ISO/IEC 19770 and SAM Maturity: What the Standard Really Means for ITAM Programs

A practical explanation of ISO/IEC 19770, SAM maturity, ITAM governance, process design, evidence control, and program improvement.

18 June 2026 · 8 min read · The ITAM Exchange
5 maturity layers
1 governance lens
19770 standard family
improvement cycle

Key takeaways

  • Use ISO/IEC 19770 as a maturity lens, not only a certification target.
  • Connect SAM processes to business governance and lifecycle control.
  • Improve evidence quality before measuring maturity.
  • Prioritize gaps that reduce audit, renewal, and spend risk.

Clarifying the standard

The standard often discussed in SAM maturity conversations is ISO/IEC 19770, especially ISO/IEC 19770-1 for IT asset management systems. It is not simply a software inventory checklist. It is a governance and management-system approach.

From SAM operations to ITAM governance

Many organizations begin with license compliance and discovery. Maturity requires a broader operating model: request, procurement, deployment, change, support, renewal, retirement, cloud consumption, SaaS ownership, and risk control.

How to use it practically

Use the standard as a maturity map. Identify gaps in policy, data, process integration, role ownership, evidence, measurement, and continual improvement.

Process view

The practical sequence below keeps the review structured and avoids rushing into vendor, auditor, or provider conversations before the internal position is clear.

1. Policy

Clarify scope and ownership before collecting evidence.

2. Process

Validate facts against contracts, systems, and business context.

3. Data

Separate technical data from commercial interpretation.

4. Controls

Create an internal position before external engagement.

5. Improvement

Convert findings into action, remediation, or negotiation steps.

Readiness matrix

Area | What to test | Why it matters
Evidence | Contracts, deployment, usage, ownership, and exception data. | Weak evidence creates weak negotiation and audit positions.
Interpretation | Commercial terms, metrics, exclusions, and historical rights. | Technical data alone does not explain license exposure.
Governance | Decision rights, escalation path, and remediation ownership. | Clear ownership prevents findings from becoming stalled risk.
Commercial action | Renewal timing, negotiation options, and cost scenarios. | Readiness is valuable only when it changes the decision path.

Practical rule: do not treat a tool report, publisher statement, or raw discovery export as the final answer. Use it as input into a structured review.

Detailed PDF guide

The PDF includes deeper analysis, visual timelines, flowcharts, risk matrices, and a practical review checklist.