New ISO IEC 20000-1: Alignment with ISO 27001

“We need ISO 20000 and ISO 27001; which one should we get first?” – I hear this question very often these days. It is an intriguing question. In my opinion, these two standards are closely linked and should be implemented as a single management system. The new release of ISO 20000-1 has made this easier than ever before.

To begin with, let’s look at the common management system requirements of ISO 27001 and ISO 20000-1:

  • Management responsibility
  • Document management
  • Resource management
  • Management reviews
  • Internal audit
  • Continuous improvement

Once an organization addresses the requirements listed above, it will have laid the foundation for both ISO 20000-1 and ISO 27001. Now, let’s look at section 6.6 (Information Security Management) of ISO 20000-1. The key elements of this section are:

  • Information security policy
  • Risk management
  • Information security controls
  • Security incident management

Requirements for the security policy and for incident management are defined in ISO 20000-1; however, it provides no details on risk management or security controls. Let’s discuss the critical elements of risk assessment:

  • Methodology for risk assessment
  • Risk analysis
  • Evaluation of risks
  • Risk treatment options
  • Calculation of residual risks

Section 4.2.1 of ISO 27001 provides these details. Where will you find the security controls? You can define your own controls or refer to a security standard. The best available source that I have found is Annexure A of ISO 27001. With a list of 133 security controls, there is no need to reinvent the wheel. Organizations can easily identify the controls applicable to their business and integrate them with their service management system.

Now you see why I think these two standards should be implemented together. Having said that, I’d like to clarify one point: it is not a prerequisite to implement the two standards together. I have worked with many organizations that have successfully implemented ISO 20000-1 without referring to ISO 27001. However, I recommend the integrated approach, which establishes an effective IT Service Management system on the robust backbone of an Information Security Management system.