
2006 Common Body of Knowledge For The Certified Software Quality Analyst (CSQA)


The Common Body of Knowledge (CBOK) for the CSQA is designed to cover the
challenges faced by today’s quality professional. The CBOK’s knowledge categories
have been selected to address these challenges. It is recognized that many quality
professionals do not need to be competent in all of the categories to fulfill their current
job responsibilities. Categories one to eight should be common to all quality challenges
and therefore most of the certification examination will focus on categories one to eight.
However, the candidate should have a basic knowledge of categories nine and ten to
keep quality assurance competencies current, and candidates will be examined at
a high level on these two categories.

The following ten knowledge categories describe the Common Body of Knowledge that
an individual must master to obtain a certification in software quality assurance (CSQA):

1. Quality Principles and Concepts
2. Quality Leadership
3. Quality Baselines (Assessments and Audits)
4. Quality Assurance
5. Quality Planning
6. Define, Build, Implement and Improve Work Processes
7. Quality Control Practices
8. Metrics and Measurement
9. Internal Control and Security
10. Outsourcing, COTS and Contracting Quality

Knowledge Category 1: Quality Principles and Concepts


Before an organization can begin to assess the quality of its products and services, and
identify opportunities for improvement, it first must have a working knowledge of quality
principles and basic concepts. This category will test the CSQA candidate’s ability to
understand and apply these principles, which include the quality vocabulary, various
ways of defining quality, key concepts, distinguishing between quality control and
quality assurance, and the contributions of quality pioneers.
This knowledge category addresses the following:
• Vocabulary of quality—understanding the vocabulary used to explain and
implement quality in an IT organization. Includes terms such as quality,
processes, defects and products.
• The different views of quality—an understanding of how quality is viewed from a
producer of products, a customer/user of products, and suppliers of products.
These different definitions result in a quality gap.
• Quality concepts and practices—an overview of the more prevalent concepts,
approaches and practices used by quality professionals to implement and improve
quality. These include:
1. the PDCA Cycle (Plan-Do-Check-Act)
2. the Cost of Quality
3. Six Sigma Quality
4. Baselining and Benchmarking
5. Earned Value
• Quality control and quality assurance—understanding the difference between
quality control and quality assurance, definitions, activities, and processes.
• Quality pioneers' approach to quality—includes quality pioneers such as Dr. W.
Edwards Deming, Philip Crosby, and Dr. Joseph Juran.

Knowledge Category 2: Quality Leadership


The most important prerequisites for successful implementation of any major quality
initiative are leadership and commitment from executive management. Management
must create a work environment supportive of quality initiatives. It is management’s
responsibility to establish strategic objectives and build an infrastructure that is
strategically aligned to those objectives. This category will cover the management
processes used to establish the foundation of a quality-managed environment, as well as
commitment, new behaviors, building the infrastructure, techniques, approaches and
communications.
• Leadership Concepts
1. Executive and Middle Management Commitment
2. Quality Champion
3. New Behaviors for Management
a. Traditional Management versus Quality Management (differences
in philosophy)
b. Leadership (modeling, coaching, reinforcing)
c. The importance of establishing mentoring relationships
d. Establishing Trust
4. Empowerment of employees

• Quality Management Infrastructure
1. Quality Council
2. Management Committees
3. Teams and Work Groups
4. Process Improvement review teams
• Quality Environment—environment supportive of quality
1. Setting the proper “tone” at the top
2. Code of Ethics
3. Open communication
4. Implementing a mission, a vision, goals, values and a quality policy
5. Monitoring compliance to organizational policy and procedures
6. Enforcement of organizational policies and procedures

Knowledge Category 3: Quality Baselines (Assessments and Audits)


Organizations need to establish baselines of performance for quality, productivity and
customer satisfaction. These baselines are used to document current performance and
document improvements by showing changes from a baseline. In order to establish a
baseline, a model and/or goal must be established to measure against when
determining the baseline.
• Why Baselines are needed
1. Measure current level of performance
2. Basis for establishing improvement goals
3. Means to measure improvement
• Methods Used for Establishing Baselines
1. Customer Surveys
2. Benchmarking
3. Assessments against industry models
4. Assessments against management established criteria (e.g. software
requirements and user acceptance criteria)
• Model and Assessment Fundamentals
1. Purpose of a Model
2. Types of Models (staged and continuous)
3. Model Selection Process
4. Using Models for Assessment and Baselines
• Industry Quality Models
1. Software Engineering Institute Capability Maturity Model/CMMI
2. Malcolm Baldrige National Quality Award
3. ISO 9001:2000
4. ISO/IEC 12207
5. ISO/IEC TR 15504
6. Post Implementation Audits

