What is the relationship between ISO 27001 and ISO 20000?December 6th, 2021 By Amywright
With more businesses investing in their information security processes, we have seen an increase in ISO/IEC 27001 certifications. Alongside this growth, we have also seen more curiosity regarding ISO/IEC 20000. It’s true that these two standards do have a lot of things in common but, more accurately, they complement each other. On the other hand, they also have differences, and these differences are worth exploring.
In this article, we will discuss:
- What is ISO/IEC 20000?
- What are the similarities between ISO/IEC 27001 and ISO/IEC 20000?
- What are the differences between ISO/IEC 27001 and ISO/IEC 20000?
- Can I implement ISO/IEC 27001 and ISO/IEC 20000 together?
What is ISO 20000?
ISO/IEC 20000 is a Service Management System (SMS) standard that specifies requirements for an organisation to establish, implement, maintain, and continually improve a service management system (SMS). The requirements specified in the standard include the planning, design, transition, delivery, and improvement of services to meet the service requirements and deliver value. It enables IT institutions to ensure their IT service management processes are aligned to the needs of the business and customers, whilst following international best practices.
What are the similarities between ISO 27001 and ISO 20000?
An ISO 27001 based ISMS (Information Security Management System) may seem like its related to information only, however information is a broad term, and can include raw data, the location, and the equipment where the data is held. It also includes devices, software, processing operations, management, people, and the organisation itself. Additionally, it includes communication channels, suppliers and procurement, development, and legislation. ISO 27001 relates to far more than just the information or data that we would normally expect.
ISO 20000 is also a very similar SMS (Service Management System). It defines, implements, manages, and improves IT service from its design through management and improvement after its release into the live environment. It goes beyond what the service does and includes how the service is built, how it is used, and how it handles issues that occur. It includes details on how you set up your organisation, how you handle third parties, how you report customer satisfaction, complaints, and compliments, etc. Many of the same or similar elements can be found in the ISO 27001 standard, but these are seen from a different point of view.
ISO 20000 is process-based and although ISO 27001 is not explicitly process-based, when you review the list of controls detailed in Annex A there are many where you would need to define a process to deal with the particular requirement. Seen from the ISO 20000 point of view, the standard requires Information Security Management, IT Service Continuity and Availability processes to be implemented. Requirements for those two processes are very much in line with ISMS requirements defined by ISO 27001.
What are the differences between ISO 27001 and ISO 20000?
Although both standards offer specific approaches, ISO 20000 is service based whereas ISO 27001 is risk management based; it has risk management at its core. ISO 20000 considers risks as one of the building elements of the IT service management and goes deep into the daily operation of the organisation, meaning that it coincides with some parts of the ISO 27001 (like information classification, access control, etc.) but looks at a far wider context.
In addition to information security, ISO 20000 gives an overall view on the service, including financial aspects, design, release, and deployment of the IT service. While ISO/IEC 20000 specifies a standard for service management, ISO/IEC 27001 focuses on risk assessment.
In ISO 20000 some common processes such as incident, change or capacity management, go into much more detail in order to manage IT services than those found in an ISMS aligned to the requirements of ISO27001.
Can I implement ISO 27001 and ISO 20000 together?
Yes, and with an experienced consultant, it’s relatively straightforward. Management systems provide benefits to any business, regardless of size or industry. Whether you’re looking to reduce costs, streamline your operations, reach customers on a global scale, or otherwise expand your business, you’ll benefit from having some form of management system in place. What kind of management system is right for you depends on your specific goals; both ISO/IEC 27001 for information security and ISO/IEC 20000 for IT service management can set out precise goals that can help streamline your company.
Speak to an ISO consultant today to better understand which ISO could be best for your business or if you’d benefit from multiple systems.
For a free Quotation or On-Site presentation by an ISO Specialist, contact us today!
The Gig House
Wiltshire SN16 9AX