All management systems based on ISO standards have one thing in common: the cycle of PDCA (Plan, Do, Check, and Act), which can make it easier to integrate and achieve different ISO standards in an organisation.
As these management systems share similar processes they can be implemented in a unified fashion. This streamlined approach is reflected in the ISO/IEC 27013 framework, which was created to provide guidance to organisations on how to integrate information security and service management system requirements.
What is the ISO 27013 Standard?
The International Organisation for Standardisation (ISO) maintains a wide range of standards as an international body. In general, the standards represent the consensus of experts from around the world on matters relating to their fields. The ISO 27000 series is one of the most important standards for information security. This series of standards provides a framework for managing information security risks.
The ISO 27013 standard establishes the requirements for an organisation to implement Information Security Management System (ISMS) and Service Management System (SMS).
ISO/IEC 27001 is a standard that defines information security management systems (ISMS) that provides organisations with a powerful framework for implementing best practices and guidelines on cybersecurity. ISO/IEC 20000-1 is an international framework for IT service management that allows organisations to ensure that their IT service management systems are compatible with business needs.
The ISO 27013 standard was created to assist organisations in implementing both ISO 27001 and ISO 20000-1 concurrently or in implementing one where another is already in place. By doing so, businesses can maximise customer loyalty, gain a strategic edge, enhance corporate operations, and over time, realise significant cost savings.
What is an ISMS?
An ISMS is an Information Security Management System. This is a framework for implementing security initiatives such as access controls, incident response, monitoring, security training, and much more. An ISMS is sometimes referred to as ISO 27001 after the international standard that is used for this framework.
It describes and demonstrates your organisation’s approach to Information Security. These systems can be implemented in any number of ways depending on your business.
Understanding what an ISMS is and the function(s) it serves is important to achieving compliance with ISO 27001, according to the U.S. Department of State. According to the ISO 27001 standard, all organisations should have an Information Security Management System implemented.
What is IT Service Management?
IT Service Management, most commonly known as ITSM, is a consensus within the IT industry regarding how services are delivered to clients. Simply put, ITSM is a framework for providing and supporting IT services. The practices that define ITSM can be used in any organisation regardless of size, type of technology or level of business activity.
ITSM enables effective and efficient delivery of IT services to internal or external customers. An IT service is any product that is delivered to a customer and may be funded, performed, or procured as an IT service.
It is essentially a management framework that helps you manage and organise all the aspects of delivering services in an effective, efficient, reliable, secure manner aligned with customer’s needs and expectations. ISO 20000-1 is the standard for IT service management (ITSM) systems and set guidelines for external party’ certification audit. The goal of ISO 20000-1 is the strategic alignment of ITSM with other IT activities, processes and resources.
Integrated Implementation of ISO 27001 and ISO 20000-1 Based on ISO 27013
ISO/IEC 27001 and ISO/IEC 20000-1 are two standards that share a large number of components and objectives, as well as the critical principle of continuous improvement. Thus, integrating the implementation of a service management system (SMS) and an information security management system (ISMS) would be the optimal solution.
These are the PDCA points from ISO 27001 and ISO 20000 that can be integrated during the implementation of ISO 27013:
Specifies internal guidelines for the integrated system’s administration.
All staff who would be affected by the integrated management system’s implementation must receive adequate education in information security and service management.
Internal and external correspondence about the integrated management framework must be conducted in accordance with defined guidelines (usually defined as communications protocol).
Definition of objectives
Defines the objectives to be accomplished through the implementation of the integrated system. This will also include the establishment of certain benchmarks for determining if the targets have been met.
Definition of responsibilities
Sets out the responsibilities for the integrated system’s management. Typically, this term refers to the person who is accountable for the integrated system. Additionally, a team that includes senior management as the primary member will be formed for the integration of the management system.
ISMS.online was the only tool we found that hit the sweet spot of providing a comprehensive and proven ISMS, ‘out of the box’, at a reasonable price for a mid-sized organisation. And unlike many other solutions, a complete ISMS and data privacy were integrated well in one package.
