ISO/IEC 27013 -- IT Security -- Security techniques -- Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001 (DRAFT)
This standard, soon to enter 2nd WD stage, will provide guidance on implementing an integrated information security and IT service management system, based respectively on ISO/IEC 27001 (ISMS) and ISO/IEC 20000-1 (IT service management specification, derived from ITIL), since those management systems are felt to complement and support each other.
Publication is not expected before 2011, which is when the next revision of ISO/IEC 20000-1 is also due, so hopefully both standards will be aligned at that point.
The standard will advise users on the processes and supporting documentation required to implement an integrated dual management system, for example helping them to:
- Implement ISO/IEC 27001 when they have already adopted ISO/IEC 20000-1, or vice versa;
- Implement both ISO/IEC 27001 and ISO/IEC 20000-1 together from scratch (brave souls!); or
- Align and coordinate pre-existing ISO/IEC 27001 and ISO/IEC 20000-1 management systems.
The standard will provide a framework for organizing and prioritizing activities, with advice on:
- Aligning the information security and service management and improvement objectives;
- Coordinating multidisciplinary activities, leading to a more integrated approach (e.g. both donor standards specify incident management activities, with differing scopes for the incidents but otherwise quite similar);
- A collective system of processes and supporting documents (policies, procedures etc.);
- A common vocabulary and shared vision;
- Combined business benefits to customers and service providers plus additional benefits arising from the integration of both management systems; and
- Combined auditing of both management systems at the same time, with the consequent reduction in audit costs (we hope!).
The scope of this standard involves two ISO/IEC JTC1 subcommittees, hence SC27 and SC7 are actively liaising to ensure that the information security and service management perspectives are both taken adequately into consideration. The liaison is going well.
It is possible that the resulting standard may be dual-numbered as both ISO/IEC 20000-13 and ISO/IEC 27013 to reflect its use within both series of standards. Care will be needed to adopt consistent terminology and concepts from both series.
Note: while the approach recommended by ISO/IEC 20000 was derived from ITIL (the IT Infrastructure Library, owned by the British OGC - Office of Government Commerce), there are subtle differences in the details. Differences between the latest version of ITIL, ITIL v3, and ISO 20000-1 are explained here.