ISO 19600

Last updated

ISO 19600, Compliance management systems - Guidelines, is a compliance standard introduced by the International Organization for Standardization (ISO) in April 2014. As its title suggests, it operates as an advisory standard and is not used for accreditation or certification.

Contents

This standard was developed by ISO Project Committee ISO/PC 271, which was chaired by Martin Tolar. In recent times technical committee ISO/TC 309 has been created and the maintenance and future development of ISO 19600 will be undertaken by members of this committee.

Currently, ISO/TC 309 is in the process of developing ISO/DIS 37301 , which is expected to replace ISO 19600. The main difference between these two standards is that, when published, ISO 37301 will establish requirements for the implementation of a compliance management system, as opposed to USO 19600 which only provides recommendations. This means that in the future, organizations can have their compliance management system (CMS) verified through an independent third party

Origins

Standards Australia proposed a new ISO standard, based on the existing Australian standard " AS 3806 - Compliance Programs", which was issued in 1998 and updated in 2006. The handbook to accompany AS 3806 was developed by a working group of the Australasian Compliance Institute members. This standard is more widely used in the financial industry, being endorsed by Australian Prudential Regulation Authority and the Australian Securities & Investments Commission. The published version of ISO 19600:2014 is similar to AS 3806:2006 standard, and will replace it.

The draft stage of ISO 19600 was completed in April 2014; [1] the final version was published on 5 December 2014.

Main requirements of the standard

The ISO 19600:2014 adopts the "ISO High Level Structure (HSL)" in 10 main clauses in the following breakdown :

Structure of the standard

ISO 19600 helps organizations establish, develop, evaluate, and maintain a compliance management system. It brings together separate standards of compliance management and risk management, and its processes align very closely with ISO 31000, another risk management standard. [2]

Many existing compliance standards focus on one specific regulatory requirement or topic area; ISO 19600 aims to unify these, so organizations can work within a single framework rather than several different ones focussing on different standards. Unlike PS 980, ISO does not mandate any specific auditing requirements. [3] ISO 19600 is "based on the principles of good governance, proportionality, transparency and sustainability". [4]

Like other related ISO standards, it emphasises the use of a Plan, Do, Check, Act (PDCA) cycle.

History

YearDescription
2014ISO 19600 (1st Edition)

See also

Related Research Articles

The ISO 9000 family is a set of five quality management systems (QMS) standards by the International Organization for Standardization (ISO) that help organizations ensure they meet customer and other stakeholder needs within statutory and regulatory requirements related to a product or service. ISO 9000 deals with the fundamentals and vocabulary of QMS, including the seven quality management principles that underlie the family of standards. ISO 9001 deals with the requirements that organizations wishing to meet the standard must fulfill. ISO/TS 9002 offers guidelines for the application of ISO 9001. ISO 9004 gives guidance on achieving sustained organizational success.

The ISO 14000 family of standards by the International Organization for Standardization (ISO) relate to environmental management that exists to help organizations (a) minimize how their operations negatively affect the environment ; (b) comply with applicable laws, regulations, and other environmentally oriented requirements; and (c) continually improve in the above.

Information technology (IT)governance is a subset discipline of corporate governance, focused on information technology (IT) and its performance and risk management. The interest in IT governance is due to the ongoing need within organizations to focus value creation efforts on an organization's strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders. It has evolved from The Principles of Scientific Management, Total Quality Management and ISO 9001 Quality Management System.

In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Compliance has traditionally been explained by reference to deterrence theory, according to which punishing a behavior will decrease the violations both by the wrongdoer and by others. This view has been supported by economic theory, which has framed punishment in terms of costs and has explained compliance in terms of a cost-benefit equilibrium. However, psychological research on motivation provides an alternative view: granting rewards or imposing fines for a certain behavior is a form of extrinsic motivation that weakens intrinsic motivation and ultimately undermines compliance.

COBIT is a framework created by ISACA for information technology (IT) management and IT governance.

Information security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

ISO 13485Medical devices -- Quality management systems -- Requirements for regulatory purposes is a voluntary standard, published by International Organization for Standardization (ISO) for the first time in 1996, and contains a comprehensive quality management system for the design and manufacture of medical devices. The latest version of this standard supersedes earlier documents such as EN 46001 and EN 46002 (1996), the previously published ISO 13485, and ISO 13488.