Risk and Compliance Director, REPL
Control of documents and records
Provision must be made for the control and management of the integrated system’s documentation and records.
For ISO 27001, metrics must be put in place to assess the effectiveness of security controls. For ISO 20000, metrics must be established to assess the effectiveness of protocols.
An internal audit will be conducted to identify potential nonconformities in the integrated system and to assess the extent of compliance in relation to standard requirements.
The organisation’s top management must evaluate a set of points of entry into the integrated management system. They are required to make certain findings or results as a result of the analysis.
The integrated system’s management will establish corrective and preventive measures for the treatment of identified nonconformities (usually detected in audits, reviews, etc.).
As we can see, both ISO 27001 and ISO 20000-1 requirements are completely compatible and can be seamlessly combined to form the basis for ISO 27013, resulting in an integrated management system that ensures the consistency and security of company processes and services, thus increasing customer satisfaction.
Scope and Purpose of the ISO 27013 Standard
The ISO 27013 standard provides instructions on how to incorporate ISO 27001 and ISO 20000-1 in an automated manner for organisations that plan to:
- Implement ISO/IEC 27001 after adopting ISO/IEC 20000-1, or vice versa; implement ISO/IEC 27001 and ISO/IEC 20000-1 concurrently or
- Align and integrate previously implemented ISO/IEC 27001 and ISO/IEC 20000-1 management systems.
This standard’s scope encompasses two ISO/IEC JTC1 subcommittees. SC 27 and SC 7 worked to ensure that the views of information technology and IT service management were adequately addressed.
The ISO 27013 standard also provides guidance on planning and prioritising tasks, including the following:
- Aligning the goals of information security, service administration, and improvement;
- Coordination of collaborative tasks, resulting in a more coordinated and aligned framework;
- Creating a collection of protocols and supporting documentation (policies, practices, and etc);
- Common terminology and goals;
- Providing benefits to service providers and customers as a result of the convergence of all control systems; and
- Concurrent auditing of all control processes, resulting in expense savings.
Understanding the ISO 27001 and ISO 20000-1 Concept
Before planning an advanced management system, the organisation should have a firm grasp on the features, similarities, and distinctions between ISO/IEC 27001 and ISO/IEC 20000-1. This significantly reduces the amount of time and money required for implementation. The ISO 27013 Standard Clauses 4.2 to 4.4 offer an overview of the major principles behind all specifications, but should not be taken in place of a detailed analysis.
4.2 ISO/IEC 27001 Concepts
ISO/IEC 27001 establishes, implements, operates, monitors, reviews, maintains and improves an information security management system (ISMS) to safeguard information assets. The term “information assets” refers to data of any form, stored in any medium, and used by or inside the organisation for any reason.
To comply with ISO/IEC 27001, an organisation must adopt an information security management system (ISMS) based on a risk assessment method for identifying threats to information assets. The company should choose, adopt, evaluate, and revisit a number of risk management programmes as part of this function. These are referred to as controls.
The organisation should establish appropriate acceptable risk standards, taking market conditions and externally imposed things into account. Statutory and administrative requirements, as well as contractual commitments, are examples of externally imposed requirements.
4.3 ISO/IEC 20000-1 Concept
ISO/IEC 20000-1 is applicable to organisations or segments of organisations that use or offer services. This enhances both the customer’s and the service provider’s value. However, the standard requires the service provider to monitor all processes affected by the standard, and only the service provider is capable of achieving compliance with ISO/IEC 20000-1.
The standard’s primary objective is to ensure that providers meet quality standards and provide value to both the user and the service provider. Service management manages and controls the operations and resources of a service provider in the planning, production, transfer, implementation, and expansion of services in order to meet the customer’s requirements (s).
To comply with the standard’s specifications, the service provider must incorporate a number of relevant service management processes. These include, but are not limited to, incident management, change management, and problem management. Information security management is a service management process specified in ISO/IEC 20000-1.
