When We talk to our customers, we often talk about the implementation of various ISO standards, and we often hear that ISO 20000 and ISO 27001 are strongly related, they have much in common and, if you have implemented one of them, the other one will be much easier. But, when we start discussing details, it’s a different story.
It’s true that these two standards do have a lot of things in common but, more accurately: they complement each other. On the other hand, they also have differences, so you can’t copy/paste a complete implementation. Let’s examine that in more detail.
Let’s start with ISO/IEC 27001 Certification based on ISMS (Information Security Management System). Although it seems that ISO 27001 Certification is related to information only, the “story” is broader. Information could be a broad term, that encompasses information, place, and instrumentation wherever knowledge is control.
It conjointly includes devices and software systems for process, management, folks and also the organization concerned. Additionally, it includes communication channels, suppliers and procurement, development and legislation. As you'll be able to see, if we are saying that ISO 27001 Certification relates to the data, we actually didn’t say nearly enough.
ISO/IEC 22000 Certification for Foods Industries is similar SMS (Service Management System). It defines, implements, manages and improves IT service from its design through management and improvement after release in a live environment. That goes way beyond what the service does and encompasses how the service is built, how it is used, and how it handles issues that occur. It also includes how you set up your organization, your handling of third parties, reporting, and customer satisfaction/complaints/compliments, etc. Many of these elements can be found in ISO 27001, but they are seen from a different point of view.
ISO 20000 is process-based. Although ISO 27001 is not explicitly process-based, if you check Annex A (list of controls to manage risks), there are many controls for which you need to define a process. ISO 20000 processes tackle a similar topic as ISO 27001 controls.
Examples that your ISMS implementation might need inside the scope of its risk assessment:
Capacity – ISO 27001 Certification needs that capability to support needed system performance ought to be provided.
ISO 20000 Certification is additional careful in capability needs, planning, and observation.
Configuration – Both standards have strong requirements related to the assets needed to support IT services, i.e. information processing. ISO 20000 Certification goes deeper and sets more detailed requirements.
Incident – Information security incidents are just one category of incidents in ISO 20000. If you have implemented incident management in ISO 20000 Certification that will also be good enough for ISO 27001 Certification implementation.
Change – Both of the standards require change management to be implemented. ISO 20000 Certification views change management as control of many activities, from planning and designing the IT service, up to control once the service is in a live environment.
Supplier – Both standards see suppliers as one of the important elements of the management system. ISO 20000 Certification requires more details to be controlled with the supplier and their sub-suppliers.
So, those who claim that, if you have one of the standards in place, you already have a significant part of the other one are, essentially, right.
Seen from the ISO 20000 Certification point of view, the standard requires Information Security Management, IT Service Continuity and Availability processes to be implemented. Requirements for those two processes are very much in line with ISMS requirements defined by ISO 27001. So, if you have ISO 27001 Certification in place, it will be a great help for ISO 20000 Certification Service implementation. See the articles ITIL Incident Management and IT Service Continuity Management – waiting for the big one to learn more.
But, are there any differences between ISO 20000:2005 and ISO 20000:2013?
Although so far, a match between standards sounds perfect, it’s not that easy. ISO 20000:2005Certification and ISO 27001:2013 Certification have many common elements, but there are differences. ISO 20000 Certification is service-based. ISO 27001 Certification is risk management-based – it has risk management at its core. ISO 20000 Certification considers risks as one of the building elements of the IT service management i.e. adding more aspects on top of the service. (See also: The basic logic of ISO 27001:2013 How does information security work?)
ISO 20000 Certification goes deep into the daily operation of the IT organization. That means it coincides with some parts of the ISO 27001 Certification (like information classification, access control, continuity concept, etc.) but looks for a broader context. Further, in addition to the information security, ISO 20000 gives a 360-degree view on the service, including financial aspects, design, release, and deployment of the IT service, service level management, business relationships with customers, etc.
So, in ISO 20000 some common processes such as incident, change or capacity management, go into much more detail to manage IT services (taking into account customer requirements, all aspects of IT service delivery, characteristics of the services, roles, and responsibilities, customers, etc...
Visit : ISO 20000 Certification
The Wall