ISO/IEC TS 19770-10:2025

Technical
Specification
ISO/IEC TS
19770-10
First edition
Information technology — IT asset
2025-06
management —
Part 10:
Guidance for implementing ITAM
Technologies de l'information — Gestion des actifs
informatiques —
Partie 10: Recommandations pour la mise en œuvre de l'ITAM
Reference number
© ISO/IEC 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2025 – All rights reserved
ii
Contents Page
Foreword .vi
Introduction .vii
1 Scope . 1
2 Normative references . 2
3 Terms and definitions . 2
4 Possible terminology issues . 5
5 The ever-evolving world of ITAM . 6
6 Negative mindset issues for implementing IT asset management . 8
7 Selling the value of IT asset management .11
7.1 Building the business case .11
7.2 Alignment to key stakeholders . 12
7.3 Visibly maintaining value for the organization . 13
8 Approaches to implementing IT asset management . 14
8.1 Evaluation of current vs desired state .14
8.2 Big bang vs incremental .16
8.3 Waterfall vs adaptive approaches .16
8.4 Strategic decisions concerning mix of do-it-yourself and consultant-assisted .17
8.5 Strategic technology platform decisions .17
8.6 Where to start with implementation .18
9 Implementation scenarios . 19
9.1 General .19
9.2 The impact of the evolution of the organization’s other management systems . 20
9.3 Organizational scenarios . 22
9.3.1 General . 22
9.3.2 Culture and level of management support . 22
9.3.3 Degree of centralization or decentralization . 23
9.3.4 Size and complexity of organization .24
9.3.5 General legal requirements and international presence . 25
9.3.6 Industry verticals . 26
9.3.7 Departmental ITAM issues .27
9.3.8 New organizational models such as product-based using agile/DevOps . 28
9.3.9 ITAM system scope. 29
9.3.10 Other frameworks being used within the organization . 30
9.3.11 Outsourcing and services .31
9.3.12 Stakeholder engagement and management.32
9.4 ITAM technology scenarios . 33
9.4.1 General . 33
9.4.2 Technology risk overview . 33
9.4.3 Technology opportunity overview . 34
9.4.4 Emerging technologies. 36
9.4.5 Technology scenario examples .37
9.5 Change scenarios .45
9.5.1 General .45
9.5.2 Changed business models .45
9.5.3 Changed market conditions . . 46
9.5.4 Mergers, acquisitions and divestitures .47
9.5.5 Changes to the IT operating model .47
9.5.6 Technology migration . 48
9.5.7 Major integration with security and/or service management . 49
10 Management system processes .50
10.1 General . 50

© ISO/IEC 2025 – All rights reserved
iii
10.2 Understanding the external context and stakeholder needs . 50
10.3 Leadership, policy and organization . 50
10.3.1 Leadership. 50
10.3.2 Policy .51
10.3.3 Organizational roles, responsibilities and authorities .52
10.3.4 Mixed responsibilities between the organization and its personnel . 53
10.4 Establishing and maintaining the management system . 53
10.4.1 Scoping . 53
10.4.2 Information requirements . 55
10.4.3 Documented information . 56
10.4.4 Implementation .57
10.5 Planning (including risk assessment) .57
10.5.1 Actions to address risks and opportunities for the IT asset management system .57
10.5.2 IT asset management objectives and planning to achieve them . 58
10.6 Supporting management system processes . 58
10.6.1 Resources . 58
10.6.2 Competence . 60
10.6.3 Awareness .61
10.6.4 Communication.62
10.7 Executing functional and lifecycle processes .62
10.8 Performance evaluation and improvement . 64
11 Functional management processes .66
11.1 General . 66
11.2 Change management . 66
11.3 License management . 68
11.4 Security management . 69
11.5 Relationship and contract management .70
11.6 Financial management . 72
11.7 Service level management .74
11.8 Other risk management . 75
12 Life cycle processes . 76
12.1 General .76
12.2 Specification .76
12.3 Acquisition . 78
12.4 Development . 79
12.5 Release . 80
12.6 Deployment . 82
12.7 Operation . 82
12.8 Retirement . . 83
13 ITAM data .86
13.1 General . 86
13.2 Data governance . 87
13.3 Data management roles and data ownership . 87
13.4 Data model. 90
13.5 Data model management .91
13.6 Process integrations .91
13.7 Database and systems integration . 92
13.8 Data validation . 94
13.9 Data lifecycle management . . 94
14 Special topics .95
14.1 Assessments . . 95
14.2 Sustainability . 96
14.3 Tool and technology selection . 97
14.4 Roles and responsibilities . 99
14.5 Dimensions for analysis and planning . 100
14.6 Interfaces for analysis and planning . 101
14.7 Sources of additional guidance . 101

