Integrated risk management process improvement framework in IT settings based on ISO standards

  1. Barafort, Béatrix
Supervised by:
  1. Antoni Lluís Mesquida Calafat Director
  2. Antònia Mas Pichaco Director

Defence university: Universitat de les Illes Balears

Date of defence: 03 December 2018

Committee:
  1. Rory O'Connor Chair
  2. Mercedes Ruiz Carreira Secretary
  3. Ricardo Colomo Palacios Committee member

Type: Thesis

Abstract

The International Organization for Standardization (ISO) publishes management system standards (MSSs), the best known being ISO 9001; in the IT domain they include ISO/IEC 20000-1 for IT service management systems and ISO/IEC 27001 for information security management systems. ISO 21500, which also takes a process-based approach and applies risk-based thinking, addresses project management. These four ISO standards are of high interest to practitioners in IT settings who need to integrate process-based activities, build mechanisms that link the IT and non-IT entities of their organization, and address risk management challenges. IT settings here means IT companies and IT departments, covering both the development and operations sides, with project-based and non-project-based activities. In order to improve and integrate risk management in IT settings, using ISO standards as the basis because they represent international consensus on practice, the following main research question is targeted: “How to improve risk management processes in IT settings from an integrated and management system perspective in multiple ISO standards?”. This research explores risk management in IT settings from the angle of the following ISO standards: ISO 31000, the international reference for risk management; ISO Annex SL (the high-level structure for MSSs); ISO 9001; ISO 21500; ISO/IEC 20000-1; and ISO/IEC 27001 (together with ISO/IEC 27005 on information security risk management for complementary input). The research is based on Design Science principles for creating artefacts in IT settings. A set of six activities was followed to create a process reference model (PRM) and a process assessment model (PAM) for integrated risk management processes based on ISO standards (IRMIS), with iterations and interactions for improving the proposed solution to the problem being solved. The research contribution consists of three main lines.
The first line identifies risk management activities across the selected ISO standards targeting management systems. It consists of mapping ISO 31000 to the following selected ISO standards: ISO Annex SL, ISO 9001, ISO 21500, ISO/IEC 20000-1, ISO/IEC 27001 and ISO/IEC 27005. The second line drives the integration of risk management activities in IT settings by eliciting the processes dedicated to management systems and the processes specific to risk management. The third line improves risk management processes through the IRMIS PRM and PAM, which enable process assessment. To reach this result, the Transformation process is applied to ISO 31000 and the selected standards in order to fully develop the IRMIS PRM and PAM. The IRMIS PRM and PAM constitute the final outcome: an integrated risk management improvement framework in IT settings based on ISO standards.