ISO 31000‐based integrated risk management process assessment model for IT organizations

Governance, Risk management, and Compliance activities are key challenges faced by organizations. Process Models and Capability Process Assessments are governance instruments that can help organizations assess and improve their processes. Several ISO standards propose process models for Management System Standards based on ISO 9001, ISO/IEC 20000‐1, and ISO/IEC 27001, and for project management with ISO 21500. The ISO 31000 standard provides guidance for Risk management with a process approach and a systemic perspective. This paper presents an ISO 31000‐based Integrated Risk Management Process Assessment Model (PAM) for IT organizations that makes it easy to integrate several ISO process‐oriented standards which IT organizations often target. This PAM integrates risk management dimensions with ISO 9001, ISO 21500, ISO/IEC 20000‐1, and ISO/IEC 27001. It offers a centralized and integrated risk management approach which provides the basis to improve, coordinate, and interoperate risk management activities.
