Policy

Documentation Requirement

What is policy?

CMMI defines a policy as a management mandate—the rule set that commits the organization to act in a certain way. This establishes the authority and governance context immediately.

CMMI SVC requires a documented policy

What Is a Documented Policy?

A policy is the governing rule established by Senior Management that commits the organization to a specific course of action. It sets the mandatory expectation for how the company will operate.

It typically takes the shape of a simple, authoritative statement:

"The company shall <commit, provide, perform, ensure, etc.>... <for a specific area of work>."

This is your executive team's official mandate to the service delivery organization, spoken in the future tense as a clear directive.

The Role of the Policy

The policy document is always the top document in your company's Quality Management System (QMS) hierarchy.

Foundation: It serves as the non-negotiable commitment from which all operational details flow.
Hierarchy: All remaining documents, including procedures, forms, templates, and tools, are derived directly from the policies you establish. They explain how the organization will meet the top-level commitment made in the policy.

You have the flexibility to publish all policies in a single stand-alone document or include the relevant policy statements directly within the corresponding process definitions. The important thing is that the commitment is documented and clear.

How many policies do we need?

The simple answer is: you need enough policy statements to cover every core CMMI function you choose to implement—but you can, and should, consolidate them.

One Document is Ideal

For simplicity and ease of control, we strongly recommend consolidating all top-level policy statements into one single document. This master document acts as the official mandate from Senior Management for the entire Services QMS.

Structure by Function, Not Document

The CMMI Process Areas (PAs) define the functions you need policies for (e.g., Risk Management, Training, Planning). Your policy document must contain a commitment statement for each of these functions.

Consolidate Statements: For efficiency, policies for closely related PAs can be merged into a single section or statement. For example, your policy could state: "The company shall define, measure, and analyze its service delivery processes to ensure continuous improvement." This single statement covers the intent of multiple PAs (Organizational Process Definition, Measurement & Analysis, etc.).
The Practical Guide: Use the CMMI Process Areas as your checklist to ensure no critical management function is missed, but do not treat them as a requirement for separate documents.

The goal is clarity of commitment, not volume of paper. One well-structured policy document is always better than many fragmented ones.

Do I need a policy statement for each process area?

No, you do not need a separate policy document for each Process Area. You should consolidate policies to maximize clarity and efficiency.

The goal is to ensure that every critical function is backed by a management commitment, which is why a structured policy template works best.

Typically, a policy related to any process area has four components to it.

People: it states what kind of people resources will be provided by the company to get a work completed as desired.
Training: It states what all training will be provided by the company to the people on the project.
Tools and resources: It states that the company will be responsible for providing any tools required to perform the functions.
Reviews: It states who all will have authority to review the project work, deliverables, process execution, etc. to objectively review and report the findings.

We highly recommend using this standardized structure. It eliminates redundancy, simplifies compliance checks, and ensures that every policy automatically covers the mandatory management ingredients required by CMMI-SVC.

Policy Approval and Governance

A policy is only valid if it has the authority and commitment of the company's leaders.

Formal Approval is Mandatory

The policy document is a management mandate and must be formally approved and authorized by Senior Management before it is released to the organization. This official sign-off is non-negotiable and provides the necessary weight for compliance.

The Scheduled Review

Your policy is not a static document. It must be periodically reviewed (we recommend at least once per year) to ensure it remains:

Aligned: Does the policy still support the current business goals and services?
Accurate: Does the policy reflect the current organizational structure and tool landscape?

This scheduled review confirms that Senior Management is sustaining its commitment and prevents the policy from becoming outdated or irrelevant.

Page updated

Google Sites

Report abuse