iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty!
ISO

ISO/IEC PRF TS 38505-3

(Main)

Information technology -- Governance of data

Information technology -- Governance of data

Technologies de l'information -- Gouvernance des technologies de l'information

General Information

Status
Published
ICS
35.020 - Information technology (IT) in general
Technical Committee
ISO/IEC JTC 1/SC 40 - IT service management and IT governance
Drafting Committee
ISO/IEC JTC 1/SC 40/WG 1 - Governance of InformationTechnology
Current Stage
5060 - Close of voting Proof returned by Secretariat
Completion Date
25-Nov-2021
Ref Project

Buy Standard

ISO/IEC PRF TS 38505-3 - Information technology -- Governance of dataISO/IEC PRF TS 38505-3 - Information technology -- Governance of data
PreviousNext
Draft
ISO/IEC PRF TS 38505-3 - Information technology -- Governance of data
English language
17 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

TECHNICAL ISO/IEC TS
SPECIFICATION 38505-3
First edition
Information technology — Governance
of data —
Part 3:
Guidelines for data classification
Technologies de l'information — Gouvernance des technologies de
l'information —
PROOF/ÉPREUVE
Reference number
ISO/IEC TS 38505-3:2021(E)
© ISO/IEC 2021
---------------------- Page: 1 ----------------------
ISO/IEC TS 38505-3:2021(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on

the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below

or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC TS 38505-3:2021(E)
Contents Page

Foreword ..........................................................................................................................................................................................................................................v

Introduction .............................................................................................................................................................................................................................. vi

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ..................................................................................................................................................................................... 1

3 Terms and definitions .................................................................................................................................................................................... 1

4 Foundations ............................................................................................................................................................................................................... 4

4.1 Context ........................................................................................................................................................................................................... 4

4.1.1 The data deluge ................................................................................................................................................................... 4

4.1.2 The strategic value of data ........................................................................................................................................ 4

4.1.3 The risks associated with data .............................................................................................................................. 4

4.1.4 Consequences of failure ............................................................................................................................................... 4

4.2 Data classification................................................................................................................................................................................ 5

4.3 Purpose of classification: .............................................................................................................................................................. 5

4.4 Engage and empower staff ........................................................................................................................................... ................ 6

4.5 Structure of this document ......................................................................................................................................................... 6

5 Roles and responsibilities .......................................................................................................................................................................... 6

5.1 General ........................................................................................................................................................................................................... 6

5.2 Role of governing body .................................................................................................................................................................... 8

5.2.1 General ........................................................................................................................................................................................ 8

5.2.2 Understanding the role of data .............................................................................................................................. 8

5.2.3 Governance of data ........................................................................................................................................................... 8

5.2.4 Data classification approach .................................................................................................................................... 8

5.2.5 Data classification and risk management .................................................................................................... 8

5.2.6 Direct according to policy .......................................................................................................................................... 9

5.2.7 Monitor conformance and performance ....................................................................................................... 9

5.3 Role of management ......... .................................................................................................................................................................. 9

5.3.1 General ........................................................................................................................................................................................ 9

5.3.2 Setting the scope of data classification .......................................................................................................... 9

5.3.3 Propagating and implementing policy ............................................................................................................ 9

5.3.4 Defining roles and responsibilities ................................................................................................................. 10

5.3.5 Mobilizing the organization in support of the policy...................................................................... 10

5.3.6 Operation ............................................................................................................................................................................... 11

5.3.7 Feedback from management to the governing body ....................................................................... 11

5.3.8 Levels, discovery and attribution ..................................................................................................................... 11

5.4 Changing classifications.............................................................................................................................................................. 11

5.5 Defining the requirements: key considerations ....................................................................................................12

6 Data classification framework ...........................................................................................................................................................12

6.1 Context ........................................................................................................................................................................................................ 12

6.2 Identification ......................................................................................................................................................................................... 13

6.3 Implementation ........................................................................................................................................... ........................................13

