
The ISO 27001 & ISO 22301 Blog

Rhand Leal

ISO 27001 vs. ITIL: Similarities and differences

IT services are one of the main pathways through which information flows between an organization, its clients, and its partners. As legal and contractual requirements increasingly include information protection demands (the healthcare industry is one example), these services and the practices used to manage them must evolve to fit this new scenario. But how can we do that properly and in a cost-effective way?

This article presents an overview of how ISO 27001, the ISO standard for information security management, and ITIL, a best-practice framework for IT service management owned by AXELOS (a public-private joint venture), relate to each other with respect to information protection, and how they can be used together to increase their benefits to an organization's business.

General facts

Here is some information you may find useful for an initial understanding of ISO 27001 and ITIL:

                    | ISO 27001                                          | ITIL
--------------------+----------------------------------------------------+------------------------------------------------------
Nature              | International standard                             | Best practice framework
Purpose             | Defines requirements for the establishment,        | Presents a set of best practices for IT service
                    | implementation, maintenance, and continual         | management, giving guidance on the provision of
                    | improvement of an Information Security             | quality IT services and the processes, functions,
                    | Management System (ISMS).                          | and other capabilities needed to support them.
Applicability       | Any type and size of organization.                 | Almost every type of IT environment.
Certification       | Implementation and certification are optional;     | Organizations cannot be certified against ITIL
                    | an organization can be certified against the       | (only individuals can, via ITIL qualifications).
                    | standard.                                          |
Current version     | ISO 27001:2013                                     | ITIL 2011 edition

As you can see, ISO 27001 addresses information protection directly, while ITIL addresses it indirectly. This is because the term "ITIL" covers a multitude of practices for managing and delivering quality IT services, such as financial management and request fulfillment. However, since information security is also a critical aspect of IT service management and of service quality, ITIL covers information security as one of its processes (information security management, in the service design stage) and integrates security considerations into most of the other processes in the framework.

ISO 27001 structure


ISO 27001:2013 consists of 11 clauses (0 to 10, of which clauses 4 to 10 contain the mandatory requirements) and 114 generic security controls grouped into 14 sections (A.5 to A.18) in Annex A. For more information, read these articles: A first look at the new ISO 27001 and An overview of ISO 27001:2013 Annex A.

One limitation of ISO 27001 is that it does not describe how to fulfill its requirements or implement its controls; it only states what must be achieved. For implementation detail, you can use ISO 27002 as guidance. For more information, read this article: ISO 27001 vs. ISO 27002.

ITIL structure and similarities and differences with ISO 27001

On the other hand, the ITIL 2011 framework consists of 26 processes and four functions, organized around a five-stage service lifecycle:

Service strategy (5 processes): involves aligning IT strategy with overall business goals and expectations, to ensure that IT adds value to the organization. This stage can be related to ISO 27001 clause 4 (Context of the organization).

Service design (8 processes): involves ensuring that IT services meet business objectives while balancing cost, functionality, and performance. One of the processes in service design is information security management, and because it uses many of the same concepts (e.g., the CIA triad, security controls, etc.), it can be covered by ISO 27001 clause 6 (Planning). For more information, read this article: If anything shouldn't be taken for granted… it's Information Security Management.

Service transition (7 processes): involves ensuring that new, modified, and retired IT services meet the needs of the business, and that changes are managed and controlled effectively. This stage can be related to ISO 27001 clause 8 (Operation) and control A.12.1.2 – Change management.

Service operation (5 processes): involves ensuring that IT services are operated securely and reliably to support business needs. This stage can be related to ISO 27001 clause 8 (Operation).

Continual service improvement (1 process, the seven-step improvement process): involves improving the quality, efficiency, and effectiveness of IT services while reducing costs. This stage can be related to ISO 27001 clauses 9 (Performance evaluation) and 10 (Continual improvement).

As you can see, although ISO 27001 and ITIL are presented differently, both follow the Plan-Do-Check-Act (PDCA) cycle, which makes it easier to work with them together.

