
    ISO 27001 & ISO 22301 Blog

    How to implement ISO 27001 and ISO 20000 together

    All management systems based on ISO standards have one thing in common: the well-known Deming cycle, PDCA (Plan, Do, Check, Act), which makes it easier to integrate several ISO standards in one organization: ISO 9001, ISO 14001, ISO 27001, ISO 20000, ISO 22301, etc. I know companies that have ISO 27001 but need to focus more on IT service management, so they implement ISO 20000. And vice versa: I know companies that have ISO 20000 but need to focus more on information security, so they implement ISO 27001.

    In the case of ISO 27001 and ISO 20000, this integration can go beyond PDCA, as we shall see below – there are security controls in Annex A of ISO 27001 that can be managed as a process in ISO 20000.

    Similar management elements in ISO 27001 and ISO 20000

    Let us first recall which elements of ISO 27001 and ISO 20000, all related to PDCA, can be integrated when implementing the two standards together (the resulting system covers both standards and is called an “integrated system” or “integrated management system”):

    • Policy: Defines the internal rules for the management of the integrated system.
    • Definition of objectives: Defines the objectives to be achieved with the implementation of the integrated system. This also involves defining indicators to measure whether the objectives have been achieved.
    • Definition of roles and responsibilities: Defines the roles and responsibilities for the management of the integrated system. Usually this includes the person responsible for the integrated system, and an integrated committee in which senior management is the main participant.
    • Awareness: All personnel within the scope of the integrated management system must be properly trained in both information security and service management.
    • Communications: Internal and external communication related to the integrated management system must follow established guidelines (usually defined in a communications protocol).
    • Control of documents and records: You have to define guidelines for the management of all documentation and records of the integrated system.
    • Management of metrics: In the case of ISO 27001, you have to establish metrics to measure the effectiveness of the security controls, while in the case of ISO 20000 you have to establish metrics to measure the effectiveness of the processes.
    • Internal audit: You have to carry out internal audits to detect possible nonconformities in the integrated system and to determine its degree of conformity with the reference standards.
    • Management review: Top management has to review a defined set of inputs to the integrated management system and, as a result of the review, produce conclusions and decisions.
    • Corrective/preventive actions and continual improvement: The management of the integrated system can define corrective and preventive actions to treat the nonconformities detected (usually in audits, reviews, etc.). Note that the current version of ISO 27001 no longer refers to preventive actions, and the same is likely in the next version of ISO 20000. (Something similar is happening with the rest of the ISO management system standards, given the changes being made at a general level to achieve greater integration between all of them.)

    For the integration of ISO 27001 and ISO 20000, for each of the bullets above you should develop a single document that covers both the ISMS (information security management system) and the SMS (service management system), separating the aspects that are specific to information security from those that are specific to service management.

    Integration of ISO 27001 security controls with ISO 20000

    Among the security controls of Annex A of ISO 27001, the following can be integrated with processes of ISO 20000:

    • A.12.1.2 Change management: Related to the change management process. Obviously, the ISO 20000 process (clause 9.2) covers much more.
    • A.12.1.3 Capacity management: Related to the capacity management process. In this case, too, the ISO 20000 process (clause 6.5) encompasses much more.
    • A.15 Supplier relationships: Related to the supplier management process and the service level management process. Here as well, the ISO 20000 processes (clauses 7.2 and 6.1) include much more.
    • A.16 Information security incident management: Related to the incident and service request management process and the problem management process. ISO 27001 focuses on information security incidents, while the ISO 20000 processes (clauses 8.1 and 8.2) deal with any kind of incident or problem. ISO 20000 also refers to security incidents in its information security management process (clause 6.6), so again ISO 20000 covers more.
    • A.17 Information security aspects of business continuity management: Related to the service continuity and availability management process. Here again ISO 20000 (clause 6.3) is more complete, since it covers not only continuity but also availability. The main difference is that ISO 27001 refers to the business, while ISO 20000 refers to the service.

    The recommendation here is to have a single document covering both the ISMS and the SMS for each of these processes, using ISO 20000 as the reference, because it covers much more.

    Regarding the process that determines which security controls are selected (risk assessment and risk treatment), ISO 27001 obviously covers much more of risk management and of the security controls themselves, so the recommendation here is to use it as the reference.

    Differences between ISO 27001 and ISO 20000

    There are controls in Annex A of ISO 27001 that have no counterpart in the processes of ISO 20000, for example:

    • A.9 Access control
    • A.10 Cryptography
    • A.11 Physical and environmental security
    • A.12 Operations security (apart from change management and capacity management, discussed above)
    • A.13 Communications security
    • A.14 System acquisition, development and maintenance

    These control domains are specific to information security, and are generally more technical than the rest, so they are not addressed directly by ISO 20000 service management. You still need to implement them in the integrated system, using ISO 27001 as the reference.

    Therefore, the two standards are highly compatible and can be fully integrated, resulting in an integrated management system that provides both quality and security to our business processes and services, and consequently greater satisfaction for our customers.

    Click here to download a free ISO 27001 vs ISO 20000 Matrix that will provide you a clause-by-clause overview of similarities and differences between these two standards.

    Antonio Jose Segovia
    Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.