With the increasing frequency and sophistication of cyber threats, safeguarding sensitive data is vital for information security. The UK Government estimates that the average cost of a data breach within the UK has increased by 8.1%, resulting in a total cost of £4.56 million. By proactively managing and securing data, you are not just protecting assets but driving innovation and trust in an increasingly connected world.
IT leaders face complex challenges, from heightened cybersecurity risks and responsible AI integration to managing economic pressures that impact budgets. Rapid technological changes demand continuous modernisation and reduction of technical debt, while innovation must drive tangible business transformations. Regulatory compliance remains critical as data protection laws evolve.
Now, more than ever, organisations must safeguard assets, mitigate risks, and build trust. BSI offers businesses the opportunity to achieve this through compliance with information security standards. The first internationally recognised IT service management system standard, ISO 20000-1, is a widely implemented and trusted core product. It lays the groundwork for establishing effective processes and controls to deliver high-quality IT services. It emphasises the importance of meeting customer requirements, fostering business relationships and aligning IT service strategy with business objectives. By combining ISO 20000-1 with a complementary standard, you can take your security enhancement to the next level.
Your organisation can create a robust framework by implementing ISO 27001 alongside ISO 20000-1, delivering efficient IT services, safeguarding the confidentiality and integrity of sensitive data, and providing good governance around cybersecurity and privacy protection. The relationship between ISO management systems has never been so well aligned. Both terminology and clause requirements are harmonised to allow organisations to implement integrated management systems more efficiently and effectively.
The need for ISO/IEC 27001
Examining the standard more closely, ISO 27001 provides a systematic approach to managing sensitive company information, ensuring its confidentiality and integrity and supporting better stakeholder management.
ISO 27001 builds upon the foundation laid by ISO 20000-1, integrating information security seamlessly into existing IT service management practices. Since 2020, the number of global ISO 27001 certificates has risen by 24.7% in line with the rise of cyber-crime, which now impacts around one third of all businesses in the UK each year (source: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2023/cyber-security-breaches-survey-2023).
Most organisations would welcome the following benefits of integrating their SMS (Service Management System) with an ISMS (Information Security Management System):
- Achieving certification for both ISO 20000-1 and ISO 27001 demonstrates an organisation’s commitment to excellence in IT service management and information security, boosting confidence and professional credibility.
- Aligning governance (policies, procedures, and controls) and combining communication channels increases efficiencies and reduces costs and effort.
- ISO 27001 bolsters risk assessment and management. By conducting risk assessments alongside ISO 20000-1 processes, organisations can identify potential threats to IT services and information security. This comprehensive approach enables you to prioritise risks effectively and allocate resources where they are most needed.
- By integrating incident response mechanisms with ISO 20000-1’s continual improvement process, companies can learn from security incidents and enhance both their IT services and information security posture over time.
Complementing ISO 27001 with ISO/IEC 20000-1
While both standards address distinct aspects of organisational governance and risk, ISO 27001 offers a natural progression from ISO 20000-1. Implementing both together will help companies fortify their security posture while ensuring service management remains well served.
To support a seamless transition and integration with other ISO management systems, both ISO 20000-1 and ISO 27001 follow the harmonised HLS (High Level Structure) with regard to their compliance requirements. Clause headings and content terminology are aligned. Like ISO 20000-1, ISO/IEC 27001 can be used by any type and size of organisation.
ISO 20000-1 focuses on delivering quality IT services, while ISO 27001 addresses the critical aspects of information security, cybersecurity, and privacy protection. By integrating these two standards, organisations can create a unified approach to managing IT services and safeguarding sensitive data, ultimately enhancing trust, credibility, and resilience in today’s digital landscape.
Getting started
To ensure your organisation sets off correctly on its integrated management system journey, seeking to drive innovation and trust in this increasingly connected world, you must consider the following:
- The scope of the management system(s), defining the physical and logical boundaries of what the organisation seeks to certify.
- Who needs to be involved. Consideration must be given to stakeholders, other interested parties, logical, physical, and information assets, business operations, processes, and organisational support functions.
- Which elements of each management system can be integrated, and which elements are to remain separate.
Training
Employee awareness and training play a crucial role in the success of both standard implementations. By providing comprehensive training programmes covering IT service management and information security best practices, organisations can ensure that employees understand their roles and responsibilities in maintaining the confidentiality and integrity of data while delivering IT services effectively.
To support the step from ISO 20000 to 27001, further reading is available in more depth and detail within ISO 27013:2021, entitled “Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1”.
BSI is proud to partner with organisations like itSMF UK to drive change and accelerate progress towards a fair society and a sustainable world where everyone can thrive.
Resources
- Embrace the option to integrate other service-supporting management systems and certifications such as Privacy (ISO 27701) and Business Continuity (ISO 22301).
- Consultancy support, training and further publications are available by contacting BSI here.
- For a free Taster Session from the BSI Training Academy in our ISO Awareness 27001 course, click here and use code ‘LEARNWITHBSI’.
- ISO20000-14: a standard for SIAM. View the recent itSMF UK session here.