© ISO/IEC 2025 – All rights reserved
iv
Annex A (informative) Expected levels of ITAM understanding .103
Annex B (informative) Overview of ISO/IEC 19770-1:2017 .109
Annex C (informative) Overview of related standards .116
Annex D (informative) Checklists .119
Annex E (informative) Basic improvement implementation plan .122
Annex F (informative) Asset lifecycle stage suggestions . 124
Annex G (informative) Documented information references in ISO/IEC 19770-1:2017 .126
Annex H (informative) Metrics . 128
Annex I (informative) OTAM and ITAM .132
Annex J (informative) Cross-references with ISO ITAM . 134
Bibliography .143

© ISO/IEC 2025 – All rights reserved
v
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/
IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC1, Information technology,
Subcommittee SC7, Software and system engineering.
A list of all parts in the ISO/IEC 19770 series can be found on the ISO and IEC website.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

© ISO/IEC 2025 – All rights reserved
vi
Introduction
0.1  Purpose
The purpose of this document is to provide guidance for implementing an information technology asset
management (ITAM) system, meeting current market demand (determined by a survey and subsequent
validation activities). The guidance given in this document is aligned with the requirements for IT asset
management systems in ISO/IEC 19770-1.
In this document, the term ITAM by itself is used in a generic sense applicable to all ITAM implementations.
The term ISO ITAM is used to describe an ITAM implementation which fully conforms to ISO/IEC 19770-1.
This document is intended to address the most important needs of the majority of ITAM practitioners, but it
cannot be fully comprehensive for all situations.
Because this document provides guidance, it does not specify any requirements itself. However, it cites
requirements or external constraints in some cases, for example:
— where requirements from ISO/IEC 19770-1 are being cited or discussed;
— where requirements of the organization or its stakeholders are being discussed, or where suggestions
are made for how users can specify mandatory requirements of their own, e.g. for use within their own
organizations or for requests for proposal (RFPs).
— where requirements of the ITAM system are being discussed, as determined by the organization or by its
environment.
0.2  Target audience
The primary audience for this document is organizations that want to improve their ITAM. It is assumed that
this audience has a basic knowledge of ITAM and of ISO/IEC 19770-1. This document is focused on guidance
for making incremental improvements to an organization's ITAM. Organizations wishing to conform to
ISO/IEC 19770-1 are a secondary target audience for this document. However, the content and structure of
this document are determined primarily by the needs of ITAM improvers.
For organizations looking for the simplest possible approach to improving their IT asset management
system, Annex E should be followed.
For organizations able to fully analyse their environment and requirements, which is the primary target
audience of this document, all the guidance in this document should be followed.
For the sake of clarity, it can be helpful to identify certain audiences that are not targeted by this document.
These are:
— organizations that are effectively beginners in ITAM;
— organizations that are not directly implementing ITAM for their own use; while such organizations can
benefit from the guidance, this document does not address specific issues unique to their requirements,
for example:
— software publishers;
— ITAM tool and technology vendors;
— ITAM managed service providers.
0.3  Related documents
Users of this document should also have copies of ISO/IEC 19770-1 and ISO/IEC 19770-5.
— ISO/IEC 19770-1: Given the close alignment of this document to ISO/IEC 19770-1 and to avoid the
repetition of large sections of content from ISO/IEC 19770-1, this document assumes that it is being used
together with ISO/IEC 19770-1.

