Category Archives: ISO

ISO Online Collections – IT Management

Online collections from ISO.org can be a fantastically good deal. With an online collection you get the most up-to-date versions of the standards by paying a yearly or monthly subscription fee. Once subscribed, the various standards in the collection can be accessed via ISO’s “Online Browsing Platform”.

I should point out, by the way, that I don’t have any kind of “kickback” deal with ISO.org; I’m just pointing to a good deal and saying, “Hey, that’s a good deal!”

The online browsing platform for online collections is a tabbed interface where multiple standards can be viewed at once.

Depending on your subscription or purchase license status, documents may be downloaded as well. As with all things in the cloud, however, if you don’t have Internets – you won’t have access to your documents. Not such a big deal these days.

The online collections aren’t exactly inexpensive in themselves, but when compared to the cost of the individual standards – literally thousands can be saved.

IT Management – Online Collections

Recently (last week), ISO.org added a collection of IT-related documents to its online collections. It consists of 80 documents intended to assist Information Technology professionals.

It is a surprisingly comprehensive list within the following categories:

  • Governance
  • Project management
  • Service management
  • Information security management (ISO/IEC 27000)
  • Risk management (ISO 31000)
  • Records management
  • Systems and software engineering: application management, software life-cycle processes, system life-cycle processes, architecture description
  • Business continuity and disaster recovery
  • Energy efficiency
  • Quality (ISO 9000)

If you were considering starting down the path of an ISO 27001 or ISO/IEC 20000-1 registration, this should be one of your first steps.

Hey, I get a quantity discount on space – here’s the whole list:

