Quality Standards

  Consider This

The International Organization for Standardization (ISO), the Information Technology Infrastructure Library (ITIL) and similar frameworks are entirely optional for most enterprises. Privately held enterprises, which are not themselves subject to Sarbanes-Oxley (SOX), can nevertheless use these frameworks to demonstrate a level of IT control comparable to SOX requirements when dealing with publicly traded customers and partners. These frameworks and their accreditation processes define how an organization designs, implements, manages, maintains and enforces IT governance. WSN supports organizations in adopting these frameworks and applies the same methodologies internally to signal its commitment to high standards of quality. Quality is one of the most vaguely defined and poorly executed standards within organizations. Failure to take quality initiatives seriously, however, risks significant loss of revenue as well as irreparable damage to brand image and reputation, customer satisfaction, loyalty and market share.
     
  Quality Standards
   

ISO 27001 (first published as ISO/IEC 27001:2005) is a relatively new, formalized standard for independent certification of an enterprise's information security management system. Enterprises select the specific security controls that apply to them on the basis of a risk assessment of their own computing environment. The ISO 27001 control set covers a broad range of areas, including data classification, access control, software acquisition, legal compliance, physical security and many others. It is frequently used to support the IT control requirements of SOX: SOX does not mandate a specific framework, although auditors generally accept COBIT and ISO 27001 as reference standards. ISO 27001 is also designed to align with other management-system standards such as ISO 9001 (quality) and ISO 14001 (environmental). It is not a replacement for risk management; the standard itself requires one. Enterprises that lack mature risk management procedures should conduct thorough risk and vulnerability assessments to determine which security controls are needed before pursuing certification. Enterprises already certified against other ISO management-system standards will feel minimal impact as they transition to ISO 27001. ISO 27001 is a suitable accreditation for organizations with moderate to advanced security processes.

Internal quality is often sacrificed on the altar of speed (time to market) or budget. Faults are not detected, much less remedied. A single fault or group of faults may, over time, slowly degrade the performance of an application, make it harder and more costly to maintain, and expose the business to the risk of a truly catastrophic failure.

In 2002, the U.S. government's National Institute of Standards and Technology (NIST) released a roughly 350-page study, "The Economic Impacts of Inadequate Infrastructure for Software Testing", which indicated:

"… Software bugs, or errors, are so prevalent and so detrimental that they cost the U.S. economy an estimated US$59.5 billion annually, or about 0.6 percent of the gross domestic product… The study also found that, although all errors cannot be removed, more than a third of these costs, or an estimated US$22.2 billion, could be eliminated by an improved testing infrastructure that enables earlier and more effective identification and removal of software defects. These are the savings associated with finding an increased percentage (but not 100 percent) of errors closer to the development stages in which they are introduced. Currently, over half of all errors are not found until 'downstream' in the development process or during post-sale software use." (Source: NIST)

IT leaders considering expenditures to improve software quality face important decisions about whether, and how much, to invest in specific quality improvement initiatives. To quantify the benefit of such initiatives for software projects, they must first measure the cost of poor quality.