PDCA cycle | ISO 27001:2013 clauses                    | ITIL stages
-----------+-------------------------------------------+-------------------------------
Plan       | Clause 4 – Context of the organization    | Service strategy
           | Clause 5 – Leadership                     | Service design
           | Clause 6 – Planning                       |
           | Clause 7 – Support                        |
Do         | Clause 8 – Operation                      | Service transition
           |                                           | Service operation
Check      | Clause 9 – Performance evaluation         | Continual service improvement
Act        | Clause 10 – Continual improvement         | Continual service improvement

Additionally, like ISO 27001, ITIL does not prescribe exactly how its processes must be implemented. It does, however, provide detailed descriptions of each process's objectives, activities, inputs, and outputs, along with checklists, leaving room for organizations to tailor the processes to their needs. A rough comparison would be to think of ITIL as ISO 27001 with the contents of ISO 27002 folded into it.

How do we use ITIL and ISO 27001 together?

There is no single answer to this question, since it depends on the organization and its requirements. One approach is to implement ISO 27001 first, because it covers information security management in general (of which the IT environment is only a part), and then adopt ITIL, which provides more implementation detail for the IT services.

Another alternative is to identify the ISO 27001 elements that correspond to each ITIL stage (see the PDCA table above) and implement them in sequence, following the ITIL implementation schedule.

For more information about ISO 27001 and ITIL implementation, see these materials: Diagram of ISO 27001:2013 Implementation and ITIL implementation diagram.

The important thing is to see ISO 27001 and ITIL as complementary material that can help an organization deliver customer services with proper security.

To learn more about how to implement ISO 27001, see this free ISO 27001:2013 Lead Implementer Online Course.


5 responses to “ISO 27001 vs. ITIL: Similarities and differences”

  1. Dav3R says:

    Why would you compare 2 standards that provide different things, ISO27001 is a Information Security framework, and ITIL is service management. It would be more appropriate to compare ISO20000 and ITIL which have the same goals

  2. Wings2i says:

    Quite an insightful article on the differences between ISO 27001 & ITIL…

  3. Alexander Bakker says:

    Thank you for this article. The comparison table between ISO 27001:2013 and ITIL mapped on the PDCA cycle is especially useful. I do have a small remark though. Unless I'm sorely mistaken, the most recent version of ITIL was published in 2011. Therefore, it would reference ISO 27001:2005, and not ISO 27001:2013, as its normative standard. In your view, does this partly make ITIL outdated, at least in the area of security, considering the fact that the changes from 27001:2005 to 27001:2013 have not been incorporated into ITIL? Also, might it be worth noting in your article that ITIL's security management process is based on ISO 27001:2005, considering the fact that when searching for "ISO 27001 vs ITIL", your (otherwise excellent) article is one of the first results in Google?

    Thank you for your contribution, it is very helpful.

    • Rhand Leal says:

      1- In your view, does this partly make ITIL outdated, at least in the area of security, considering the fact that the changes from 27001:2005 to 27001:2013 have not been incorporated into ITIL?

      Answer: In my view, the new version of ISO 27001 does not outdate ITIL recommendations, since the ITIL processes involved in information security (design of controls, testing, management of incidents, and security review) are mostly related to operating controls rather than managing security. However, the new ISO 27001 requirements and the revised list of controls in Annex A should be used to perform a review of the implemented recommendations to identify the adjustments needed to ensure the implementation remains compliant with the standard.

      2 – Also, might it be worth noting in your article that ITIL's security management process is based on ISO 27001:2005, considering the fact that when searching for "ISO 27001 vs ITIL", your (otherwise excellent) article is one of the first results in Google?

      Answer: Thanks for this feedback, but I wouldn't say ITIL's security management process is based on ISO 27001:2005. Instead, I'd say it also refers to ISO 27001:2005 practices, as it does to others like CMMI, COBIT, IEEE 830, etc.

      If you have any other questions, please feel free to contact us.