4.4 Similarities and distinctions
Often, service management and information security management are handled as though they are unrelated or inextricably linked. The context for this distinction is that while service management is readily associated with quality and performance, information security management is often overlooked as a necessary component of efficient service delivery. As a consequence, service management is often the first component to be introduced.
However, numerous control objectives and safeguards defined in ISO/IEC 27001:2005, Annex A, are also included in the ISO/IEC 20000-1 service management requirements.
What are the Benefits of Implementing ISO/IEC 27013 Standard?
Implementing an advanced management framework such as ISO 27013 that considers both the services offered and the security of information assets will provide a variety of benefits.
The following are some of the main advantages of implementing ISO 27001 and ISO 20000-1 together:
- Increased trustworthiness in providing reliable and effective IT services to internal and external clients, as well as stakeholders
- Huge cost savings, when compared to implementing each one separately.
- Time savings due to the elimination of the need to create systems that are common to all requirements twice.
- Processes that are redundant or unnecessary will be eliminated.
- Among service management and information security staff, there is a greater knowledge of both service management and information security.
- Any organisation that has achieved ISO/IEC 27001 certification will more readily meet the ISO/IEC 20000-1 standard for information security.
With these advantages in mind, it is obvious that an automated approach to SMS and ISMS implementation is a great idea.
Who Should Implement ISO 27013?
Any organisation that operates in the physical world has a great chance of being impacted by a cyber-attack. The fact is that we are not as safe as we may think. In fact, ISMS implementation gives companies more protection than they realise. Every year our lives become more intertwined with technology and therefore our reliance on it increases.
For this reason, auditors, as well as organisations that implement information security and/or service management programmes, and organisations participating in auditor training and certification or management system accreditation should consider the integrated implementation of ISO 27001 and ISO 20000-1.
What Are the Requirements for Implementing ISO 27013?
An organisation considering implementing both ISO/IEC 27001 and ISO/IEC 20000-1 can be classified into three categories:
- They have ad-hoc management structures that include both information security management and service management;
- They have a management framework based on one of either standard;
- They have different management systems based on the two standards, which are not integrated (separate management systems based on the two standards).
An organisation considering implementing an integrated management system should take the following into account:
- Any other management system(s) currently in operation;
- All services, procedures, and their interrelationships within the framework of the integrated management system;
- Characteristics of each standard that can be merged and how they can be merged; Characteristics that must stay distinct;
- The integrated management system’s effect on clients, vendors, and other stakeholders;
- The integrated management system’s impact on technologies in use;
- The integrated management system’s impact on, or danger to, services and business management;
- The integrated management system’s impact on, or risk to, information security;
- Information security management training and education;
- The integrated management system’s stages and timeline of implementation.
How ISMS.online Make Running an Integrated Management System Easy
Here at ISMS.online, we help companies to do the right thing by providing the tools and resources for them to run an integrated management system in line with the ISO 27013 standard. ISMS.online is an online software solution that allows users to demonstrate to their customers, regulators and auditors that they have a complaint management system.
Our powerful cloud-based software allows you to checklist your processes to ensure that they are in keeping with the requirements of the ISO 27013 standard. In fact, our system is one of the most practical, easy to use and comprehensive path to ISMS success.
ISMS.online also provide a Virtual Coach that offers 24/7 context-specific support. You can chat with us from within our platform and you’ll never take the wrong step or lose your way. Call ISMS.online on +44 (0)1273 041140 to find out more about how our platform can help you run an integrated management system that meets the requirements for ISO 27013.
Take a deep dive into some of our more advanced features
What kind of help do you need from us?
New to information security?
We have everything you need to design, build and implement your first ISMS.
Ready to transform your ISMS?
We’ll help you get more out of the infosec work you’ve already done.
Want to unleash your infosec expertise?
With our platform you can build the ISMS your organisation really needs.