The TickITplus scheme was designed to incorporate multiple standards covering systems and software engineering, IT service management and related IT disciplines. The core standard is ISO 9001 and, with the release of the latest BPL (V1.2.0), the scheme now covers ISO 9001:2015. The latest version also includes a number of additional ‘supplementary’ standards, namely ISO/IEC 20000-1:2011, ISO/IEC 27001:2013 and PAS 754:2014; note that ISO/IEC 27001:2005 has now been dropped.
The main component of TickITplus is the Base Process Library (BPL), which details 40 processes typically needed by organisations working in an IT-related field. For further information on the TickITplus components, see the TickITplus components page. In essence, the BPL forms a 'generic' model of an IT-related management system, written in a manner that would be familiar to practitioners implementing, managing and improving IT-related processes, and which, if appropriately implemented, would satisfy the requirements of the referenced standards. This is not to say that the BPL can simply be implemented in an organisation and the standards will thereby have been satisfied. The BPL is just a model, and as with all good models there needs to be appropriate interpretation to suit the needs of the business. This is done through the organisation’s management system, using the Process Reference Model (PRM) as the mechanism that maps the organisation's own processes back to the model.
While the aim was to provide a usable model from which effective management systems could be constructed and operated, there was also an aim to provide cost-effective certification to the core standard and one or more of the supplementary standards. Out of necessity, the words and terminology used in the BPL are fairly high-level, so there was always a risk that specific requirements within the referenced standards could be missed. Consequently, the BPL contains explicit references back to the individual clauses of the included standards, linking each process to the specific requirements that are intended to be fully addressed while implementing it. While all processes reference ISO 9001, they do not all reference the supplementary standards, as in many cases those standards do not address the particular intent of the process. For example, the processes covering software development, such as architectural design or development implementation, have clear references back to ISO 9001 but not to ISO/IEC 27001 or ISO/IEC 20000-1, as those standards do not specifically address software development activities. There are aspects within these standards that could arguably be traced into these processes, but fundamentally the standards are not aimed at the purpose of these processes.
Each process in the BPL is constructed from the same five components: a purpose statement, outcomes, base practices, work products and references to the standards.
In the extract above, taken from ORG.3 Corporate Management and Legal, all four standards have clauses referenced against the two base practices shown (BP.1 and BP.2), because those clauses would be satisfied by implementing the practices within the organisation's management system. In the following extract, taken from TEC.6 Transition and Release, only ISO 9001 and ISO/IEC 20000-1 are referenced, as ISO/IEC 27001 does not explicitly address the transition and release of products or services.
In some cases a standard has specific requirements that are not mandated by ISO 9001, and these are typically dealt with by adding outcomes to the relevant processes. The reasoning is this: given a good generic standard such as ISO 9001, and defined processes that implement that standard in a particular sector (here, IT), anything additional required by another standard must, by definition, produce an additional outcome from the basic processes. If the additional requirement does not produce an additional outcome, then either it achieves nothing beyond the basic process or the basic process is incomplete; neither has been the case so far. It is worth remembering that before these 'relatively' new standards (ISO/IEC 20000-1 and ISO/IEC 27001) emerged, the practices they encourage were often managed under ISO 9001, albeit without the granularity that these standards bring to implementing a management system for service or security management.
In the example below, ISO/IEC 27001 requires the creation and maintenance of a Statement of Applicability (SOA), which is not specifically called for under ISO 9001. Arguably an SOA is a good thing to have in any event, since it provides confidence that the implemented security controls are adequate, even for an organisation whose only security need is to shut and lock the doors and windows in the evening. Having said that, it is rare that this would be a company's only security requirement in today’s cyber-risk environment. Nevertheless, a specific artefact called an SOA is not required by ISO 9001, even if an organisation chooses to create one.
Here, a new outcome (OU.2) has been added to ORG.12 Security Management to accommodate a couple of extra activities required by ISO/IEC 27001 that are not explicitly called for by ISO 9001, and in particular to ensure that artefacts required by that standard, such as the SOA, can be generated without obliging everyone using the BPL to generate and maintain them. This new outcome comes into play only when ISO/IEC 27001 is adopted and the associated referenced clauses are implemented to support the additional practices (BP.5 and BP.6).
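The tailoring and traceability mechanism described above lends itself to a small model check. The following Python is an added example, not TickITplus or BPL material: it models processes, outcomes and base practices with clause references, activates an outcome only when every standard it requires has been adopted, and reports which mandated clauses no active practice references (the "missed requirement" risk that the clause references exist to control). The process is loosely patterned on ORG.12 Security Management, but the practice texts, clause labels and the `REQUIRED` clause lists are constructed placeholders, not BPL or ISO content.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

ISO9001 = "ISO 9001"          # core standard: every process must reference it
ISO27001 = "ISO/IEC 27001"    # supplementary standard
ISO20000 = "ISO/IEC 20000-1"  # supplementary standard


@dataclass(frozen=True)
class Practice:
    """A base practice and the (standard, clause) pairs it is claimed to satisfy."""
    id: str
    text: str
    refs: Tuple[Tuple[str, str], ...]


@dataclass(frozen=True)
class Outcome:
    """An outcome; `requires` lists the supplementary standards that must be
    adopted before this outcome and its practices join the active model."""
    id: str
    text: str
    practices: Tuple[Practice, ...]
    requires: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Process:
    id: str
    purpose: str
    outcomes: Tuple[Outcome, ...]


def active_outcomes(process: Process, adopted: Set[str]) -> List[Outcome]:
    """Outcomes that apply once the given set of standards has been adopted."""
    return [o for o in process.outcomes if o.requires <= adopted]


def referenced_clauses(library: List[Process], adopted: Set[str]) -> Dict[str, Set[str]]:
    """Clauses of each adopted standard that some active practice references."""
    covered: Dict[str, Set[str]] = {std: set() for std in adopted}
    for proc in library:
        for outcome in active_outcomes(proc, adopted):
            for bp in outcome.practices:
                for std, clause in bp.refs:
                    if std in adopted:
                        covered[std].add(clause)
    return covered


def coverage_gaps(library: List[Process], adopted: Set[str],
                  required: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Mandated clauses of each adopted standard that no active practice references."""
    covered = referenced_clauses(library, adopted)
    return {std: sorted(required[std] - covered[std]) for std in adopted if std in required}


def model_errors(library: List[Process]) -> List[str]:
    """Structural checks on the model itself, independent of what is adopted."""
    errors = []
    for proc in library:
        stds = {std for o in proc.outcomes for bp in o.practices for std, _ in bp.refs}
        if ISO9001 not in stds:
            errors.append(f"{proc.id}: no reference to the core standard {ISO9001}")
        for outcome in proc.outcomes:
            for std in outcome.requires:
                if not any(s == std for bp in outcome.practices for s, _ in bp.refs):
                    errors.append(f"{proc.id}/{outcome.id}: requires {std} but references none of its clauses")
    return errors


# Constructed sample shaped like ORG.12 Security Management. Practice texts and
# clause labels are placeholders invented for this example, not BPL or ISO text.
ORG12 = Process(
    "ORG.12", "Manage the security of the organisation's assets and services",
    (
        Outcome("OU.1", "Security requirements are identified and controls operated", (
            Practice("BP.1", "Identify security requirements",
                     ((ISO9001, "9001/planning"), (ISO27001, "27001/context"))),
            Practice("BP.2", "Operate and monitor controls",
                     ((ISO9001, "9001/operation"), (ISO27001, "27001/operation"),
                      (ISO20000, "20000/security"))),
        )),
        # Active only once ISO/IEC 27001 is adopted: the SOA-related practices.
        Outcome("OU.2", "Applicable controls are declared and justified (SOA)", (
            Practice("BP.5", "Select controls and record the Statement of Applicability",
                     ((ISO27001, "27001/risk-treatment"),)),
            Practice("BP.6", "Maintain the SOA as risks and controls change",
                     ((ISO27001, "27001/risk-treatment"), (ISO27001, "27001/improvement"))),
        ), requires=frozenset({ISO27001})),
    ),
)
LIBRARY = [ORG12]

# Constructed: the clauses each standard is taken to mandate for this slice of the model.
REQUIRED = {
    ISO9001: {"9001/planning", "9001/operation"},
    ISO27001: {"27001/context", "27001/operation", "27001/risk-treatment",
               "27001/improvement", "27001/internal-audit"},
}

if __name__ == "__main__":
    for adopted in ({ISO9001}, {ISO9001, ISO27001}):
        print(sorted(adopted), "active:", [o.id for o in active_outcomes(ORG12, adopted)],
              "gaps:", coverage_gaps(LIBRARY, adopted, REQUIRED))
    print("model errors:", model_errors(LIBRARY))
```

With only ISO 9001 adopted, OU.2 and its practices are inert and the model reports no gaps; adopting ISO/IEC 27001 activates OU.2 and surfaces the one placeholder clause ("27001/internal-audit") that no practice in this slice references, which is exactly the kind of missed requirement an assessor would otherwise have to find by hand.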
Through the approach described above it is possible to have a multi-dimensional tailorable process model that can accommodate many different needs whilst still providing a good reference benchmark for process development and also for certification against multiple standards. The TickITplus design goal to encourage organisations to implement a single basic management system that satisfies their fundamental needs while allowing them to extend it into specific areas such as service and security has been achieved.
The BPL is a living document and currently work is ongoing to integrate and map further standards into the core set of 40 processes. Clearly, as ISO 9001 is the core standard referenced from all processes, the recent release of the new ISO 9001:2015 version will need to be reviewed and any identified gaps addressed. However, it is encouraging to note that many of the new requirements of ISO 9001:2015 have already been incorporated into the BPL process set. For example, the new standard places a much greater importance on top level management fully understanding the design inputs to the management system and this is in essence what was being required through the process ORG.3 Corporate Management and Legal and specifically the emphasis placed on the importance of the business planning activities with regard to the management system and not just from a financial point of view. ISO 9001:2015 also (finally) brings into the management system the concepts of risk management and again this was a process within the BPL that existed from the initial release along with the links back to its use by top management.
The latest version of the BPL now fully satisfies the requirements of ISO 9001:2015.
The requirements of PAS 754:2014 have also been incorporated into the latest version of the Base Process Library; for more information on PAS 754, see the PAS 754 page. PAS 754 is a British Standards Institution Publicly Available Specification (titled "Software trustworthiness - Governance and management - Specification") that for the first time documents the overall principles for effective software trustworthiness. It was launched by the Minister for Universities and Science in June 2014. It addresses technical, physical, cultural and behavioural measures, alongside effective leadership and governance techniques, to cover five key facets of trustworthiness: safety, reliability, availability, resilience and security.
Work is also fully underway on mapping the requirements of ISO 26262 (titled "Road vehicles - Functional safety") into the BPL, and again new outcomes will invariably be added to existing processes to accommodate specific requirements, such as those related to Automotive Safety Integrity Levels (ASILs).