ISO 27001 vs. ITIL: Similarities and differences

IT services are one of the main pathways for information to flow through organizations, their clients and partners, and as legal and contractual requirements increasingly include information protection demands (the healthcare industry is an example), these services and their management practices must evolve to adapt to this new scenario. But how can we do that properly and cost-effectively?

This article will present an overview of how ISO 27001, an ISO standard focused on information security management, and ITIL, a public-private framework that focuses on IT services management, are related considering information protection, and how they can be used together to increase their benefits to an organization’s business.

General facts

Here is some information you may find useful for an initial understanding of ISO 27001 and ITIL:

| ISO 27001 | ITIL |
| --- | --- |
| International standard | Best practice framework |
| Defines requirements for the establishment, implementation, maintenance, and continual improvement of an Information Security Management System (ISMS). | Presents a set of best practices for IT service management, giving guidance on the provision of quality IT services and the processes, functions, and other capabilities needed to support them. |
| Applicable to any type and size of organization. | Applicable to almost every type of IT environment. |
| Implementation and certification are optional. | Implementation is not subject to certification. |
| Current version: ISO 27001:2013 | Current version: ITIL 2011 edition |

As you can see, ISO 27001 has a direct definition concerning information protection, while ITIL’s is more indirect. This is because the term “ITIL” refers to a multitude of practices for managing and providing quality IT services, such as financial management and request fulfillment. However, since information security is also a critical aspect of IT service management and of quality in IT services, ITIL does cover information security as one of its supporting processes (information security management), and integrates information security into most of the processes in the framework.

ISO 27001 structure

ISO 27001 consists of 11 clauses and 114 generic security controls grouped into 13 sections (Annex A). For more information, read these articles: A first look at the new ISO 27001 and An overview of ISO 27001:2013 Annex A.

One of the limitations of ISO 27001 is that it does not provide detail on what to do to fulfill requirements or implement controls, only on what you need to achieve. For that detail, you can use ISO 27002 as guidance. For more information, read this article: ISO 27001 vs. ISO 27002.

ITIL structure and similarities and differences with ISO 27001

On the other hand, the ITIL framework consists of 26 processes and four functions, based on a five-stage service lifecycle approach:

Service strategy (4 processes): involves aligning the IT strategy with overall business goals and expectations, to ensure that IT adds value to the organization. This stage can be related to ISO 27001 clause 4 (Context of the organization).

Service design (7 processes): involves ensuring that IT services meet business objectives while balancing cost, functionality, and performance. One of the processes in service design is security management, and because it uses many of the same concepts (e.g., the CIA triad, security controls, etc.), it can be covered by ISO 27001 clause 6 (Planning). For more information, read this article: If anything shouldn’t be taken for granted… it’s Information Security Management.

Service transition (7 processes): involves ensuring that new, modified, and retired IT services meet the needs of the business, and that changes are managed and controlled effectively. This stage can be related to ISO 27001 clause 8 (Operation) and control A.12.1.2 – Change management.

Service operation (5 processes): involves ensuring that IT services are operated securely and reliably to support the business needs. This stage can be related to ISO 27001 clause 8 (Operation).

Continual service improvement (3 processes): involves the improvement of the quality, efficiency, and effectiveness of IT services, while reducing costs. This stage can be related to ISO 27001 clauses 9 (Performance evaluation) and 10 (Continual improvement).

As you can see, although ISO 27001 and ITIL are presented differently, they share a similar approach based on the PDCA cycle, which makes it easier to work with them together.

| PDCA cycle | ISO 27001:2013 clauses | ITIL stages |
| --- | --- | --- |
| Plan | Clause 4 – Context of the organization; Clause 5 – Leadership; Clause 6 – Planning; Clause 7 – Support | Service strategy; Service design |
| Do | Clause 8 – Operation | Service transition; Service operation |
| Check | Clause 9 – Performance evaluation | Continual service improvement |
| Act | Clause 10 – Continual improvement | Continual service improvement |

Additionally, like ISO 27001, ITIL lacks “how to do” details on how the processes should be implemented, though it does provide detailed descriptions of objectives, activities to be performed, inputs, and outputs, in addition to checklists, all leaving room for organizations to tailor the processes to their needs. A rough comparison would be to think of ITIL as if the contents of ISO 27002 were included in ISO 27001.

How do we use ITIL and ISO 27001 together?

There is no exact answer to this question, since it depends on the organization and its requirements. One approach is to start with the ISO 27001 implementation, because it covers general information security management (of which the IT environment is only a part), and after that go for ITIL, which will provide more implementation details.

Another alternative is to consider the ISO 27001 elements for each ITIL stage and implement them in sequence according to an ITIL implementation schedule.

For more information about ISO 27001 and ITIL implementation, see these materials: Diagram of ISO 27001:2013 Implementation and ITIL implementation diagram.

The important thing here is to see ISO 27001 and ITIL as complementary material that can help an organization provide customer services with proper security.

To learn more about how to implement ISO 27001, see this free ISO 27001:2013 Lead Implementer Online Course.

Author: Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.