Wednesday, November 29, 2006

Deming's Principles - CMM Together

By Hari Krishna


For the production of quality software products, a disciplined interaction among the people involved in a project is warranted. This can best be achieved through a process framework like the CMM, which also addresses all of Deming’s 14 quality principles.





Deming’s principles are directly applicable to any industry, including software. However, the implementation framework for the software industry needs to be designed with special attention because software products are unique and complex in many respects when compared to other manufactured products and services. They involve substantial intelligence, skill, creativity and engineering work behind their creation.



The people who create software products are themselves unique in many respects, such as logical thinking, viewing real-world problems at the required level of abstraction, providing automated solutions to complex environments, etc. It is management’s responsibility to bring discipline to the interaction between these intelligent people to facilitate the production of quality software products. This discipline is best achieved through a process framework like the CMM. The evolutionary nature of CMM reinforces the fact that improvements in a system should occur gradually, in manageable parts, rather than all at once.



Deming and CMM together


Let us see how Deming’s principles are adopted by and implemented with CMM. Before directly mapping Deming’s principles to the CMM, it is wise to see some interfaces and relationships between the two.



  • Deming’s principles are requirement specifications for building a TQM culture, whereas the CMM framework provides the required design, construction and implementation support.

  • Deming has “listed” 14 principles which, when followed concurrently, will establish the TQM culture. On the other hand, CMM is incremental in nature; that is, it prioritizes the improvement actions based on their complexity and interdependencies and guides an orderly progression.

  • CMM also follows Deming’s popular PDCA cycle (Plan, Do, Check, Act) in the form of its “commitment to perform, ability to perform, activities, verifying implementation, measurements and analysis” common features.




The mapping



Let us see how each of Deming’s principles is addressed by the CMM framework.



Deming's principle 1



Create constancy of purpose focused on improvement of product and service


How CMM addresses it...?

This principle says that quality should be the cornerstone of the organization and every individual’s and group's responsibilities should be focused on achieving quality. All units within the organization should work towards common goals and purposes. This translates into CMM as follows:



  • SQA people assure quality of products by checking their compliance to applicable processes and standards

  • Software configuration management group establishes and maintains the integrity of the software products that are produced by the software engineering group and thus assures quality of those products

  • Defect Prevention Board for a project works on preventing defects from reoccurring and thus assures quality of the products

  • System test group tests the products produced by the software engineering group for compliance to respective requirements and thus assures quality of products.




Deming’s principle 2



Adopt the new philosophy



How CMM addresses it...?


This principle states that we should neither live with acceptable levels of quality nor allow our clients to do so. Acceptance of defective systems and poor workmanship as a way of life is one of the most effective roadblocks to better quality and productivity. Overcoming this requires having mature processes, which have the ability to produce predictable results. The CMM framework as a whole improves process maturity in an evolutionary way (in 5 levels which are reasonably placed one after the other).




Deming’s principle 3


Cease dependence on inspection to achieve quality and build quality into the product in the first place


How CMM addresses it...?

This is one of the most important principles of all. Performing this requires high maturity in the processes we follow. The keyword here is: prevention. Prevention is something that we undertake to avoid known or unknown defects. CMM supports prevention activity in a big way. The first prevention activity in CMM starts at the Defined Level by defining processes (Just experience doing things without having a disciplined process…!!!). All activities carried out at CMM Level 4 and Level 5 are preventive activities.



Deming’s principle 4


End the practice of awarding business solely on price. Instead, minimize total cost. Move toward a single supplier for any one item, developing a long-term relationship of loyalty and trust


How CMM addresses it...?

This principle states that the only criterion for selecting contractors should be the quality of products they can guarantee.

CMM requires organizations to achieve this objectivity by following a documented procedure to select qualified subcontractors and to subcontract the work to them (refer to the KPA Software Subcontract Management).



Deming’s principle 5


Improve constantly and forever the system of production and service, to improve quality and productivity, and thus constantly decrease costs


How CMM addresses it...?

CMM directly covers this point in one of its Level 5 Key Process Areas (KPAs) called process change management.



