All management systems based on ISO standards have one thing in common: the cycle of PDCA (Plan, Do, Check, and Act), which can make it easier to integrate and achieve different ISO standards in an organisation.
As these management systems share similar processes they can be implemented in a unified fashion. This streamlined approach is reflected in the ISO/IEC 27013 framework, which was created to provide guidance to organisations on how to integrate information security and service management system requirements.
The International Organisation for Standardisation (ISO) maintains a wide range of standards as an international body. In general, the standards represent the consensus of experts from around the world on matters relating to their fields. The ISO 27000 series is one of the most important standards for information security. This series of standards provides a framework for managing information security risks.
The ISO 27013 standard establishes the requirements for an organisation to implement Information Security Management System (ISMS) and Service Management System (SMS). ISO/IEC 27001 is a standard that defines information security management systems (ISMS) that provides organisations with a powerful framework for implementing best practices and guidelines on cybersecurity.
ISO/IEC 20000-1 is an international framework for IT service management that allows organisations to ensure that their IT service management systems are compatible with business needs.
The ISO 27013 standard was created to assist organisations in implementing both ISO 27001 and ISO 20000-1 concurrently or in implementing one where another is already in place. By doing so, businesses can maximise customer loyalty, gain a strategic edge, enhance corporate operations, and over time, realise significant cost savings.
An ISMS is an Information Security Management System. This is a framework for implementing security initiatives such as access controls, incident response, monitoring, security training, and much more. An ISMS is sometimes referred to as ISO 27001 after the international standard that is used for this framework.
It describes and demonstrates your organisation’s approach to Information Security. These systems can be implemented in any number of ways depending on your business.
Understanding what an ISMS is and the function(s) it serves is important to achieving compliance with ISO 27001, according to the U.S. Department of State. According to the ISO 27001 standard, all organisations should have an Information Security Management System implemented.
IT Service Management, most commonly known as ITSM, is a consensus within the IT industry regarding how services are delivered to clients. Simply put, ITSM is a framework for providing and supporting IT services. The practices that define ITSM can be used in any organisation regardless of size, type of technology or level of business activity.
ITSM enables effective and efficient delivery of IT services to internal or external customers. An IT service is any product that is delivered to a customer and may be funded, performed, or procured as an IT service.
It is essentially a management framework that helps you manage and organise all the aspects of delivering services in an effective, efficient, reliable, secure manner aligned with customer’s needs and expectations. ISO 20000-1 is the standard for IT service management (ITSM) systems and set guidelines for external party’ certification audit. The goal of ISO 20000-1 is the strategic alignment of ITSM with other IT activities, processes and resources.
ISO/IEC 27001 and ISO/IEC 20000-1 are two standards that share a large number of components and objectives, as well as the critical principle of continuous improvement. Thus, integrating the implementation of a service management system (SMS) and an information security management system (ISMS) would be the optimal solution.
These are the PDCA points from ISO 27001 and ISO 20000 that can be integrated during the implementation of ISO 27013:
Specifies internal guidelines for the integrated system’s administration.
All staff who would be affected by the integrated management system’s implementation must receive adequate education in information security and service management.
Internal and external correspondence about the integrated management framework must be conducted in accordance with defined guidelines (usually defined as communications protocol).
Defines the objectives to be accomplished through the implementation of the integrated system. This will also include the establishment of certain benchmarks for determining if the targets have been met.
Sets out the responsibilities for the integrated system’s management. Typically, this term refers to the person who is accountable for the integrated system. Additionally, a team that includes senior management as the primary member will be formed for the integration of the management system.
ISMS.online makes setting up and managing your ISMS as easy as it can get.
With ISMS.online, challenges around version control, policy approval & policy sharing are a thing of the past.
Provision must be made for the control and management of the integrated system’s documentation and records.
For ISO 27001, metrics must be put in place to assess the effectiveness of security controls. For ISO 20000, metrics must be established to assess the effectiveness of protocols.
An internal audit will be conducted to identify potential nonconformities in the integrated system and to assess the extent of compliance in relation to standard requirements.
The organisation’s top management must evaluate a set of points of entry into the integrated management system. They are required to make certain findings or results as a result of the analysis.
The integrated system’s management will establish corrective and preventive measures for the treatment of identified nonconformities (usually detected in audits, reviews, etc.).
As we can see, both ISO 27001 and ISO 20000-1 requirements are completely compatible and can be seamlessly combined to form the basis for ISO 27013, resulting in an integrated management system that ensures the consistency and security of company processes and services, thus increasing customer satisfaction.
The ISO 27013 standard provides instructions on how to incorporate ISO 27001 and ISO 20000-1 in an automated manner for organisations that plan to:
This standard’s scope encompasses two ISO/IEC JTC1 subcommittees. SC 27 and SC 7 worked to ensure that the views of information technology and IT service management were adequately addressed.
The ISO 27013 standard also provides guidance on planning and prioritising tasks, including the following:
Book a tailored hands-on session based on your needs and goals.
