Software asset management has historically been the IT discipline nobody wanted to staff until a vendor audit arrived. The audit produces a number — usually large, usually negotiable, but always painful — and SAM gets a one-time investment that fades when the immediate pressure does. ISO 19770-1 changes that pattern by treating SAM as a management system with the same operational rhythm as ISO 27001 or ISO 9001. The discipline becomes durable rather than reactive.
Why SAM Is a Bigger Number Than It Looks
Software costs in modern organisations have shifted from one-time licences to ongoing subscriptions. SaaS sprawl multiplies the surface area — every department buys its own tools, often paid by credit card, often invisible to IT until renewal time. A combined view of on-premise licences, cloud subscriptions, and SaaS instances typically reveals duplicate spend, unused seats, contract terms that have drifted from current usage, and renewal timing that gives the vendor every advantage. The total recoverable spend in a mature SAM programme is consistently larger than the cost of running it.
What ISO 19770-1 Actually Provides
ISO 19770-1 is a management system standard for IT asset management, with hardware asset management (HAM) and software asset management (SAM) as integrated disciplines. It uses the High-Level Structure shared with other ISO management standards, so organisations with ISO 27001 or ISO 9001 will find the architecture familiar — context, leadership, planning, support, operation, performance evaluation, improvement.
The substantive ITAM requirements include a documented inventory of assets, defined ownership and accountability, lifecycle management from acquisition through retirement, controls over installation and use, and reconciliation between entitlements (what you have rights to) and consumption (what you are actually using). The reconciliation is where most of the financial value lives.
The Inventory Problem
Most SAM programmes start with discovery — automated tools scanning endpoints and servers to identify installed software. The discovery is necessary but not sufficient. The inventory has to include subscription services discovered through expense data, identity provider integrations to find SaaS apps with single sign-on, and network egress monitoring to find shadow IT subscriptions. A SAM inventory that only sees endpoint installs is missing most of the modern software estate.
A finding that surfaces in nearly every SAM audit: enterprise contracts negotiated for an organisation-wide deployment but actually used by a fraction of the licensed user base. The over-buy is invisible until usage data is reconciled with entitlements. The reconciliation is what unlocks negotiation leverage at renewal — and it is the reason mature SAM programmes pay for themselves several times over.
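The reconciliation described above, as an added example that is not part of the original article: it merges several discovery sources into one inventory and compares distinct consuming users with entitled seats. The application names, users, seat counts and the "unmanaged" status label are constructed for illustration, and it assumes user identifiers can be matched across sources once normalised.

```python
from collections import defaultdict

# Constructed sample data: (application, user) pairs per discovery source.
SOURCES = {
    "endpoint_scan": [("DiagramPro", "alice"), ("DiagramPro", "bob"),
                      ("PdfEdit", "carol")],
    "idp_sso": [("DiagramPro", "Alice"), ("TeamChat", "alice"),
                ("TeamChat", "bob"), ("TeamChat", "dave")],
    "expense_data": [("SurveyTool", "erin")],
    "network_egress": [("SurveyTool", "erin"), ("SurveyTool", "frank")],
}
# Constructed entitlements: seats the organisation has rights to.
ENTITLEMENTS = {"DiagramPro": 10, "TeamChat": 2, "PdfEdit": 1}


def build_inventory(sources):
    """Merge every source into one inventory: app -> user -> {sources}."""
    inventory = defaultdict(lambda: defaultdict(set))
    for source, records in sources.items():
        for app, user in records:
            # Assumption: user ids match across sources once normalised.
            inventory[app][user.strip().lower()].add(source)
    return inventory


def reconcile(inventory, entitlements):
    """Compare entitled seats with distinct consuming users per app."""
    report = {}
    for app in sorted(set(inventory) | set(entitlements)):
        users = inventory.get(app, {})
        entitled, consumed = entitlements.get(app), len(users)
        if entitled is None:
            status = "unmanaged"  # usage with no recorded entitlement
        elif consumed > entitled:
            status = "true-up"    # under-licensed
        elif consumed < entitled:
            status = "harvest"    # unused seats
        else:
            status = "balanced"
        seen_by = sorted({s for srcs in users.values() for s in srcs})
        report[app] = {
            "entitled": entitled, "consumed": consumed, "status": status,
            "sources": seen_by,
            "endpoint_visible": "endpoint_scan" in seen_by,
        }
    return report


if __name__ == "__main__":
    for app, row in reconcile(build_inventory(SOURCES), ENTITLEMENTS).items():
        print(app, row)
```

Rows with `endpoint_visible` set to false are the part of the estate that an endpoint-only inventory would never report.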
Vendor Audit Posture
A SAM programme aligned to ISO 19770-1 also fundamentally changes the vendor audit experience. The audit becomes a verification exercise against your existing reconciled position rather than a discovery exercise the vendor controls. Auditors find what you knew about; conversations focus on edge cases rather than on your inability to demonstrate compliance. Audit settlements drop substantially when the organisation can produce credible evidence quickly.
Practical Components of an ITAM Programme
- Single inventory across endpoints, servers, cloud subscriptions, and SaaS — not multiple silos
- Entitlement-versus-consumption reconciliation for material vendors, refreshed at least quarterly
- Software request and approval workflow that creates traceability from request to deployment to retirement
- Licence optimisation — true-up where under-licensed, harvest unused seats, downgrade where appropriate
- Renewal calendar with internal target review dates 90+ days before vendor deadlines
- Vendor audit playbook prepared in advance — not assembled when the notice arrives
Why ISO 19770-1 Is the Right Anchor
You can run a SAM programme without ISO 19770-1, and many organisations do. But the standard provides what informal SAM programmes consistently lack — a defined operating model, role accountability, internal audit cadence, management review rhythm, and continual improvement loop. These are the structural reasons SAM programmes survive leadership changes and continue producing value over years rather than fading after the initial vendor audit panic. The certification is optional. The operating model is what matters.