Deming’s principle 6


Institute on-the-job training to make use of all employees


How CMM addresses it...?

This principle states that training needs to be given to all employees to enhance their skills and help them contribute to the success of the organization. CMM addresses this issue throughout its framework by mentioning the specific training to be given under the Ability to Perform common feature for almost all of the KPAs.




Deming’s principle 7


Institute leadership. The aim of leadership should be to help people and machines do a better job


How CMM addresses it...?

The word leadership is directly related to process improvement for the software industry. When defects occur, leaders first try to correct the underlying process which produced that product; that is, they recognize the fact that 95 per cent of the problems are due to defective processes and the rest are due to human mistakes. This makes them assume responsibility for the defective products and correct the processes involved in their production. CMM actually facilitates (automates, to be precise) the creation of this kind of leadership behavior by mandating the improvement of every process at the optimizing level with the process change management KPA. The Defect Prevention KPA supports this activity.



Deming’s principle 8


Drive out fear, so everyone may work effectively for the company


How CMM addresses it...?

Driving out fear among employees requires providing them with understandable and reasonable processes and setting goals for them which are achievable by those processes. This objectivity is achieved only when there is a shared vision between management and employees of what to do and how to do it. CMM addresses this by requiring all the plans and commitments to be reviewed by all affected groups before actually carrying them out.

Another dimension to this principle is clearly visible during reviews. If review results are used for evaluation of individuals’ performance, reviews don’t reveal any defects. The purpose of reviews should be to detect and correct defects early and efficiently, and not to punish the producer for those defects. This is the reason why CMM calls reviews peer reviews, where the producer’s peers review the product, not their managers. CMM also says explicitly that the review results should never be used for evaluating an individual’s performance.



Deming’s principle 9


Break down barriers between departments


How CMM addresses it...?

Breaking down barriers between various departments means giving people an opportunity to look beyond their departmental activities and understand other departments’ problems, thus facilitating the formation of a shared vision of what needs to be done for effective problem solving. This concern is directly addressed by the CMM KPA called “Intergroup Co-ordination”.



Deming’s principle 10


Eliminate slogans, exhortations and targets for the workforce that ask for zero defects or new levels of productivity without providing methods


How CMM addresses it...?

This principle says that it is management’s responsibility to provide employees with the necessary procedures which guide them in performing their work. Doing this also brings in the required discipline and reduces the risk of unpredictable results. SW-CMM views this as a fundamental issue to be addressed, and hence process definition occurs at the Defined Level (Level 3) in a formal way.



Deming’s principle 11


Eliminate work standards (quotas) on the factory floor. Substitute leadership
Eliminate management by objective. Eliminate management by numbers or numerical goals. Substitute leadership


How CMM addresses it...?

Please see the explanation given for principle 7. The same applies here.




Deming’s principle 12



Remove barriers that rob the hourly worker of his right to pride of workmanship. The responsibility of supervisors must be changed from sheer numbers to quality


How CMM addresses it...?

This principle says that management should never divert their attention from making products that meet customer’s needs and requirements. This is covered by the policies & procedures of the Requirements Management & Software Quality Management KPAs in the CMM.




Deming’s principle 13


Institute a vigorous program of education and self-improvement


How CMM addresses it...?

This principle says that, besides training employees to perform their duties (as stated in the 6th principle), there is also a need to educate them to make them more productive and self-contained. This includes training in statistical methods, communication skills improvement, etc. Interestingly, this aspect of training is not covered by the SW-CMM because it goes beyond the scope of a particular project’s training needs. However, SEI’s Personal Software Process (PSP) provides methods to make individuals more productive in their work, and SEI’s P-CMM (People CMM) addresses the area of employee self-improvement in a few of its KPAs, namely performance management, competency development and career development.




Deming’s principle 14


Clearly define top management's permanent commitment to quality and productivity and its obligation to implement these principles


How CMM addresses it...?

This is probably the most important principle of all. This principle states that it is management’s responsibility to establish, implement and maintain the commitment to quality and productivity in the organization. The establishment of commitment is covered by the CMM in all its KPAs through one of its common features, called Commitment to Perform, which mandates the establishment of a policy for every KPA. Implementation of these commitments is done by their associated defined processes. Maintenance of these commitments is addressed by all the Level 5 KPAs.



