ISO/IEC 27013 was revised and republished late in 2015 to reflect the updated ISO/IEC 27001:2013 standard, information security management system requirements and the updated ISO/IEC 27000:2014, overview and vocabulary.
ISO/IEC 27001 has been updated into the revised high level structure for management system standards in line with many other standards such as ISO 9001, ISO 14001 and ISO/IEC 22301. ISO/IEC 20000-1 is currently being revised into this new structure and is due for republication in 2018.
What is ISO/IEC 27013?
ISO/IEC 27013 has the title Information technology — Security Techniques – Guidance on the integrated implementation of ISO/IEC 27001and ISO/IEC 20000-1.
The guidance is useful for organizations who are implementing the two standards together or those who have implemented one and now wish to implement the other using an integrated management system. The standard does not contain the text of other standards and needs to be read in conjunction with ISO/IEC 27001 and ISO/IEC 20000-1.
The body of the document is 15 pages with 23 pages of annexes containing reference tables. The annexes have been considerably extended from the 12 pages of the previous edition. This is largely due to annex B, the comparison of terms, because ISO/IEC 27000 now has many more terms defined than previously.
After the usual introductory and mandatory clauses, the contents are:
- Overviews of ISO/IEC 27001 and ISO/IEC 20000-1
- Approaches for integrated implementation
- Considerations of scope
- Pre-implementation scenarios
- Integrated implementation considerations
- Potential challenges
- Potential gains
- Annex A (informative) Correspondence between ISO/IEC 27001:2005 and ISO/IEC 20000-1:2011
- Annex B (informative) Comparison of ISO/IEC 27000:2009 and ISO/IEC 20000-1:2011 terms
ISO/IEC 27013 states ‘Service management and information security management are often treated as if they are neither connected nor interdependent. The context for such separation is that service management can easily be related to efficiency and profitability, while information security management is often not understood to be fundamental to effective service delivery. As a result, service management is frequently implemented first. However, as shown in Figure 1, many control objectives and controls in ISO/IEC 27001:2013, Annex A are also included within the service management requirements for an SMS specified in ISO/IEC 20000-1.’
Annex A shows a detailed comparison table at clause and sub-clause level with ISO/IEC 27001 as a base compared to ISO/IEC 20000-1. The similarities and differences are summarised in the figure.
The terms and definitions used are those of ISO/IEC 27000:2013 and ISO/IEC 20000-1:2011. There is a very useful comparison of terms in Annex B. This is vital due to some differences and implications for integrated management systems.
Terms which are used in one standard only are covered e.g. Authentication is defined and used in 27000/1 but not in 20000, Configuration item is defined and used in 20000 but not in 27000/1. An information asset (term used in 27001) can also be a configuration item (term used in 20000-1) but not all information assets will be configuration items.
The most significant identical term used in both standards is information security incident. However, the term ‘incident’ is used in different ways in each standard. The word Incident is used in ISO/IEC 27001 to mean ‘something that has gone wrong with the security of the in-scope environment’. In ISO/IEC 20000-1 the word Incident has a defined meaning and is more specific than in ISO/IEC 27001. In ISO/IEC 20000-1 Incident is one of a series of related terms and is not only associated with information security incidents. Information security incidents in ISO/IEC 20000 Clause 6.6 are required to be managed according to the incident management process which can introduce variations from the controls in ISO/IEC 27001. This difference between the terms and its implications are explained further in ISO/IEC 27013 with a useful diagram as below.
There is a discussion on the scope of the management system for each standard. Information security can cover the whole organisation or may be restricted to parts of the organisation. Service management is restricted to the parts of the organisation that deliver service. These two scopes may differ, may overlap or may be the same.
ISO/IEC 27013 is an essential document for those wanting to build an integrated management system for both ISO/IEC 27001 and ISO/IEC 20000-1.
ITIL Master, ISO/IEC 20000-1 project editor, ISO/IEC 27001 lead auditor, consultant and trainer
Permission to reproduce extracts from BSI ISO/IEC 20000-1:2011 is granted by BSI. British Standards can be obtained in PDF or hard copy formats from the BSI online shop: www.bsigroup.com/Shop or by contacting BSI Customer Services for hardcopies only: Tel: +44 (0)20 8996 9001, Email: firstname.lastname@example.org.