With an increasing number of organisations embracing standards across ITSM and security management, how can we adopt an integrated approach to implementation? Lynda Cooper offers some guidance.
Firstly, some brief definitions. ISO/IEC 20000-1 is a standard which focuses on the delivery of services to meet service requirements using a service management system (SMS). ISO 9001 is a standard which focuses on the quality of products and services to meet customer requirements using a quality management system (QMS). ISO/IEC 27001 is a standard which focuses on the security of information using an information security management system (ISMS).
What all of these standards have in common is a management system. Management systems share many common features which enable them to be integrated together. Some of these features include:
- The use of a common high-level structure with common terms and requirements supplemented by discipline specific terms and requirements
- Top management commitment including the setting of policies and objectives relevant to the standard
- Requirements for context of the organization, leadership, planning, support, operation performance evaluation and continual improvement.
In ISO/IEC 20000-1, an SMS is defined as a: ‘Management system to direct and control the service management activities of the organisation.’ This can include policies, objectives, plans, processes, documented information and resources required for the planning, design, transition, delivery and improvement of services to meet business requirements.
ISO/IEC 20000-1 is a management system standard and not a product or service standard. The SMS, including the service management processes, is the subject of the audit. By ensuring that the SMS meets the requirements of the standard, the services should be of a high quality. An organisation that wishes to be certified must therefore implement a suitable high-quality set of integrated processes to deliver managed services.
The relationship between ISO/IEC 20000, ISO 9001 and ISO/IEC 27001
Many organisations use ISO/IEC 20000-1, ISO 9001 and ISO/IEC 27001 together, and one of the great challenges is integrating the function and effect of the three standards. ISO/IEC 20000 part 7 provides some much-needed guidance in this area.
ISO 9001 Quality Management
There is often a discussion about why ISO/IEC 20000-1 is needed if an organisation is certified to ISO 9001 since it covers quality management for both products and services. Although there are some cross-over points in both standards, ISO 9001 does not cover service management, its service life cycle and the relevant requirements and processes. ISO 9001 is instead very generic for any type of products or services with a focus on quality.
Many organisations achieve certification to both ISO 9001 and ISO/IEC 20000-1 and it is possible to develop an integrated management system for both standards. ISO/IEC 20000-1 can use relevant processes and techniques from ISO 9001 where a QMS already exists (e.g. internal audit, documentation management and resource management). Not all of the ISO 9001 requirements are relevant to ISO/IEC 20000-1 and equally, not all ISO/IC 20000-1 requirements are relevant to ISO 9001.
ISO/IEC 27001 Information Security Management
Many organisations achieve certification to both ISO/IEC 27001 and ISO/IEC 20000-1, and again it is possible to develop an integrated management system for both standards. ISO/IEC 20000-1 can use relevant processes and techniques from ISO/IEC 27001 where an ISMS already exists (e.g. information security controls, approach to risk management for information security).
It is important to note that the information security process in ISO/IEC 20000-1 is a subset of ISO/IEC 27001. It also contains some requirements that are not in ISO/IEC 27001. Organisations that are certified to ISO/IEC 27001 with a scope that includes service management cannot assume that they meet all of the requirements of the information security management process in ISO/IEC 20000-1.
ISO/IEC 27013 covers the integration of ISO/IEC 27001 and ISO/IEC 20000-1 from an ISO/IEC 27001 perspective.
Alignment and differences between the ISO/IEC 27001 information security management process and ISO/IEC 27001
There are some key similarities and differences between the requirements of the information security management process in ISO/IEC 20000-1 and ISO/IEC 27001 that are explained below.
The definition of information security and information security incident are the same in both ISO/IEC 27001 and ISO/IEC 20000-1.
Information security controls
In ISO/IEC 20000-1, there is a need for information security controls to be implemented to support the information security policy and any identified information security risks. There is no requirement to use ISO/IEC 27001 or for a statement of applicability, but if this has been produced for ISO/IEC 27001, it can be used to support the requirements in ISO/IEC 20000-1.
ISO/IEC 20000-1 has specific requirements to protect the organisation’s information and services when they are accessed by external organisations. This is not a specific requirement in ISO/IEC 27001, but can be mapped to some of the controls in ISO/IEC 27001, Annex A.
Information security incidents
In ISO/IEC 20000-1, an information security incident is specifically about something that threatens information security whereas other incidents in ISO/IEC 20000-1 have no specific reference to information security. An information security incident in ISO/IEC 20000-1 might first be reported as an incident. ISO/IEC 20000-1 requires that information security incidents are recorded, classified, prioritised taking into consideration the information security risk, escalated if needed, resolved and closed. There are also further requirements to analyse information security incidents by type, volume and impact, report and review them to identify opportunities for improvement. The ISO/IEC 27001 requirements are less specific about handling the incident than ISO/IEC 20000-1.
Additional requirements in ISO/IEC 20000-1 for handling requests for change
ISO/IEC 20000-1 has specific requirements to ensure that requests for change are assessed to look at their potential impact on information security.
Next steps
This is just a starting point for considering some of the areas of similarity and difference between the respective ISO standards. For more detailed information, it is recommended to consult the full standard documents which are all available through BSI or other suppliers.
This blog is based on an excerpt from the pocket guide ‘Planning and Achieving ISO/IEC 20000 Certification 2019 Edition’ by Lynda Cooper of Service 20000 Ltd, which can be downloaded from the resources section of the itSMF UK website.