Conclusion


There are many organizations in the US (possibly other countries as well) which have a negative impression of the usefulness of CMM. Many criticisms have come up on the purpose and usefulness of CMM, and one such can be found at www.satisfice.com/articles/cmm.htm. This URL leads to an excellent criticism of CMM written by an independent SQA consultant called James. His view is that CMM doesn’t have any theoretical basis behind its development and use. The main purpose of this Deming and the CMM mapping article is to discuss the theoretical basis for CMM. Of course, James addressed many other areas in his article where he feels CMM is weak. Those areas are not discussed in this article.

CSQA CBOK

2006 Common Body of Knowledge

Certified Software Quality Analyst (CSQA)



The Common Body of Knowledge (CBOK) for the CSQA is designed to cover the
challenges faced by today’s quality professional. The CBOK’s knowledge categories
have been selected to address these challenges. It is recognized that many quality
professionals do not need to be competent in all of the categories to fulfill their current
job responsibilities. Categories one to eight should be common to all quality challenges
and therefore most of the certification examination will focus on categories one to eight.
However, the candidate should have a basic knowledge of categories nine and ten to
ensure currentness of quality assurance competencies and candidates will be examined at
a high level on these two categories.


The following ten knowledge categories describe the Common Body of Knowledge that
an individual must master to obtain a certification in software quality assurance (CSQA):


  1. Quality Principles and Concepts

  2. Quality Leadership

  3. Quality Baselines (Assessments and Audits)

  4. Quality Assurance

  5. Quality Planning

  6. Define, Build, Implement and Improve Work Processes

  7. Quality Control Practices

  8. Metrics and Measurement

  9. Internal Control and Security

  10. Outsourcing, COTS and Contracting Quality




Knowledge Category 1: Quality Principles and Concepts



Before an organization can begin to assess the quality of its products and services, and
identify opportunities for improvement, it first must have a working knowledge of quality
principles and basic concepts. This category will test the CSQA candidate’s ability to
understand and apply these principles, which include the quality vocabulary, various
ways of defining quality, key concepts, distinguishing between quality control and
quality assurance, and the contributions of quality pioneers.



This knowledge category addresses the following:



  • Vocabulary of quality—understanding the vocabulary used to explain and
    implement quality in an IT organization. Includes terms such as quality,
    processes, defects and products.

  • The different views of quality—an understanding of how quality is viewed from a
    producer of products, a customer/user of products, and suppliers of products.
    These different definitions result in a quality gap.


  • Quality concepts and practices—an overview of the more prevalent concepts,
    approaches and practices used by quality professionals to implement and improve
    quality. These include:

    1. the PDCA Cycle (Plan-Do-Check-Act)

    2. the Cost of Quality

    3. Six Sigma Quality

    4. Baselining and Benchmarking

    5. Earned Value


  • Quality control and quality assurance—understanding the difference between
    quality control and quality assurance, definitions, activities, and processes.

  • Quality pioneers’ approach to quality—includes quality pioneers such as Dr. W.
    Edwards Deming, Philip Crosby, and Dr. Joseph Juran.




Knowledge Category 2: Quality Leadership


The most important prerequisites for successful implementation of any major quality
initiative are leadership and commitment from executive management. Management
must create a work environment supportive of quality initiatives. It is management’s
responsibility to establish strategic objectives and build an infrastructure that is
strategically aligned to those objectives. This category will cover the management
processes used to establish the foundation of a quality-managed environment, as well as
commitment, new behaviors, building the infrastructure, techniques, approaches and
communications.



