Towards an Integrated Management System (IMS), harmonizing the ISO/IEC and ISO/IEC Standards


César Pardo 1*, Francisco J. Pino 2 and Félix Garcia 3

1 Electronic and Telecommunications Engineering Faculty, University of Cauca, Calle 5 # 4 70, Popayán, Colombia. Tel: ext. cpardo@unicauca.edu.co
2 IDIS Research Group, Electronic and Telecommunications Engineering Faculty, University of Cauca, Calle 5 # 4 70, Popayán, Colombia. Tel: ext. fjpino@unicauca.edu.co
3 ALARCOS Research Group, Information Systems and Technologies Department, UCLM ITSI Institute of Technology and Information Systems, University of Castilla La Mancha, Paseo de la Universidad, Ciudad Real, Spain. Tel: ext. 3747 Felix.Garcia@uclm.es

Abstract

In recent times, and in order to maintain an integrated, efficient and homogeneous policy, Integrated Management Systems (IMS) have emerged as an opportunity to improve processes related to Information Technology (IT) in organizations in a way that is modular, consistent and orderly. The ISO and ISO standards provide good practices for creating and/or strengthening management infrastructure whose purpose is information security and IT services. In an attempt to provide information on how these standards are related, as well as to facilitate their integration under a single IMS, this article presents the harmonization strategy and the results of the harmonization of the standards ISO and ISO in an organization. The work thereby supports organizations which are interested in knowing how to carry out the harmonization of these models. It also provides a detailed analysis of their similarities and differences, showing an example of how to carry out the integration of related practices between ISO and ISO. In addition, some benefits achieved by the organization are presented.

Keywords: Multi-model, Harmonization, Information Security Management System (ISMS), IT service management, Integrated Management Systems, Homogenization, Comparison, Integration

1. Introduction

At present, there is a wide range of models and standards which can be used by software organizations to carry out the improvement and certification of their processes, for example CMMI, ISO 9001, ISO 12207, ISO 90003, ITIL and COBIT, to name a few of them.

* Corresponding Author: César Pardo, cpardo@unicauca.edu.co.

ISSN: IJSEIA Copyright © 2016 SERSC

The interest of organizations in obtaining certification against standards defined by the International Organization for Standardization (ISO) has been increasing of late. This concern has focused mainly on information approaches as a means of improving their various departments through a single Integrated Management System (IMS) [1]. Two of these approaches are the ISO and ISO standards. ISO provides a wide description of, and controls related to, information security. ISO 20000, for its part, defines the practices and processes for managing services and IT management through the use of an assistance service based on ITIL. Although ISO and ISO provide support for different management infrastructures in an organization, we believe that their integrated institutionalization can bring large benefits, e.g., improved competitiveness, organizational development, security, risk management, corporate management, assurance to stakeholders, and continuous improvement. Likewise, it has a positive impact on loyalty and on attracting new customers, thanks to the provision of services that meet their needs and expectations. It is possible that the appropriate integration of ISO and ISO may allow a strong and powerful combination for IT management to be generated in an organization. It would also encourage the reuse of the effort, time, money and human talent involved in any improvement projects that had been carried out previously. With such reuse, organizations, especially small and medium enterprises (SMEs), would reap immense benefits, because the effort and costs associated with the implementation of a new model, as compared to an institutionalized one, could be reduced; i.e., a model implemented previously in an organization can meet some of the requirements of the new model to be implemented.
The results obtained in this paper are an example of the above, as are the comparisons and harmonizations of other models already carried out, such as those performed between ISO 9001 and CMMI [2] and between ISO and CMMI [3], amongst others. In this sense, and in our effort to guide organizations through the harmonization of ISO 27001:2005 and ISO :2005 (hereafter referred to as ISO and ISO , respectively), this article presents the harmonization strategy used to homogenize, compare and align the clauses of ISO with the clauses of ISO. A harmonization strategy allows multiple models to be put in harmony and consonance with each other, through a set of methods configured systematically [4]. This paper attempts to provide a guide for organizations to manage, homogenize, compare and integrate the standards harmonized in this paper into a single management system. This paper proceeds as follows. Section 2 presents related work. Section 3 describes the harmonization strategy designed from the needs of Audisec. Section 4 explains the harmonization of ISO and ISO through the harmonization strategy configured; an example is also shown of how to carry out the integration of the relationships established between the standards. Section 5 presents some benefits expressed by organizations. Lastly, some relevant discussion is given, along with the conclusions we have drawn and the future work we have planned.

2. Related Work

Based on the results of a systematic review performed in [5], which involves the analysis of the proposals for the harmonization of multiple models, we can see some studies that show an interest in integrating multiple models, e.g., the PRIME project funded by the Software Engineering Institute (SEI), which examines the value of harmonization of multiple technologies, including CMMI, Six Sigma, ITIL and ISO 27001, among others [6].
Likewise, this institution has also conducted studies that focus on the analysis of ISO standards and their integration with other models. Some of these studies are, among others: analysis and integration of ITIL and ISO [7], the definition of Integrated Management Systems (IMS) from ISO 9001 and ISO [8], ISO 9001, ISO and ISO [9], and ISO 9001, ISO and OHSAS [10]. Other studies carried out the comparison between specific models, i.e., between the same family and between not more than two different models; e.g., usually we can find mappings between ISO 9001 and CMMI [11], and between CMMI and ISO/IEC TR :1998 [12, 13], to name a few examples. Although it is possible to see an extensive use of ISO and SEI models in related work, the models used most in harmonization projects are ISO 9001, ISO and CMMI-DEV. With regard to the existing literature, and considering that we did not find studies which perform an analysis of the relationships and differences between ISO and ISO 20000, this article presents the harmonization of these two standards. Furthermore, this paper proposes a solution to the need expressed by AUDISEC, a consultancy organization in ISO and ISO 20000, which is interested in carrying out the implementation of these two approaches under a single IMS. A detailed summary of the strategy followed to harmonize the models involved is presented in the next Section.

3. Configuring a Harmonization Strategy

This section describes the harmonization of the standards ISO and ISO in terms of the harmonization needs identified in an organization, as well as the harmonization strategy followed.

Organization's Needs

Audisec carried out the integration of ISO and ISO , taking into account the needs identified. Audisec is an organization that provides consulting services and support in the certification of ISO and ISO. The needs expressed by Audisec in connection with carrying out the harmonization of these models are:

- To facilitate the ISO certification of organizations previously certified under ISO.
- To reduce the costs, time and resources associated with the reuse of efforts previously employed in the certification of ISO.
- To minimize the complexity of implementing multiple models without proper alignment and integration.
Based on these needs, the harmonization goal of the two standards focused on defining a harmonization strategy made up of a set of methods which enabled the following to be carried out: (i) resolution of differences related to their structures, (ii) comparison and identification of differences and similarities, (iii) analysis of the level of detail and depth of the standards, and (iv) establishing the degree of coverage, as well as the fulfillment of the ISO processes with respect to those defined in ISO.

Harmonization Strategy Configured

Project management for harmonizing ISO and ISO was carried out with the implementation of the elements defined in HFramework. These are: (i) a harmonization process (HProcess) and (ii) a set of harmonization methods (HMethods). The purpose of HProcess is to provide a guideline to facilitate the management of tasks related to the definition and configuration of a harmonization strategy for carrying out the harmonization of multiple models [14]. The purpose of HMethods is to provide a set of methods which make it easier to configure a harmonization strategy (HStrategy), taking into account the organization's needs. HStrategy is the work product resulting from the implementation of HProcess. That is, whereas HProcess provides information about what to do, the systematic configuration of an HStrategy describes the activities and tasks which make it possible to know how to carry out the harmonization of multiple models from the organization's needs. Figure 1 shows a summary of the process, roles and activities of HProcess and HStrategy applied in the harmonization of ISO and ISO. The processes presented in this paper use the notation of SPEM 2.0. All this being so, and on the basis of the needs identified and the implementation of HProcess in Audisec, an HStrategy was defined and configured according to three methods: (i) a homogenization method (HoMethod), (ii) a comparison method (CoMethod) and (iii) an integration method (IMethod). Incorporating these methods allowed us to carry out the step-by-step harmonization of the models involved. In order to organize and manage the people and activities throughout the strategy, this process establishes two roles, the performers and the reviewers, along with three methods:

- Method 1. Homogenization. This stage involved the tasks: (i) acquisition of knowledge about the models involved, (ii) analysis of structure and terminology, (iii) identification of requirements and (iv) correspondence.
- Method 2. Comparison. This stage involved the tasks: (i) designing the mapping, (ii) carrying out the mapping, (iii) presenting the outcomes of the mapping and (iv) analyzing the results of the mapping.
- Method 3. Integration. This stage involved the tasks: (i) designing the integration, (ii) establishing integration criteria, (iii) carrying out the integration, (iv) analyzing the results of the integration and (v) presenting the integrated model.
Homogenization, comparison and integration are harmonization methods which make up the Harmonization Framework, which is also available through the WEB [15]. A detailed summary of these methods can be seen in [16], [17] and [18], respectively. A summary of the tasks of the HStrategy that were followed to harmonize the models involved is presented in the next sections.

4. Harmonizing ISO and ISO

Carrying out the Homogenization

The purpose of ISO 27001:2005 is to help organizations establish, implement, operate, monitor, review, maintain and improve their Information Security Management Systems (ISMS) [19]. The implementation of this standard brings great benefits which have to do mainly with reducing the risk of data loss, theft or corruption of information. On the other hand, according to Part 1 of ISO 20000:2005 [19], the purpose of ISO is to help organizations to improve the efficiency of providing technological services through guidelines for quality IT service management. This standard also takes into account aspects related to system capacity, levels of management when the system changes, as well as financial budgeting and control and software distribution. Before carrying out the comparison of the two models, and as set out in the HStrategy defined (see Figure 1), it was necessary to homogenize the models through the HoMethod and the Common Structure Process Element (CSPE) template described in [16]. To carry out the homogenization, (i) the information described in Part 1 of ISO or ISO and (ii) Part 2 of ISO or ISO were taken into account. Part 2 of ISO was seen as relevant because this section describes the best practices or requirements in terms of processes to comply with the standard. The organization of the descriptions of each standard in the CSPE template allowed us to compare the standards at a high level of abstraction. This first comparison enabled us to see that the ISO models analyzed are standards which define their requirements as statements in each paragraph, which are contained within clauses, which in turn are contained in major clauses (see Figure 2). Likewise, they do not define a process element structure based on process, e.g. activities, tasks, steps or roles. Only ISO defines objectives explicitly in relation to each major clause. This means that the performer carried out the adaptation and exclusion of the process elements of the CSPE template which are not defined in the standards, leaving only the necessary ones, i.e., process group (a major clause), processes (clauses and sub-clauses), activities (paragraphs), tasks (statements), artifacts (which are implicit in paragraphs and statements) and related processes (related clauses). Table 1 shows an example of the homogenization of clause 8 of ISO 27001, related to ISMS improvement. Table 2 shows the syntax used to identify the requirements in the standards. The homogenization of the clauses in each standard was performed in an iterative and incremental approach (see the process of the harmonization strategy in Figure 1).

Figure 1. Activity Diagram of HProcess Applied to Obtain an HStrategy

Figure 2. Structures used by ISO :2005 and ISO 27001:2005

Table 1. Clause 8. ISMS improvement, ISO (CSPE Template, adapted)

SD1. Process Category: ISMS improvement
SD2. Process ID: Clause 8. Name: ISMS improvement

SD1.3 Activities:

8.1 Continual improvement. The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review (see 7).

8.2 Corrective action. The organization shall take action to eliminate the cause of nonconformities with the ISMS requirements, in order to prevent recurrence. The documented procedure for corrective action shall define requirements for: a) identifying nonconformities; b) determining the causes of nonconformities; c) evaluating the need for actions to ensure that nonconformities do not recur; d) determining and implementing the corrective action needed; e) recording results of action taken (see 4.3.3); and f) reviewing of corrective action taken.

8.3 Preventive action. The organization shall determine action to eliminate the cause of potential nonconformities with the ISMS requirements in order to prevent their occurrence. Preventive actions taken shall be appropriate to the impact of the potential problems. The output from the management review shall include any decisions and actions related to the following. a) Improvement of the effectiveness of the ISMS. b) Update of the risk assessment and risk treatment plan. c) Modification of procedures and controls that affect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to: 1) business requirements; 2) security requirements; 3) business processes affecting the existing business requirements; 4) regulatory or legal requirements; 5) contractual obligations; and 6) levels of risk and/or risk acceptance criteria. d) Resource needs. e) Improvement to how the effectiveness of controls is being measured.

SC1.3 Artifacts: It does not define artifacts.

Table 2. Syntax to Identify the Requirements in the ISO Models Family

1. Shall [verb]: This statement indicates the actions, activities, tasks or procedures which the organization that will develop it will have.
2. Shall [verb] and [verb]: It is probable that this statement will be used to describe one or several actions or to derive processes.
3. Begins with [shall] or shall [verb]: Identifies a list of derived requirements of processes, procedures, activities or tasks.
4. Shall be [verb]: Indicates the characteristics associated with a process, or possible roles or work products.
5. Shall [include]: Indicates the details that the organization must include in a process or work product.
6. Shall be [verb] + [by], [to] or [on]: This syntax helps to identify the detail of some procedures or processes.
7. Documented, input, output: Indicates a possible work product. It might include some characteristics related to the work product.

Designing the Comparison

After carrying out the homogenization of the standards, the performer (P) carried out a low-level comparison with regard to the information described in the tasks defined in the comparison method (see Figure 3). The comparison supported the comparative analysis of descriptions from the point of view of all the relations of the elements classified as activities. In that sense, the directionality of the comparison was a comparison of ISO with regard to ISO. The choice of directionality took into account the needs expressed by the organization: (i) expanding the market for ISO certified organizations, (ii) certifying in ISO the organizations certified in ISO and (iii) taking advantage of previous efforts in ISO. To express the degree of relationship between the tasks compared, a discrete scale, or scale of comparison, was defined. The scale consists of the following elements: Not related (N) (0%), Weakly related (W) (1% to 15%), Partially related (P) (16% to 50%), Largely related (L) (51% to 85%) and Strongly related (S) (86% to 100%). From the comparison scale we derived two values to classify the results collected:

- The degree of relationship (dr) is found by dividing the number of elements (statements) where a relationship (between two models) has been found by the total number of elements (statements) of one of the two models. It is important to highlight that the numeric value assigned to a relationship is only indicative of the extent to which a process element of a model A is addressed by means of another process element of a model B.
- The Fulfillment (F) is found by taking into account the relationships found between the models involved. However, unlike dr, to find F the number of statements supported by a model A with respect to a model B is taken into account. Hence, dr doesn't take into account the number of relationships found in each intersection during the comparison.
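As an added example (not code from the paper, from HFramework or from Audisec's tool), the following Python turns the comparison scale, dr and F into executable checks. The statement-level data has the shape of Table 3 (a three-statement clause against a one-statement clause, one link found) with constructed labels; the small clause-level matrix is also constructed and is not Table 4. The reading of dr and F as "share of statements that have at least one relationship, in a given direction" is an assumption drawn from the explanation of Table 3; the matrix summary goes beyond the passage and reproduces the kind of totals reported later for the full comparison.

```python
"""Comparison scale, degree of relationship (dr) and fulfillment (F).

Added example, not the paper's own code. Statement labels and the rating
matrix below are constructed for illustration.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Upper bound (in %) of each non-zero band of the scale, as the paper defines it.
BANDS: List[Tuple[int, str]] = [(15, "W"), (50, "P"), (85, "L"), (100, "S")]


def classify(percent: float) -> str:
    """Map a percentage to N/W/P/L/S.

    Assumption: the paper gives integer bands (1%-15%, 16%-50%, ...), so a
    fractional value is rounded to the nearest whole percent first; a non-zero
    value that would round to 0 is still 'W', because 'N' means no relationship.
    """
    if percent <= 0:
        return "N"
    whole = max(1, round(percent))
    for upper, label in BANDS:
        if whole <= upper:
            return label
    return "S"


def degree_of_relationship(links: Set[Tuple[str, str]], statements: List[str]) -> float:
    """dr in %: statements of one model for which at least one relationship
    was found, divided by the total number of statements of that model."""
    linked = {a for a, _ in links} | {b for _, b in links}
    return 100.0 * sum(1 for s in statements if s in linked) / len(statements)


def fulfillment(links: Set[Tuple[str, str]], stmts_a: List[str],
                stmts_b: List[str]) -> Tuple[float, str]:
    """F in the direction A -> B (assumed reading of Table 3): the share of A's
    statements that some statement of B supports. Links are (A stmt, B stmt)."""
    supported = {a for a, b in links if a in stmts_a and b in stmts_b}
    pct = 100.0 * len(supported) / len(stmts_a)
    return pct, classify(pct)


# Constructed statement labels in the shape of Table 3.
CHANGE_CLOSE = ["CC-1 review changes for success or failure",
                "CC-2 record and act on any nonconformity",
                "CC-3 feed weaknesses into service improvement plans"]
CORRECTIVE = ["8.2-1 act to eliminate the cause of nonconformities"]
# The single relationship found in Table 3: statement 2 of the
# change-closing clause and the corrective-action statement.
LINKS = {(CHANGE_CLOSE[1], CORRECTIVE[0])}


def table3_example() -> Dict[str, Tuple[float, str]]:
    """Both directions of the Table 3 comparison plus dr for each side."""
    f_fwd, lbl_fwd = fulfillment(LINKS, CHANGE_CLOSE, CORRECTIVE)
    reverse = {(b, a) for a, b in LINKS}
    f_rev, lbl_rev = fulfillment(reverse, CORRECTIVE, CHANGE_CLOSE)
    dr_cc = degree_of_relationship(LINKS, CHANGE_CLOSE)
    dr_ca = degree_of_relationship(LINKS, CORRECTIVE)
    return {
        "change_closing -> corrective": (round(f_fwd, 1), lbl_fwd),
        "corrective -> change_closing": (round(f_rev, 1), lbl_rev),
        "dr change_closing": (round(dr_cc, 1), classify(dr_cc)),
        "dr corrective": (round(dr_ca, 1), classify(dr_ca)),
    }


# Constructed 3 x 4 rating matrix: rows are clauses of one standard,
# columns are clauses of the other, cells are scale values.
MATRIX: Dict[str, List[str]] = {
    "CA": ["L", "P", "N", "S"],
    "CB": ["N", "N", "W", "N"],
    "CC": ["P", "N", "N", "N"],
}


def summarize(matrix: Dict[str, List[str]]) -> Dict[str, object]:
    """Totals per scale value, the related/not-related split, and per-column
    coverage (share of rows with any relationship, rounded to whole %)."""
    cells = [v for row in matrix.values() for v in row]
    total = len(cells)
    counts = Counter(cells)
    width = len(next(iter(matrix.values())))
    coverage = [round(100.0 * sum(1 for row in matrix.values() if row[c] != "N")
                      / len(matrix)) for c in range(width)]
    related = total - counts["N"]
    return {"total": total, "related": related,
            "related_pct": round(100.0 * related / total),
            "counts": dict(counts), "column_coverage_pct": coverage}


if __name__ == "__main__":
    print(table3_example())
    print(summarize(MATRIX))
```

The forward direction yields 1 of 3 (33.3%, P) and the reverse 1 of 1 (100%, S), which is the asymmetry the text describes for Table 3; a clause can support another strongly while being only partially supported in return.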

Figure 3. Activity Diagram of the Comparison Method

4.3. Carrying out the Mapping

The comparison was carried out according to the comparison design. In this sense, the analysis focused on a study of how the requirements of ISO address in some way (or not) some aspects of the requirements of ISO. As can be seen in Figure 4, the comparison used the iterative and incremental approach to make it easier to manage the complexity of comparing the entities concerned at a low level of abstraction. After each iteration of comparison, the results were analyzed by two peer reviewers (see Figure 1). The review verified the reliability of the results and of the comparison method. Table 3 shows a detailed example of the relationship between the tasks identified in clause 8.2 of ISO 27001 and the clause of ISO concerning the closing and review of a request for change. In Table 3, the F found means: 1 statement of ISO supports 1 statement out of 3 of ISO. Clause 8.2 therefore has a fulfillment of 33% with regard to clause of ISO , i.e., ISO partially supports the enforcement of clause.

Table 3. Comparison between Clause 8.2 of ISO and Clause of ISO

Some considerations:
- Direction of the comparison: From ISO to ISO.
- Process elements for the comparison: "Shall" statements of both standards.
- Research questions: 1) What statements of ISO can offer support to statements of ISO ? 2) Which statements of ISO are strongly related to the support of statements of ISO ?
- Comparison goal: To determine which statements ("shall") of ISO have a close relationship with some statements of ISO. The goal is to know what the degree of fulfillment of the statements of ISO is, based on the statements described in ISO.

ISO Clause : Closing and reviewing the change request. All changes should be reviewed for success or failure after implementation and any improvement recorded. Any nonconformity should be recorded and acted on. Any weaknesses or deficiencies identified in a review of the change management process should be fed into plans for improving the service.

ISO Clause 8.2 Corrective action: The organization shall take action to eliminate the cause of nonconformities with the ISMS requirements, in order to prevent recurrence.

dr & F: ISO to ISO : P (1 of 3) (in this case dr and F are equal).

As for organizations interested in harmonization in the opposite direction, i.e., from ISO to ISO 27001, they can find dr and F from the comparison performed. For instance, taking into account the comparison in Table 3, F in the direction of ISO to ISO is 100%, i.e., 1 statement of ISO supports 1 statement of 3 of ISO. Hence, clause strongly supports the enforcement of clause 8.2.

Figure 4. Activity Diagram of the Integration Method

Analyzing the Results of the Mapping

Based on the harmonization objectives defined and on the directionality of the comparison, the result of the comparisons was a ratio of one to many. Of the 133 relationships that may exist between the processes of each model, 85 relationships were classified as N. That is, 64% are not related in any way, and 36% (48) are related. That means that within the 36% where some correspondence was identified, 5% (6) corresponds to Strongly related relationships, 5% (6) to Largely related relationships, 24% (32) to Partially related relationships and 2% (3) to Weakly related relationships. It is possible to see that there are strongly related relationships between processes, i.e., these relationships come close to, or are at, 100% of relationship. This does not mean that the processes are identical, but that all the statements analyzed in ISO have found some relationship with a task of ISO. Table 4 shows a summary of the comparison performed between ISO and ISO. In conclusion, it is possible to see a relationship between the two models. The ISO standard supports compliance with 36% of the statements defined by ISO. Based on the results obtained, it is possible to identify some similarities and differences between ISO and ISO ; e.g., in terms of the Information Security Management System we can note that ISO presents a series of controls and objectives to ensure information security. For its part, ISO delves into the risks associated with the operation and maintenance of the controls proposed in ISO. In this regard, ISO extends the description of the controls, describing in greater detail the manner in which they must be performed. This feature can be observed in several of the clauses compared, but these relationships were not identified because this first comparison of the standards was performed only at the level of the descriptions of their terms and did not involve the controls and objectives defined in Annex A of ISO. In that sense, it is possible to establish more relationships. As future work we will address the comparison of the models taking into account the controls and objectives defined in ISO.

International Journal of Software Engineering and Its Applications

Table 4. General Results of the Comparison between ISO and ISO

Some considerations:
- Direction of the comparison: From ISO to ISO.
- Process elements for the comparison: "Shall" statements of both standards.
- Research questions: 1) What statements of ISO can offer support to statements of ISO ? 2) Which statements of ISO are strongly related to the support of statements of ISO ?
- Comparison goal: To determine which statements ("shall") of ISO have a close relationship with some statements of ISO. The goal is to know what the degree of fulfillment of the statements of ISO is, based on the statements described in ISO.

Columns (clauses of ISO/IEC 20000): Clause 3 The management system; Clause 4.1 Plan service management (Plan); Clause 4.2 Implement service management and provide the services (Do); Clause 4.3 Monitoring, measuring and reviewing (Check); Clause 4.4 Continual improvement (Act); Clause 5 Planning and implementing new or changed services; Clause 6.1 Service level management; Clause 6.2 Service reporting; Clause 6.3 Service continuity and availability management; Clause 6.4 Budgeting and accounting for IT services; Clause 6.5 Capacity management; Clause 6.6 Information security management; Clause 7.2 Business relationship management; Clause 7.3 Supplier management; Clause 8.2 Incident management; Clause 8.3 Problem management; Clause 9.1 Configuration management; Clause 9.2 Change management; Clause 10.1 Release management process.

C: Clauses ISO/IEC 27001                  3  4.1 4.2 4.3 4.4  5  6.1 6.2 6.3 6.4 6.5 6.6 7.2 7.3 8.2 8.3 9.1 9.2 10.1
C4.2 Establishing and managing the ISMS   L   P   P   L   P   N   W   N   P   P   N   S   P   N   W   L   L   P   S
C4.3 Documentation requirements           P   N   N   N   N   N   N   P   N   N   N   S   P   N   N   P   L   P   P
C5.1 Management commitment                N   N   N   P   N   S   N   N   N   N   N   S   N   N   N   N   N   N   N
C5.2 Resource management                  P   N   N   P   N   P   N   N   N   N   N   P   S   P   P   S   N   L   P
C6   Internal ISMS audits                 P   N   N   N   N   N   N   N   N   N   N   P   N   N   N   N   P   N   N
C7   Management review of the ISMS        N   N   N   P   N   N   N   N   N   N   N   N   P   N   N   N   N   P   N
C8   ISMS improvement                     P   N   N   P   P   N   N   N   W   N   N   N   N   N   N   N   P   P   N

Scale of comparison: Not related (N) (0%); Weakly related (W) (1% to 15%); Partially related (P) (16% to 50%); Largely related (L) (51% to 85%); Strongly related (S) (86% to 100%).

5. Integrating ISO and ISO

On the basis of the results obtained in the comparison stage, and following IMethod (see Figure 4), in Table 5 we present an example which shows how to carry out the integration between two related clauses of ISO and ISO. The unified clause column shows the content of a unified practice, which integrates the content of clause 8.2 of ISO and clause of ISO. The result is a combination of the best practices into a single practice. The ISO column indicates whether there is a relationship between the content of the unified practice and ISO. The explanation column describes additional information. The ISO relationship column indicates that clause of ISO has a correspondence to ISO , i.e., clause 8.2. The square brackets [ ] indicate the information added into the unified practice; they thereby reflect a modification by insertion. The characters << >> indicate the deleted content and thus reflect a modification by erasing. Table 6 shows the final result of the unified clause 8.2. This clause contains certain content of clause of ISO which is not contained in ISO. Organizations can use this method to define their integrated processes or unified models.

Table 5. Partial Example of a Unified Practice Integrating ISO and ISO

Unified Practice (Clause 8.2 Corrective action has been taken as the basis practice): [Any nonconformity should be recorded and acted on]. [Then, ] <<The>> organization shall take action to eliminate the cause of nonconformities with the ISMS requirements, in order to prevent recurrence.
ISO relationship: Statement 2 of clause , Closing and reviewing the change request.
Explanation: Clause of ISO offers a complement to practice 8.2 of ISO.

Table 6. Unified Clause 8.2

Clause 8.2 Corrective action: Any nonconformity should be recorded and acted on. The organization shall then take action to eliminate the cause of nonconformities with the ISMS requirements, in order to prevent recurrence.

6. Some Benefits Reported by Audisec

With the harmonization of the standards ISO and ISO , Audisec reported several benefits; the most significant of these are:

- When two ISO models such as ISO and ISO are being harmonized, it is conceivable that, as they are structurally compatible standards, it may not be necessary to carry out the homogenization of their process elements using a common structure of process elements such as the CSPE template. However, the semantic analysis done to organize the statements of the clauses in the common structure improved the understanding of the standards, as it facilitated the identification, interpretation, internalization and classification of descriptions under a process-oriented structure that is more detailed and easier to apply as a reference model. An example is presented in Table 1.

12 The harmonization strategy has allowed a systematic harmonization guide to be defined, and this has facilitated the analysis, identification of differences and support opportunities between ISO and ISO According to Audisec, the strategy of harmonization was a practical and powerful guide for carrying out the harmonization of ISO and ISO With the results obtained, the organization has developed a software tool to support the ISO consulting process. This tool has been developed taking into account the relationships found between ISO and ISO Based on the results, we may affirm that the tool has reduced the effort involved in the institutionalization of ISO in organizations that had implemented ISO previously. Figure 5 shows an example of the comparison between clause 5.1 of ISO and clause 5.1 of ISO (we maintain the original screen shot, which is in Spanish). Figure 5. Comparison between ISO and ISO by Means Audisec s Tool 7. Conclusions In this paper we have presented the harmonization of standards ISO and ISO To carry out the harmonization of these standards, a harmonization strategy has been defined and configured, made up of a homogenization method, a comparison method and an integration method. The harmonization strategy obtained is the result of the implementation of a harmonization process, which supports the definition and configuration of strategies for harmonization of multiple models. Both ISO and ISO describe objectives and best practices for improving the management systems of organizations through two different approaches, namely information security and IT service. Although these standards describe practices for different approaches, it is possible to find similarities in their descriptions, as well as a different level of detail. 
This feature suggests that the similarities identified can be harmonized and integrated under one management system, impacting positively on: (i) the cost, (ii) the time and (iii) the associated resources, which can be different if they are implemented separately. In that sense, the comparison made in this work of ISO and ISO can be of practical benefit to ISO-certified organizations when they seek to institutionalize the processes of ISO . It has been possible to note that there is a partial relationship of 36%. This means that there are 48 relationships where ISO offers some kind of support for the processes of ISO . Although the amount of strongly related relationships found is only around 10%, it is important to highlight that, while ISO and ISO define best practices for different implementation approaches, the models are not totally different and it is thereby possible to find close relationships. For instance, ISO provides greater coverage for the practices related to the management system and the control process, i.e. clause 3 (71%) and clause 7 (64%), respectively.

The conceptual relationships established between the two standards have been identified under the criteria and experience of the performer responsible for the analysis and comparison of the models. As future work we will carry out an empirical study that allows the standards to be mapped using the opinion of several experts and/or practitioners involved in the use of ISO and ISO in some organizations. This validation would enable the correspondence between these standards to be checked, not only from a theoretical point of view, but also from an empirical and practical standpoint.

Acknowledgments

This work has been funded by the projects: (i) INGENIOSO (PEII P, Junta de Comunidades de Castilla-La Mancha and FEDER), (ii) SEQUOIA (Ministerio de Economía y Competitividad and Fondo Europeo de Desarrollo Regional - FEDER, TIN C3-1-R), (iii) U-CSCL Project (Universidad del Cauca, VRI-3713) and (iv) MCSS-TI Project (Universidad del Cauca, VRI-4358). César Pardo and Francisco J. Pino acknowledge the contribution of the University of Cauca, where they work as an assistant professor and a full professor respectively.

Authors

César Pardo was born in Popayán (Colombia). He received his MSc and PhD degrees in Computer Science from the University of Castilla-La Mancha (UCLM), Ciudad Real (Spain). He is currently an assistant professor at the Engineering Faculty of the University of Cauca (Colombia). His research interests include software processes, software process improvement, agile methodologies, project estimation, software quality, harmonization of multiple models and standards, and quality characteristics of process-supported software products. He is also a Scrum Master certified by Alliance Inc. He is the author of one book, co-author of seven book chapters, co-author of more than 50 research papers in journals and conferences, and the owner of two intellectual properties (IP). He is a member of several national and international committees. César Pardo acknowledges the contribution of the University of Cauca, where he works as an assistant professor. Contact details: Universidad del Cauca, Calle 5 No. 4 70, Popayán, Colombia; cpardo@unicauca.edu.co.

Francisco J. Pino has a European PhD in Computer Science from the University of Castilla-La Mancha (UCLM), Spain. He is currently a full professor at the Electronic and Telecommunications Engineering Faculty of the University of Cauca, in Popayán (Colombia). He is a member of the IDIS Research Group and his research interests are software process improvement in small companies and the harmonization of multiple improvement technologies. Contact details: Universidad del Cauca, Calle 5 No. 4 70, Popayán, Colombia; fjpino@unicauca.edu.co.

Félix García received his MSc (2001) and PhD (2004) degrees in Computer Science from the University of Castilla-La Mancha (UCLM). He is currently an associate professor in the Department of Information Technologies and Systems at the UCLM. He is a member of the Alarcos Research Group and his research interests include business process management, software processes, software measurement, and agile methods. Contact details: Escuela Superior de Informática, Paseo de la Universidad 4, Ciudad Real, Spain; Felix.Garcia@uclm.es.


NATO Integrated Quality Requirements for Software throughout the Life Cycle

NATO Integrated Quality Requirements for Software throughout the Life Cycle NATO Integrated Quality Requirements for Software throughout the Life Cycle Edition 1 (July 2001) -i- -ii- NORTH ATLANTIC TREATY ORGANIZATION MILITARY AGENCY FOR STANDARDIZATION (MAS) NATO LETTER OF PROMULGATION

More information

ISO 9001:2015 QUALITY MANAGEMENT SYSTEM ***** ISO 14001:2015 ENVIRONMENTAL MANAGEMENT SYSTEM

ISO 9001:2015 QUALITY MANAGEMENT SYSTEM ***** ISO 14001:2015 ENVIRONMENTAL MANAGEMENT SYSTEM ISO 9001:2015 QUALITY MANAGEMENT SYSTEM ***** ISO 14001:2015 ENVIRONMENTAL MANAGEMENT SYSTEM ***** OHSAS 18001:2007 OCCUPATIONAL HEALTH AND SAFETY MANAGEMENT SYSTEM ***** QMS-EMS-OHS MANUAL Document #

More information

ISO Information and documentation Management systems for records Fundamentals and vocabulary

ISO Information and documentation Management systems for records Fundamentals and vocabulary Provläsningsexemplar / Preview INTERNATIONAL STANDARD ISO 30300 First edition 2011-11-15 Information and documentation records Fundamentals and vocabulary Information et documentation Systèmes de gestion

More information

Index. client-supplier paradigm 202

Index. client-supplier paradigm 202 276 Index A Accounting Standard (AS) 80 Acquire & Implement (AI) 63, 64, 69, 70 Activity-Based Costing (ABC) 226 Administrative Roles and Responsibilities 35 ALEX 135, 137, 138, 139, 140, 141 alignment

More information

YaSM and the YaSM Process Map. Introduction to YaSM Service Management

YaSM and the YaSM Process Map. Introduction to YaSM Service Management YaSM and the YaSM Process Map Introduction to YaSM Management Contents Why Yet another Management Model?... 5 YaSM - the idea... 5 A framework for everyone in the business of providing services... 6 YaSM

More information

Highlights of CMMI and SCAMPI 1.2 Changes

Highlights of CMMI and SCAMPI 1.2 Changes Highlights of CMMI and SCAMPI 1.2 Changes Presented By: Sandra Cepeda March 2007 Material adapted from CMMI Version 1.2 and Beyond by Mike Phillips, SEI and from Sampling Update to the CMMI Steering Group

More information

Project Quality Management

Project Quality Management Project Quality Management Discussion Topics Quality Models Quality Management Activities ISO9000 CMMI What Is a Project? A temporary endeavour undertaken to create a unique product, service, or result

More information

ICM CERTIFICATION (P) LIMITED

ICM CERTIFICATION (P) LIMITED ICM CERTIFICATION (P) LIMITED Transition to ISO 22000:2018 Food safety management System ASUS Quality HACCP ICMC ISO 22000 Food safety management system The 2018 version of ISO 22000 was published on June

More information

CGEIT Certification Job Practice

CGEIT Certification Job Practice CGEIT Certification Job Practice Job Practice A job practice serves as the basis for the exam and the experience requirements to earn the CGEIT certification. This job practice consists of task and knowledge

More information

Guidelines for auditing management systems

Guidelines for auditing management systems INTERNATIONAL STANDARD ISO 19011 Third edition 2018-07 Guidelines for auditing management systems Lignes directrices pour l'audit des systèmes de management Reference number ISO 19011:2018(E) ISO 2018

More information

Revista Facultad de Ingeniería Universidad de Antioquia ISSN: Universidad de Antioquia Colombia

Revista Facultad de Ingeniería Universidad de Antioquia ISSN: Universidad de Antioquia Colombia Revista Facultad de Ingeniería Universidad de Antioquia ISSN: 0120-6230 revista.ingenieria@udea.edu.co Universidad de Antioquia Colombia Pardo-Calvache, César Jesús; García-Rubio, Félix Oscar; Piattini-Velthuis,

More information

Quality management systems Guidelines for the application of ISO 9001:2008 in local government

Quality management systems Guidelines for the application of ISO 9001:2008 in local government Provläsningsexemplar / Preview INTERNATIONAL STANDARD ISO 18091 First edition 2014-02-15 Quality management systems Guidelines for the application of ISO 9001:2008 in local government Systèmes de management

More information

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security management systems Requirements

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security management systems Requirements INTERNATIONAL STANDARD ISO/IEC 27001 First edition 2005-10-15 Information technology Security techniques Information security management systems Requirements Technologies de l'information Techniques de

More information

CMMI for Services (CMMI -SVC) Process Areas

CMMI for Services (CMMI -SVC) Process Areas CMMI for Services (CMMI -SVC) Process Areas SES CMMI Training Series August27, 2009 Dial - 1-877-760-2042 Pass code - 147272 SM SEI and CMM Integration are service marks of Carnegie Mellon University CMM

More information

We are a global classification, certification, technical assurance and advisory company Ungraded

We are a global classification, certification, technical assurance and advisory company Ungraded We are a global classification, certification, technical assurance and advisory company 1 Global reach local competence 150 300 100 15,000 years offices countries employees 2 DNV GL :: Focused on your

More information

THE NEW ISO STANDARDS ON MANAGEMENT SYSTEMS & THE EFQM EXCELLENCE MODEL

THE NEW ISO STANDARDS ON MANAGEMENT SYSTEMS & THE EFQM EXCELLENCE MODEL THE NEW ISO STANDARDS ON MANAGEMENT SYSTEMS & THE EFQM EXCELLENCE MODEL 1. Introduction In the year 2015 two ISO standards were revised. ISO 9001:2015, released on October 1, and ISO 14001:2015, released

More information

ISO/PC Occupational health and safety management systems Requirements with guidance for use

ISO/PC Occupational health and safety management systems Requirements with guidance for use DRAFT INTERNATIONAL STANDARD ISO/DIS 45001.2 ISO/PC 283 Secretariat: BSI Voting begins on: Voting terminates on: 2017-05-19 2017-07-13 Occupational health and safety management systems Requirements with

More information

Outlines. Background Overviews Benefits of IT Governance Definitions IT Governance vs IT management/it controls Implementation and Frameworks

Outlines. Background Overviews Benefits of IT Governance Definitions IT Governance vs IT management/it controls Implementation and Frameworks Outlines Background Overviews Benefits of IT Governance Definitions IT Governance vs IT management/it controls Implementation and Frameworks 2 Background The connection between strategic objectives and

More information

CMMI V2.0 MODEL AT-A-GLANCE. Including the following views: Development Services Supplier Management. CMMI V2.0 outline BOOKLET FOR print.

CMMI V2.0 MODEL AT-A-GLANCE. Including the following views: Development Services Supplier Management. CMMI V2.0 outline BOOKLET FOR print. CMMI V.0 MODEL AT-A-GLANCE Including the following views: Development Services Supplier Management CMMI V.0 outline BOOKLET FOR print.indd CMMI V.0 An Integrated Product Suite Designed to meet the challenges

More information

Modeling ISO using Archimate

Modeling ISO using Archimate Modeling ISO 31000 using Archimate Abstract Organizations are subject to a set of internal and external factors that may have a negative effect on the achievement of their objectives. These uncertain effects

More information

Analyzing a Process Profile for Very Small Software Enterprises

Analyzing a Process Profile for Very Small Software Enterprises Analyzing a Process Profile for Very Small Software Enterprises Timo Mäkinen & Timo Varkoi Tampere University of Technology, Pori timo.makinen@tut.fi, timo.varkoi@tut.fi Abstract Small software enterprises

More information

Executive Overview. Transitioning to ISO 9001:2015 Quality Management System. Biafore Associates Inc. Overview Objectives

Executive Overview. Transitioning to ISO 9001:2015 Quality Management System. Biafore Associates Inc. Overview Objectives Executive Transitioning to ISO 9001:2015 Quality Management System Biafore Associates Inc. This guideline is for training purposes only; Not ISO controlled Objectives The overview objectives are as follows:

More information

ISO INTERNATIONAL STANDARD. Risk management Principles and guidelines. Management du risque Principes et lignes directrices

ISO INTERNATIONAL STANDARD. Risk management Principles and guidelines. Management du risque Principes et lignes directrices INTERNATIONAL STANDARD ISO 31000 First edition 2009-11-15 Risk management Principles and guidelines Management du risque Principes et lignes directrices http://mahdi.hashemitabar.com Reference number ISO

More information

Document: ISO/TC 176/SC 2/N 730. Our ref

Document: ISO/TC 176/SC 2/N 730. Our ref Document: ISO/TC 176/SC 2/N 730 Our ref Secretariat of ISO/TC 176/SC 2 Date: 30 June 2005 To the Members of ISO/TC 176/SC 2 - Quality Management and Quality Assurance/ Quality Systems Design Specification

More information

Introduction to Software Product Lines Patrick Donohoe Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213

Introduction to Software Product Lines Patrick Donohoe Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Introduction to Software Product Lines Patrick Donohoe Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 2014 by Carnegie Mellon University Copyright 2014 Carnegie Mellon University

More information

SOFTWARE ENGINEERING SOFTWARE PROCESS. Saulius Ragaišis.

SOFTWARE ENGINEERING SOFTWARE PROCESS. Saulius Ragaišis. SOFTWARE ENGINEERING SOFTWARE PROCESS Saulius Ragaišis saulius.ragaisis@mif.vu.lt CSC2008 SE Software Processes Learning Objectives: Explain the concept of a software life cycle and provide an example,

More information