Standards and Certifications

Standards and certifications relevant to B2B suppliers that provide outsourced development and IT services. These cover quality, information security management and service management and apply to offshore, nearshore, staff augmentation from suppliers. Standards are typically international, such as ISO9001, IS27001 but some may be specific to a country or region.

Jump to: ISO | ITIL | Partner Networks | SSAE | CMMI | PCMM | CREST | NCSC (UK) | FedRAMP | COBIT | PCIDSS | HIPAA | CSA | SOX | OCEG | COSO | IOT

ISO International Standards 

Typical standards that suppliers may be certified to by an external independent party.

  1. ISO9001 Quality Management System
  2. ISO27001 Information Security Management System
  3. ISO20000 System Management System

For further information visit: 


An acronym for Information Technology Infrastructure Library. The latest version of the guide is V4 that covers running digital/IT services and infrastructure.

  • There are 4 certification levels for individuals.

For further information visit:

Partner Networks

The major software and cloud platforms also offer certifications to businesses.

  • MPN Microsoft Partner Network, with levels including Silver Application Developer and Gold Application Developer, which require a certain number of staff to eb trained and have passed exams in certain technology subjects.
  • APN Amazon Partner Network – Technology Partners provide software solutions that operate on the AWS cloud platform.

For further information visit: 

SSAE18 (Formerly SSAE16 formerly SAS70 SOC Report)

SSAE Statement on Standards for Attestation Engagements

SOC System Operating Control

For further information visit:



CMMI Software Engineering Institute Capability Maturity Model Integration

Originally developed by Carnegie Mellon University in the USA and now managed by the CMMI Institute.

It has three areas of interest

  1. Product and service development
  2. Service establishment
  3. Product and service acquisition

And has 5 levels of maturity

  • L1 Initial – unpredictable and poorly controlled
  • L2 Managed – Processes for projects
  • L3 Defined – Processes characterized across the organization
  • L4 Quantitativel Managed – Processes are measured and controlled
  • L5 Optimizing – Focus on continual improvement

For further information visit:

PCMM People Capability Maturity Model

This model from the CMMI institute is for organizations that improve their performance through best practice and key practices for critical people management processes.

For further information visit:


The following are standards applicable to security

  • CREST accreditation for companies and individuals providing penetration testing, cyber incident, threat intelligence and security centre (OSC) services

UK NCSC National Cyber Security Centre

NIST - National Institute of Standards and Technology, USA

FedRAMP - Federal Risk and Authorization Management Program, USA

COBIT Control Objectives for Information and Related Technology

PCI DSS Payment Card Industry Data Security Standard

HIPAA Health Insurance Portability and Accountability Act, USA

CSA Cloud Security Alliance

SOX Sarbannes Oxley, USA

OCEG - Open Compliance and Ethics Group

COSO Committee Of Sponsoring Organizations of the Treadway Commission

IOT Security Foundation