ISO 12207 Software Life Cycle Processes: Full Guide & Certification
Post by Alina Ansari | July, 2026

What Is ISO 12207?
Jointly published by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC) and the Institute of Electrical and Electronics Engineers (IEEE), the standard establishes a common process vocabulary and structure that software development organizations, system integrators, acquirers and suppliers can use to communicate, manage and govern software work consistently.
The standard does not prescribe a specific software development methodology, life cycle model, or programming approach. Instead, it defines what processes need to exist, what activities and tasks each process must address and what outcomes each process must produce, leaving the organization to select the development model that best fits its context, whether that is waterfall, agile, DevOps, or any hybrid approach.
This principle-based, model-agnostic structure makes ISO 12207 applicable to organizations of all sizes, from startups building a single software product to large enterprises managing complex, multi-system software portfolios. The current version, ISO/IEC/IEEE 12207:2017, harmonizes with ISO/IEC/IEEE 15288:2015 for systems engineering, establishing a unified life cycle process architecture that applies consistently across both software-specific and system-level engineering activities.
ISO 12207 helps software organizations manage requirements, design, development, testing, deployment and maintenance through a structured life cycle process framework - Pacific Certifications
Software Life Cycle Process Groups
The four process groups are:
Agreement Processes - covering acquisition and supply relationships between organizations
Technical Processes - covering the engineering activities that define, build and operate the software system
Technical Management Processes - covering planning, monitoring, decision-making, risk management and quality assurance at the project level
Organizational Project-Enabling Processes - covering the organization-level capabilities, infrastructure and improvement mechanisms that enable projects to succeed
This structure reflects the 2017 harmonization with ISO/IEC/IEEE 15288, which aligned the process groupings across both software and system engineering standards for consistency.
Practical Tip: Map each software activity to the right process group so agreement, technical, management and organizational responsibilities stay clear.
ISO 12207 Primary Processes
Acquisition:
The set of activities and tasks performed by the acquiring organization, the entity that procures a software system, product, or service. Acquisition covers defining requirements, selecting suppliers, managing contracts and accepting delivered software.
Supply:
The activities performed by the supplying organization, the entity that provides the software product or service to the acquirer. This includes responding to acquisition requirements, developing delivery plans and managing the delivery and acceptance process.
Development:
The core engineering process covering software requirements analysis, architectural design, detailed design, coding, integration, testing and installation. Development applies to both new software construction and modification of existing systems.
Operation:
The activities covering deployment of software into its operational environment, operational testing and the ongoing use of the software to deliver its intended function to end users or other systems.
Maintenance:
The activities required to modify a deployed software system to correct faults, improve performance, adapt it to changes in the operating environment, or add new capabilities, while preserving the system's integrity and traceability.
Writer’s view: Primary processes are where software value is created, delivered and maintained through acquisition, supply, development, operation and maintenance.
ISO 12207 Supporting Processes
ISO 12207 defines the following supporting processes:
Documentation: Planning and producing recorded information about the software system and its life cycle activities.
Configuration Management: Identifying, controlling, tracking and auditing the configuration of software items and related work products throughout the life cycle.
Quality Assurance: Providing objective evidence that work products and processes comply with established requirements and plans.
Verification: Confirming that each software work product correctly reflects the requirements specified for it.
Validation: Confirming that the completed software fulfills its intended use in the operational environment.
Joint Review: Evaluating the status of software activities and work products with relevant stakeholders at defined points in the life cycle.
Audit: Independently determining compliance with defined requirements, plans and contracts.
Problem Resolution: Analyzing and resolving all problems, including non-conformances, defects, failures and incidents, discovered during the life cycle.
Tip: Supporting processes strengthen software delivery by making documentation, configuration control, quality assurance, verification, validation and problem resolution consistent.
ISO 12207 checklist: Key points to review before certification
An ISO 12207 checklist helps software teams review whether their development, testing, maintenance and support processes are properly planned and documented. It is especially useful if your organization is preparing for an internal review, client requirement, process assessment or certification audit.