6.4 Monitor/Improve ............................................................................................................................................................................... 14

7 Guiding principles ...........................................................................................................................................................................................14

7.1 Simplicity .................................................................................................................................................................................................. 14

7.2 Default classifications ................................................................................................................................................................... 14

7.3 Interoperability................................................................................................................................................................................... 14

7.4 Equivalence............................................................................................................................................................................................. 14

7.5 Use of data classification for processor and controller ................................................................................... 15

7.6 Auditing, controls and compliance .................................................................................................................................... 15

7.7 Customer data ...................................................................................................................................................................................... 15

7.8 Assessment and reporting ........................................................................................................................................................ 16

7.9 Learning, maintaining and improving ........................................................................................................................... 16

7.10 Data protection ................................................................................................................................................................................... 16

iii
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE
---------------------- Page: 3 ----------------------
ISO/IEC TS 38505-3:2021(E)

Bibliography .............................................................................................................................................................................................................................17

PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC TS 38505-3:2021(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that are

members of ISO or IEC participate in the development of International Standards through technical

committees established by the respective organization to deal with particular fields of technical

activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international

organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the

work.

The procedures used to develop this document and those intended for its further maintenance

are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria

needed for the different types of document should be noted. This document was drafted in

accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or

www.iec.ch/members_experts/refdocs).

Attention is drawn to the possibility that some of the elements of this document may be the subject

of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent

rights. Details of any patent rights identified during the development of the document will be in the

Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC

list of patent declarations received (see https://patents.iec.ch).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to

the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see

www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 40, IT Service Management and IT Governance.

A list of all parts in the ISO/IEC 38505 series can be found on the ISO and IEC websites.

Any feedback or questions on this document should be directed to the user’s national standards

body. A complete listing of these bodies can be found at www.iso.org/members.html and

www.iec.ch/national-committees.
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE
---------------------- Page: 5 ----------------------
ISO/IEC TS 38505-3:2021(E)
Introduction

This document complements the existing International Standards on IT governance (ISO/IEC 38500)

and data governance (ISO/IEC 38505-1). It is designed to provide practical guidance for organizations

including governing bodies and management to allow them to:
— maintain an oversight of their data portfolio,

— understand the business context, value, sensitivity and risk associated with the data, and

— apply mechanisms that are both proportionate and appropriate, ensuring that data is protected,

and is only used for intended purposes consistent with the organization’s obligations.

PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved
---------------------- Page: 6 ----------------------
TECHNICAL SPECIFICATION ISO/IEC TS 38505-3:2021(E)
Information technology — Governance of data —
Part 3:
Guidelines for data classification
1 Scope

This document provides essential guidance for members of governing bodies of organizations and

management on the use of data classification as a means to support the organization’s overall data

governance policy and associated systems. It sets out important factors to be considered in developing

and deploying a data classification system.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
big data

extensive datasets, primarily in the data characteristics of volume, variety, velocity and/or variability,

that require scalable technology for efficient storage, manipulation, management and analysis

Note 1 to entry: Big data is commonly used in many different ways, for example as the name of the scalable

technology used to handle big data extensive datasets.
[SOURCE: ISO/IEC 20546:2019, 3.1.2, modified.]
3.2
customer data
data held on file about customers

Note 1 to entry: This comprises the information customers provide while interacting with the organization via

their website, mobile applications, surveys, social media, marketing campaigns and other online and offline

avenues.
3.3
data controller

person or organization who determines the purposes for which and the manner in which any data are

to be processed, stored and used
[SOURCE: ISO 10667-1:2020, 3.10, modified.]
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE
---------------------- Page: 7 ----------------------
ISO/IEC TS 38505-3:2021(E)
3.4
data processor

person [other than an employee of the data controller (3.3)] or organization that processes the data on

behalf of the data controller.
[SOURCE: ISO 10667-1:2020, 3.11, modified.]
3.5
data quality owner
senior level employee accountable for the quality of one or more datasets
3.6
data sensitivity
property of data that reflects the potential harm of unauthorized disclosure
Note 1 to entry: The potential harm is to an individual or organization.

