ISO/IEC 27013:2015 — Information technology — Security techniques — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (second edition)
This standard provides guidance on implementing an integrated information security and IT service management system, based on both ISO/IEC 27001:2005 (ISMS) and ISO/IEC 20000-1:2011 (IT service management specification, derived from ITIL).
Scope and purpose
The standard advises users on the processes and supporting documentation required to implement an integrated dual management system, for example helping them to:
- Implement ISO/IEC 27001 when they have already adopted ISO/IEC 20000-1, or vice versa;
- Implement both ISO/IEC 27001 and ISO/IEC 20000-1 together from scratch (brave souls!); or
- Align and coordinate pre-existing ISO/IEC 27001 and ISO/IEC 20000-1 management systems.
The scope of this standard spans two ISO/IEC JTC1 subcommittees. SC 27 and SC 7 collaborated to ensure that the information security and IT service management perspectives were both duly considered.
Content of the standard
The standard proposes a framework for organizing and prioritizing activities, offering advice on:
- Aligning the information security and service management and improvement objectives;
- Coordinating multidisciplinary activities, leading to a more integrated and aligned approach (e.g. both donor standards specify incident management activities, with differing scopes for the incidents but otherwise quite similar);
- A collective system of processes and supporting documents (policies, procedures etc.);
- A common vocabulary and shared vision;
- Combined business benefits to customers and service providers plus additional benefits arising from the integration of both management systems; and
- Combined auditing of both management systems at the same time, with the consequent reduction in audit costs (we hope!).
Two annexes compare the 27001 and 20000 standards side-by-side.
Status of the standard
The standard was first published in 2012.
It was revised in line with the 2013 release of ISO/IEC 27001: the second edition was published in 2015.
The standard is currently being revised in line with the current 3rd 2018 version of ISO/IEC 20000-1, and the current 2013 version of ISO/IEC 27001. It is due to be published in 2022. The revision is at 2nd Committee Draft stage.
Write out 1,000 times: “There is more to information security than securing IT. There is more to information security than securing IT. There is more to information security than securing IT. There is more to information security than securing IT ...”
Pragmatic advice would help organizations implement both ISO27k and ISO20k together. Maybe the 60-odd pages of the third edition will be more helpful ...
Unfortunately, the revised standard will not reflect the forthcoming updated version of ‘27001.
< Previous standard ^ Up a level ^ Next standard >