© ISO/IEC 2025 – All rights reserved
vii
— ISO/IEC 19770-5: ISO/IEC 19770-5 is part of the expected base level of understanding for using this
document, providing an overview of ITAM and ISO ITAM, and also providing definitions for many of the
terms used in this document.
0.4  Expected base level of understanding
A base level of understanding is expected in order to use this document. See Annex A for a detailed
explanation of what is expected as a base level of understanding.
0.5  Mature ITAM and ISO ITAM
0.5.1 Benefits of mature ITAM compared to ISO ITAM
ISO/IEC 19770-5 includes a description of the benefits which can be obtained by implementing
ISO/IEC 19770-1, i.e. conforming to ISO/IEC 19770-1, which is referred to in this document as ISO ITAM.
However, ITAM can be implemented to achieve many of these benefits without meeting the full requirements
of ISO ITAM. This document refers to an effective implementation of ITAM which does not meet the full
requirements of ISO ITAM, as mature ITAM. The discussion below differentiates those benefits which can
be obtained from mature ITAM, from those further benefits which can be obtained from ISO ITAM. See the
detailed discussion of these different types of benefits in ISO/IEC 19770-5.
The benefits listed in ISO/IEC 19770-5 which can be achieved in large part by mature ITAM, i.e. by an
effective implementation of ITAM, and which however does not meet the full requirements of ISO ITAM, are:
— cost optimization;
— time and efficiency savings;
— enhanced security;
— software license compliance;
— agility;
— risk management;
— facilitating mergers/acquisitions/divestitures;
— facilitating internal organizational changes;
— improved position with vendors, for contract negotiations and license compliance audits, and for
proactive vendor management;
— improved management information;
— improved interoperability;
— facilitation of sustainability improvements;
— increased IT asset utilization and value.
The benefits listed in ISO/IEC 19770-5 which are more directly related to implementing ISO ITAM, i.e. fully
meeting the requirements of ISO/IEC 19770-1, are:
— demonstrating good governance;
— enforcing trustworthy data;
— enforced linking to corporate objectives;
— strong coordination with other ISO systems such as information security;
— improved credibility with board-level decision-makers;
— reduced likelihood of license compliance audits from vendors;

