ISO/IEC 19770 is the family of standards that defines what a credible Software Asset Management programme looks like. It is rarely certified against, but it is referenced constantly in compliance discussions because it provides the only neutral framework for proving an estate is managed intentionally rather than reactively. When an audit lands and the defence is 'we manage carefully,' ISO 19770 is what 'carefully' means.
ISO/IEC 19770 is the family of standards that defines what a credible Software Asset Management (SAM) programme looks like. It is rarely certified against — fewer than 200 organisations globally hold formal certification — but it is referenced constantly in compliance discussions because it provides the only neutral, audit-defensible framework for proving that an organisation manages its software estate intentionally rather than reactively. When a vendor audit lands and the customer's defence rests on "we manage our estate carefully," ISO 19770 is what "carefully" means.
The family has five parts. Part 1 (19770-1) defines the management system — the processes, policies and governance for the SAM function. Part 2 (19770-2) defines the Software Identification Tag (SWID) data format. Part 3 (19770-3) defines the Software Entitlement Tag (ENT) data format. Part 4 (19770-4) defines Resource Utilization Measurement (RUM). Part 5 (19770-5) defines the overview and vocabulary. The two parts that matter most to a compliance programme are Part 1 (the management system) and Part 3 (the entitlement format that lets a customer prove what they own).
ISO 19770-1 requires a SAM function with defined responsibilities, documented processes for software lifecycle management, a tooling layer that reconciles deployment against entitlement, and a continual-improvement cycle. The standard is process-oriented rather than tool-prescriptive — it does not mandate Flexera over Snow or ServiceNow SAM Pro. What it requires is that whatever tool is in place produces an auditable record of what is deployed, what is entitled, and what the gap is.
The gap is rarely in the policy. It is almost always in the process discipline that lives behind the policy.
The ISO 19770-1 management system implies a maturity progression even though the standard itself does not formalise it. The levels organisations move through are: trust-based (no central record, asset position recreated under audit pressure); reactive (records exist but are recreated each audit cycle); managed (records are maintained continuously, tied to a SAM tool); and enhanced (records are integrated with procurement, identity and HR, and the SAM function participates in renewal cycles). Most large enterprises operate at the reactive or managed level. Few move to enhanced without a deliberate programme investment.
The Software Entitlement Tag (ENT) defined in ISO 19770-3 is the audit-defence asset most organisations do not maintain. The ENT is a structured XML record of what an organisation has the right to use — derived from the contract, not the deployment. When an Oracle, Microsoft or SAP audit lands, the question the auditor asks is: what do you own? The answer the organisation is usually able to produce is what is deployed, not what is owned. The ENT closes that gap by recording the entitlement separately from the deployment.
The full SAM process toolkit covering ISO 19770 alignment, tool selection and audit defence.
Few organisations generate ISO-formal ENT files. The practical equivalent is a structured entitlement register that captures, per contract: the licensable metric, the quantity owned, the geographic and entity scope, the support and upgrade rights, the renewal date and the non-renewal notice window. The register sits adjacent to the SAM tool — most SAM tools record deployment well and entitlement poorly. The reconciliation between the two is where compliance work actually happens — and where an independent license compliance assessment earns its keep, closing the entitlement-to-deployment gap before an auditor forces the question.
An organisation building a SAM programme from a low maturity base typically takes 9–18 months to reach managed-level operations. The work sequence: month 1–3, tool selection and entitlement register baseline; month 3–6, deployment-to-entitlement reconciliation across the top five publishers; month 6–9, integration with procurement and identity systems; month 9–12, audit-defence simulation; month 12–18, renewal-cycle integration. The cost of skipping the audit-defence simulation is consistently visible in the first real audit that follows.
We baseline maturity, design the entitlement register and walk the audit-defence simulation.
Weekly compliance intelligence for IT leaders.