Note 2 to entry: Different levels of data protection can be used to account for varying levels of data sensitivity.

Note 3 to entry: Data sensitivity can be applied to specific categories of data such as healthcare, finance, personal

data (3.12)
3.7
data sharing
access to or processing of the same data by more than one authorized entity
3.8
data stakeholder

natural or legal person that can affect, be affected by, or perceive themselves to be affected by a decision

or activity related to the processing of data
3.9
data steward

role within an organization responsible for ensuring that data-related work is performed according to

policies and practices as established through data governance

Note 1 to entry: Typically, data stewards are responsible for business controls, data content and meta-data

management related to a set of data assets, utilizing an organization's data governance processes to ensure

fitness of data elements, both the content and metadata.
[SOURCE: ISO/TR 14872:2019, 3.5, modified.]
3.10
data taxonomy
scheme for organizing data based upon relationships and common characteristics

Note 1 to entry: A data taxonomy can include data categorization and data classification; it represents a

convenient way to organize data.
3.11
organizational data

class of data objects under the control, by legal, contractual or other reasons, of an organization.

Note 1 to entry: Organizational data are all business information and data that are accessed, collected, used,

processed, stored, shared, distributed, transferred, disclosed, destroyed or disposed of by any of the business

units. Organization data can include, for example, financial records, business strategy documents, governing

body and governance papers, staff information (employees, contractors, consultants), business analysis and

intelligence, and executive information.

Note 2 to entry: Organizational protected data, or OPD, is organizational data for which protection is required

based on the policies established by the governance of data process.
PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved
---------------------- Page: 8 ----------------------
ISO/IEC TS 38505-3:2021(E)

Note 2 to entry: Organizations have policies that govern the data under their control. ISO/IEC 38505-1 identifies

and examines higher level governance concerns regarding the use of data which is relevant from the perspective

of governance of data.
Note 3 to entry: Organizational data can contain OPD and PII.
[SOURCE: ISO/IEC 19944-1:2020, 3.4.2, modified.]
3.12
personally identifiable information
PII
personal data

any information that (a) can be used to establish a link between the information and the natural person

to whom such information relates, or (b) is or can be directly or indirectly linked to a natural person.

Note 1 to entry: The “natural person” in the definition is the PII principal (3.13). To determine whether a PII

principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy

stakeholder holding the data, or by any other party, to establish the link between the set of PII and the natural

person.
[SOURCE: ISO/IEC 29100:2011/Amd1: 2018, 2.9, modified.]
3.13
PII principal

natural person to whom the personally identifiable information (PII) (3.12) relates

Note 1 to entry: Depending on the jurisdiction and the particular PII protection and privacy legislation, the

synonym “data subject” can also be used instead of the term “PII principal”.
[SOURCE: ISO/IEC 29100:2011, 2.11]
3.14
semi-structured data

aggregate datatype whose components' datatypes and their labels are not pre-determined

Note 1 to entry: Semi-structured data are forms of structured data (3.15) that do not follow the formal structure

of data models related to relational databases or other forms of databases.

Note 2 to entry: Examples of semi-structured data include the data that contain HTML tags or other markers to

separate semantic elements and to represent hierarchies of records and fields within the data.

[SOURCE: ISO/IEC 20944-1:2013, 3.21.12.21, modified.]
Note 3 to entry:
3.15
structured data
data which are organized based on a pre-defined (applicable) set of rules.

Note 1 to entry: The predefined set of rules governing the basis on which the data are structured needs to be

clearly stated and made known.

Note 2 to entry: A pre-defined data model is often used to govern the structuring of data.

Note 3 to entry: Examples of structured data are the data contained in relational databases.

