Here at IT Governance we have focused a lot on the recent launch of ISO/IEC 27001:2013. However, my interest in everything related to ITIL and service management hasn’t dimmed. In fact, some questions on how the new edition of ISO27001 relates to ITIL 2011 have come into my mind lately. I therefore perused the ITIL Lifecycle Publication Suite to see if anything clashed with the new version of ISO27001.
Having viewed the guidance in the Service Design publication, in which the Security Management process is documented, it would seem that not a lot clashes between the information security standard and the ITIL framework. It’s important to remember that ITIL was last updated in 2011 and therefore reflects the 2005 edition of ISO27001.
But are ITIL 2011 and ISO/IEC 27001:2013 compatible?
On the face of it, it would appear they are compatible. None of the guidance in ITIL 2011, including the plan-do-check-act (PDCA) cycle it mentions and asset-based risk assessment, is incompatible with ISO/IEC 27001:2013. Additionally, both ITIL 2011 and ISO/IEC 27001:2013 say you should use a set of information security controls, but neither mandates which set of controls you use, which in some ways could be seen as ITIL being ahead of the ISO27001 curve, given that it was published in 2011.
So to summarise, ITIL 2011 and ISO/IEC 27001:2013 can be employed together. Yes, some parts of ITIL will need to be updated to reflect the greater flexibility in implementing an ISMS that ISO/IEC 27001:2013 brings, and to align with its technical language, but other than these points, they can be widely leveraged together.
If you employ ITIL in your organisation and haven’t touched on ISO/IEC 27001 until now, ISO/IEC 27001:2013 makes it easier than ever to get started with ISMS implementation!