Knowledge Category 4: Quality Assurance


Quality Assurance is a professional competency whose focus is directed at the critical
processes used to build products and services. The profession is charged with the
responsibility for tactical process improvement initiatives that are strategically aligned to
the goals of the organization. This category will address the understanding and
application of quality assurance practices in support of the strategic quality direction of
the organization. The quality practitioner should understand the importance of a quality
function, how to implement a quality function and how it matures over time, as well as
how to create a quality plan, the use of quality tools, process deployment, and
differentiating between internal auditing and quality assurance.
• Establishing a Function to Promote and Manage Quality
1. Why an IT Quality Function is Desirable
2. The Challenges of Implementing a Quality Function
3. How the Quality Function Matures Over Time
4. Support in Corporate Quality Management Environment
5. Implementing an IT Quality Function
• Quality Tools
1. Statistical Tools
2. Management Tools
• Process Deployment
1. Getting Buy-in for Change Through Marketing
2. The Formula for Effective Behavior Change
(behavior=individual+environment)
3. The Deployment Process (assessment, strategic, tactical phases)
4. Critical Success Factors for Deployment

• Internal Auditing and Quality Assurance
1. Types of Internal Audits
2. Differences in Responsibilities

Knowledge Category 5: Quality Planning


Executive management establishes the vision and strategic goals. Planning is the process
that describes how those strategic goals will be accomplished. Quality planning should
be integrated into the IT plan so that they become a single plan. In simplistic terms, the
IT plan represents the producer and the quality plan represents the customer.
• Considerations in Establishing IT Goals and Objectives
1. Risk Management
2. Industry Models
3. Laws and Regulations (e.g. Sarbanes-Oxley Act)
4. User Goals and Objectives
5. Improving IT Effectiveness and Efficiency
6. Improving IT Customer Satisfaction
7. Planning Tools and Techniques
8. Process Mapping to IT Goals
9. Establishing a Critical Metric Set
10. Aligning IT Plans to Organizational and User Plans
11. Strategic Planning Process

Knowledge Category 6: Define, Build, Implement and Improve Work Processes

The world is constantly changing. Customers are more knowledgeable and demanding;
therefore, quality and speed of delivery are now critical needs. Companies must
constantly improve their ability to produce quality products that add value to their
customer base. Defining and continuously improving work processes allows the pace of
change to be maintained without negatively impacting the quality of products and
services. This category addresses process management concepts, including the definition
of a process, the workbench concept and components of a process. Additionally, it will
address the understanding of definitions and continuous improvement of a process
through the process management PDCA cycle.
• Process Management Concepts
1. Definition of a Process
2. Why Processes are Needed (management and worker perspectives)
3. Process Workbench and Components (standards, input, work and check
procedures, output/deliverables)
4. Process Categories
a. Management Processes
b. Work Processes
c. Check Processes
5. The Process Maturity Continuum (products and services, work and check
processes, customer involvement)
6. How Processes are Managed
7. Process Template

• Process Management Processes
1. Planning Processes
a. Process Inventory
b. Process Mapping
c. Process Planning
2. Do Process
a. Process Definition
3. Check Processes
a. Process Measurement
b. Testing
4. Act Processes
a. Process Improvement Teams
b. Process Improvement Process

Knowledge Category 7: Quality Control Practices
Quality control practices should occur during product development, product acquisition,
product construction, at the end of development/acquisition, and throughout product
change and operation. During development, the quality control process is frequently
called verification, and at the conclusion of development it is called validation. This
category will address the various types of controls and when they are best used in the
process. The quality practitioner should also be familiar with verification and validation
techniques, the framework for developing testing tactics, change control and
configuration management.
• Testing Concepts
1. The Testers’ Workbench
2. Test Stages (Unit, Integration, System, User Acceptance)
3. Independent Testing
4. Static vs. Dynamic Testing
5. Verification vs. Validation
6. Stress vs. Volume vs. Performance
7. Test Objectives
8. Reviews and Inspections
• Verification and Validation Techniques
1. Verification Techniques (reviews, code walkthroughs, requirements
tracing)
2. Validation Techniques (white box, black box, incremental, thread,
regression)
3. Structural and Functional Testing
• Software Change Control
1. Software Configuration Management
2. Change Control Procedures
• Defect Management
1. Defect Management Process
2. Defect Reporting, including metrics
3. Severity versus Priority
4. Using Defects for Process Improvement

