Risk Management: Birds' Eye View of some Standards and Regulations

I have been doing management training for several years preparing professionals in multiple industries for their career certifications and corporate training as well as mentoring some professionals. Through all these interactions and my personal desire for viewing standards and regulations from the lens of risk management, I have been exposed to some ISO standards and some regulations. At the same time, it has also become increasingly clear to me that many professionals are not aware of these standards and regulations. So, as I wrapped up another PMP session, I decided to capture some of these standards and regulations. 

ISO Standards

1. From my own understanding of the standards and their implementation in multiple industries, I feel some standards are universally applicable to multiple industries. I am calling these standards as "core" standards. Such standards include ISO 9001 on Quality, ISO 27001 on Information Security, and ISO 14001 for Environment considerations. 
2. The core standards may not be sufficient for certain industries and "additional" standards are required to put in place guidelines and guardrails to support projects, programs, and portfolios to support the industry specific compliance to operate as a business to serve their targeted customers. For example, the ISO 28005 for giving electronic port clearance before a ship/cruise leaves the port. I call these standards as "additional" standards mandatory for that industry.
3. Furthermore, some reference standards give clearer guidance for multiple industries to benefit from overarching principles. The exact choice of guidance applicable may vary from one industry to another and therefore serve as "supporting" the companies in those industries depending upon the specific products and services. The ISO 31000 gives the risk management fundamentals with many techniques but not all techniques (such as the Fault Tree Analysis may not apply in small enterprises focusing on IT software products) may extend to all the small, medium, and large enterprises.  I call them as "supporting" because they serve as an additional reference. 
4. The core and additional standards may act as either a de jure standard (i.e., required legally). Some of the additional and supporting standards may act as a de facto (used as a default best practice guideline) standard. 
5. When I list "Multiple" in the "Industries" column, the appropriate standard can apply to any industry, such as the IT, Construction, Telecommunication, Transportation, Manufacturing, Healthcare, Agriculture, Aviation, Event Management, Food Safety, Banking, Financial Services, Investment, Insurance, Automotive, etc.

NOTE: The "core", "additional", and "supporting" are just my own reference classification to guide aspiring professionals in their own industry to gain adequate knowledge as part of their continuous improvement! 

Here is my high-level summary of ISO standards for people to look into. This table is not a complete summary of all standards in every industry. In fact, some of these standards have so many sub-standards that I will not be able to balance any justification if I go into any more detail. So, please consult the appropriate ISO standard or the appropriate standard body.

Standard	Description	My Classification	Industries
ISO 9001	Quality Management	Core	Multiple
ISO 27001	Information Security	Core	Multiple
ISO 14001	Environment	Core	Multiple
ISO 31000	Risk Management	Core	Multiple
ISO 45001	Occupational Health & Safety: Physical Risks	Supporting	Multiple
ISO 22301	Business Continuity	Additional	IT Industry
ISO 20000	IT Services	Additional	IT Industry
ISO 45003	Occupational Health & Safety: Psychosocial Risks	Additional	Engineering
ISO 28805	Electronic Port Clearance	Additional	Shipping, Cruises
ISO 50001	Energy Management Services	Additional	Energy
ISO 27701	Privacy Extension	Additional	IT Industry
ISO 26000	Social Responsibility	Supporting	Multiple
ISO 17025	Testing and Calibration Laboratories	Additional	Healthcare
ISO 13485	Medical Devices	Additional	Healthcare
ISO 22000	Food & Saftey Management	Additional	Restaurant and Food Safety
ISO 37001	Anti-bribery Management Services	Supporting	FinTech
ISO 20121	Sustainable Events	Supporting	Event Management
ISO 14971	Risk Management for Medical Devices	Supporting	Healthcare
ISO 15854	Aircraft Equipment	Additional	Aviation
ISO 17944	Banking Security	Additional	Banking
ISO 12812	Mobile Financial Services	Additional	Banking
ISO 15782	Certificate Management	Additional	Investment Services
ISO 17989	Agriculture Tractors and Machinery	Additional	Agriculture
ISO 22002	Food Safety & Farming	Additional	Agriculture & Farming
ISO 22005	Traceability in the Feed and Food Chains	Additional	Agriculture & Animal Safety

Additional Industry Standards 

 While the above ISO standards are a good reference for the global community, there are also specific standards from other non-profit standards issuing organization (e.g.: IEEE, ANSI) and government entities (e.g.: Department of Defense, Food & Drug Association, Federal Trade Commission, etc.). Given below are some of standards issued by these organizations (The following is neither a complete list nor presented in any priority order). 

