CMMI: Bringing Organizational Excellence to Software QA, and Beyond


CMMI stands for Capability Maturity Model Integration. Sounds like a complex term the first time you hear it, doesn’t it? Let’s break it down and see what each component means.

The first Capability/Maturity Models were developed through the 1990s for the U.S. Department of Defense to assess the quality of software engineering contractors. CMM models rated organizations according to their level of process maturity and performance capability. In the beginning, there were multiple CMM models in use that were later combined into a single, integrated model – hence the integration part in the CMMI acronym. Over time, the CMMI framework expanded beyond software engineering. It can now be used to address performance issues in organizations and/or projects in any industry.

CMMI is now being further developed and managed by ISACA’s CMMI Institute. That’s where one finds certified CMMI partners, training courses, information on the appraisal process, and more.

CMMI levels and their definitions

The latest version of CMMI offers five levels of organizational maturity and three levels of capability.

Five organizational maturity levels:

Level 0 – Incomplete (The service provider lacks organizational structure.)

Level 1 – Initial (The processes are reactive and ad-hoc.)

Level 2 – Managed (There is some planning and organization going on.)

Level 3 – Defined (There is even more proactivity and standardization.)

Level 4 – Quantitatively managed (Characterized by well-managed predictable processes and heavy utilization of data to improve processes.)

Level 5 – Optimizing (The org is both stable and flexible. There is a lot of predictability, but also a capacity to respond to change quickly. There is continuous improvement.)

Three performance capability levels:

Level 0 – Incomplete (There is no performance consistency at all.)

Level 1 – Initial (At least some performance issues are addressed.)

Level 2 – Managed (There are certain performance optimization practices in place.)

Level 3 – Defined (The org has clearly-defined performance objectives and organizational standards.)

CMMI’s Getting Started guide emphasizes that, while it’s easy to formally introduce CMMI standards and processes, it is difficult to change people’s habits and deal with resistance. With that said, when adopting CMMI principles one should strive for real performance improvements and not just for passing an audit or demonstrating compliance.

CMMI appraisals

Those who wish to use the Capability/Maturity Model for organizational improvement can benefit from CMMI appraisals. These are carried out by certified CMMI partner organizations, including partner-sponsored individuals. CMMI Institute offers a searchable partner directory that will help you find a suitable appraiser.

The new integrated Capability/Maturity Model uses an improved appraisal method, applicable to a broad variety of markets, organizations, and types of work. The method supports appraisals in a variety of contexts:

  • Benchmarking
  • Internal performance and process improvement
  • Process monitoring
  • Supplier selection
  • Risk reduction

In addition, the new method emphasizes a collaborative approach to identifying performance challenges by focusing on process implementation rather than personnel assessment.

Besides appraisals, ISACA-licensed partners can consult on implementing CMMI processes, deliver CMMI courses, and more.

CMMI applications

While being structured and detailed, the CMMI model is also flexible and can be used in most scenarios where process or performance improvement/benchmarking is required.

Depending on the organization’s specific pain points, CMMI can prescribe concrete measures to address the shortcomings.

The CMMI model is not prescriptive; rather it describes what to do to improve an organization’s capabilities, not how to do it. This makes the model very flexible to meet the unique needs of any business.

CMMI Adoption and Transition Guidance, page 6; by ISACA 2022.

CMMI and software quality assurance

In a paper that talks about the significance of SQA (software quality assurance) and its part in CMMI, the author aligns CMMI maturity levels with corresponding roles/functions QA performs at an organization at each level:

| Maturity level | QA role |
|---|---|
| 1. Initial | Testing |
| 2. Managed | Quality hurdle |
| 3. Defined | Oversight, Metrics |
| 4. Quantitatively managed | Process and Risk management |
| 5. Optimizing | Reference, Oversight |

Source: – we named maturity levels according to the latest CMMI model

The higher the maturity level, the less it is about “putting out fires” and the more it is about preventing/predicting them via proper standardization and oversight.

Now let’s look at how CMMI-defined process areas align with SQA (software quality assurance) and SQC (software quality control) in the CMMI model:

Software engineering process areas where QA/QC play a part: 

  • Requirements development (Level 3)
  • Requirements management (Level 2)
  • Verification (Level 3)
  • Validation (Level 3)

There is also one QA-specific process area in CMMI, and that is Process and Product QA (Level 2).

These should give you a general idea about how the framework can be used to improve the QA process.

QA/QC-related process areas under CMMI

And now let’s talk a little more in-depth about what each process area means.

Process and Product Quality Assurance

There are two specific goals within this process area:

  • Objectively evaluate processes and work products
  • Provide objective insight

The first goal is to measure carried-out processes and products-in-development against available process descriptions, standards and procedures.

When noncompliance issues are found, the second goal becomes to provide staff and management with objective (criteria-based) insight regarding said issues, while also documenting them and ensuring they are addressed in due time.

Requirements development

CMMI distinguishes between three types of requirements:

  • Customer requirements
  • Product requirements
  • Product-component requirements

QA ensures that the documented standards/procedures are followed. QA also establishes software KPIs, e.g. the number of errors that can be traced back to incomplete or confusing requirements.

QC verifies requirements for clarity and completeness.

Requirements management

It includes:

  • Version control of the requirements
  • Mapping requirements to test cases, planned project items, and deliverables

QA ensures that the documented standards/procedures are followed. QA also establishes software KPIs, e.g., the number of times the wrong requirements version was used, errors arising from insufficient test coverage, etc.

QC verifies accurate connections between the requirements and work products.

Verification

Verification is ensuring that “we have built it right”. It consists of checking that the delivered work products satisfy the requirements (mostly a QC role; QA provides oversight).

Validation

Validation is ensuring that “we have built the right thing”. Together with QC, end-product users perform acceptance testing to determine whether the product really serves its intended function.

In conclusion

If you are a large (or quickly-growing) organization and are noticing that your processes are chaotic and there are certain performance issues that need to be addressed, consider the CMMI model as a way to “tame” that chaos and make work outcomes plannable and predictable.

Full information on the framework and the organization supporting it can be found at
