Integrating risk management in IT settings from ISO standards and management systems perspectives

dc.contributor.author Barafort, B.
dc.contributor.author Mesquida, A.L.
dc.contributor.author Mas, A.
dc.date.accessioned 2025-05-22T10:42:13Z
dc.date.available 2025-05-22T10:42:13Z
dc.identifier.citation Barafort, B., Mesquida, A.L. i Mas, A. (2016). Integrating risk management in IT settings from ISO standards and management systems perspectives. Computer Standards & Interfaces, 54(3), 176-185. http://dx.doi.org/10.1016/j.csi.2016.11.010 ca
dc.identifier.uri http://hdl.handle.net/11201/170280
dc.description.abstract [eng] Organizational capabilities in companies, within IT settings, can be strengthened by a centralized and integrated risk management approach based on ISO standards. This paper analyses risk management activities throughout various selected ISO standards in order to provide the basis to improve, coordinate and interoperate risk management activities in IT settings for various purposes related to quality management, project management, IT service management and information security management. Taking as a basis the ISO 31000 international standard for risk management, a comparison is performed with the aim of identifying risk management related activities in the ISO high level structure for management system standards, ISO 9001, ISO 21500, ISO/IEC 20000-1 and ISO/IEC 27001. These standards are of high interest for practitioners in IT settings, benefitting from the integration of process-based activities, implementing mechanisms for linking IT and non-IT entities of their organization with risk management challenges to address. Integration vectors such as the understanding of the organisation and its context, risk-based thinking, leadership and commitment, process approach and PDCA structure are elicited. en
dc.format application/pdf en
dc.format.extent 176-185
dc.publisher Elsevier
dc.relation.ispartof Computer Standards & Interfaces, 2016, vol. 54, num. 3, p. 176-185
dc.rights all rights reserved
dc.subject.classification 004 - Informàtica ca
dc.subject.other 004 - Computer Science and Technology. Computing. Data processing en
dc.title Integrating risk management in IT settings from ISO standards and management systems perspectives en
dc.type info:eu-repo/semantics/article
dc.type info:eu-repo/semantics/publishedVersion
dc.type Article
dc.date.updated 2025-05-22T10:42:14Z
dc.date.embargoEndDate info:eu-repo/date/embargoEnd/2100-01-01
dc.subject.keywords Management system en
dc.subject.keywords Risk management en
dc.subject.keywords ISO standards en
dc.subject.keywords Integrated risk management en
dc.rights.accessRights info:eu-repo/semantics/closedAccess
dc.identifier.doi http://dx.doi.org/10.1016/j.csi.2016.11.010

