CSA ISO/IEC/IEEE 16085:21
Systems and software engineering — Life cycle processes — Risk management (Adopted ISO/IEC/IEEE 16085:2021, first edition, 2021-01)
Standards development within the Information Technology sector is harmonized with international standards development. Through the CSA Technical Committee on Information Technology (TCIT), Canadians serve as the SCC Mirror Committee (SMC) on ISO/IEC Joint Technical Committee 1 on Information Technology (ISO/IEC JTC1) for the Standards Council of Canada (SCC), the ISO member body for Canada and sponsor of the Canadian National Committee of the IEC.
Also, as a member of the International Telecommunication Union (ITU), Canada participates in the International Telegraph and Telephone Consultative Committee (ITU-T).
For brevity, this Standard will be referred to as CSA ISO/IEC/IEEE 16085 throughout.
At the time of publication, ISO/IEC/IEEE 16085:2021 is available from ISO and IEC in English only. This Standard replaces CAN/CSA-ISO/IEC 16085-07. CSA Group will publish the French version when it becomes available from ISO and IEC.
This Standard has been formally approved, without modification, by the Technical Committee and has been developed in compliance with Standards Council of Canada requirements for National Standards of Canada. It has been published as a National Standard of Canada by CSA Group.
- provides risk management elaborations for the processes described in ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207,
- provides the users of ISO/IEC/IEEE 15288, ISO/IEC/IEEE 12207 and their associated elaboration standards with common terminology and specialized guidance for performing risk management within the context of systems and software engineering projects,
- specifies the required information items that are to be produced through the implementation of risk management process for claiming conformance, and
- specifies the required contents of the information items.
This document provides a universally applicable standard for practitioners responsible for managing risks associated with systems and software over their life cycle. This document is suitable for the management of all risks encountered in any organization or project appropriate to the systems or software projects regardless of context, type of industry, technologies utilized, or organizational structures involved.
This document does not provide detailed information about risk management practices, techniques, or tools which are widely available in other publications. Instead this document focuses on providing a comprehensive reference for integrating the large and wide variety of processes, practices, techniques, and tools encountered in systems and software engineering projects and other lifecycle activities into a unified approach for risk management, with the purpose of providing effective and efficient risk management while meeting the expectations and requirements of organization and project stakeholders.
This document provides information on how to design, develop, implement, and continually improve risk management in a systems and software engineering project throughout its life cycle.
1.3 Field of application
This document is compatible with risk management as described in ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207 and can also be applied in conjunction with ISO 31000. Depending on the scope and context of the systems or software engineering project of interest, there are a number of additional International Standards that can be applicable to the risk management effort including ISO 9001. This document is intended to provide additional information useful in implementing a system for integrated risk management for systems and software engineering projects. 5.2 discusses in more detail how this document can be applied with other standards.
This document is applicable to:
- project teams which use ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207 on projects dealing with man-made systems, software-intensive systems, software and hardware products, and services related to those systems and products, regardless of organization or project scope, product(s), methodology, size, or complexity;
- project teams performing risk management activities to aid in ensuring that their application of risk management conforms to ISO/IEC/IEEE 15288 and/or ISO/IEC/IEEE 12207;
- project teams using ISO/IEC/IEEE 15289 on projects dealing with human-made systems, software-intensive systems, software and hardware products, and services related to those systems and products, regardless of organization or project scope, product(s), methodology, size, or complexity; and
- project teams generating information items developed during the application of risk management processes to conform to ISO/IEC/IEEE 15289.
This document can be applied in conjunction with ISO 31000 and IEC 31010 to augment risk management performed within the context of ISO/IEC/IEEE 15288 and/or ISO/IEC/IEEE 12207.