How to Elicit Processes for an ISO-Based Integrated Risk Management Process Reference Model in IT Settings?

  • Béatrix Barafort
  • Antoni-Lluís Mesquida (corresponding author)
  • Antònia Mas
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 748)

Abstract

Process performance remains a key challenge in organizations. Process improvement can be guided by capability maturity models that rest on processes which can be assessed. Several ISO standards propose process models for management system standards, such as ISO 9001, ISO/IEC 20000-1 and ISO/IEC 27001, and ISO 21500 proposes processes for project management. The ISO 31000 standard provides guidance for risk management with a process approach and a systemic perspective. This paper presents an approach for eliciting processes, with ISO 31000 as the main thread, for a process reference model (PRM). This PRM integrates risk management dimensions with the selected ISO standards: ISO 9001, ISO 21500, ISO/IEC 20000-1 and ISO/IEC 27001.

Keywords

Integrated risk management; IT settings; ISO; Process reference model; Process reference model engineering; Transformation process

Notes

Acknowledgements

This work has been supported by the Spanish Ministry of Science and Technology with ERDF funds under grants TIN2016-76956-C3-3-R and TIN2013-46928-C3-2-R.

References

  1. ISO/IEC 33001: Information technology – Process assessment – Concepts and terminology. International Organization for Standardization, Geneva (2015)
  2.
  3.
  4. ISO/IEC 15504-8: Information technology – Process assessment – An exemplar process assessment model for IT service management. International Organization for Standardization, Geneva (2012)
  5.
  6. Barafort, B., Mesquida, A.L., Mas, A.: Integrating risk management in IT settings from ISO standards and management systems perspectives. Comput. Stand. Interfaces (2016)
  7. ISO 9001: Quality management systems – Requirements. International Organization for Standardization, Geneva (2015)
  8. ISO/IEC 27001: Information technology – Security techniques – Information security management systems – Requirements. International Organization for Standardization, Geneva (2013)
  9. ISO/IEC 20000-1: Information technology – Service management – Part 1: Service management system requirements. International Organization for Standardization, Geneva (2011)
  10. ISO 21500: Guidance on project management. International Organization for Standardization, Geneva (2012)
  11. ISO 31000: Risk management – Principles and guidelines. International Organization for Standardization, Geneva (2009)
  12. ISO/IEC Directives, Part 1, Annex SL. International Organization for Standardization, Geneva (2014)
  13. Barafort, B., Renault, A., Picard, M., Cortina, S.: A transformation process for building PRMs and PAMs based on a collection of requirements – example with ISO/IEC 20000. In: 8th International SPICE 2008 Conference, Nuremberg (2008)
  14. ISO/IEC 33004: Information technology – Process assessment – Requirements for process reference, process assessment and maturity models. International Organization for Standardization, Geneva (2015)
  15. ISO/IEC 27005: Information technology – Security techniques – Information security risk management. International Organization for Standardization, Geneva (2011)
  16. Hillson, D.: Integrated risk management as a framework for organisational success. In: Proceedings of the PMI Global Congress 2006 North America, Seattle, WA, USA, 23 October 2006
  17. Chittister, C., Haimes, Y.Y.: Risk associated with software development: a holistic framework for assessment and management. IEEE Trans. Syst. Man Cybern. 23(3), 710–723 (1993)
  18. Lyytinen, K., Mathiassen, L., Ropponen, J.: A framework for software risk management. J. Inf. Technol. 11(4), 275–285 (1996)
  19. Bandyopadhyay, K., Mykytyn, P.P., Mykytyn, K.: A framework for integrated risk management in information technology. Manag. Decis. 37(5), 437–445 (1999)
  20. Kontio, J.: Software Engineering Risk Management: A Method, Improvement Framework, and Empirical Evaluation. Doctoral dissertation (2001)
  21. Roy, G.G.: A risk management framework for software engineering practice. In: Proceedings of the 2004 Australian Software Engineering Conference, pp. 60–67 (2004)
  22. Alberts, C.J., Dorofee, A.J.: Risk Management Framework. Technical report CMU/SEI-2010-TR-017, ESC-TR-2010-017, Software Engineering Institute, August 2010
  23. Buglione, L., Abran, A., von Wangenheim, C.G., McCaffery, F., Hauck, J.C.R.: Risk management: achieving higher maturity & capability levels through the LEGO approach. In: 2016 Joint Conference of the International Workshop on Software Measurement and the International Conference on Software Process and Product Measurement (IWSM-MENSURA), pp. 131–138. IEEE, October 2016
  24. ISO/IEC 15504-5: Information technology – Process assessment – An exemplar software life cycle process assessment model. International Organization for Standardization, Geneva (2012)
  25. de Bruin, T., Rosemann, M., Freeze, R., Kulkarni, U.: Understanding the main phases of developing a maturity assessment model. In: 16th Australasian Conference on Information Systems (ACIS), Sydney (2005)
  26. Becker, J., Knackstedt, R., Pöppelbuß, J.: Developing maturity models for IT management. Bus. Inf. Syst. Eng. 1(3), 213–222 (2009)
  27. Pöppelbuß, J., Röglinger, M.: What makes a useful maturity model? A framework of general design principles for maturity models and its demonstration in business process management. In: ECIS 2011 (2011)
  28. von Wangenheim, C.G., Hauck, J.C.R., Zoucas, A., Salviano, C.F., McCaffery, F., Shull, F.: Creating software process capability/maturity models. IEEE Softw. 27(4), 92–94 (2010)
  29. Stallinger, F., Plösch, R.: Towards methodological support for the engineering of process reference models for product software. In: Mitasiunas, A., Rout, T., O'Connor, R.V., Dorling, A. (eds.) SPICE 2014. CCIS, vol. 477, pp. 24–35. Springer, Cham (2014). doi:10.1007/978-3-319-13036-1_3
  30. Renault, A., Barafort, B.: TIPA for ITIL – from genesis to maturity of SPICE applied to ITIL 2011. In: Proceedings of the 21st European System & Software Process Improvement and Innovation Conference 2014, Luxembourg (2014)
  31. Di Renzo, B., et al.: Operational risk management in financial institutions: process assessment in concordance with Basel II. Softw. Process Improv. Pract. 12(4), 321–330 (2007)
  32.
  33. ISO/IEC TS 33072: Information technology – Process assessment – Process capability assessment model for information security management. International Organization for Standardization, Geneva (2016)
  34. ISO/IEC PDTS 33073: Information technology – Process assessment – Process capability assessment model for quality management. International Organization for Standardization, Geneva (under development)
  35. Pardo, C., Pino, F.J., García, F., Piattini, M., Baldassarre, M.T.: An ontology for the harmonization of multiple standards and models. Comput. Stand. Interfaces 34(1), 48–59 (2012)
  36. ISO/IEC 27000: Information technology – Security techniques – Information security management systems – Overview and vocabulary. International Organization for Standardization, Geneva (2016)
  37. ISO Guide 73: Risk management – Vocabulary. International Organization for Standardization, Geneva (2009)

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Béatrix Barafort (1)
  • Antoni-Lluís Mesquida (2), corresponding author
  • Antònia Mas (2)
  1. Luxembourg Institute of Science and Technology, Esch-sur-Alzette, Luxembourg
  2. Department of Mathematics and Computer Science, University of the Balearic Islands, Palma de Mallorca, Spain