Differences in ISO 9001 and the CMM

The CMM is a way to communicate capabilities. The ISO is a way to communicate the process. 
CMM is a very specific way of classifying an organization's software development methods but, ISO procedures describe a definite development and process but give no indication of the likely quality of the designs or whether multiple software efforts are likely to produce software of similar quality. 

• Some issues in ISO 9001 are not covered in CMM, and vice versa, The levels of detail differ 
• The clause such as customer-supplied products and handling, packaging, preservation and delivery as stated in the ISO 9001 has no strong relationship to CMM KPAs 
• The biggest difference is the emphasis in CMM on continuous process improvement. ISO only addresses minimum criteria for an acceptable quality system. 
• The clause in ISO 9001 that addresses in CMM in a completely distributed fashion is servicing. There is significant debate about the exact relationships to CMM for corrective and preventive action and statistical techniques 
• CMM focuses strictly on software, while ISO 9001 includes hardware, software, processed materials and services. 
• For both CMM and ISO 9001, the bottom line is “Say what you do; do what you say.” 
• Every Level 2 KPA is strongly related to ISO 9001. Every KPA is at least weakly related to ISO 9001. A CMM Level-1 organization can be ISO 9001 certified; that organization would have significant Level-2 process strengths and noticeable Level-3 strengths. 
• Given a reasonable implementation of the software process, an ISO 9001 certified organization should be at least close to CMM Level-2. 
• Even a Level-3 organization would need to ensure that delivery and installation are addressed, but even a Level-2 organization would have comparatively little difficulty in obtaining ISO 9001 certification.