ISO 19600

ISO 19600, Compliance management systems - Guidelines, is a compliance standard introduced by the International Organization for Standardization (ISO) in April 2014. As its title suggests, it operates as an advisory standard and is not used for accreditation or certification.

This standard was developed by ISO Project Committee ISO/PC 271, which was chaired by Martin Tolar. In recent times technical committee ISO/TC 309 has been created and the maintenance and future development of ISO 19600 will be undertaken by members of this committee.

Currently, ISO/TC 309 is in the process of developing ISO/DIS 37301, which is expected to replace ISO 19600. The main difference between these two standards is that, when published, ISO 37301 will establish requirements for the implementation of a compliance management system, whereas ISO 19600 only provides recommendations. This means that in the future, organizations will be able to have their compliance management system (CMS) verified by an independent third party.

Origins

Standards Australia proposed a new ISO standard, based on the existing Australian standard "AS 3806 - Compliance Programs", which was issued in 1998 and updated in 2006. The handbook accompanying AS 3806 was developed by a working group of Australasian Compliance Institute members. AS 3806 is most widely used in the financial industry, being endorsed by the Australian Prudential Regulation Authority and the Australian Securities & Investments Commission. The published version of ISO 19600:2014 is similar to the AS 3806:2006 standard, and will replace it.

The draft stage of ISO 19600 was completed in April 2014; [1] the final version was published on 5 December 2014.

Main requirements of the standard

ISO 19600:2014 adopts the "ISO High Level Structure (HLS)" in 10 main clauses, in the following breakdown:

Structure of the standard

ISO 19600 helps organizations establish, develop, evaluate, and maintain a compliance management system. It brings together separate standards of compliance management and risk management, and its processes align very closely with ISO 31000, another risk management standard. [2]

Many existing compliance standards focus on one specific regulatory requirement or topic area; ISO 19600 aims to unify these, so organizations can work within a single framework rather than several different ones focussing on different standards. Unlike PS 980, ISO does not mandate any specific auditing requirements. [3] ISO 19600 is "based on the principles of good governance, proportionality, transparency and sustainability". [4]

Like other related ISO standards, it emphasises the use of a Plan, Do, Check, Act (PDCA) cycle.

History

Year   Description
2014   ISO 19600 (1st Edition)

References

  1. "Austria: ISO 19600: compliance management systems — guidelines". TheLawyer.com. Retrieved 3 May 2015.
  2. Hortensius, Dick. "What Is The General Idea Behind The Proposed ISO 19600?". Ethic Intelligence. Archived from the original on 24 October 2016. Retrieved 3 May 2015.
  3. "ISO 19600: Your questions, our answers". digital spirit. 2015. Retrieved 3 May 2015.
  4. "ISO 19600:2014: Compliance management systems -- Guidelines". ISO. 19 December 2014. Retrieved 3 May 2015.