Abstract
With IT now pervasive in every business, risk management is a critical and central activity. IT companies, and IT departments within companies, may seek certification against one or several management system standards; risk management then has to be tackled in the context of the domain targeted by each management system. This paper investigates how risk management could be integrated across several ISO standards relevant to IT settings: quality management, project management, IT service management and information security management. Taking the reference standard for risk management, ISO 31000, as the baseline, a comparison is performed to identify risk-management-related activities in the ISO high-level structure for management system standards, ISO 9001, ISO 21500, ISO/IEC 20000-1 and ISO/IEC 27001, and to elicit integration vectors. The paper concludes with future work aimed at proposing a process reference and assessment model for integrating risk management activities.
Acknowledgments
This work has been partially supported by the Spanish Ministry of Science and Technology with ERDF funds under grant TIN2013-46928-C3-2-R.
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Barafort, B., Mesquida, AL., Mas, A. (2016). How to Integrate Risk Management in IT Settings Within Management Systems? Comparison and Integration Perspectives from ISO Standards. In: Clarke, P., O'Connor, R., Rout, T., Dorling, A. (eds) Software Process Improvement and Capability Determination. SPICE 2016. Communications in Computer and Information Science, vol 609. Springer, Cham. https://doi.org/10.1007/978-3-319-38980-6_19
DOI: https://doi.org/10.1007/978-3-319-38980-6_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-38979-0
Online ISBN: 978-3-319-38980-6