[SOURCE: ISO/IEC 20546:2019, 3.1.35, modified.]
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE
---------------------- Page: 9 ----------------------
ISO/IEC TS 38505-3:2021(E)
4 Foundations
4.1 Context
4.1.1 The data deluge

As organizations create, process and share ever more data, they run the risk of being overwhelmed by a

data deluge. Due to rapid growth in global data volumes, any attempted quantification risks becoming

quickly obsolete; nevertheless, some indications are available.

The World Economic Forum (WEF) has estimated that the global volume of data will double between

2018 and 2022 and with then double again within 3 years. Currently, much of this growth is driven by

searches (5 billion per day) and social media platforms (Twitter: 456 thousand tweets every minute),

while future growth is expected to be driven mainly by new data scenarios, especially those related to

big data, artificial intelligence (AI) and Internet of Things (IoT).

As data has proliferated, it has become a key enabler for the effective operations of all organizations

and critical for effective decision-making by both managers and governing bodies. The pervasiveness

of data in organizations today mandates the governance of data as an organizational imperative.

As a consequence, managers and governing body members should seek to better acquaint themselves

with the potential value, risk and constraints associated with data.
4.1.2 The strategic value of data

More and more organizations understand that data constitutes a strategic asset which has financial and

non-financial value, and which can be used in turn to generate additional value for the organization.

Hence the focus on enabling organizations to leverage the value of their data without incurring data/

privacy breaches, unethical use, disclosing intellectual property, or having its data misappropriated or

misused.

Each organization should consider the data opportunity relative to its strategic context, the nature of

the data in its custody, and the risk appetite as defined by the organization’s governing body.

4.1.3 The risks associated with data

While data presents an organization with strategic, value-generating opportunities, it can also pose

significant threats. Data can be exposed to inappropriate or illegal access and used for illegal purposes.

It can be lost and, as a result, expose natural and legal persons to threats against them. It can even be

used against the organization itself in anti-competitive, unethical, or illegal ways.

Each organization should consider the threats posed by data in its care, assess the risks and take steps

to appropriately address these risks.
4.1.4 Consequences of failure

Ineffective data stewardship by the organization can present very real threats to the organization.

Examples include:

a) Data breach litigation: with potentially significant penalties, including legal prosecution and

financial penalties. The full cost of a data breach can last for months or even years.

b) Critical failure: disclosure of information, for example via a data breach, that can result in financial

loss, the failure of critical infrastructure or, in the most serious cases, to loss of life.

c) Reputational risk: reputation matters in many ways, for example, the ability to recruit top talent or

to retain the trust of customers, regulators, investors and other stakeholders.
PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved
---------------------- Page: 10 ----------------------
ISO/IEC TS 38505-3:2021(E)

d) Under-performance: poor data stewardship by the organization can lead to under-performance of

the organization and put it at a disadvantage relative to peers or competitors.
4.2 Data classification

There are many ways to organize data. A data taxonomy organizes data into various groups or

hierarchies based on a desired facet of data. For example, data can be organized into sub-groups based

on the nature of what the underlying data describes (data categories), or based on geo-location of data,

or the level of de-identification performed on the data, or on the legal means of control over the data.

Another important facet of data is its level of classification. The classification level describes the

significance or sensitivity of the data, from the perspective of an organization. For example, it can be

described as N levels of significance (N being scenario-specific). Data sensitivity, and its associated

degree or level, is determined by the purpose and context of the organization and relates to the

potential value, risk and constraints of the data. Different classifications allow the organization to have

differentiated policies and associated controls and costs based on the data’s significance. This ensures

each class of data receives the appropriate treatment (e.g. level of security controls or compliance

requirements).

See ISO/IEC 19944-1 for a description of a multi-faceted data taxonomy, where data classification

is one such facet. ISO/IEC 19944-1 describes how data classification is an important facet in an

otherwise broader, multi-faceted taxonomy of data. It is important to note the distinction between data

classification and data categorization; the latter refers more to the nature of the data. Some examples

that illustrate this distinction are shown in Table 1.
Table 1 — Distinguishing data classification and data categories
Data category: examples Data classification: examples

Customer data, e.g. identity data, descriptive data High business impact (HBI), medium business impact

(MBI), low business impact (LBI).