  • Leadership Concepts


    1. Executive and Middle Management Commitment

    2. Quality Champion

    3. New Behaviors for Management


      • Traditional Management versus Quality Management (differences
        in philosophy)

      • Leadership (modeling, coaching, reinforcing)

      • The importance of establishing mentoring relationships

      • Establishing Trust


    4. Empowerment of employees


  • Quality Management Infrastructure


    1. Quality Council

    2. Management Committees

    3. Teams and Work Groups

    4. Process Improvement review teams


  • Quality Environment—environment supportive of quality


    1. Setting the proper “tone” at the top

    2. Code of Ethics

    3. Open communication

    4. Implementing a mission, a vision, goals, values and a quality policy

    5. Monitoring compliance to organizational policy and procedures

    6. Enforcement of organizational policies and procedures




Knowledge Category 3: Quality Baselines (Assessments and Audits)


Organizations need to establish baselines of performance for quality, productivity and
customer satisfaction. These baselines are used to document current performance and
document improvements by showing changes from a baseline. In order to establish a
baseline, a model and/or goal must be established for use in measuring against to
determine the baseline.




  • Why Baselines are needed

    1. Measure current level of performance
    2. Basis for establishing improvement goals
    3. Means to measure improvement

  • Methods Used for Establishing Baselines

    1. Customer Surveys
    2. Benchmarking
    3. Assessments against industry models
    4. Assessments against management established criteria (e.g. software
      requirements and user acceptance criteria)

  • Model and Assessment Fundamentals

    1. Purpose of a Model
    2. Types of Models (staged and continuous)
    3. Model Selection Process
    4. Using Models for Assessment and Baselines

  • Industry Quality Models

    1. Software Engineering Institute Capability Maturity Model/CMMI
    2. Malcolm Baldrige National Quality Award
    3. ISO 9001:2000
    4. ISO/IEC 12207
    5. ISO/IEC TR 15504
    6. Post Implementation Audits



Knowledge Category 4: Quality Assurance


Quality Assurance is a professional competency whose focus is directed at the critical
processes used to build products and services. The profession is charged with the
responsibility for tactical process improvement initiatives that are strategically aligned to
the goals of the organization. This category will address the understanding and
application of quality assurance practices in support of the strategic quality direction of
the organization. The quality practitioner should understand the importance of a quality
function, how to implement a quality function and how it matures over time, as well as
how to create a quality plan, the use of quality tools, process deployment, and
differentiating between internal auditing and quality assurance.




  • Establishing a Function to Promote and Manage Quality

    1. Why an IT Quality Function is Desirable

    2. The Challenges of Implementing a Quality Function

    3. How the Quality Function Matures Over Time

    4. Support in Corporate Quality Management Environment

    5. Implementing an IT Quality Function



  • Quality Tools

    1. Statistical Tools

    2. Management Tools



  • Process Deployment

    1. Getting Buy-in for Change Through Marketing

    2. The Formula for Effective Behavior Change
      (behavior=individual+environment)

    3. The Deployment Process (assessment, strategic, tactical phases)

    4. Critical Success Factors for Deployment



  • Internal Auditing and Quality Assurance


    1. Types of Internal Audits

    2. Differences in Responsibilities





Knowledge Category 5: Quality Planning


Executive management establishes the vision and strategic goals. Planning is the process
that describes how those strategic goals will be accomplished. Quality planning should
be integrated into the IT plan so that they become a single plan. In simplistic terms, the
IT plan represents the producer and the quality plan represents the customer.



  • Considerations in Establishing IT Goals and Objectives


    1. Risk Management

    2. Industry Models

    3. Laws and Regulations (e.g. Sarbanes Oxley Act)

    4. User Goals and Objectives

    5. Improving IT Effectiveness and Efficiency

    6. Improving IT Customer Satisfaction

    7. Planning Tools and Techniques

    8. Process Mapping to IT Goals

    9. Establishing a Critical Metric Set

    10. Aligning IT Plans to Organizational and User Plans

    11. Strategic Planning Process




Knowledge Category 6: Define, Build, Implement and Improve Work
Processes


The world is constantly changing. Customers are more knowledgeable and demanding,
therefore, quality and speed of delivery are now critical needs. Companies must
constantly improve their ability to produce quality products that add value to their
customer base. Defining and continuously improving work processes allows the pace of
change to be maintained without negatively impacting the quality of products and
services. This category addresses process management concepts, including the definition
of a process, the workbench concept and components of a process. Additionally, it will
address the understanding of definitions and continuous improvement of a process
through the process management PDCA cycle.



