Topic-specific policies
ISO/IEC 27013


Search this site
 

ISMS templates

< Previous standard      ^ Up a level ^      Next standard >

 

ISO/IEC 27013:2021 — Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (third edition)

 

Abstract

“This document gives guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 for organisations intending to: (a) implement ISO/IEC 27001 when ISO/IEC 20000-1 is already implemented, or vice versa; (b) implement both ISO/IEC 27001 and ISO/IEC 20000-1 together; or (c) integrate existing management systems based on ISO/IEC 27001 and ISO/IEC 20000-1. This document focuses exclusively on the integrated implementation of an information security management system (ISMS) as specified in  ISO/IEC 27001 and a service management system (SMS) as specified in  ISO/IEC 20000-1.”
[Source: ISO/IEC 27013:2021]
 

Introduction

This standard provides guidance on implementing an integrated information security and IT service management system, based on both ISO/IEC 27001:2005 (ISMS) and ISO/IEC 20000-1:2011 (IT service management specification, derived from ITIL).

The benefits include:

  • Credible provision of effective and secure information/IT services.
  • Cost reduction, quicker implementation, better communication, increased  reliability and efficiency, and easier certification process due to integration and commonality.
  • Mutual understanding by service management and information security personnel.

 

Scope and purpose

The standard advises users on the processes and supporting documentation required to implement an integrated dual management system, for example helping them to:

  • Implement ISO/IEC 27001 when they have already adopted ISO/IEC 20000-1, or vice versa;
  • Implement both ISO/IEC 27001 and ISO/IEC 20000-1 together from scratch (brave souls!); or
  • Align and coordinate pre-existing ISO/IEC 27001 and ISO/IEC 20000-1 management systems.

The scope of this standard spans two ISO/IEC JTC 1 subcommittees. SC 27 and SC 7 collaborated to ensure that the information security and IT service management perspectives were both duly considered.

 

Content of the standard

The standard proposes a framework for organizing and prioritizing activities, offering advice on:

  • Aligning the information security and service management and improvement objectives;
  • Coordinating multidisciplinary activities, leading to a more integrated and aligned approach (e.g. both donor standards specify incident management activities, with differing scopes for the incidents but otherwise quite similar);
  • A collective system of processes and supporting documents (policies, procedures etc.);
  • A common vocabulary and shared vision;
  • Combined business benefits to customers and service providers plus additional benefits arising from the integration of both management systems; and
  • Combined auditing of both management systems at the same time, with the consequent reduction in audit costs (we hope!).

Two annexes compare the ISO/IEC 27001 and 20000 standards side-by-side.

 

Status of the standard

The first edition was published in 2012.

It was revised for ISO/IEC 27001:2013 and the second edition was published in 2015.

It was revised again for ISO/IEC 20000-1:2018. The third edition was published in 2021.

The teams working on this standard plus ISO/IEC 20000-1 and -7, and ISO 9001, failed to reach consensus on a fourth edition, so ISO/IEC JTC 1 will decide what to do next ...

Meanwhile, SC 27 intends to update the standard to reflect the 2022 versions of ISO/IEC 27001 and 27002. A ~four-page amendment to the third edition is in preparation, with publication expected in 2024, perhaps sooner.

 

Personal comments

Write out 1,000 times: “There is more to information security than securing IT. There is more to information security than securing IT. There is more to information security than securing IT. There is more to information security than securing IT ...

 

< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2024 IsecT LtdContact us re Intellectual Property Rights