Aggregated data, e.g. summary statistics Confidential, restricted, internal use, public

Derived data, e.g. telemetry
Anonymized data, so that it is impossible to re-identify
an individual
Structured data, e.g. stored in a structure such as a
database
4.3 Purpose of classification:

Data classification provides a means for the organization to objectively distinguish between different

datasets, so as to indicate the significance of the data and to allow differentiated policies and controls

consistent with the significance of the data and with its compliance obligations. Data classification is a

fundamental requirement for many effective data stewardship activities in an organization.

Some examples of policies and controls that can be applied differently to different classification levels

include:

a) Data Protection: This ensures that a risk-based approach is taken for each different classification

of data such that treatments are appropriate, cost effective and enable the achievement of the

organization’s strategic objectives.

b) Compliance: Applying the correct compliance processes for each classification helps to ensure the

policies and controls for that level are correctly implemented.

c) Intended use: A core tenet of data stewardship is that data is used only for legitimate and agreed

purposes. That means that data can be used or processed only for the purpose explicitly stipulated

in an agreement with, and under the parameters defined in, the data agreement. Data classification

provides a useful mechanism that ensures that definitive and unambiguous details are assigned to

© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE
---------------------- Page: 11 ----------------------
ISO/IEC TS 38505-3:2021(E)

data attributes such that they are easily understood by people and systems with which they come

into contact.

d) Data quality: Data classification (along with data categorization) can help to ensure the necessary

treatment of that data to confirm that the appropriate level of data quality is maintained.

e) Innovation: Given the rapidly evolving data landscape, with emerging data scenarios, it is important

that the organization considers innovation in its data classification schemes. For example, Internet

of Things, artificial intelligence and big data scenarios could test established policies and controls

of data assets by the organization.
4.4 Engage and empower staff

Whether through their action or inaction, understanding or misunderstanding, staff of the organization

exert a power
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/IEC TS 30105-6:2021(Main)
Information technology -- IT Enabled Services-Business Process Outsourcing (ITES-BPO) lifecycle processes

This document provides guidance on risk management practices for the IT enabled services-business process outsourcing (ITES-BPO) service provider for the outsourced business processes. It provides guidance for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and improving the risk management framework for the ITES-BPO services. This document: —   covers IT enabled business processes that are outsourced; —   is applicable to the service provider; —   is applicable to all lifecycle processes of ITES-BPO; —   is not intended to cover IT services. The guidelines in this document align to ISO 31000, elaborating the risk principles, risk management framework and risk management process from an ITES-BPO perspective.

  • Technical specification
    18 pages
    English language
    sale 15% off
ISO
ISO/IEC TS 20000-11:2021(Main)
Information technology -- Service management

This document provides guidance on the relationship between ISO/IEC 20000–1 and a commonly used service management framework, ITIL 4. It can be used by any organization or person wishing to understand how ITIL can be used with ISO/IEC 20000–1, including: a) an organization that has claimed or demonstrated or intends to claim or demonstrate conformity to the requirements specified in ISO/IEC 20000–1 and is seeking guidance on the use of ITIL to establish and improve an SMS and the services; b) an organization that already uses ITIL and is seeking guidance on how ITIL can be used to support efforts to demonstrate conformity to the requirements specified in ISO/IEC 20000–1; c) an assessor or auditor who wishes to understand the use of ITIL as a support in achieving the requirements specified in ISO/IEC 20000–1. Clause 4 describes how ITIL can support the demonstration of conformity to ISO/IEC 20000–1. Clause 5 correlates the ITIL documents to requirements in ISO/IEC 20000–1. The tables in Annex A correlate terms and clauses in ISO/IEC 20000–1 to ITIL and vice versa; the tables in Annex B correlate clauses in ISO/IEC 20000-1 to the ITIL 4 publications and vice versa.

