How to elicit processes for an ISO-based integrated risk management process reference model in IT settings?

Abstract

Process performance remains a key challenge in organizations. Improving processes can be guided by Capability Maturity Models resting on processes that can be assessed. Several ISO standards propose process models for Management System Standards, such as ISO 9001, ISO/IEC 20000-1 and ISO/IEC 27001, and project management proposes processes in ISO 21500. The ISO 31000 standard provides guidance for Risk management with a process approach and systemic perspective. This paper presents the approach for eliciting processes based on ISO 31000 as the main thread in a process reference model (PRM). This PRM integrates risk management dimensions with the selected ISO standards: ISO 9001, ISO 21500, ISO/IEC 20000-1 and ISO/IEC 27001.

Cite

Barafort, B., Mesquida, A. L., & Mas, A. (2017). How to elicit processes for an ISO-based integrated risk management process reference model in IT settings? In Communications in Computer and Information Science (Vol. 748, pp. 43–57). Springer Verlag. https://doi.org/10.1007/978-3-319-64218-5_4