ISO/Guide 73:2009(en) Risk management — Vocabulary
ISO 5127:2001(en) Information and documentation — Vocabulary
ISO/IEC 7498-1:1994(en) Information technology — Open Systems Interconnection — Basic Reference Model: The Basic Model — Part 1
ISO 7498-2:1989(en) Information processing systems — Open Systems Interconnection — Basic Reference Model — Part 2: Security Architecture
ISO/IEC 7498-3:1997(en) Information technology — Open Systems Interconnection — Basic Reference Model: Naming and addressing — Part 3
ISO/IEC 7498-4:1989(en) Information processing systems — Open Systems Interconnection — Basic Reference Model — Part 4: Management framework
ISO 9000:2005(en) Quality management systems — Fundamentals and vocabulary
ISO 9001:2008(en) Quality management systems — Requirements
ISO 9001:2008/Cor.1:2009(en) Quality management systems — Requirements TECHNICAL CORRIGENDUM 1
ISO 9004:2009(en) Managing for the sustained success of an organization — A quality management approach
ISO 10006:2003(en) Quality management systems — Guidelines for quality management in projects
ISO/IEC 12207:2008(en) Systems and software engineering — Software life cycle processes
ISO 14001:2004(en) Environmental management systems — Requirements with guidance for use
ISO 14004:2004(en) Environmental management systems — General guidelines on principles, systems and support techniques
ISO 14050:2009(en) Environmental management — Vocabulary
ISO/IEC 15288:2008(en) Systems and software engineering — System life cycle processes
ISO/IEC 15504-1:2004(en) Information technology — Process assessment — Part 1: Concepts and vocabulary
ISO/IEC 15504-2:2003(en) Information technology — Process assessment — Part 2: Performing an assessment
ISO/IEC 15504-2:2003/Cor.1:2004(en) Information technology — Process assessment — Part 2: Performing an assessment TECHNICAL CORRIGENDUM 1
ISO/IEC 15504-3:2004(en) Information technology — Process assessment — Part 3: Guidance on performing an assessment
ISO/IEC 15504-4:2004(en) Information technology — Process assessment — Part 4: Guidance on use for process improvement and process capability determination
ISO/IEC 15504-9:2011(en) Information technology — Process assessment — Part 9: Target process profiles
ISO/IEC 15504-10:2011(en) Information technology — Process assessment — Part 10: Safety extension
ISO 15489-1:2001(en) Information and documentation — Records management — Part 1: General
ISO/TR 15489-2:2001(en) Information and documentation — Records management — Part 2: Guidelines
ISO/IEC 15504-5:2012(en) Information technology — Process assessment — Part 5: An exemplar software life cycle process assessment model
ISO/IEC 15504-8:2012(en) Information technology — Process assessment — Part 8: An exemplar process assessment model for IT service management
ISO/TR 15801:2009(en) Document management — Information stored electronically — Recommendations for trustworthiness and reliability
ISO/IEC 17020:2012(en) Conformity assessment — Requirements for the operation of various types of bodies performing inspection
ISO/IEC 17021:2011(en) Conformity assessment — Requirements for bodies providing audit and certification of management systems
ISO/IEC 17025:2005(en) General requirements for the competence of testing and calibration laboratories
ISO 19011:2011(en) Guidelines for auditing management systems
ISO/IEC 20000-1:2011(en) Information technology — Service management — Part 1: Service management system requirements
ISO/IEC 20000-2:2012(en) Information technology — Service management — Part 2: Guidance on the application of service management systems
ISO/IEC 20000-3:2012(en) Information technology — Service management — Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1
ISO/IEC TR 20000-4:2010(en) Information technology — Service management — Part 4: Process reference model
ISO/IEC TR 20000-5:2013(en) Information technology — Service management — Part 5: Exemplar implementation plan for ISO/IEC 20000-1
ISO/IEC TR 20000-10:2013(en) Information technology — Service management — Part 10: Concepts and terminology
ISO 20121:2012(en) Event sustainability management systems — Requirements with guidance for use
ISO 21500:2012(en) Guidance on project management
ISO 22300:2012(en) Societal security — Terminology
ISO 22301:2012(en) Societal security — Business continuity management systems — Requirements
ISO 22313:2012(en) Societal security — Business continuity management systems — Guidance
ISO/IEC 24762:2008(en) Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services
ISO/IEC 27000:2014(en) Information technology — Security techniques — Information security management systems — Overview and vocabulary
ISO/IEC 27001:2013(en) Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 27003:2010(en) Information technology — Security techniques — Information security management system implementation guidance
ISO/IEC 27004:2009(en) Information technology — Security techniques — Information security management — Measurement
ISO/IEC 27005:2011(en) Information technology — Security techniques — Information security risk management
ISO/IEC 27006:2011(en) Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27007:2011(en) Information technology — Security techniques — Guidelines for information security management systems auditing
ISO/IEC TR 27008:2011(en) Information technology — Security techniques — Guidelines for auditors on information security controls
ISO/IEC 27010:2012(en) Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications
ISO/IEC 27011:2008(en) Information technology — Security techniques — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
ISO/IEC 27013:2012(en) Information technology — Security techniques — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
ISO/IEC 27014:2013(en) Information technology — Security techniques — Governance of information security
ISO/IEC TR 27015:2012(en) Information technology — Security techniques — Information security management guidelines for financial services
ISO/IEC TR 27019:2013(en) Information technology — Security techniques — Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry
ISO/IEC 27031:2011(en) Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity
ISO/IEC 27032:2012(en) Information technology — Security techniques — Guidelines for cybersecurity
ISO/IEC 27033-1:2009(en) Information technology — Security techniques — Network security — Part 1: Overview and concepts
ISO/IEC 27033-2:2012(en) Information technology — Security techniques — Network security — Part 2: Guidelines for the design and implementation of network security
ISO/IEC 27033-3:2010(en) Information technology — Security techniques — Network security — Part 3: Reference networking scenarios — Threats, design techniques and control issues
ISO/IEC 27033-4:2014(en) Information technology — Security techniques — Network security — Part 4: Securing communications between networks using security gateways
ISO/IEC 27033-5:2013(en) Information technology — Security techniques — Network security — Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
ISO/IEC 27034-1:2011(en) Information technology — Security techniques — Application security — Part 1: Overview and concepts
ISO/IEC 27035:2011(en) Information technology — Security techniques — Information security incident management
ISO/IEC 27036-3:2013(en) Information technology — Security techniques — Information security for supplier relationships — Part 3: Guidelines for information and communication technology supply chain security
ISO/IEC 27036-1:2014(en) Information technology — Security techniques — Information security for supplier relationships — Part 1: Overview and concepts
ISO/IEC 27037:2012(en) Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence
ISO 31000:2009(en) Risk management — Principles and guidelines
ISO/IEC 38500:2008(en) Corporate governance of information technology
ISO/IEC TR 38502:2014(en) Information technology — Governance of IT — Framework and model
ISO/IEC/IEEE 42010:2011(en) Systems and software engineering — Architecture description
ISO 55000:2014(en) Asset management — Overview, principles and terminology
ISO 50001:2011(en) Energy management systems — Requirements with guidance for use
ISO 55001:2014(en) Asset management — Management systems — Requirements
ISO 55002:2014(en) Asset management — Management systems — Guidelines for the application of ISO 55001
ISO/IEC 90003:2004(en) Software engineering — Guidelines for the application of ISO 9001:2000 to computer software
ISO/IEC TR 90006:2013(en) Information technology — Guidelines for the application of ISO 9001:2008 to IT service management and its integration with ISO/IEC 20000-1:2011

