Conforming to the information security requirements of ISO/IEC 20000-1

Introduction

ISO/IEC 20000 is the standard for service management. It includes requirements for information security in clause 6.6, information security management.

Many organisations that wish to certify to ISO/IEC 20000-1 already hold certification to ISO/IEC 27001. The question then arises whether they automatically conform to the requirements of ISO/IEC 20000-1, 6.6.

The requirements for information security in ISO/IEC 20000-1

The requirements for information security management in clause 6.6 of ISO/IEC 20000-1 are aligned with the requirements in ISO/IEC 27001. The ISO/IEC 20000-1 requirements are, however, only a subset of those in ISO/IEC 27001, because the focus of the two standards is different: ISO/IEC 20000-1 is concerned with information security only as it affects the services in scope of the service management system.

The requirements of ISO/IEC 20000-1, 6.6 can be summarised as:

  • establish, approve and communicate an information security policy
  • establish information security objectives
  • conduct information security risk assessments to a defined approach and using criteria for accepting risks
  • identify controls to manage the identified risks
  • conduct information security audits at planned intervals and review the effectiveness of controls
  • document, agree and implement controls with external parties accessing, using or managing the service provider’s information or services
  • assess all requests for change (RFC) to identify risks to information security or impacts on the policy or controls
  • manage information security incidents, according to the ISO/IEC 20000-1 incident management procedure, and analyse them to identify improvements.

Scope

The first question to ask is about scope. Is the scope of the service management system (SMS) for ISO/IEC 20000-1 the same as, or within, the scope of the information security management system (ISMS) for ISO/IEC 27001? If the SMS scope is not fully covered by the ISMS scope, then the ISO/IEC 20000-1 requirements must all be assessed separately. If the ISMS scope is the same as or larger than the SMS scope, then there can be some crossover between the two standards.

Using the ISMS to support the ISO/IEC 20000-1 information security management

The information security policy established for ISO/IEC 27001 can be used for ISO/IEC 20000-1. However, it needs to be checked that it is appropriate for the SMS and the services to be delivered. It also needs to be communicated to ‘appropriate personnel within the service provider, customer and suppliers’ for the scope of the SMS.

Similarly, the information security objectives established for ISO/IEC 27001 can be used for ISO/IEC 20000-1, but they need to be checked to see whether any additions are required to make them appropriate for the SMS and the services.

The risk assessment method used in the ISMS is entirely appropriate for the SMS. The risks still need to be assessed for the SMS and the services, which may not have been done for ISO/IEC 27001. Similarly, the controls to manage these risks need to be appropriate to the risks identified, which may require additional controls beyond those selected for ISO/IEC 27001. The documented agreements, and their implementation, with external parties accessing, using or managing the service provider’s information or services may be covered by an ISO/IEC 27001 control, but this needs to be checked.

Audits of information security can be conducted in the same way as for ISO/IEC 27001 and may be done by the same or different staff. Specific activities to check the effectiveness of controls, such as penetration testing, may be required for the services in scope of the SMS.

The assessment of all RFCs for any impact on information security needs to be checked to see how it works with the ISO/IEC 27001 controls and how it interfaces with the ISO/IEC 20000-1 change management process. It is likely that additional activities will be required here, since an ISMS does not necessarily require every RFC to be assessed.

The recording and management of information security incidents will already be set up through ISO/IEC 27001, but it will be necessary to check that this meets the requirements of the ISO/IEC 20000-1 incident management procedure, and that incidents are analysed to identify improvements.

So if I have ISO/IEC 27001 certification, do I conform to the information security requirements of ISO/IEC 20000-1?

The answer is that it is unlikely you will meet all the requirements of ISO/IEC 20000-1, 6.6 simply because you are certified to ISO/IEC 27001. You are likely to meet some of them, but you need to look carefully at each requirement of clause 6.6 to ensure that what is set up in your ISMS is appropriate for the SMS and the services in scope of ISO/IEC 20000-1.

Further information

ISO/IEC 20000-2 provides further information about the requirements in ISO/IEC 20000-1, 6.6.

Lynda Cooper, an independent consultant and trainer, is one of the first people in the world to hold the ITIL Master qualification. Lynda chairs the BSI committee for IT service management (ITSM) and is one of the authors of ISO/IEC 20000. Lynda sits on various ISO/IEC committees and is the project editor for ISO/IEC 20000-1 and ISO/IEC 90006.

Lynda.cooper@service20000.com


Author Lynda Cooper  Originally published - September 16, 2015
