Similarities and variations between ISO 27001 and ISO 20000

When we talk to our customers, we often discuss the implementation of various ISO standards, and we often hear that ISO 20000 and ISO 27001 are strongly related: they have much in common and, if you have implemented one of them, the other one will be much easier. But, when we start discussing details, it’s a different story.

It’s true that these two standards do have a lot of things in common but, more accurately: they complement each other. On the other hand, they also have differences, so you can’t copy/paste a complete implementation. Let’s examine that in more detail.

Let’s start with ISO/IEC 27001 Certification, which is based on the ISMS (Information Security Management System). Although it seems that ISO 27001 Certification is related to information only, the “story” is broader. Information is a broad term that encompasses the information itself, the locations and the equipment wherever information is processed or controlled.
It also includes the devices and software used for processing, the management, the people, and the organization involved. Additionally, it includes communication channels, suppliers and procurement, development, and legislation. As you can see, if we say that ISO 27001 Certification relates to information only, we haven’t said nearly enough.

ISO/IEC 20000 Certification is based on the SMS (Service Management System). It defines, implements, manages and improves IT services from their design through management and improvement after release into a live environment. That goes way beyond what the service does and encompasses how the service is built, how it is used, and how it handles issues that occur. It also includes how you set up your organization, your handling of third parties, reporting, and customer satisfaction/complaints/compliments, etc. Many of these elements can be found in ISO 27001, but they are seen from a different point of view.

ISO 20000 is process-based. Although ISO 27001 is not explicitly process-based, if you check Annex A (the list of controls to manage risks), there are many controls for which you need to define a process. ISO 20000 processes tackle similar topics as ISO 27001 controls.

Examples of areas that your ISMS implementation might need to cover within the scope of its risk assessment:

Capacity – ISO 27001 Certification requires that capacity to support the required system performance be provided. ISO 20000 Certification is more detailed about capacity requirements, planning, and monitoring.
Configuration – Both standards have strong requirements related to the assets needed to support IT services, i.e. information processing. ISO 20000 Certification goes deeper and sets more detailed requirements.
Incident – Information security incidents are just one category of incidents in ISO 20000. If you have implemented incident management for ISO 20000 Certification, that will also be good enough for an ISO 27001 Certification implementation.
Change – Both of the standards require change management to be implemented. ISO 20000 Certification views change management as the control of many activities, from planning and designing the IT service, up to control once the service is in a live environment.
Supplier – Both standards see suppliers as one of the important elements of the management system. ISO 20000 Certification requires more details to be controlled with the supplier and their sub-suppliers.
So, those who claim that, if you have one of the standards in place, you already have a significant part of the other one are, essentially, right.

Seen from the ISO 20000 Certification point of view, the standard requires the Information Security Management and the IT Service Continuity and Availability processes to be implemented. Requirements for those two processes are very much in line with the ISMS requirements defined by ISO 27001. So, if you have ISO 27001 Certification in place, it will be a great help for the ISO 20000 Certification implementation. See the articles ITIL Incident Management and IT Service Continuity Management – waiting for the big one to learn more.

But, are there any differences between ISO 20000:2005 and ISO 27001:2013?

Although so far the match between the standards sounds perfect, it’s not that easy. ISO 20000:2005 Certification and ISO 27001:2013 Certification have many common elements, but there are differences. ISO 20000 Certification is service-based. ISO 27001 Certification is risk management-based – it has risk management at its core. ISO 20000 Certification considers risks as one of the building elements of IT service management, i.e. adding more aspects on top of the service. (See also: The basic logic of ISO 27001:2013 – How does information security work?)

ISO 20000 Certification goes deep into the daily operation of the IT organization. That means it coincides with some parts of ISO 27001 Certification (like information classification, access control, the continuity concept, etc.) but looks at them in a broader context. Further, in addition to information security, ISO 20000 gives a 360-degree view of the service, including financial aspects, design, release, and deployment of the IT service, service level management, business relationships with customers, etc.

So, in ISO 20000 some common processes, such as incident, change or capacity management, go into much more detail to manage IT services (taking into account customer requirements, all aspects of IT service delivery, characteristics of the services, roles and responsibilities, customers, etc.).

So, use ISO 20000 and ISO 27001 together or not?
Sure, if you have one of the standards in place, that will be beneficial for the implementation of the other one. Depending on which one you implemented first, reuse the elements that fit together and add what’s missing.

The fact is that both standards have reusable elements. Fine-tune them, use the best that each of the standards brings, and enjoy the final results in the form of reliable and well-managed services or information security management brought to a state-of-the-art level. Your customers will know how to reward that.

For more information about ISO 20000 and ISO 27001 and the role we can play in your efforts to achieve certification, feel free to contact us. To get started with the certification process, you can also request a quote.
