ISO/IEC 19770-1:2017 IT Asset Management (ITAM)



This standard specifies the requirements for the establishment, implementation, maintenance, and improvement of a management system for IT asset management (ITAM), referred to as an IT asset management system. 

When an organization is certified to ISO/IEC 20000-1:2018 and ISO/IEC 27001:2013, it uses many types of software assets to support its business and its clients. To manage those assets, many organizations implement ISO/IEC 19770-1:2017 ITAM to ensure they are actively and safely managing them.

ISO 19770-1:2017 specifies the requirements for the establishment, implementation, maintenance and improvement of a management system for asset management, referred to as an “asset management system”. 

This standard includes additional or more detailed requirements that are considered necessary for the management of IT assets. 

Assets That Need to Be Managed

A number of characteristics of IT assets create these additional or more detailed requirements. As a result of these characteristics, a management system for IT assets has explicit requirements dealing with:

  1. Controls over software modification, duplication and distribution, with particular emphasis on access and integrity controls;
  2. Audit trails of authorizations and of changes made to IT assets;
  3. Controls over licensing, underlicensing, overlicensing, and compliance with licensing terms and conditions;
  4. Controls over situations involving mixed ownership and responsibilities, such as in cloud computing and with ‘Bring-Your-Own-Device’ (BYOD) practices;
  5. Reconciliation of IT asset management data with data in other information systems when justified by business value, in particular with financial information systems recording assets and expenses.

Intended Users

This document can be used by any organization and can be applied to all types of IT assets.
The organization determines to which of its IT assets this document applies. This document is primarily intended for use by:

  1. those involved in the establishment, implementation, maintenance, and improvement of an IT asset management system;
  2. those involved in delivering IT asset management activities, including service providers;
  3. internal and external parties to assess the organization’s ability to meet legal, regulatory and contractual requirements and the organization’s own requirements.

Software Asset Management (SAM) Tools

Software Asset Management (SAM) markets are dominated by some vendor-specific approaches for licensing, license management and asset optimization. 

Each approach is unique and employs its own terminology and technology. While this may foster innovation, it also requires a software consumer to deal with each of those vendors on a separate basis, which leads to significant inefficiencies and prevents easy comparisons.

Adopting ISO/IEC 19770-1:2017 can greatly assist in limiting these inefficiencies and in allowing comparisons, because it provides an internationally recognized framework for adopting and implementing ITAM.

This ISO standard allows for standardization in IT asset management by providing a common, standardized, and measurable approach. At the same time, the standard allows organizations to adopt a flexible tier-based approach to ITAM. It is useful for every organization looking to ensure maximum value from IT assets while reducing a variety of IT-related risks, including security-related risks.

Having a standardized approach also allows for certification, which is useful for ensuring that partners and potential partners have these processes in place, thereby reducing your risk.

ISOP Premier


(All inclusive, 36 Month Plan)

This Platform is a 90-day ISO implementation process in which ISOP performs a 3-step ISO implementation. This means ISOP creates and delivers the client's ISO manuals, trains the client on how to use them, and completes a one-time 3rd party accredited registration audit. Each deferred Platform includes:

  • Two ISOP audit manager licenses
  • Two ISOP LMS licenses (continuing online education)
  • Unlimited online scheduled support
  • One 3rd party accredited registration audit
  • Two 3rd party online surveillance audits
  • Six semi-annual online internal audits

All of which are invoiced over a 36-month payment plan.

ISOP Premiere is designed for businesses that want both implementation and cash flow assistance, continued ISO audit support, and an online Learning Management System (LMS) to continually educate their employees.

Additional ISOP Audit Manager and Learning Management System Licenses may be purchased separately.

How long is an ISO Certification valid?


Short Answer

4 audits over 3 years:

1. Certification audit;

2. First Annual surveillance audit; 

3. Second Annual surveillance audit;

4. Re-certification audit. 

These are performed in this sequence only if the company passes each audit.

Official ISO/IEC 17021-1:2015 answer:

Clause 9.1.3, Audit Program: The audit program for the initial certification shall include a two-stage initial audit, surveillance audits in the first and second years following the certification decision, and a re-certification audit in the third year prior to expiration of certification. The first three-year certification cycle begins with the certification decision. Subsequent cycles begin with the re-certification decision. Surveillance audits shall be conducted at least once a calendar year, except in re-certification years. The date of the first surveillance audit following initial certification shall not be more than 12 months from the certification decision date.