  • Technical specification
    53 pages
    English language
    sale 15% off
  • Draft
    53 pages
    English language
    sale 15% off
ISO
ISO/IEC 20000-2:2019/Amd 1:2020(Amendment)
ISO/IEC 20000-2:2019/Amd 1:2020
  • Standard
    1 page
    English language
    sale 15% off
  • Standard
    1 page
    French language
    sale 15% off
ISO
ISO/IEC 30105-3:2016/Amd 1:2020(Amendment)
ISO/IEC 30105-3:2016/Amd 1:2020
  • Standard
    3 pages
    English language
    sale 15% off
ISO
ISO/IEC 38506:2020(Main)
Information technology -- Governance of IT -- Application of ISO/IEC 38500 to the governance of IT enabled investments

This document provides guidance on governance of IT enabled investments to the governing body of all forms of organizations, whether private, public or government entities, and will equally apply regardless of the size of the organization or its industry or sector. The terms business and business outcome throughout this document include all forms of organization covered by this document. The document also provides guidance to other parties interacting with governing bodies such as project personnel, accountants, management consultants, investment portfolio managers and governance support staff. IT enabled investments within the scope of this document could be investments of any scale from acquiring businesses to any business change incorporating IT, building new business services or addressing effectiveness and efficiency gains in IT operational services to gain competitive edge, whether those services are internal or provided by external parties. Resource allocation for strategic innovation is addressed by providing guidance to the governing body's decision for investment resource allocation between short-, medium- and long-term innovation projects. This document also provides guidance that can be applied in the due diligence process related to business acquisitions. This document may provide guidance on the application of the principles documented in ISO/IEC 38500 for ranking IT enabled investments including assessing the value and risks of IT elements in the context of investment banking or as performed by investment companies. This document does not prescribe or define specific management practices required for IT enabled investments. ISO/IEC TS 38501 contains guidance on the implementation arrangement for the effective governance of IT in general. The constructs in ISO/IEC TS 38501 can help to identify internal and external factors relating to the governance of IT and to define beneficial outcomes and identify evidence of success. ISO/IEC TR 38502 contains guidance on the integration between the governing body and management of an organization in general. This document is written in accordance with the principles of ISO/IEC TR 38504:2016.

  • Standard
    14 pages
    English language
    sale 15% off
ISO
ISO/IEC TR 30105-7:2019(Main)
Information technology -- IT Enabled Services-Business Process Outsourcing (ITES-BPO) lifecycle processes

This document presents an exemplar for maturity assessment, following the framework for assessment of process capability levels and measurement of an organization's maturity level for an ITES-BPO service provider. This document: — uses the set of indicators for process performance and process capability; — helps to collect the objective evidence that enables an assessor to determine the process ratings; — helps to assess the result of the process capability level; — serves as a measurement framework for processes and provides an organization maturity model for ITES-BPO organizations delivering the services; — is useful for all users of the ISO/IEC 30105 series, including but not limited to internal assessors, external assessors, ITES-BPO service providers and ITES-BPO service customers; — supports the performance assessment by providing a framework to measure and derive capability and organization maturity levels.

  • Technical report
    22 pages
    English language
    sale 15% off
ISO
ISO/IEC 20000-2:2019(Main)
Information technology -- Service management

This document provides guidance on the application of a service management system (SMS) based on ISO/IEC 20000-1. It provides examples and recommendations to enable organizations to interpret and apply ISO/IEC 20000-1, including references to other parts of ISO/IEC 20000 and other relevant standards.