Pretty amazing, right?

Pricing, like I noted earlier, isn’t inexpensive – but it is a bargain. The yearly 1-user license is 488 CHF (about $545 USD) and the monthly is only 54 CHF ($60 USD). If one needed to do an intense investigation, a one-month license could yield a fast trove of information.

There are also 2-5 and 6-10 user yearly and monthly licenses available.

There are other collections being added – I’ll discuss those in future posts. Here is a link to the current collection of online collections.

I hope you find something you like.

Happy Collecting.

Annex SL’s Impact

What does Annex SL have to do with an interesting table leg? (Image caption: “Some supports are interesting”.)

While it might have been the intent that Annex SL would be the template for all new standards and revisions to standards – this isn’t exactly the reality.

Annex SL was described in the last post – you may review that HERE if you like.

As a quick summary, “Annex SL” is an ISO document that defines a framework – the basic structure with common terms and requirements – for a generic management system. A standard would be this structure PLUS any additional sector specific requirements.

Understanding this is the key to new ISO releases, such as DIS ISO 9001:2015.

ISO 9001:2015 will not be the first ISO management standard to employ Annex SL – nor will it be the last.

Already released and compliant with Annex SL:

  • ISO/IEC 27001, Information technology: Security techniques, Information security management systems
  • ISO 30301:2011, Information and documentation: Management systems for records
  • ISO 22301:2012, Societal security: Business continuity management systems
  • ISO 21101:2014, Adventure Tourism
  • ISO 20121:2012, Event sustainability management systems
  • ISO 39001, Road-traffic safety (RTS) management systems
  • ISO 55001, Asset management – Currently on CD ballot with publication scheduled for 2014.

One consequence is that organizations that already have one management system in place will have the basic structure needed to adopt another one, or several.

En route via Annex SL:

  • ISO 9001:2015 (General Quality Management) – I’m guessing you knew that one
  • ISO 14001:2015 (Environmental management) – Also expected in 2015. I have been following the development of this standard and you’ll find related articles on the site
  • ISO 13485 (Medical devices. Quality management systems. Requirements for regulatory purposes) – Released as a Draft International Standard (DIS) on 20 Feb 2014. The voting period for that closes on 20 July of this year.

Probable Defections to Annex SL:

These standards, for various political and structural issues I can’t pretend to understand, probably will not utilize Annex SL as their template in the coming updates:

  • ISO/TS 16949 – International Automotive Task Force standard. Cars – the big automotive companies dictate what takes place in this rarefied playing field
  • AS9100/10/20 – International Aerospace Quality Group (IAQG) standards – Essentially these folks are the Vegans of the management system world. If you don’t know what I mean by that then I am sorry. Actually, I am also sorry either way
  • ISO 45001 (formerly OHSAS 18001) – Occupational Health and Safety. A bit of a controversial one to end on because the ultimate format isn’t set in stone. There are those who believe complying with the Annex SL structure will add too much “bloat” to the document. Apparently bloat is a bad thing.