Start by checking whether your team has a clear software life cycle process. This includes how requirements are collected, how software is designed, how code changes are controlled, how testing is performed and how issues are tracked after release.
Your checklist should also cover important records such as software requirements documents, design records, test plans, review approvals, configuration management records, risk logs, maintenance procedures and change control evidence. These documents show that your software processes are not only followed but also traceable.
For Agile or DevOps teams, the checklist does not have to feel complicated. Sprint boards, user stories, release notes, automated test reports, pull request reviews and deployment records can all support ISO 12207 alignment when they are organized properly.
A good ISO 12207 checklist is not just a tick-box exercise. It helps your team find gaps early, improve consistency and prepare more confidently before a formal audit or assessment.
Organizational Processes
ISO 12207 defines four organizational processes:
Management:
Establishing and executing plans, monitoring progress, controlling deviations and managing the resources, schedules and priorities of software projects and organizational units.
Infrastructure:
Establishing and maintaining the hardware, software, tools, facilities, standards and procedures that support the execution of software life cycle processes across the organization.
Improvement:
Assessing the current state of software life cycle processes, identifying improvement opportunities, implementing changes and measuring the impact of those changes on organizational performance.
Training:
Developing and maintaining the skills and competencies of individuals involved in software life cycle activities, covering both technical capabilities and process knowledge.
Organizational processes should give software teams the infrastructure, training, governance and improvement system needed to deliver consistently.
ISO 12207:2017 Updates
Harmonization with ISO/IEC/IEEE 15288:2015: The 2017 edition aligned the process architecture, terminology and process outcomes of ISO 12207 with the systems engineering life cycle standard ISO 15288, creating a unified framework applicable to both software-specific and integrated system-software engineering programs.
Outcome-based process definitions: Each process is now defined in terms of the outcomes it must achieve rather than prescriptive activities, giving organizations greater flexibility to implement processes in ways appropriate to their context and development model.
Expanded scope to include software services: The 2017 edition explicitly extends its scope to cover software as a service (SaaS) and other service-oriented software delivery models, reflecting the shift in the industry toward cloud and subscription-based software.
New process groupings: The classification of processes into agreement, technical, technical management and organizational project-enabling groups replaced the earlier primary, supporting and organizational taxonomy, aligning with ISO 15288's process architecture.
Stronger integration with quality management: The 2017 edition strengthened its compatibility with ISO 9001, ISO/IEC 27001 and ISO/IEC 20000-1, making it easier for organizations to implement ISO 12207 within an existing management system framework.
Final Remark: The 2017 update made ISO 12207 more flexible, outcome-based and aligned with modern software delivery models like SaaS, agile and DevOps.
ISO 12207 vs ISO 15288
The two standards are designed to be used together where a system contains both hardware and software elements. In practice, organizations that develop pure software products or services apply ISO 12207 as their primary reference.
Organizations developing integrated hardware-software systems, such as medical devices, industrial control systems, or embedded platforms, typically apply ISO 15288 at the system level and ISO 12207 at the software component level.
Practical Tip: Use ISO 12207 for software life cycle processes and ISO 15288 when software is part of a broader system with hardware, people or facilities.
ISO 12207 Implementation Examples
Software development company:
A custom software development firm uses ISO 12207's development and quality assurance processes to define its software development life cycle, establishing mandatory requirements analysis, design review, unit testing and integration testing stages for all client projects.
Combined with ISO 9001 certification, this demonstrates consistent, auditable delivery capability to enterprise clients.
SaaS provider:
A cloud software company applies ISO 12207's operation and maintenance processes to govern its release management, incident response and change control procedures, ensuring that service updates are tested, documented and deployed without disrupting operational services. ISO/IEC 20000-1 certification provides third-party validation of these processes.
Government IT contractor:
A public sector software supplier uses ISO 12207's acquisition and supply processes to manage its contractual obligations, including requirements traceability, acceptance testing documentation and formal delivery protocols required by government procurement frameworks.