  • Process Management Concepts

    1. Definition of a Process

    2. Why Processes are Needed (management and worker perspectives)

    3. Process Workbench and Components (standards, input, work and check
      procedures, output/deliverables)

    4. Process Categories

      1. Management Processes

      2. Work Processes

      3. Check Processes


    5. The Process Maturity Continuum (products and services, work and check
      processes, customer involvement)

    6. How Processes are Managed

    7. Process Template



  • Process Management Processes

    1. Planning Processes

      1. Process Inventory

      2. Process Mapping

      3. Process Planning


    2. Do Process

      1. Process Definition


    3. Check Processes

      1. Process Measurement

      2. Testing


    4. Act Processes

      1. Process Improvement Teams

      2. Process Improvement Process





Knowledge Category 7: Quality Control Practices


Quality control practices should occur during product development, product acquisition,
product construction at the end of development/acquisition and throughout product
change and operation. During development, the quality control process is frequently
called verification and at the conclusion of development, it is called validation. This
category will address the various types of controls and when they are best used in the
process. The quality practitioner should also be familiar with verification and validation
techniques, the framework for developing testing tactics, change control and
configuration management.



  • Testing Concepts

    1. The Testers’ Workbench

    2. Test Stages (Unit, Integration, System, User Acceptance)

    3. Independent Testing

    4. Static vs. Dynamic Testing

    5. Verification vs. Validation

    6. Stress vs. Volume vs. Performance

    7. Test Objectives

    8. Reviews and Inspections



  • Verification and Validation Techniques

    1. Verification Techniques (reviews, code walkthroughs, requirements
      tracing)

    2. Validation Techniques (white box, black box, incremental, thread,
      regression)

    3. Structural and Functional Testing


  • Software Change Control

    1. Software Configuration Management

    2. Change Control Procedures


  • Defect Management

    1. Defect Management Process

    2. Defect Reporting, including metrics

    3. Severity versus Priority

    4. Using Defects for Process Improvement




Knowledge Category 8: Metrics and Measurement



A properly established measurement system is used to help achieve missions, visions,
goals, and objectives. Measurement data is most reliable when it is generated as a
by-product of producing a product or service. The QA analyst must ensure that quantitative
data is valued and reliable, and presented to management in a timely and easy-to-use
manner. Measurement can be used to gauge the status, effectiveness and efficiency of
processes, customer satisfaction, product quality, and as a tool for management to use in
their decision-making processes. This category addresses measurement concepts, the use
of measurement in a software development environment, variation, process capability,
risk management, the ways measurement can be used and how to implement an effective
measurement program.




  • Measurement Concepts

    1. Standard Units of Measure

    2. Metrics

    3. Objective and Subjective Measurement

    4. Types of Measurement Data (nominal, ordinal, interval, ratio)

    5. Measures of Central Tendency (mean, median, mode etc.)

    6. Attributes of Good Measurement

    7. Using quantitative data to manage an IT Function

    8. Key Indicators


  • Measurement in Software

    1. Product Measurement (size, complexity, quality and customer perception)

    2. Process Measurement


  • Variation and Process Capability

    1. Common and Special Causes of Variation

    2. Variation and Process Improvement

    3. Process Capability


  • Risk Management

    1. Defining Risk

    2. Characterizing Risk (situational, time-based, interdependent, magnitude
      dependent, value-based)

    3. Identifying, Analyzing, Prioritizing, responding to, Resolving and
      Monitoring Risks

    4. Software Risk Management

    5. Risks of Integrating New Technology


  • Implementing a Measurement Program

    1. The Need for Measurement

    2. Prerequisites

    3. The Four Uses of Measurement

    4. Installing the Measurement Program




Knowledge Category 9: Internal Control and Security


Privacy laws and increased accessibility to data have necessitated increased security.
Accounting scandals and governmental regulation such as the Sarbanes Oxley Act have
placed increased importance on building and maintaining adequate systems of internal
control. The quality assurance function can contribute to meeting those objectives by
assuring that IT has adequate processes governing internal control and security.



