ISO 19600

ISO 19600:2014, Compliance management systems – Guidelines, is a compliance management standard published by the International Organization for Standardization (ISO) in December 2014.

The standard was developed by ISO Project Committee ISO/PC 271, chaired by Martin Tolar. Technical committee ISO/TC 309 (Governance of organizations) has since been created, and the maintenance and future development of ISO 19600 will be undertaken by members of that committee.

Origins

Standards Australia proposed a new ISO standard based on the existing Australian standard AS 3806, Compliance programs, which was issued in 1998 and updated in 2006. AS 3806 is widely used in the Australian financial industry, being endorsed by the Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investments Commission (ASIC). The published ISO 19600:2014 is similar to AS 3806:2006 and will replace it.[1]

The draft stage of ISO 19600 was completed in April 2014;[2] the final version was published on 5 December 2014.

Main requirements of the standard

ISO 19600:2014 adopts the ISO High Level Structure (HLS) defined in Annex SL, so its ten clauses follow the common management-system layout:

  • 1 Scope
  • 2 Normative references
  • 3 Terms and definitions
  • 4 Context of the organization
  • 5 Leadership
  • 6 Planning
  • 7 Support
  • 8 Operation
  • 9 Performance evaluation
  • 10 Improvement

Structure of the standard

ISO 19600 helps organizations establish, develop, evaluate and maintain a compliance management system. It brings together separate approaches to compliance management and risk management, and its processes align closely with ISO 31000, the ISO risk management standard.[3]

Many existing compliance standards focus on one specific regulatory requirement or topic area; ISO 19600 aims to unify these so that organizations can work within a single framework rather than several different ones, each focused on a different standard. Unlike IDW PS 980, the German auditing standard for compliance management systems, ISO 19600 does not mandate any specific auditing requirements;[4] it is a guidance standard whose clauses are recommendations ("should") rather than auditable requirements ("shall"), so it is not a certification standard. ISO 19600 is "based on the principles of good governance, proportionality, transparency and sustainability".[5]

Like other ISO management system standards, it emphasises the Plan-Do-Check-Act (PDCA) cycle.

References

  1. ^ Tattam, David (2015). "Compliance Risk Management". Protecht Risk Management Insights. Retrieved 27 March 2015.
  2. ^ "Austria: ISO 19600: compliance management systems — guidelines". TheLawyer.com. Retrieved 3 May 2015.
  3. ^ Hortensius, Dick. "What Is The General Idea Behind The Proposed ISO 19600?". Ethic Intelligence. Retrieved 3 May 2015.
  4. ^ "ISO 19600: Your questions, our answers". digital spirit. 2015. Retrieved 3 May 2015.
  5. ^ "ISO 19600:2014: Compliance management systems -- Guidelines". ISO. Retrieved 3 May 2015.

External links

  • ISO 19600 – Compliance management systems – Guidelines
  • ISO/TC 309 – Governance of organizations

Annex SL

Annex SL is a section of the ISO/IEC Directives, Part 1, that prescribes how ISO management system standards (MSS) should be written. Its aim is to enhance the consistency and alignment of MSS by providing a unifying, agreed high-level structure, identical core text, and common terms and core definitions, so that all ISO Type A MSS (and Type B where appropriate) are aligned and their compatibility is enhanced.

Before 2012, the various management system standards were written in different ways. Several attempts had been made since the late 1990s to harmonize how they are written, but the first group to reach agreement was the Joint Technical Coordination Group (JTCG), set up by the ISO Technical Management Board (TMB).

Various technical committees within ISO are revising all MSS published before Annex SL was adopted. Many standards already follow Annex SL, such as ISO/IEC 27001, ISO 9001 and ISO 14001.

Governance, risk management, and compliance

Governance, risk management and compliance (GRC) is the umbrella term for an organization's integrated approach across those three areas. The first scholarly research on GRC was published in 2007 and formally defined GRC as "the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity." The research referred to the common "keep the company on track" activities conducted in departments such as internal audit, compliance, risk, legal, finance, IT and HR, as well as in the lines of business, the executive suite and the board itself.

ISO 31000

ISO 31000 is a family of risk management standards codified by the International Organization for Standardization. The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management. ISO 31000 seeks to provide a universally recognised paradigm for practitioners and companies employing risk management processes, replacing the myriad existing standards, methodologies and paradigms that differed between industries, subject matters and regions.

The ISO 31000 family comprises:

  • ISO 31000:2009 – Risk management – Principles and guidelines
  • ISO/IEC 31010:2009 – Risk management – Risk assessment techniques
  • ISO Guide 73:2009 – Risk management – Vocabulary

ISO also designed its ISO 21500, Guidance on project management, to align with ISO 31000:2009.

List of International Organization for Standardization standards, 18000-19999

This is a list of published International Organization for Standardization (ISO) standards and other deliverables in the range 18000–19999, which includes ISO 19600. For a complete and up-to-date list of all ISO standards, see the ISO catalogue. The standards are protected by copyright and most must be purchased; however, about 300 of the standards produced by ISO and IEC's Joint Technical Committee 1 (JTC 1) have been made freely and publicly available.

Regulatory compliance

In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organizations aspire to in their efforts to be aware of, and take steps to comply with, the laws, policies and regulations relevant to them. Because of the growing number of regulations and the need for operational transparency, organizations increasingly adopt consolidated and harmonized sets of compliance controls, so that all governance requirements can be met once without unnecessary duplication of effort across teams.

Regulations and accrediting organizations vary among fields, with examples such as PCI DSS (a contractual industry standard rather than a law) and GLBA in the financial industry, FISMA for U.S. federal agencies, HACCP for the food and beverage industry, and the Joint Commission and HIPAA in healthcare. In some cases other compliance frameworks (such as COBIT) or standards (such as the NIST publications; FISMA compliance, for example, is assessed against the NIST SP 800-53 control catalogue) inform how to comply with regulations.

Some organizations keep compliance data (all data belonging or pertaining to the enterprise, or named in the law, that can be used to implement or validate compliance) in a separate store for meeting reporting requirements. This store may include calculations, data transfers and audit trails; because the audit trails are themselves the evidence, the store needs the same integrity protection and access control as the systems it reports on. Compliance software is increasingly being implemented to help companies manage this data more efficiently.


This page is based on a Wikipedia article.
Text is available under the CC BY-SA 3.0 license; additional terms may apply.