As many management systems share common processes, it is possible to take an integrated approach to implementing them.
ISO/IEC 27001 and ISO/IEC 20000-1 are two such standards and share many of the same controls and control objectives. Therefore implementing a service management system (SMS) and an information security management system (ISMS) using an integrated approach would seem ideal.
ISO (The International Standards Organisation) and IEC (The International Electrotechnical Commission), have now released ISO/IEC 27013:2013. This standard gives guidance on the integrated implementation of both an SMS and ISMS.
ISO/IEC 27013 recognises that the similarities between ISO/IEC 27001 and ISO/IEC 20000-1 are so strong that by implementing both an SMS and ISMS, the unique opportunity of delivering efficient and effective IT services whilst protecting organisational information assets can be a reality for organisations.
Additional benefits of taking an integrated approach to SMS and ISMS implementation include:
- Increased credibility in offering secure and efficient IT service, to both internal and external customers, and stakeholders
- Considerably cheaper costs compared to implementing each individually
- Time savings owing to not having to develop processes twice that are common to both standards
- The elimination of unnecessary or duplicate processes
- A greater awareness of both service management and information security between service management and information security personnel
- Any organisation that is certified to ISO/IEC 27001 can more easily meet the requirements for information security in ISO/IEC 20000-1.
With these benefits being clear, it would seem that taking an integrated approach to SMS and ISMS implementation would be wise.