ISO Standards
- From my own understanding of the standards and their implementation in multiple industries, I feel some standards are universally applicable across industries. I am calling these standards "core" standards. Such standards include ISO 9001 on quality, ISO 27001 on information security, and ISO 14001 on environmental considerations.
- The core standards may not be sufficient for certain industries, and "additional" standards are required to put in place guidelines and guardrails that support projects, programs, and portfolios in meeting the industry-specific compliance needed to operate as a business and serve their targeted customers. For example, ISO 28005 covers electronic port clearance before a ship or cruise liner leaves port. I call these "additional" standards, mandatory for that industry.
- Furthermore, some reference standards give clearer guidance that multiple industries can benefit from through overarching principles. The exact choice of applicable guidance may vary from one industry to another, and such standards therefore serve as "supporting" the companies in those industries, depending upon their specific products and services. ISO 31000 gives the risk management fundamentals with many techniques, but not every technique extends to all small, medium, and large enterprises (Fault Tree Analysis, for example, may not apply in small enterprises focusing on IT software products). I call them "supporting" because they serve as an additional reference.
- The core and additional standards may act as a de jure standard (i.e., required legally). Some of the additional and supporting standards may act as a de facto (used as a default best practice guideline) standard.
- When I list "Multiple" in the "Industries" column, the appropriate standard can apply to any industry, such as the IT, Construction, Telecommunication, Transportation, Manufacturing, Healthcare, Agriculture, Aviation, Event Management, Food Safety, Banking, Financial Services, Investment, Insurance, Automotive, etc.
Here is my high-level summary of ISO standards for people to investigate. This table is not a complete summary of all standards in every industry. In fact, some of these standards have so many sub-standards that I could not do them justice if I went into any more detail. So, please consult the appropriate ISO standard or the appropriate standards body.
| Standard | Description | My Classification | Industries |
|---|---|---|---|
| ISO 9001 | Quality Management | Core | Multiple |
| ISO 27001 | Information Security | Core | Multiple |
| ISO 14001 | Environment | Core | Multiple |
| ISO 31000 | Risk Management | Core | Multiple |
| ISO 45001 | Occupational Health & Safety: Physical Risks | Supporting | Multiple |
| ISO 22301 | Business Continuity | Additional | IT Industry |
| ISO 20000 | IT Services | Additional | IT Industry |
| ISO 15288 | IT Engineering Services | Additional | IT Industry |
| ISO 45003 | Occupational Health & Safety: Psychosocial Risks | Additional | Engineering |
| ISO 28005 | Electronic Port Clearance | Additional | Shipping, Cruises |
| ISO 50001 | Energy Management Services | Additional | Energy |
| ISO 27701 | Privacy Extension | Additional | IT Industry |
| ISO 26000 | Social Responsibility | Supporting | Multiple |
| ISO 17025 | Testing and Calibration Laboratories | Additional | Healthcare |
| ISO 13485 | Medical Devices | Additional | Healthcare |
| ISO 22000 | Food & Safety Management | Additional | Restaurant and Food Safety |
| ISO 37001 | Anti-bribery Management Services | Supporting | FinTech |
| ISO 20022 | Electronic Data Interchange | Supporting | FinTech |
| ISO 20121 | Sustainable Events | Supporting | Event Management |
| ISO 14971 | Risk Management for Medical Devices | Supporting | Healthcare |
| ISO 15854 | Aircraft Equipment | Additional | Aviation |
| ISO 17944 | Banking Security | Additional | Banking |
| ISO 12812 | Mobile Financial Services | Additional | Banking |
| ISO 15782 | Certificate Management | Additional | Investment Services |
| ISO 17989 | Agriculture Tractors and Machinery | Additional | Agriculture |
| ISO 22002 | Food Safety & Farming | Additional | Agriculture & Farming |
| ISO 22005 | Traceability in the Feed and Food Chains | Additional | Agriculture & Animal Safety |
Additional Industry Standards
While the above ISO standards are a good reference for the global community, there are also specific standards from other non-profit standards-issuing organizations (e.g., IEEE, ANSI) and government entities (e.g., Department of Defense, Food & Drug Association, Federal Trade Commission, etc.). Given below are some of the standards issued by these organizations (the following is neither a complete list nor presented in any priority order).
