Integrating information security and service management - a new ISO/IEC standard tells how
by Elizabeth Gasiorowski Denis
Busy office

ISO and IEC have published a new International Standard giving organizations advice on how to make integrated use of information security and service management system standards.

The relationship between information security and service management is so close that many organizations already recognize the benefits of adopting both standards: ISO/IEC 27001 for information security and ISO/IEC 20000-1 for service management.

The new
ISO/IEC 27013:2012, Information technology – Security techniques – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1, provides guidance to be used whether one standard is implemented before the other, or both standards are implemented simultaneously.

"Both ISO/IEC 27001 for information security and ISO/IEC 20000-1 for service management address very similar processes and activities, including the important principle of continual improvement" said Edward Humphreys, Convenor of the information security management systems working group (ISO/IEC JTC 1/SC 27). "A number of advantages can be gained by implementing an integrated management system which takes into account not only the services provided, but also the protection of information assets."

Jenny Dugmore, an editor of the new standard and former Convener of the service management working group (ISO/IEC JTC 1/ SC 7), added: "The publication of ISO/IEC 27013 arose from the recognition that combining use of both International Standards brings additional benefits. ISO/IEC 27013 gives guidance on the first steps to be taken by organizations that wish to increase efficiency, improve their information security, service management and services."

Key benefits of an integrated implementation include:

  • Gaining credibility for an effective and secure service to internal or external customers of the organization
  • Lowering costs of an integrated programme
  • Reducing implementation time due to the integrated development of processes common to both standards
  • Eliminating necessary duplication
  • Promoting understanding between service management and security personnel
  • Improving the certification process

  • Users of this International Standard include auditors, organizations implementing information security and/or service management systems, and organizations involved in auditor certification or training, certification/registration of management systems, and accreditation or standardization in the area of conformity assessment.

    A technical report ISO/IEC TR 20000-10 is under development to provide an overview of the concepts of ISO/IEC 20000, explaining the terminology used within the series and identifying how the different parts of ISO/IEC 20000 interact with each other and how the standard is interrelated with other ISO/IEC standards. Similarly, ISO/IEC TR 90006 is under development as audit guidelines for the application of ISO 9001 to service management.

    ISO/IEC 27013:2012, Information technology – Security techniques – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1, was developed by joint technical committee ISO/IEC JTC 1, Information technology, subcommittee SC 27, IT Security techniques, in cooperation with ISO/IEC JTC 1, subcommittee SC 7, Software and systems engineering. It costs 140 Swiss francs and is available from ISO national member institutes (see the complete list with contact details) and from ISO Central Secretariat through the ISO Store or by contacting the Marketing, Communication and Information department.

    iso.org