How to integrate risk management in IT settings Within management systems? Comparison and integration perspectives from ISO standards
B. Barafort, A. L. Mesquida, and A. Mas
in Software Process Improvement and Capability Determination: 16th International Conference, SPICE 2016, Dublin, Ireland, June 9-10, 2016, M. P. Clarke, V. R. O'Connor, T. Rout, and A. Dorling (Eds.), Springer, pp. 254-269, 2016
With the omnipresence of IT in any business, risk management is a critical and central activity. IT companies, or IT departments within companies, may seek certification against one or several management system standards. Risk management then has to be tackled in the context of the domain targeted by each management system. This paper investigates how risk management could be integrated across several ISO standards relevant to IT settings: quality management, project management, IT service management and information security management. Based on ISO 31000, the reference standard dedicated to risk management, a comparison is performed in order to identify risk-management-related activities in the ISO high-level structure for management system standards, ISO 9001, ISO 21500, ISO/IEC 20000-1 and ISO/IEC 27001, and to elicit integration vectors. The paper concludes with future work aiming to propose a process reference and assessment model for integrating risk management activities.
doi: 10.1007/978-3-319-38980-6_19