Branimir Valentic Update 2022-05-03.
When I talk to my customers, we often talk about implementation of various ISO standards, and I often hear that ISO 20000 and ISO 27001 are strongly related, they have much in common and, if you have implemented one of them, the other one will be much easier. But, when we start discussing details, it’s a different story.
It’s true that these two standards do have a lot of things in common but, more accurately: they complement each other. On the other hand, they also have differences, so you can’t copy/paste a complete implementation. Let’s examine that in more detail.
The similarities between ISO 27001 and ISO 20000 include:
- Policy
- Definition of objectives
- Definition of roles and responsibilities
- Awareness
- Communication
- Control of documents and records
- Management of metrics
- Internal audit
- Management review
- Corrective/preventative actions, and continual improvement
Positive things first – similarities
Let’s start with ISO 27001 based ISMS (Information Security Management System). Although it seems that ISO 27001 is related to information only, the “story” is broader. Information is a broad term, that encompasses raw data, place and equipment where data is held. It also includes devices and software for processing, management, people and the organization involved. Additionally, it includes communication channels, suppliers and procurement, development and legislation. As you can see, if we say that ISO 27001 relates to the information, we, actually didn’t say nearly enough.
ISO 20000 is also a very similar SMS (Service Management System). It defines, implements, manages and improves IT service from its design through management and improvement after release in a live environment. That goes way beyond on what the service does and encompasses how the service is built, how it is used, and how it handles issues that occur. It also includes how you set up your organization, your handling of third parties, reporting and customer satisfaction/complaints/compliments, etc. Many of these elements can be found in ISO 27001, but they are seen from different point of view.
ISO 20000 is process-based. Although ISO 27001 is not explicitly process-based, if you check Annex A (list of controls to manage risks), there are many controls for which you need to define a process. ISO 20000 processes tackle the same topics as ISO 27001 controls. Let’s see few examples that your ISMS implementation may require within the scope of its risk assessment:
- Capacity – ISO 27001 requires that capacity to support required system performance should be provided. ISO 20000 is more detailed in capacity requirements, planning and monitoring.
- Configuration – Both standards have strong requirements related to the assets needed to support IT services, i.e., information processing. ISO 20000 goes deeper and sets more detailed requirements.
- Incident – Information security incidents are just one category of incidents in ISO 20000. If you have implemented incident management in ISO 20000 that will also be good enough for ISO 27001 implementation.
- Change – Both of the standards require change management to be implemented. ISO 20000 views change management as control of many activities, from planning and designing the IT service, up to control once the service is in a live environment.
- Supplier – Both standards see suppliers as one of the important elements of the management system. ISO 20000 requires more details to be controlled in relationship to the supplier and their sub-suppliers.
So, those who claim that, if you have one of the standards in place, you already have a significant part of the other one are, essentially, right.
Seen from the ISO 20000 point of view, the standard requires Information Security Management, IT Service Continuity and Availability processes to be implemented. Requirements for those two processes are very much in line with ISMS requirements defined by ISO 27001. So, if you have ISO 27001 in place, it will be a great help for ISO 20000 implementation. See the articles ITIL Incident Management and IT Service Continuity Management – waiting for the big one to learn more.
Similar management elements in ISO 27001 and ISO 20000
With both management systems using the PDCA model, ISO 27001 and ISO 20000 can be integrated to create a single management system – better known as an integrated management system.
The similarities of creating an integrated management system consist of:
- Policy
- Definition of objectives
- Definitions of roles and responsibilities
- Awareness
- Communication
- Control of documents and records
- Management of metrics
- Internal audit
- Management review
- Corrective/preventative actions and continual improvement
For the integration of ISO 27001 and ISO 20000, you need to develop a document that covers both the ISMS (information security management system) and SMS (service management system), segregating the aspects of security and service management.
But are there any differences?
Although, so far, a match between standards sounds perfect, it’s not that easy. ISO 20000 and ISO 27001 have many common elements, but there are differences. ISO 20000 is service-based. ISO 27001 is risk management-based – it has risk management at its core. ISO 20000 considers risks as one of the building elements of the IT service management i.e. adding more aspects on top of the service. (See also: The basic logic of ISO 27001: How does information security work?)
ISO 20000 goes deep into the daily operation of the IT organization. That means it coincides with some parts of the ISO 27001 (like information classification, access control, continuity concept, etc.) but looks for a broader context. Further, in addition to the information security, ISO 20000 gives a 360-degree view on the service, including financial aspects, design, release and deployment of the IT service, service level management, business relationships with customers, etc.
So, in ISO 20000, some common processes, such as incident, change, or capacity management, go into much more detail in order to manage IT services (considering customer requirements, all aspects of IT service delivery, characteristics of the services, roles and responsibilities, customers, etc.).
ISO 27001 includes controls that are not found in ISO 20000, for example, the controls from the following sections of Annex A:
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
The ISO 20000 service management does not directly address information security domains or controls.
So, use them together or not?
Sure, if you have one of the standards in place, that will be beneficial for the implementation of the other one. Depending on which one you implemented first, use elements that fit together and add what’s missing.
When incorporating the security controls of Annex A of ISO 27001 with processes of ISO 20000, we may encounter the following:
- A.12.1.2 Change management: A process for managing change. ISO 20000 (clause 9.2)
- A.12.1.3 Capacity management: This refers to the process of managing capacity. ISO 20000 (clause 6.5)
- A.15 Supplier relationships: Related to supplier management and service level management. ISO 20000 (clause 7.2)
- A.16 Information security incident management: Refers to the process of incident management and service request management. ISO 20000 (clause 6.6)
- A.17 Information security aspects of business continuity management: These are related to the service continuity and availability management processes. ISO 20000 (clause 6.3)
ISO 27001 clearly covers a broader range of information security policies and procedures, so this standard should be used as a reference when defining which controls will be implemented.
Finally, both standards are highly compatible and can be integrated seamlessly. Therefore, we can obtain an integrated management system that provides quality and security to both our business processes and services.
The fact is that ISO 27001 and ISO 20000 have reusable elements. Fine-tune them, use the best that each of the standards brings and enjoy final results in the form of reliable and well-managed services or information security management brought to the state-of-the-art level. Your customers will know how to reward that.
Use this free ISO 27001 vs. ISO 20000 matrix to see more detailed comparison.