That’s approximately the current Annex SL situation, with a few less notable omissions.

Personally, I’m hoping the structure holds firm, as it should make the standards easier for clients to adopt, and easier for auditors and certification bodies to understand consistently.

Can it be better? Probably – but it’s a start, and more importantly – a basis for common ground.

Thanks for checking in – and for calibrating yourself.


Annex SL Esplained

“Annex SL” is an ISO/IEC document that defines a framework for a generic management system. Understanding it is the key to new ISO releases, such as DIS ISO 9001:2015.

It was published by ISO’s Technical Management Board (TMB) in 2012, but given the recent release of DIS ISO 9001:2015 and the Annex’s strong impact on that standard, a review of the Annex should be helpful to implementers and auditors alike for several years to come.


You may not have heard of the TMB, but maybe you have heard of a TC, or “Technical Committee”. These are groups of experts: representatives of industry, NGOs, governments and other stakeholders within ISO. One well-known TC is TC 176, the group responsible for ISO 9001, or “Quality management and quality assurance”.

There are (or have been) at least 290 TCs (I know this because they are numbered sequentially and the latest one is TC 290).

You can see a full list HERE.

The TMB sits above the TCs within the “Organization” (ISO). Its charter is that it:

  • “… shall have responsibility for the general management of the technical committee structure…
  • approve the establishment and dissolution of technical committees, and revisions of the directives for the work of technical committees…
  • shall deal with all matters of strategic planning, coordination, and monitoring of technical committee activities”

– (Article 9.3 of the ISO statutes).

TMB Map

Annex SL is one attempt by the TMB to help the TCs provide a better product more easily and efficiently.

Annex SL does this by:

  1. reducing duplicated effort – many management system standards have the same basic requirements;
  2. reducing differing interpretations of the same terms, or consolidating terms;
  3. delivering the material in a clear and repeatable manner, making it digestible by consumers of multiple standards.

As you can imagine, these committees don’t always know what the others are doing, so inconsistencies occur. Then, once a standard is released, the industry (those who are certified to these standards and the auditors who interpret them) sometimes comes to different conclusions.

There are mechanisms within the certification process to minimize confusion and disconnects, but a better way is a top-down approach; one that begins above the standards creation level itself. Annex SL is a large leap toward a more effective process.

What is in Annex SL?

It is a template – a framework. Scaffolding for other standards. It consists of:

  • Eight clauses
  • Core text
  • A baseline of 45 ‘shall’ statements generating 84 requirements (differing standards will have additional requirements)
  • Base terms and core definitions

This common structure will contain, in addition, the special requirements of the target standard (forgive, please, my space-saving abbreviations in the image):

ASL Main Structure

And there are common core definitions; the following words will have the same interpretations across all Annex SL conformant standards:

  • organization
  • interested party (preferred term)
  • stakeholder (admitted term)
  • requirement
  • management system
  • top management
  • effectiveness
  • policy
  • objective
  • risk
  • competence
  • documented information
  • process
  • performance
  • outsource (verb)
  • monitoring
  • measurement
  • audit
  • conformity
  • nonconformity
  • correction
  • corrective action
  • continual improvement

A given standard may have other words to be defined, naturally.

“SL”? – What Does It Stand For?

I wish it was something cooler, but…

“SL” is simply the sequential number of an Annex among numerous annexes in a document titled ISO/IEC Directives, Part 1, “Consolidated ISO Supplement – Procedures specific to ISO”.

The Annex before it is “SK” (though it is currently just a placeholder), and the one after it is “SM”, “Global relevance of ISO technical work and publications”.

Aren’t you glad you asked? You were going to ask, right?

For next time:

How has Annex SL impacted Publications?


Thank you again. Go forth – and annex something.