ISO 9001:2008 specifies requirements for a quality management system where an organization
- needs to demonstrate its ability to consistently provide product that meets customer and applicable statutory and regulatory requirements, and
- aims to enhance customer satisfaction through the effective application of the system, including processes for continual improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.
All requirements of ISO 9001:2008 are generic and are intended to be applicable to all organizations, regardless of type, size and product provided.
Where any requirement(s) of ISO 9001:2008 cannot be applied due to the nature of an organization and its product, this can be considered for exclusion.
Where exclusions are made, claims of conformity to ISO 9001:2008 are not acceptable unless these exclusions are limited to requirements within Clause 7, and such exclusions do not affect the organization's ability, or responsibility, to provide product that meets customer and applicable statutory and regulatory requirements.
ISO/IEC 20000-1:2005 defines the requirements for a service provider to deliver managed services. It is based on BS 15000-1, which has been superseded. It may be used
- by businesses that are going out to tender for their services;
- to provide a consistent approach by all service providers in a supply chain;
- to benchmark IT service management;
- as the basis for an independent assessment;
- to demonstrate the ability to meet customer requirements;
- to improve services.
ISO/IEC 20000-2:2005 represents an industry consensus on guidance to auditors and offers assistance to service providers planning service improvements or to be audited against ISO/IEC 20000-1. ISO/IEC 20000-2:2005 is based on BS 15000-2, which has been superseded.
Organizations require increasingly advanced facilities (at minimum cost) to meet their business needs. With the increasing dependencies in support services and the diverse range of technologies available, service providers can struggle to maintain high levels of customer service. Working reactively, they spend too little time planning, training, reviewing, investigating, and working with customers. The result is a failure to adopt structured, proactive working practices. Those same service providers are being asked for improved quality, lower costs, greater flexibility, and faster response to customers.
ISO/IEC 24762:2008 provides guidelines on the provision of information and communications technology disaster recovery (ICT DR) services as part of business continuity management, applicable to both "in-house" and "outsourced" ICT DR service providers of physical facilities and services.
ISO/IEC 24762:2008 specifies:
- the requirements for implementing, operating, monitoring and maintaining ICT DR services and facilities;
- the capabilities which outsourced ICT DR service providers should possess and the practices they should follow, so as to provide basic secure operating environments and facilitate organizations' recovery efforts;
- the guidance for selection of recovery site; and
- the guidance for ICT DR service providers to continuously improve their ICT DR services.
ISO/IEC 27000:2009 ~ ISO/IEC 27001:2005
ISO/IEC 27000:2009 provides an overview of information security management systems, which form the subject of the information security management system (ISMS) family of standards, and defines related terms. As a result of implementing ISO/IEC 27000:2009, all types of organization (e.g. commercial enterprises, government agencies and non-profit organizations) are expected to obtain:
- an overview of the ISMS family of standards;
- an introduction to information security management systems (ISMS);
- a brief description of the Plan-Do-Check-Act (PDCA) process; and
- an understanding of terms and definitions in use throughout the ISMS family of standards.
The objectives of ISO/IEC 27000:2009 are to provide terms and definitions, and an introduction to the ISMS family of standards that:
- define requirements for an ISMS and for those certifying such systems;
- provide direct support, detailed guidance and/or interpretation for the overall Plan-Do-Check-Act (PDCA) processes and requirements;
- address sector-specific guidelines for ISMS; and
- address conformity assessment for ISMS.
ISO/IEC 27001:2005 covers all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit organizations). ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.
ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.