ISO/IEC 27013
ISO/IEC 27013:2015 – Information technology – Security techniques – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (2nd edition)
Introduction
In this standard, guides are provided for implementing a security management system and an IT service management system, both compliant with ISO/IEC 27001:2005 (ISMS) and ISO/IEC 20000-1:2011 (a standard for IT service management, based on ITIL).
Among the benefits are:
– Secure and effective information/IT service provision.
– Cost savings, a quicker implementation, increased communication, improved reliability, and an easier certification process because of integration and standardization.
– Understanding between information security and service management personnel.
Scope and objectives
By providing guidance on the processes and supporting documentation for implementing an integrated dual management system, the standard helps users:
– ISO/IEC 27001 implementation when ISO/IEC 20000-1 is already in place; or vice versa;
– Implementing both ISO/IEC 27001 and ISO/IEC 20000-1 together; or
– Ensure that existing ISO/IEC 27001 and ISO/IEC 20000-1 management systems operate in accordance.
The scope of this standard consists of two ISO/IEC JTC1 subcommittees. To maintain information security and IT service management perspectives, SC 27 and SC 7 collaborated to ensure they were both met.
The content
The standard offers guidelines for organizing and prioritizing activities, including advice on:
– Affirmation of the information security objectives and the improvement of the service management objectives;
– Coordination of multidisciplinary activities, resulting in an integrated and integrated approach (for example, both donor standards stipulate incident management, but the incidents are varying in scope but are mostly identical);
– A collection of processes and supporting documents (policy, procedure, etc.);
– A shared language and vision;
– A combination of benefits for service providers and customers, and additional benefits that result from the integration of both management systems; and
– Auditing both management systems simultaneously, which should result in a cost reduction.
The 27001 and 20000 standards are compared in two annexes.
The standard’s status
In 2012, the standard was published for the first time.
In 2015, this document was revised to coincide with ISO/IEC 27001 version 2013.
Revisions will bring the standard up to date with the current 2018 version of ISO/IEC 20000-1, as well as the current 2013 version of ISO/IEC 27001 standard. A 2022 publication date has been set.
Currently, the 3rd edition is in the Draft International Standard stage. The new title of the document will be “Information security, cybersecurity and privacy protection – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1”.
Commentary
100 times as many times as possible: “There is more to information security than securing IT. There is more to information security than securing IT. There is more to information security than securing IT. There is more to information security than securing IT …”
An organization that implements both ISO27k and ISO20k together would benefit from pragmatic advice. Perhaps the second or third edition’s 60 or so pages will be more helpful…
Due to a pending update to ‘27001,’ the revised standard will not reflect that update.