  • Standard
    63 pages
    English language
    sale 15% off
  • Standard
    70 pages
    French language
    sale 15% off
ISO
ISO/IEC 20000-3:2019(Main)
Information technology -- Service management

This document includes guidance on the scope definition and applicability to the requirements specified in ISO/IEC 20000-1. This document can assist in establishing whether ISO/IEC 20000-1 is applicable to an organization's circumstances. It illustrates how the scope of an SMS can be defined, irrespective of whether the organization has experience of defining the scope of other management systems. The guidance in this document can assist an organization in planning and preparing for a conformity assessment against ISO/IEC 20000-1. Annex A contains examples of possible scope statements for an SMS. The examples given use a series of scenarios for organizations ranging from very simple to complex service supply chains. This document can be used by personnel responsible for planning the implementation of an SMS, as well as assessors and consultants. It supplements the guidance on the application of an SMS given in ISO/IEC 20000-2. Requirements for bodies providing audit and certification of an SMS can be found in ISO/IEC 20000-6 which recommends the use of this document.

  • Standard
    28 pages
    English language
    sale 15% off
  • Standard
    29 pages
    French language
    sale 15% off
ISO
ISO/IEC TR 20000-7:2019(Main)
Information technology -- Service management

This document provides guidance on the integrated implementation of a service management system (SMS) as specified in ISO/IEC 20000-1 with a quality management system (QMS) as specified in ISO 9001 and an information security management system (ISMS) as specified in ISO/IEC 27001. It is aimed at those organizations that are intending to either: a) implement ISO 9001 when ISO/IEC 20000-1 is already implemented, or vice versa; b) implement ISO/IEC 27001 when ISO/IEC 20000-1 is already implemented, or vice versa; c) implement both ISO 9001 and ISO/IEC 20000-1 together, or implement both ISO/IEC 27001 and ISO/IEC 20000-1 together; d) implement ISO/IEC 20000-1, ISO 9001 and ISO/IEC 27001 together; or e) integrate existing management systems based on ISO/IEC 20000-1, ISO 9001 and ISO/IEC 27001. In practice, an SMS, QMS or ISMS can also be integrated with other management system standards (MSS), such as ISO 22301 or ISO 55001. Clause 4 provides an introduction to ISO/IEC 20000-1, the HLS of MSS specified in ISO/IEC Directives Part 1 and considerations for the integration of an MSS. Clause 5 provides an introduction to ISO 9001, commonalities and differences with ISO/IEC 20000-1 and considerations for the integration of an SMS with a QMS. Clause 6 provides an introduction to ISO/IEC 27001, commonalities and differences with ISO/IEC 20000-1 and considerations for the integration of an SMS with an ISMS. Clause 7 looks at considerations for the integration of an SMS, a QMS, and an ISMS. This document also provides correlation information for the terms and definitions of ISO/IEC 20000-1 with ISO 9001 and ISO/IEC 27001 in Annex A. Correlation of the clauses of ISO/IEC 20000-1 with ISO 9001 is shown in Annex B. Correlation of the clauses of ISO/IEC 20000-1 with ISO/IEC 27001 is shown in Annex C.

  • Technical report
    57 pages
    English language
    sale 15% off
ISO
ISO/IEC 20000-10:2018(Main)
Information technology -- Service management

This document describes the core concepts of ISO/IEC 20000 (all parts), identifying how the different parts support ISO/IEC 20000‑1:2018 as well as the relationships between ISO/IEC 20000-1 and other International Standards and Technical Reports. This document also includes the terminology used in all parts of ISO/IEC 20000, so that organizations and individuals can interpret the concepts correctly. This document can be used by: a) organizations seeking to understand the terms and definitions to support the use of ISO/IEC 20000 (all parts); b) organizations looking for guidance on how to use the different parts of ISO/IEC 20000 to achieve their goal; c) organizations that wish to understand how ISO/IEC 20000 (all parts) can be used in combination with other International Standards; d) practitioners, auditors and other parties who wish to gain an understanding of ISO/IEC 20000 (all parts).

  • Standard
    28 pages
    English language
    sale 15% off
  • Standard
    29 pages
    French language
    sale 15% off