do you continuously improve the training of personnel?
A.1.3 Equipment and facilities management
For evaluation of equipment and facilities, questions in Table A.3 can be answered.
Table A.3 — Questions for assessment of equipment and facilities management
Activity Questions Maturity level
indicator
Equipment and — Do you have the documented processes in place to register 1
facilities IT HW and IT SW in an equipment master registry?
— Do you make an inspection plan? 2
— Do you execute the inspection plan?
— Do you review the inspection plan? 3
— Do you approve the inspection plan?
— Do you execute the inspection plan?
— Do you make a retirement and replacement plan? 4
— Do you execute the retirement and replacement plan?
— Do you evaluate IT H/W, IS S/W and related equipment?
— Do you have a system in place for evaluating inspection 5
and retirement and replacement plans and for making
improvements to the plans?
A.1.4 Information resources management
For evaluation of information resources management, questions in Table A.4 can be answered.
Table A.4 — Questions for assessment of information resources
Activity Questions Maturity level
indicator
Information — Do you collect the necessary data from unit system, online, 1
resources etc., for business use?
— Do you standardize the collected data according to business 2
rules to guarantee data quality for business use?
— Do you accumulate the standardized data on both an event- 3
by-event basis and time-driven basis for business use?
— Do you have systems in place to provide useful information, 4
present conclusions, and build and use decision support
systems through inspecting, organizing, transforming, and
modelling enterprise data?
— Do you have a system in place to evaluate and improve 5
management, standardization, and integration of
information resources?
A.1.5 Information security management
For evaluation of information security management, questions in Table A.5 can be answered.
18 © ISO 2020 – All rights reserved

Table A.5 — Questions for assessment of information security management
Activity Questions Maturity level
indicator
Computer and — Do you manage the list of assets such as network, major asset list, 1
network security configuration diagram, IP status?
— Do you use access control according to services, user groups, 2
information asset importance?
— Do you have an intrusion prevention system according to services,
user groups, information asset importance?
— Do you conduct periodic inspections using server vulnerability
analysis tools or security systems?
— Do you operate anti-malware solutions mainly for business PCs?
— Do you separate the network area logically? 3
— Do you use access control using intrusion blocking system and
VPN system?
— Do you monitor the operation status of your wireless network and
internal network assets?
— Do you operate a vulnerability check tool or system?
— Do you operate a malicious code prevention solution in important
information systems?
— Do you operate an automatic patching solution in important
information systems?
— Do you use access control using mobile network access control? 4
— Do you operate a blocking system such as unauthorized wireless
network?
— Do you manage server vulnerability patch automation tool?
— Do you operate an anomalous symptom monitoring system to 5
detect abnormal conditions such as network connection of illegal
terminals that occur during network operation?
— Do you test the patches for system availability before automatic
patching server vulnerabilities?
— Do you operate a system to establish security measures in
conjunction with analysis of anomalies by malicious code?
Table A.5 (continued)
Activity Questions Maturity level
indicator
System and — Do you set a password for a personal computer? 1
application
— Do you have management systems for server, application, user 2
security
account and access rights of the data base?
— Do you operate a unit security solution such as password program
mainly for personal business PC?
— Do you monitor operating status of information system related 3
assets such as hardware, operating system, commercial software
package, etc?
— Do you use cryptographic programs such as DB encryption
systems to protect important data?
— Do you have an associated system enforcing authentication other 4
than password authentication separately?
— Do you have an associated system monitoring the server,
applications, and any anomalies that occur during database
operation?
— Do you use automated tools to manage information system 5
assets such as hardware, operating system, commercial software
packages, etc?
— Do you measure the performance and security impact of asset
changes?
— Do you analyse the result of monitoring?
— Do you apply the result of analysis to the establishment of the next
security measures?
A.2 Domain application aspect assessment
A.2.1 Product design
For evaluation of product design, questions in Table A.6 can be answered.
Table A.6 — Questions for assessment of product design
Activity Questions Maturity level
indicator
Design — Do you register information for product planning to the 1
environment system, for example, markets, customers, and competitors?
analysis
— Do you manually analyse the collected information? 2
— Do you register the result to the system?
— Do you analyse the collected information using specialized 3
analysis tools, e.g., statistical analysis, etc?
— Do you have a system that supports internal step-by-step 4
process and reflects them in decision making based on the
results of the environmental analysis?
— Do you have a system that shares the latest product 5
roadmaps and the latest technology roadmaps, and
maintains the
...