- CMMC – DoD’s Cybersecurity Maturity Model Certification (CMMC) is a standard providing a structured risk management approach designed to ensure defense contractors comply with current security requirements while handling public information.
- NIST CSF – The National Institute of Standards and Technology (NIST) publishes many standards and is frequently known for the NIST Cybersecurity Framework (CSF), a risk-driven quality management standard for private firms to improve their processes and products while focusing mainly on the maturity of security-related processes.
- CMMI – The Software Engineering Institute’s (SEI) Capability Maturity Model Integration (CMMI) is structural quality guidance with multiple maturity levels, targeted at processes and products. Its focus is not only on security but also on overall organizational processes and policies.
- SOC2 – A series of audit controls from the American Institute of Certified Public Accountants (AICPA) on a company’s system and organization controls (SOC), used as part of internal risk assessment and treatment plans. SOC1 controls focus mainly on financial controls, while SOC2 controls cover the CIA triad as well as security and privacy controls.
- FedRAMP – The US Federal Risk and Authorization Management Program (FedRAMP) focuses on a standardized approach to security assessment, authorization, and continuous monitoring for cloud-related products and services.
- FIPA is an IEEE Computer Society standard for Physical Agents and similar agent-based technology interoperability.
- COBIT represents a set of control objectives for information technology from an international association on computerized security governance (ISACA) and is prevalent in many industries.
- ITIL (Information Technology Infrastructure Library) represents a collection of service delivery guidelines as a library for the entire lifecycle of any IT services within a company.
- PCI DSS is a set of data security standards (DSS) for the payment card industry (PCI) to address vulnerabilities for point of sale (POS) devices, mobile devices and computers, wireless hotspots, web shopping applications, and transmission of data.
- Six Sigma is a framework of qualitative and quantitative tools and techniques to aid quality from an operational excellence perspective feeding prescriptive and predictive data analysis.
- DICOM represents a set of digital communication standards for the level of encryption required for data transmission and storage in PACS (picture archiving and communication systems) used for medical diagnostic images.
- PMBOK is a collection of business processes governing the management of projects, programs, and portfolios from the Project Management Institute for unique delivery of products, services, and results in any industry or organization.
- PRINCE2 is a collection of business processes governing the management of projects, programs, and portfolios, originally started by the UK government and owned currently by Axelos focusing on projects in a controlled environment.
Regulations
In addition to the standards discussed so far, there are regulations. Like standards, there are too many regulations to list. Given below are a few for consideration.
- HIPAA - Health Insurance Portability and Accountability Act to protect patient health information
- SOX - Sarbanes Oxley Act responsible for internal and disclosure controls
- GDPR - General Data Protection Regulation from European Union governing the privacy rights of individuals
- CCPA - California Consumer Protection Act governing the privacy rights of individuals
- TCPA - Telephone Consumer Protection Act, amended to protect individuals against unsolicited text messages, robocalls, do-not-call registry violations, etc.
- COPA - Children's Online Protection Act governing the rights and responsibilities for protecting children from abuse and cybercrimes
- PDMA - Prescription Drug Marketing Act governing the responsibilities for fair balance, efficacy, indicated use, black box warning, and adverse event consideration
- GAMP - General Automation Manufacturing Protocol in healthcare and allied industries governing the entire GxP (General Lab Practices, General Manufacturing Practices, etc.)
- CSA - Computer System Assurance related practices governing the design, development, and testing of requirements (regardless of project delivery framework)
- ASPICE - Automotive Software Process Improvement and Capability Determination, governing the detailed processes related to original equipment manufacturers (OEM) whose products are included in vehicles, including but not limited to self-driving autonomous vehicles
Disclaimer: I am not a qualified professional to go into the details of any of these standards or regulations. I have captured them very briefly in this blog from my own limited understanding. For all references, please consult the appropriate ISO reference guides or the appropriate governing body for details.
Do you think I should mention any other standard? Do you know of any industry that I can add to this standard?
1 comment:
This is an excellent summary. It is actually a great reference compilation for any professional working in any industry. I managed many projects for more than 15 years and do not know half of these risk management concepts. I wish my graduate classes had introduced these principles. Keep writing.