© ISO/IEC 2025 – All rights reserved
viii
— support of benchmarking to other organizations.
0.5.2  Common misunderstandings about mature ITAM
Mature ITAM is frequently misunderstood. The following are some of the common misunderstandings.
— It’s all about license compliance. Wrong. License management is included in the scope of generic ITAM,
which should result in license compliance. However, ITAM is much more in scope and benefits e.g. cost
savings, risk mitigation, better management information, and competitive advantage. See 0.5.1 for
benefits of mature ITAM compared to ISO ITAM.
— ITAM is a cost centre, i.e. a specific unit. Wrong. While there can be a unit with the label “ITAM”, The
ITAM system (ITAMS) should be implemented throughout the organization, e.g. to provide reliable and
trustworthy data, plus the identification and mitigation of risks, and the identification of cost-saving
opportunities.
— ITAM is the responsibility of the ITAM manager. Wrong. The ITAM manager has some of the responsibility
for ITAM, but ITAM is an integrated discipline, requiring participation by management and many other
areas of the organization, as well as external parties (e.g. service providers). The ITAM manager may not
be accountable or responsible for many of the aspects related to ITAM, but may need to provide input to
or influence related practices in support of the organization's ITAM objectives.
0.5.3  Common misunderstandings about ISO ITAM
There are also misunderstandings about ISO ITAM. ISO ITAM goes beyond mature ITAM. As explained in
0.5.1, ISO ITAM additionally indicates conformity to ISO/IEC 19770-1. The following are some of the common
misunderstandings about ISO ITAM.
— ISO ITAM is costly and time-consuming to implement. Compared to what? With the right frameworks
and technologies, organizations will significantly reduce the time and resource normally associated
with implementation and be able to concentrate on the important practices needed for early success.
— ISO ITAM is only about processes. Wrong. ISO ITAM ensures that all dimensions of the management
system work together to achieve desired ITAM outcomes; see 14.5.
— ISO ITAM is a single process. Wrong. ISO ITAM defines a management system which governs how a
collection of processes support desired ITAM outcomes. The processes that contribute to ISO ITAM are
performed throughout the IT asset lifecycle within IT and the organization, many of which ITAM does
not own, but should influence to meet ITAM’s requirements.
— Only processes which are to be certified need to be implemented; tiers dictate the process implementation
sequence. Wrong. What is certified does not limit what is implemented. For any certification, all processes
in the main body of ISO/IEC 19770-1 (including ITAM Tier 1 processes) have to be implemented. However,
it is not credible that these would be the only ITAM-specific processes implemented. In general, most of
the additional processes from ISO/IEC 19770-1:2017, Annex A will be implemented by any organization,
formally or informally, regardless of whether they wish to obtain certification or not, and additional
ones not defined there can also be implemented. The main process which some organizations will not
implement formally is possibly “development”. The concept of tiers is related only to certifications,
and not to implementations. Tiers are merely recommended groupings of processes for certification.
As such, they may be used for determining priorities of which processes to review and improve, in
preparation for such certifications. But the organization can choose which additional processes from
ISO/IEC 19770-1:2017, Annex A to include in a certification, irrespective of the tier definitions. See also
Annex B.
0.6 Types of assets
The organization determines to which of its IT assets this document applies. For example, it can be applied
to not only IT hardware but also to executable software (such as application programs and operating
systems) and non-executable software (such as fonts and configuration information). It can be applied to
all technological environments and computing platforms (e.g. infrastructure-as-a-service, platform-as-a-
service, virtualized software applications, on-premises datacentres or software-as-a-service); it is equally
relevant in cloud computing as it is in legacy computing environments.

© ISO/IEC 2025 – All rights reserved
ix
Figure 1 indicates the principal IT asset types diagrammatically. This is an updated version of the diagram
included in ISO/IEC 19770-1.
Each implementation of ITAM should clearly define the IT assets which it will include in its scope. There can
be significant implications for ITAM in how the scope is defined, including in particular which organizational
units will need to be involved. For example, if cloud assets are included, then it will probably be necessary
to have close involvement with the engineering teams which typically manage cloud services. Likewise, if
open-source software is involved, especially if it is to be distributed outside of the organization, then it will
probably be necessary to have close involvement with the development teams responsible for open source to
help ensure that they discharge their responsibilities properly. See also 10.4.1 (scoping).

© ISO/IEC 2025 – All rights reserved
x
Key
a
Organizations can also implement private cloud services on-prem.
b
Combinations of IT assets and non-IT assets, typically externally supplied, such as hardware maintenance and
training.
c
Shown reflecting how these are managed, rather than as services; include similar products, such as storage as a
service and function as a service.
d
Includes applications, systems, and tools.
e
Information about IT assets, and about non-IT assets needed for the management of IT assets, such as information
about personnel and organization.
f
Includes fonts, configuration information, dictionaries etc. used by executable software.