• CMMC – DoD’s Cybersecurity Maturity Model Certification (CMMC) is a standard proving risk management structured designed to ensure defense contractors are complying with the current security requirements while dealing with public information 
• NIST CSF – National Institute for Standards and Technology (NIST) has many standards and is frequently known for the NIST Cyber security framework (CSF), which is a risk driven quality management standard for private firms to improve their processes and products while focusing mainly on maturity of security related processes 
• CMMI – It is a Software Engineering Institute’s (SEI) structural quality guidance, called Capability Maturity Model Integration (CMMI) with multiple levels, targeted at the processes and products. Its focus is not only on security but also on overall organizational processes and policies. 
• SOC2 – Has a series of audit controls from the American Institute of Certified Public Accountants (AICPA) on a company’s system and organization controls (SOC) as part of their internal risk assessment and treatment plans. SOC1 controls are mainly on financial controls while SOC2 controls are on CIA triad as well as security and privacy controls. 
• FedRAMP – It is a US based Federal Risk and Authorization Management Program (FedRAMP) focusing on standardized approach to security assessment, authorization and continuous monitoring for cloud related products and services. 
• FIPA is an IEEE Computer Society standards for Physical Agents and similar agent based technology interoperability. 
• COBIT represents a set of control objectives for information technology from an international association on computerized security governance (ISACA) and is prevalent in may industries. 
• ITIL (Information Technology Infrastructure Library) represents a collection of service delivery guidelines as a library for the entire lifecycle of any IT services within a company. 
• PCI DSS is a set of data security standards (DSS) for the payment card industry (PCI) to address vulnerabilities for point of sale (POS) devices, mobile devices and computers, wireless hotspots, web shopping applications, and transmission of data. 
• Six Sigma is a framework of qualitative and quantitative tools and techniques to aid the quality from an operational excellence perspective feeding prescriptive and predictive data analysis.
• DICOM represents a set of digital communication (DICOM) standards for the level of encryption required for data transmission and storage for PACS (picture archiving and communication systems) systems used for medical diagnostic images.
• PMBOK is a collection of business processes governing the management of projects, programs, and portfolios from the Project Management Institute for unique delivery of products, services, and results in any industry or organization. 

Regulations

In addition to the standards discussed so far, there are regulations. Similar to standards, there are too many regulations. Given below are a few for consideration

• HIPAA - Health Insurance Portability and Accountability Act to protect patient health information
• SOX - Sarbanes Oxley Act responsible for internal and disclosure controls
• GDPR - General Data Protection Regulation from European Union governing the privacy rights of individuals
• CCPA - California Consumer Protection Act governing the privacy rights of individuals
• TCPA - Telephone Consumer Protection Act amended to protect the individuals against unsolicited text message, robot calling, do not call registry violations, etc.
• COPA - Children's Online Protection Act governing the rights and responsibilities for protecting children from abuse and cybercrimes
• PDMA - Prescription Drug Marketing Act governing the responsibilities for fair balance, efficacy, indicated use, black box warning, and adverse event consideration 
• GAMP - General Automation Manufacturing Protocol in healthcare and allied industries governing the entire GxP (General Lab Practices, General Manufacturing Practices, etc.)
• CSA - Computer System Assurance related practices governing the design, development and testing of requirements (regardless of project delivery frameworks
• ASPICE - Automotive Software Process Improvement and Capability Determination to govern the detailed processes related to the original equipment manufacturers (OEM) whose products are included in the vehicles including but not limited to self-driving autonomous vehicles

Disclaimer: I am not a qualified professional to go into the details of any of these standard or regulations. I have captured them from my own limited understanding very briefly in this blog.  For all, references, please consult the appropriate ISO reference guides or the appropriate governing body for details. 

Do you think I should mention any other standard? Do you know of any industry that I can add to this standard?