ISO/IEC 27013 – Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
4.2 ISO/IEC 27001 concepts

ISO/IEC 27001 provides a model for establishing, implementing, maintaining and continually improving an information security management system (ISMS) to protect information. Information can take any form, be stored in any way and be used for any purpose by, or within, the organization. To achieve conformity with the requirements specified in ISO/IEC 27001, an organization should implement an ISMS based on a risk assessment process. As part of a risk treatment process, the organization should select, implement, monitor and review a variety of measures to manage identified risks. These measures are known as information security controls. The organization should determine acceptable levels of risk, taking into account the requirements of interested parties relevant to information security. Examples of requirements are business requirements, legal and regulatory requirements or contractual obligations. ISO/IEC 27001 can be used by any type and size of organization. Excluding any of the requirements specified in ISO/IEC 27001:2013, Clauses 4 to 10, is not acceptable when an organization claims conformity to ISO/IEC 27001.
4.3 ISO/IEC 20000-1 concepts

ISO/IEC 20000-1 specifies requirements for establishing, implementing, maintaining and continually improving a service management system (SMS). An SMS supports the management of the service lifecycle, including the planning, design, transition, delivery and improvement of services, which meet agreed requirements and deliver value for customers, users and the organization delivering the services. Some of the requirements specified in ISO/IEC 20000-1 are grouped into clauses indicating processes, such as incident management, change management and supplier management. Some requirements for information security management are specified in ISO/IEC 20000-1:2018, 8.7.3. All requirements specified in ISO/IEC 20000-1 are generic and are intended to be applicable to all organizations, regardless of the organization’s type or size, or the nature of the services delivered. ISO/IEC 20000-1 is intended for management of services using technology and digital information. Exclusion of any of the requirements in ISO/IEC 20000-1:2018, Clauses 4 to 10, is not acceptable when the organization claims conformity to ISO/IEC 20000-1, irrespective of the nature of the organization.
4.4 Similarities and differences

Service management and information security management are sometimes treated as if they are neither connected nor interdependent. The context for such separation is that service management can easily be related to efficiency, service quality, customer satisfaction and profitability, while information security management is often not understood to be fundamental to effective service delivery. As a result, service management is frequently implemented first.

There are some shared concepts between these two disciplines, as well as concepts that are unique to each. Information security management and service management clearly address very similar requirements and activities, even though the SMS and the ISMS each highlight different details. When working with ISO/IEC 27001 and ISO/IEC 20000-1, it should be understood that their characteristics differ in more than one aspect. It is possible that the scopes of an ISMS and an SMS can differ (see 5.2). They also have different intended outcomes. ISO/IEC 20000-1 is designed to ensure that the organization provides effective services, while ISO/IEC 27001 is designed to enable the organization to manage information security risk and recover from or prevent information security incidents.

See Annex A for details of the correspondence between ISO/IEC 27001:2013, Clauses 1 to 10, and ISO/IEC 20000-1:2018, Clauses 1 to 10. See Annex B for a comparison of topics between the controls in ISO/IEC 27001:2013, Annex A, and the requirements in ISO/IEC 20000-1:2018. See Annex C for a comparison of terms and definitions between ISO/IEC 27000 and ISO/IEC 20000-1.
5 Approaches for integrated implementation

5.1 General

An organization planning to implement both ISO/IEC 27001 and ISO/IEC 20000-1 can be in one of three states as follows:

— unofficial management arrangements exist which cover both information security management and service management but have not been formalized, documented or deliberately integrated into the organization’s other activities;