ISO/IEC 20000-1:2017 – What To Expect?
Author: Subrata Guha
ISO/IEC DIS 20000-1:2017 is about to become the newest revised international standard when it comes to IT service management.
About ISO/IEC 20000-1:2011
ISO/IEC 20000-1:2011 is a global service management system standard that describes the requirements a service provider must meet to improve its service management system. It aims to provide control and efficiency so that an organization and its team can run as smoothly as possible.
Why Update ISO/IEC 20000-1:2011?
With certifications and processes continually changing, ISO/IEC 20000-1:2011 is ready for a facelift. ISO/IEC 20000-1:2011 has stayed the same for over five years now, and in this digital age it is time for revisions.
About ISO/IEC DIS 20000-1:2017
The ISO/IEC DIS 20000-1:2017 version provides more specific requirements for planning, such as: a) what will be done; b) what resources will be required; c) who will be responsible; d) when it will be completed; e) how the results will be evaluated.
Specific Updates Include:
- New Sections: Organization and Its Context, Plan the Service
- New Requirements: Plan the Services, Knowledge Management, Asset Management, Demand Management, and Service Delivery
- Focuses On: Accountability, Measurements, and More Explicit Details
- New Annex SL Formatting
- Changes to documented procedures: the requirement for documented availability and capacity plans is replaced with a requirement to plan service availability and capacity
- Changes in Terminology: Service provider is now “Organization”
If you would like to learn more about ISO/IEC 20000-1:2017, contact us at DQS either by email at [email protected] or call us at 800-285-4476.
New ISO/IEC 20000-1: Alignment with ISO 27001
“We need ISO 20000 and ISO 27001, which one should we get first?” – I hear this question very often these days. This is a very intriguing question. In my opinion, these two standards are closely linked and should be implemented as a single management system. The new release of ISO 20000-1 has made this process easier than ever before. Both standards share a common set of management system requirements:
- Management responsibility
- Document management
- Resource management
- Management reviews
- Internal audit
- Continuous improvement
Once an organization addresses the requirements listed above, it will have laid the foundation for both ISO 20000-1 and ISO 27001. Now, let’s look at section 6.6 (Information Security Management) of ISO 20000-1. The key elements of this section are:
- Information security policy
- Risk management
- Information security controls
- Security incident management
Requirements for the security policy and for incident management are defined in ISO 20000-1; however, no details are provided on risk management or security controls. Let’s discuss the critical elements of risk assessment:
- Methodology for risk assessment
- Risk analysis
- Evaluation of risks
- Risk treatment options
- Calculation of residual risks
Section 4.2.1 of ISO 27001 provides these details. Where will you find the security controls? You can define your own controls or refer to a security standard. The best available source that I have found is Annex A of ISO 27001. With a list of 133 security controls, there is no need to reinvent the wheel. Organizations can easily identify the controls applicable to their business and integrate them with their service management system.
Now you see why I think these two standards should be implemented together. Having said that, I’d like to clarify one point: it is not a prerequisite to implement the two standards together. I have worked with many organizations that have successfully implemented ISO 20000-1 without referring to ISO 27001. However, I recommend the integrated approach, which establishes an effective IT Service Management system with a robust backbone of an Information Security Management system.