Abstract
With risk management a key topic for most organizations, aligning and improving organizational and business processes is essential. Capability and maturity models can contribute to assessing, and then enabling, process improvement. Given the need to integrate risk management in IT settings (IT department/organization), the ISO/IEC 15504-330xx process assessment approach combined with ISO 31000 for risk management can form the foundation for new process models. An integrated process-based approach drawing on various market-demanded ISO standards (ISO 9001, ISO 21500, ISO/IEC 20000-1 and ISO/IEC 27001) is proposed in the paper; it explains how the Integrated Risk Management Process Model for IT settings in an ISO multi-standards context is developed with a Design Science research method.
Keywords
- Integrated risk management
- ISO
- IT settings
- ISO/IEC 15504-330xx
- Process reference and assessment models engineering
- Design science research method
Acknowledgements
This work has been supported by the Spanish Ministry of Science and Technology with ERDF funds under grants TIN2016-76956-C3-3-R and TIN2013-46928-C3-2-R.
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Barafort, B., Mesquida, AL., Mas, A. (2017). Developing an Integrated Risk Management Process Model for IT Settings in an ISO Multi-standards Context. In: Mas, A., Mesquida, A., O'Connor, R., Rout, T., Dorling, A. (eds) Software Process Improvement and Capability Determination. SPICE 2017. Communications in Computer and Information Science, vol 770. Springer, Cham. https://doi.org/10.1007/978-3-319-67383-7_24
DOI: https://doi.org/10.1007/978-3-319-67383-7_24
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-67382-0
Online ISBN: 978-3-319-67383-7
eBook Packages: Computer Science (R0)