
ISO IEC 27013-2021 pdf Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1

IEC standards 11-29

4.2 ISO/IEC 27001 concepts

ISO/IEC 27001 provides a model for establishing, implementing, maintaining and continually improving an information security management system (ISMS) to protect information. Information can take any form, be stored in any way and be used for any purpose by, or within, the organization.

To achieve conformity with the requirements specified in ISO/IEC 27001, an organization should implement an ISMS based on a risk assessment process. As part of a risk treatment process, the organization should select, implement, monitor and review a variety of measures to manage identified risks. These measures are known as information security controls. The organization should determine acceptable levels of risk, taking into account the requirements of interested parties relevant to information security. Examples of requirements are business requirements, legal and regulatory requirements or contractual obligations.

ISO/IEC 27001 can be used by any type and size of organization. Excluding any of the requirements specified in ISO/IEC 27001:2013, Clauses 4 to 10, is not acceptable when an organization claims conformity to ISO/IEC 27001.

4.3 ISO/IEC 20000-1 concepts

ISO/IEC 20000-1 specifies requirements for establishing, implementing, maintaining and continually improving a service management system (SMS). An SMS supports the management of the service lifecycle, including the planning, design, transition, delivery and improvement of services, which meet agreed requirements and deliver value for customers, users and the organization delivering the services.

Some of the requirements specified in ISO/IEC 20000-1 are grouped into clauses indicating processes, such as incident management, change management and supplier management. Some requirements for information security management are specified in ISO/IEC 20000-1:2018, 8.7.3. All requirements specified in ISO/IEC 20000-1 are generic and are intended to be applicable to all organizations, regardless of the organization's type or size, or the nature of the services delivered. ISO/IEC 20000-1 is intended for management of services using technology and digital information.

Exclusion of any of the requirements in ISO/IEC 20000-1:2018, Clauses 4 to 10, is not acceptable when the organization claims conformity to ISO/IEC 20000-1, irrespective of the nature of the organization.

4.4 Similarities and differences

Service management and information security management are sometimes treated as if they are neither connected nor interdependent. The context for such separation is that service management can easily be related to efficiency, service quality, customer satisfaction and profitability, while information security management is often not understood to be fundamental to effective service delivery. As a result, service management is frequently implemented first. There are some shared concepts between these two disciplines, as well as concepts that are unique to each.