Governance, risk management and compliance (GRC) is the term covering an organization's approach across these three practices: governance, risk management, and compliance.

An environmental audit is a type of evaluation intended to identify environmental compliance and management system implementation gaps, along with related corrective actions. In this way they perform an analogous (similar) function to financial audits. There are generally two different types of environmental audits: compliance audits and management systems audits. Compliance audits tend to be the primary type in the US or within US-based multinationals.

The ISO/IEC 27000 family comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

ISO 55000 is an international standard covering management of assets of any kind. Before it, a Publicly Available Specification was published by the British Standards Institution in 2004 for physical assets. The ISO 55000 series of Asset Management standards was launched in January 2014.

ISO 31000 is a family of international standards relating to risk management codified by the International Organization for Standardization. The standard is intended to provide a consistent vocabulary and methodology for assessing and managing risk, resolving the historic ambiguities and differences in the ways risk are described.

ISO 28000:2022, Security and resilience – Security management systems – Requirements, is a management system standard published by International Organization for Standardization (ISO) that specifies requirements for a security management system including aspects relevant to the supply chain.

ISO 10007 "Quality management — Guidelines for configuration management" is the ISO standard that gives guidance on the use of configuration management within an organization. "It is applicable to the support of products from concept to disposal." The standard was originally published in 1995, and was updated in 2003 and 2017. Its guidance is specifically recommended for meeting "the product identification and traceability requirements" introduced in ISO 9001:2015 and AS9100 Rev D.

ISO/TC 176 is Technical Committee 176 of the International Organization for Standardization (ISO), responsible for Quality management and quality assurance - the ISO 9000 family of standards.

ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC JTC 1/SC 27 develops International Standards, Technical Reports, and Technical Specifications within the field of information security. Standardization activity by this subcommittee includes general methods, management system requirements, techniques and guidelines to address information security, cybersecurity and privacy. Drafts of International Standards by ISO/IEC JTC 1 or any of its subcommittees are sent out to participating national standardization bodies for ballot, comments and contributions. Publication as an ISO/IEC International Standard requires approval by a minimum of 75% of the national bodies casting a vote. The international secretariat of ISO/IEC JTC 1/SC 27 is the Deutsches Institut für Normung (DIN) located in Germany.

<span class="mw-page-title-main">ISO/TC 292</span>

ISO/TC 292 Security and resilience is a technical committee of the International Organization for Standardization formed in 2015 to develop standards in the area of security and resilience.

The Annex SL is a section of the ISO/IEC Directives part 1 that prescribes how ISO Management System Standard (MSS) standards should be written. The aim of Annex SL is to enhance the consistency and alignment of MSS by providing a unifying and agreed-upon high level structure, identical core text and common terms and core definitions. The aim being that all ISO Type A MSS are aligned and the compatibility of these standards is enhanced.

ISO 37001Anti-bribery management systems - Requirements with guidance for use, is a management system standard published by International Organization for Standardization (ISO) in 2016. As the title suggests, this standard sets out the requirements for the establishment, implementation, operation, maintenance, and continual improvement of an anti-bribery management system (ABMS). It also provides guidance on the actions and approaches organizations can take to adhere to the requirements of this standard.

ISO 22301:2019, Security and resilience – Business continuity management systems – Requirements, is a management system standard published by International Organization for Standardization that specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise. It is intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization.

References

  1. "Austria: ISO 19600: compliance management systems — guidelines". TheLawyer.com. Retrieved 3 May 2015.
  2. Hortensius, Dick. "What Is The General Idea Behind The Proposed ISO 19600?". Ethic Intelligence. Archived from the original on 24 October 2016. Retrieved 3 May 2015.
  3. "ISO 19600: Your questions, our answers". digital spirit. 2015. Archived from the original on 13 January 2017. Retrieved 3 May 2015.
  4. "ISO 19600:2014: Compliance management systems -- Guidelines". ISO. 19 December 2014. Retrieved 3 May 2015.