Embedded systems manufacturer:
A medical device manufacturer applies ISO 12207 alongside ISO 15288 to manage the software component of a regulated device, ensuring that software requirements are traced to design outputs, verification activities are documented and the complete software development life cycle record supports regulatory submission.
IT services organization:
An IT managed services provider uses ISO 12207's organizational processes to establish its project management methodology, staff competency framework and process improvement program, creating the organizational capability infrastructure that its delivery teams draw upon across all client engagements.
Writer’s view: ISO 12207 is easiest to understand when examples show how software companies, SaaS providers, contractors and embedded systems teams apply it in real projects.
ISO 12207 Audit Readiness
A documented software life cycle policy identifying the processes, activities and responsibilities that govern software work within the organization
A defined software life cycle model, whether waterfall, agile, or hybrid with traceability to ISO 12207 process requirements
Requirements management documentation covering traceability from stakeholder needs through to test evidence
Configuration management records covering version control, change log and release history for all software work products
Quality assurance records including review and inspection reports, test plans, test execution records and defect logs
Risk management records identifying software-related risks, mitigations and residual risk acceptance decisions
Competence and training records demonstrating that all roles involved in the software life cycle hold the required qualifications and have received appropriate training
Problem resolution logs recording all defects, incidents and non-conformances identified during the life cycle, along with their resolution status
Supplier and subcontractor management records where software development activities are outsourced
Audit readiness improves when software policies, life cycle models, traceability, configuration records, test evidence and defect logs are complete before assessment.
ISO 12207 Certification Cost
A small development team with a focused service scope will have a modest audit fee, while a mid-size company with distributed teams and multiple product lines will require more audit days. ISO/IEC/IEEE 12207 does not carry a separate audit cost — it is referenced as the process framework within the ISO 9001 scope and assessed as part of the same audit.
For organizations pursuing integrated certification across ISO 9001, ISO/IEC 27001, and ISO/IEC 20000-1 simultaneously, integrated audits reduce total audit days and provide better value than separate certifications for each standard. Pacific Certifications provides transparent, fixed-fee proposals so your organization has full cost visibility before the process begins.
Cost planning should consider employee count, development sites, software scope, target ISO standards and whether integrated certification is required.
ISO 12207 Certification Timeline
This includes 1 to 2 months for gap analysis and process documentation, 2 to 3 months for implementation across live software projects, and 2 to 4 weeks for Stage 1 and Stage 2 audits. Certificate issuance follows within 1 to 2 weeks of a successful Stage 2 audit.
For organizations pursuing ISO/IEC 27001 alongside ISO 9001, or adding ISO/IEC 20000-1 for service management coverage, the timeline extends to 6 to 9 months. Organizations with largely informal and undocumented software processes should plan for the longer end of this range. Assigning clear process ownership and conducting a structured internal audit before the Stage 2 assessment are the most reliable ways to stay within the planned timeframe.
A Practical Tip from Pacific Certifications: Software organizations can avoid delays by assigning process owners, documenting live project evidence and completing internal audits early.
How Pacific Certifications Can Help?
Accredited by ABIS, Pacific Certifications conducts impartial, evidence-based audits against applicable ISO standards in full conformance with ISO/IEC 17021. Our services for software and technology organizations include:
Independent certification audits for ISO 9001, ISO/IEC 27001, ISO/IEC 20000-1, ISO 22301 and ISO/IEC 27701
Stage 1 and Stage 2 audit execution across single and multi-site software organizations
Clear, transparent audit reports with conformity findings and certification decisions
Issuance of internationally recognized ISO certificates upon successful audit completion
Annual surveillance and triennial recertification audits to maintain certificate validity
Pacific Certifications does not provide consultancy, our role is strictly that of an independent auditor, ensuring your certificate carries full credibility with enterprise clients, government procurement authorities and regulatory bodies in every market you operate in.
Contact Us
To get started with your software life cycle certification program or initiate your audit, contact us at support@pacificcert.com or +91-8595603096.
For training programs, contact us at trainings@pacificcert.com.
Also read: ISO/IEC TS 33061:2021 – Software Life Cycle Process Assessment Model
