BS ISO IEC 27013-2015 pdf free download – Information technology — Security techniques — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1.
4 overviews of ISO/IEC27001 and lsO/IEC 20000-1
4.1Understanding the International Standards
An organization should have a good understanding of the characteristics, similarities and differences ofISO/IEC 27001 and ISO/IEC 20000-1 before planning an integrated management system for informationsecurity management and service management. This maximizes the time and resources available forimplementation.4.2 to 4.4 provide an introduction to the main concepts underlying both InternatonalStandards but should not be used as a substitute for a detailed review.
4.2ISO/IEC 27001 concepts
ISO/IEC 27001 provides a model for establishing, implementing, maintaining and continually improvingan iSMS to protect information.Information can take any shape, be stored in any form and be used forany purpose by, or within, the organization.
To achieve conformity with the requirements specified in lSO/IEC 27001, an organization shouldimplement an ISMS based on a risk assessment process to identify risks to information.As part of thiswork, the organization should select, implement, monitor and review a variety of measures to managethese risks. These measures are known as controls. The organization should determine acceptablelevels of risk, taking into account the requirements of interested parties relevant to informationsecurity.Examples of requirements are business requirements, legal and regulatory requirements orcontractual obligations.
ISO/IEC 27001 can be used by any type and size of organization.4.3ISO/IEC 20000-1 concepts
ISO/IEC 20000-1 can be used by organizations，or parts of organizations,which use or provideservices. This adds value for both the customer and the service provider. All processes covered by thestandard should be controlled by the service provider, even if some processes are operated by otherparties. lt is only the service provider that can achieve conformity with the requirements specified inisO/IEC 20000-1.
The SMs directs and controls a service provider’s activities and resources in the design,development, transition, operation and improvement of services to fulfil service requirements asagreed with its customer(s).
To fulfil the requirements specified in ISO/IEC 20000-1, the service provider should implement a rangeof specific service management processes.These include incident management, change managementandproblem management, amongst others. Information security management is one of the ISo/iEC 20000-1 service management processes.
ISO/IEC 20000-1 can be used by any type and size of organization.4.4Similarities and differences
Service management and information security management are often treated as if they are neitherconnected nor interdependent. The context for such separation is that service management caneasily be related to efficiency and profitability， while information security management is oftennot understood to be fundamental to effective service delivery.As a result, service management isfrequently implemented first. However, as shown in Figure 1, many control objectives and controls inISo/IEC 27001:2013,Annex A are also included within the service management requirements for anSMs specified in ISO/IEC 20000-1.
Information security management and service management clearly address very similar processes and activities, even though each management system highlights different details. See Annex A for further information. When working with the two standards, it should be understood that their characteristics differ in more than one respect. For example, their scopes differ (see 5.2). They also have different goals. ISO/IEC 20000-1 is designed to ensure that the organization provides effective services, while ISO/IEC 27001 is designed to enable the organization to manage information security risk and prevent security incidents.BS ISO IEC 27013 pdf download.