© ISO/IEC 2025 – All rights reserved
xi
g
Digital assets with information content, including documents, audio, video, graphics, databases, and free-standing
dictionaries; often licensed. ITAM may include management of these assets overall, e.g. for license compliance, but
excludes management of the content.
h
Includes contracts, agreements, purchase orders and invoices.
i
Includes proof of license and license keys.
Figure 1 — Common types of IT assets
0.7 ISO/IEC 19770-1 process overview
The overall set of processes in ISO/IEC 19770-1 comprise a Deming cycle of Plan-Do-Check-Act (PDCA).
Annex B gives an overview of this cycle. However, the detail of that cycle expands considerably to cover what
is needed for a comprehensive management system for ITAM.
Figure 2 below shows the detailed basis for how processes are described in this document, related to where
they are specified in ISO/IEC 19770-1. Each implementation of ITAM generally should implement most of
these processes. However, for an ITAM system to conform to ISO/IEC 19770-1, there should be a selection of
the processes to be included, as documented in a statement of applicability.
Figure 2 — The IT asset management system
0.8  Structure of this document
While this document is intended to be used together with ISO/IEC 19770-1, it is organized differently
— Clause 4 specifies possible terminology issues (related to Clause 3).

© ISO/IEC 2025 – All rights reserved
xii
— Clause 5 specifies the ever-evolving world of ITAM, emphasizing that ITAM practitioners need to evolve
with it.
— Clauses 6 and 7 specify mindset issues and provide guidance on selling ITAM.
— Clause 8 specifies major considerations before beginning an ITAM implementation.
— Clause 9 specifies different scenarios which can impact how the organization implements ITAM,
including:
— organizational scenarios;
— technology scenarios;
— change scenarios.
— Clauses 10 to 12 specify three major groups of processes as defined by ISO/IEC 19770-1, and as illustrated
in Figure 2.
— Clause 10 specifies management system processes.
— Clause 11 specifies functional management processes.
— Clause 12 specifies life cycle processes.
— Clause 13 specifies ITAM data.
— Clause 14 covers special topics to be considered such as assessment or sustainability.
— Annex A specifies expected levels of ITAM understanding.
— Annex B: provides an overview of ISO/IEC 19770-1.
— Annex C provides an overview of related standards.
— Annex D provides checklists.
— Annex E specifies a basic improvement implementation plan.
— Annex F provides asset lifecycle stage suggestions.
— Annex G specifies documented information references in ISO/IEC 19770-1.
— Annex H specifies metrics.
— Annex I specifies OTAM (operational technology asset management) and ITAM.
— Annex J provides cross-references between ISO/IEC 19770-1 and ISO/IEC TS 19770-10.

© ISO/IEC 2025 – All rights reserved
xiii
Technical Specification ISO/IEC TS 19770-10:2025(en)
Information technology — IT asset management —
Part 10:
Guidance for implementing ITAM
1 Scope
This document covers the following information technology asset management (ITAM) system processes:
a) management system processes for the overall system of IT asset management (not described in
ISO/IEC 19770-1 in detail), which are specified in this document for comprehensive coverage and
consistency of explanations; these include:
— understanding the external context and shareholder needs (7.1, 7.2 and 10.2);
— leadership, policy and organization (10.3);
— establishing and maintaining the management system (10.4);
— planning and risk management (10.5);
— support (including resources, competence, awareness, and communication – 10.6);
— executing functional and life cycle processes (10.7);
— performance evaluation and improvement (10.8);
b) functional management processes for IT assets (not described in ISO/IEC 19770-1 in detail), which are
cross-cutting processes that integrate with life-cycle processes for IT assets and which are shared with
most IT management system standards, though sometimes slightly differently grouped; these include:
— change management (11.2; also required by ISO/IEC 19770-1);
— data management;
— license management;
— security management;
— relationship and contract management;
— financial management;
— service level management;
— other risk management;
c) life cycle management processes for IT assets as specified in ISO/IEC 19770-1, which are grouped and
named slightly differently by different methodologies; these include:
— specification;
— development;
— acquisition;
— release;
© ISO/IEC 2025 – All rights reserved
— deployment;
— operation;
— retirement.
This document is applicable to all ITAM implementations. This document can be applied to all types of IT
assets and by all types and sizes of organizations.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 19770-5, Information technology — IT asset management — Part 5: Overview and vocabulary
ISO/IEC 22123-1, Information technology — Cloud computing — Part 1: Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 19770-5, ISO/IEC 22123-1 and
the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at
...