  • Principles and Concepts of Internal Control and Security

    1. Understand internal control and security models. The current model that is
      most accepted by US corporations is the COSO (Committee of Sponsoring
      Organizations, composed of five major accounting and audit associations)
      model. (Note: there is an equivalent counterpart to COSO in Canada called
      CoCo, Criteria of Control.) Many IT organizations use CobiT (Control
      Objectives for Information and related Technology), which is a popular
      and internationally accepted set of guidance materials for IT governance,
      developed by the Institute for Security Control and Audit.

    2. Build the System of Internal Controls—the process for building the system
      of internal controls in software is:

      1. Perform risk analysis—determine the risks faced by the
        transactions/events processed by the software.

      2. Determine the controls for each of the processing segments for
        those transactions, including:

        1. Transaction Origination

        2. Transaction Entry

        3. Transaction Processing

        4. Data Base Control

        5. Transaction Results



      3. Determine whether the identified controls are adequate to reduce
        the risks to an acceptable level.

      4. When all components of the control system are present and
        functioning effectively, the internal control process can be deemed
        “effective.”



  • Risk, Internal Control and Security Models

    1. COSO Enterprise Risk Management Model (ERM)

    2. COSO Internal Control Model (includes security) or equivalent


  • Building Controls into Software Systems

    1. Controlling Transaction Error Origination

    2. Controlling Transaction Entry

    3. Controlling Transaction Communication

    4. Controlling Transaction Processing

    5. Controlling Databases

    6. Controlling Transaction Output



  • Assuring Adequacy of Internal Control and Security

    1. Internal Control and Security Awareness Training

    2. Creating an Environment that Supports Control and Security

    3. Control and Security Policies

    4. Identifying Points of Security Penetration

    5. Control and Security Practices




Knowledge Category 10: Outsourcing, COTS and Contracting Quality


Organizations can assign software development work responsibilities to outside
organizations through purchasing software or contracting services; but they cannot assign
the responsibility for quality. Quality of software remains an internal IT responsibility
regardless of who builds the software. The quality professionals need to assure that those
quality responsibilities are fulfilled through appropriate processes for acquiring
purchased software and contracting for software services.



Specifically, this category addresses:




  • The difference between software developed in-house and software developed by
    outside organizations.


    1. COTS Software—the documentation may not correspond to the software
      source code.


    2. Contractors/Outsourced—the contractual provisions will determine
      whether the acquiring organization can perform verification activities
      during development; and the ability to obtain source code.



  • Selecting COTS Software. This involves first determining the needed
    requirements; second, the available software that might meet the requirements,
    and then third, evaluating those software packages against the selection criteria.
    Quality professionals can perform or should participate in this process.


  • Selecting organizations to build all or part of the needed software. Quality
    professionals should be involved in these activities, specifically to:


    1. Review the contract for testability (should be able to determine, by testing
      what is in the contract, if the contract is adequate)

    2. Assure that requirements are testable.

    3. Review the adequacy of the outsourcer’s test plan.

    4. Perform acceptance testing when the software is complete.

    5. Issue a report on the adequacy of the software to meet the contractual
      specifications

    6. Ensure the contract specifically covers knowledge transfer from the
      contractor to the contracting organization

    7. Ensure the contract specifically covers intellectual property rights


Tuesday, November 28, 2006

ISO Vs CMM




Similarities




  • Both are TQM based

  • Both talk about continuous improvement (CMM stresses this more)

  • Both stress “Say what you do. Do what you say”



Differences












| Sl. No | ISO | CMM |
|---|---|---|
| 1 | ISO is a generic standard. It is applicable for all industries. | CMM is S/W specific |
| 2 | ISO is a standard. It tells what needs to be done in an organization. | CMM is a model. It doesn’t mandate the practices |
| 3 | ISO focuses on the entire organization’s processes | CMM is specific to S/W processes |
| 4 | ISO Certification is followed by Surveillance audit once in 6 months | After CMM assessment, there are no such checks. It is up to the organization to use it for internal process improvements |
| 5 | ISO is continuous | CMM is staged (It has different levels of process maturity) |
| 6 | Internal Audits are mandatory | Not mandatory |