ISO/IEC 27013

ISO/IEC 27013 — Information technology — Security techniques — Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001 (DIS)

This standard will provide guidance on implementing an integrated information security and IT service management system, based on both ISO/IEC 27001:2005 (ISMS) and ISO/IEC 20000-1:2011 (IT service management specification, derived from ITIL) standards respectively, since those management systems are felt to complement and support each other.

The standard will advise users on the processes and supporting documentation required to implement an integrated dual management system, for example helping them to:

  • Implement ISO/IEC 27001 when they have already adopted ISO/IEC 20000-1, or vice versa;
  • Implement both ISO/IEC 27001 and ISO/IEC 20000-1 together from scratch (brave souls!); or
  • Align and coordinate pre-existing ISO/IEC 27001 and ISO/IEC 20000-1 management systems.

The standard will provide a framework for organizing and prioritizing activities, with advice on:

  • Aligning the information security and service management and improvement objectives;
  • Coordinating multidisciplinary activities, leading to a more integrated and aligned approach (e.g. both donor standards specify incident management activities, with differing scopes for the incidents but otherwise quite similar);
  • A collective system of processes and supporting documents (policies, procedures etc.);
  • A common vocabulary and shared vision;
  • Combined business benefits to customers and service providers plus additional benefits arising from the integration of both management systems; and
  • Combined auditing of both management systems at the same time, with the consequent reduction in audit costs (we hope!).

The scope of this standard involves two ISO/IEC JTC1 subcommittees, hence SC27 and SC7 are actively liaising to ensure that the information security and service management perspectives are both taken adequately into consideration. The liaison is going well.

It is possible that the resulting standard may be dual-numbered as both ISO/IEC 20000-13 and ISO/IEC 27013 to reflect its use within both series of standards. Care is being taken to adopt consistent terminology and concepts from both series.

Note: while the approach recommended by ISO/IEC 20000 was derived from ITIL (the IT Infrastructure Library, owned by the British OGC - Office of Government Commerce), there are subtle differences in the details. Differences between the latest version of ITIL, ITIL v3, and ISO 20000-1 are explained here. A new version of ISO 20000-1 is expected to be published later in 2011: ISO/IEC 27013 will reflect that new version.

Latest available status info

Comments on the CD were addressed so the standard is moving to DIS with publication likely this year. Additional pragmatic advice would help organizations implement both ISO27k and ISO20k, but it has been agreed to release the standard as-is rather than wait another year for the necessary inputs.

Copyright © 2012 IsecT Ltd.