Similarities and differences between ISO 27001 and ISO 20000
When I talk to my customers, we often discuss the implementation of various ISO standards, and I often hear that ISO 20000 and ISO 27001 are strongly related: they have much in common, and if you have implemented one of them, the other will be much easier. But when we start discussing the details, it's a different story.
It's true that these two standards have a lot in common, but it is more accurate to say that they complement each other. They also have differences, so you can't copy and paste a complete implementation from one to the other. Let's examine this in more detail.
Positive things first – similarities
Let's start with the ISO 27001 based ISMS (Information Security Management System). Although it seems that ISO 27001 relates to information only, the "story" is broader. Information is a broad term that encompasses raw data as well as the places and equipment where data is held. It also includes the devices and software used for processing, the management, the people and the organization involved. Additionally, it includes communication channels, suppliers and procurement, development and legislation. As you can see, if we say that ISO 27001 relates to information, we actually haven't said nearly enough.
ISO 20000 defines a similar management system, the SMS (Service Management System). It defines, implements, manages and improves IT services from their design through to their management and improvement after release into a live environment. That goes far beyond what the service does and encompasses how the service is built, how it is used, and how it handles the issues that occur. It also includes how you set up your organization, your handling of third parties, reporting, and customer satisfaction/complaints/compliments, etc. Many of these elements can be found in ISO 27001, but they are seen from a different point of view.
ISO 20000 is process-based. Although ISO 27001 is not explicitly process-based, if you check Annex A (the list of controls to manage risks), there are many controls for which you need to define a process. ISO 20000 processes tackle the same topics as ISO 27001 controls. Let's look at a few examples that your ISMS implementation may require within the scope of its risk assessment:
- Capacity – ISO 27001 requires that capacity to support required system performance should be provided. ISO 20000 is more detailed in capacity requirements, planning and monitoring.
- Configuration – Both standards have strong requirements related to the assets needed to support IT services, i.e. information processing. ISO 20000 goes deeper and sets more detailed requirements.
- Incident – Information security incidents are just one category of incidents in ISO 20000. If you have implemented incident management under ISO 20000, that will also be good enough for an ISO 27001 implementation.
- Change – Both of the standards require change management to be implemented. ISO 20000 views change management as control of many activities, from planning and designing the IT service, up to control once the service is in a live environment.
- Supplier – Both standards see suppliers as one of the important elements of the management system. ISO 20000 requires more details to be controlled in the relationship with suppliers and their sub-suppliers.
So, those who claim that if you have one of the standards in place, you already have a significant part of the other one are essentially right.
Seen from the ISO 20000 point of view, the standard requires the Information Security Management and the IT Service Continuity and Availability processes to be implemented. The requirements for those two processes are very much in line with the ISMS requirements defined by ISO 27001. So, if you have ISO 27001 in place, it will be a great help for an ISO 20000 implementation. See the articles ITIL Incident Management and IT Service Continuity Management – waiting for the big one to learn more.
But, are there any differences?
Although the match between the standards sounds perfect so far, it's not that simple. ISO 20000 and ISO 27001 have many common elements, but there are differences. ISO 20000 is service-based. ISO 27001 is risk management-based – it has risk management at its core. ISO 20000 treats risk as just one of the building blocks of IT service management, i.e. one more aspect added on top of the service. (See also: The basic logic of ISO 27001: How does information security work?)
ISO 20000 goes deep into the daily operation of the IT organization. That means it coincides with some parts of ISO 27001 (such as information classification, access control, the continuity concept, etc.) but places them in a broader context. Further, in addition to information security, ISO 20000 gives a 360-degree view of the service, including financial aspects, design, release and deployment of the IT service, service level management, business relationships with customers, etc.
So, in ISO 20000, common processes such as incident, change or capacity management go into much more detail in order to manage IT services (taking into account customer requirements, all aspects of IT service delivery, the characteristics of the services, roles and responsibilities, customers, etc.).
So, use them together or not?
Sure, if you have one of the standards in place, that will be beneficial for the implementation of the other one. Depending on which one you implemented first, use the elements that fit together and add what's missing.
The fact is that both standards have re-usable elements. Fine-tune them, use the best that each of the standards brings, and enjoy the final results in the form of reliable and well-managed services or information security management brought to a state-of-the-art level. Your customers will know how to reward that.
Use this free ISO 27001 vs. ISO 20000 matrix to see a more detailed comparison.