Before planning an advanced management system, the organisation should have a firm grasp on the features, similarities, and distinctions between ISO/IEC 27001 and ISO/IEC 20000-1. This significantly reduces the amount of time and money required for implementation. The ISO 27013 Standard Clauses 4.2 to 4.4 offer an overview of the major principles behind all specifications, but should not be taken in place of a detailed analysis.
ISO/IEC 27001 establishes, implements, operates, monitors, reviews, maintains and improves an information security management system (ISMS) to safeguard information assets. The term “information assets” refers to data of any form, stored in any medium, and used by or inside the organisation for any reason.
To comply with ISO/IEC 27001, an organisation must adopt an information security management system (ISMS) based on a risk assessment method for identifying threats to information assets. The company should choose, adopt, evaluate, and revisit a number of risk management programmes as part of this function. These are referred to as controls.
The organisation should establish appropriate acceptable risk standards, taking market conditions and externally imposed things into account. Statutory and administrative requirements, as well as contractual commitments, are examples of externally imposed requirements.
ISO/IEC 20000-1 is applicable to organisations or segments of organisations that use or offer services. This enhances both the customer’s and the service provider’s value. However, the standard requires the service provider to monitor all processes affected by the standard, and only the service provider is capable of achieving compliance with ISO/IEC 20000-1.
The standard’s primary objective is to ensure that providers meet quality standards and provide value to both the user and the service provider. Service management manages and controls the operations and resources of a service provider in the planning, production, transfer, implementation, and expansion of services in order to meet the customer’s requirements (s).
To comply with the standard’s specifications, the service provider must incorporate a number of relevant service management processes. These include, but are not limited to, incident management, change management, and problem management. Information security management is a service management process specified in ISO/IEC 20000-1.
Often, service management and information security management are handled as though they are unrelated or inextricably linked. The context for this distinction is that while service management is readily associated with quality and performance, information security management is often overlooked as a necessary component of efficient service delivery. As a consequence, service management is often the first component to be introduced.
However, numerous control objectives and safeguards defined in ISO/IEC 27001, Annex A, are also included in the ISO/IEC 20000-1 service management requirements.
It helps drive our behaviour in a positive way that works for us
& our culture.
Implementing an advanced management framework such as ISO 27013 that considers both the services offered and the security of information assets will provide a variety of benefits.
The following are some of the main advantages of implementing ISO 27001 and ISO 20000-1 together:
With these advantages in mind, it is obvious that an automated approach to SMS and ISMS implementation is a great idea.
Any organisation that operates in the physical world has a great chance of being impacted by a cyber-attack. The fact is that we are not as safe as we may think. In fact, ISMS implementation gives companies more protection than they realise. Every year our lives become more intertwined with technology and therefore our reliance on it increases.
For this reason, auditors, as well as organisations that implement information security and/or service management programmes, and organisations participating in auditor training and certification or management system accreditation should consider the integrated implementation of ISO 27001 and ISO 20000-1.
An organisation considering implementing both ISO/IEC 27001 and ISO/IEC 20000-1 can be classified into three categories:
An organisation considering implementing an integrated management system should take the following into account:
Here at ISMS.online, we help companies to do the right thing by providing the tools and resources for them to run an integrated management system in line with the ISO 27013 standard. ISMS.online is an online software solution that allows users to demonstrate to their customers, regulators and auditors that they have a complaint management system.
Our powerful cloud-based software allows you to checklist your processes to ensure that they are in keeping with the requirements of the ISO 27013 standard. In fact, our system is one of the most practical, easy to use and comprehensive path to ISMS success.
ISMS.online also provide a Virtual Coach that offers 24/7 context-specific support. You can chat with us from within our platform and you’ll never take the wrong step or lose your way. Call ISMS.online on +44 (0)1273 041140 to find out more about how our platform can help you run an integrated management system that meets the requirements for ISO 27013.
We’re so pleased we found this solution, it made everything fit together more easily.
Easily collaborate, create and show you are on top of your documentation at all times
Find out moreEffortlessly address threats & opportunities and dynamically report on performance
Find out moreMake better decisions and show you are in control with dashboards, KPIs and related reporting
Find out moreMake light work of corrective actions, improvements, audits and management reviews
Find out moreShine a light on critical relationships and elegantly link areas such as assets, risks, controls and suppliers
Find out moreSelect assets from the Asset Bank and create your Asset Inventory with ease
Find out moreOut of the box integrations with your other key business systems to simplify your compliance
Find out moreNeatly add in other areas of compliance affecting your organisation to achieve even more
Find out moreEngage staff, suppliers and others with dynamic end-to-end compliance at all times
Find out moreManage due diligence, contracts, contacts and relationships over their lifecycle
Find out moreVisually map and manage interested parties to ensure their needs are clearly addressed
Find out moreStrong privacy by design and security controls to match your needs & expectations
Find out moreWe have everything you need to design, build and implement your first ISMS.
We’ll help you get more out of the infosec work you’ve already done.
With our platform you can build the ISMS your organisation really needs.
100% of our users achieve ISO 27001 certification first time