Knowledge Category 8: Metrics and Measurement


A properly established measurement system is used to help achieve missions, visions,
goals, and objectives. Measurement data is most reliable when it is generated as a by-
product of producing a product or service. The QA analyst must ensure that quantitative
data is valued and reliable, and presented to management in a timely and easy-to-use
manner. Measurement can be used to gauge the status, effectiveness and efficiency of
processes, customer satisfaction, product quality, and as a tool for management to use in
their decision-making processes. This category addresses measurement concepts, the use
of measurement in a software development environment, variation, process capability,
risk management, the ways measurement can be used and how to implement an effective
measurement program.
• Measurement Concepts
1. Standard Units of Measure
2. Metrics
3. Objective and Subjective Measurement
4. Types of Measurement Data (nominal, ordinal, interval, ratio)
5. Measures of Central Tendency (mean, median, mode, etc.)
6. Attributes of Good Measurement
7. Using quantitative data to manage an IT Function
8. Key Indicators

• Measurement in Software
1. Product Measurement (size, complexity, quality and customer perception)
2. Process Measurement
• Variation and Process Capability
1. Common and Special Causes of Variation
2. Variation and Process Improvement
3. Process Capability
• Risk Management
1. Defining Risk
2. Characterizing Risk (situational, time-based, interdependent, magnitude
dependent, value-based)
3. Identifying, Analyzing, Prioritizing, Responding to, Resolving and
Monitoring Risks
4. Software Risk Management
5. Risks of Integrating New Technology

• Implementing a Measurement Program
1. The Need for Measurement
2. Prerequisites
3. The Four Uses of Measurement
4. Installing the Measurement Program

Knowledge Category 9: Internal Control and Security
Privacy laws and increased accessibility to data have necessitated increased security.
Accounting scandals and governmental regulation such as the Sarbanes-Oxley Act have
placed increased importance on building and maintaining adequate systems of internal
control. The quality assurance function can contribute to meeting those objectives by
assuring that IT has adequate processes governing internal control and security.
• Principles and Concepts of Internal Control and Security
1. Understand internal control and security models. The current model that is
most accepted by US corporations is the COSO (Committee of Sponsoring
Organizations, composed of five major accounting and audit associations)
model. (Note: there is an equivalent counterpart to COSO in Canada called
CoCo, Criteria of Control.) Many IT organizations use CobiT (Control
Objectives for Information and related Technology), which is a popular
and internationally accepted set of guidance materials for IT governance,
developed by the Institute for Security Control and Audit.
2. Build the System of Internal Controls—the process for building the system
of internal controls in software is:
a. Perform risk analysis—determine the risks faced by the
transactions/events processed by the software.
b. Determine the controls for each of the processing segments for
those transactions, including:
i. Transaction Origination
ii. Transaction Entry
iii. Transaction Processing
iv. Data Base Control
v. Transaction Results
c. Determine whether the identified controls are adequate to reduce
the risks to an acceptable level.
d. When all components of the control system are present and
functioning effectively, the internal control process can be deemed
“effective.”
• Risk, Internal Control and Security Models
1. COSO Enterprise Risk Management Model (ERM)
2. COSO Internal Control Model (includes security) or equivalent
• Building Controls into Software Systems
1. Controlling Transaction Error Origination
2. Controlling Transaction Entry
3. Controlling Transaction Communication
4. Controlling Transaction Processing
5. Controlling Databases
6. Controlling Transaction Output
• Assuring Adequacy of Internal Control and Security
1. Internal Control and Security Awareness Training
2. Creating an Environment that Supports Control and Security
3. Control and Security Policies
4. Identifying Points of Security Penetration
5. Control and Security Practices

Knowledge Category 10: Outsourcing, COTS and Contracting Quality


Organizations can assign software development work responsibilities to outside
organizations through purchasing software or contracting services; but they cannot assign
the responsibility for quality. Quality of software remains an internal IT responsibility
regardless of who builds the software. The quality professionals need to assure that those
quality responsibilities are fulfilled through appropriate processes for acquiring
purchased software and contracting for software services.

Specifically, this category addresses:
• The difference between software developed in-house and software developed by
outside organizations.
1. COTS Software—the documentation may not correspond to the software
source code.
2. Contractors/Outsourced—the contractual provisions will determine
whether the acquiring organization can perform verification activities
during development; and the ability to obtain source code.
• Selecting COTS Software. This involves first determining the needed
requirements; second, identifying the available software that might meet the
requirements; and third, evaluating those software packages against the selection criteria.
Quality professionals can perform or should participate in this process.
• Selecting organizations to build all or part of the needed software. Quality
professionals should be involved in these activities, specifically to:
1. Review the contract for testability (should be able to determine, by testing
what is in the contract, if the contract is adequate)
2. Assure that requirements are testable.
3. Review the adequacy of the outsourcer's test plan.
4. Perform acceptance testing when the software is complete.
5. Issue a report on the adequacy of the software to meet the contractual
specifications
6. Ensure the contract specifically covers knowledge transfer from the
contractor to the contracting organization
7. Ensure the contract specifically covers intellectual property rights
