Must-read highlights

Contents

Page 4-7: The value and benefits of ISO/IEC 27001 certification – Auditor’s perspective

Page 10-15: Combine security practices for a successful ISMS implementation and be prepared for the ISO/IEC 27001 audit

Page 18-19: PECB MS Client Success Story - ISO/IEC 27032

Page 24-27: ISO/IEC 20000-1 Q&A Session with Mostafa Alshamy



Page 2

Certifications to the ISO/IEC 27001 standard had an increase by 22% from 2019.

Source: ISO Survey 2020

Pages 4-7

The value and benefits of ISO/IEC 27001 certification – Auditor’s perspective
By Oludare Ogunkoya

ISO/IEC 27001 Information Security Management Systems

With information security breaches now the new normal, security teams are compelled to take dedicated measures to reduce the risk of suffering a damaging breach. ISO/IEC 27001 presents an effective way of reducing such risks.

ISO/IEC 27001 is an internationally accepted standard for governing the information security management system (ISMS) of an organization. The ISMS preserves the confidentiality, integrity, and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

ISO/IEC 27001 guides organizations on how to create and run an effective information security program through policies, procedures, and associated legal, physical, and technical controls supporting an organization’s information risk management processes. It is vital that the ISMS is integrated with the organization’s processes and overall management structure, and that information security is considered in the design of processes, information systems, and controls.

ISO/IEC 27001 and Privacy - Relationship with ISO/IEC 27701 and GDPR

Certificates of conformity with ISO/IEC 27001 can be issued without a guarantee that data protection needs have been adequately met. While data protection naturally requires a degree of information security, it goes much further than simply protecting the information: the organization must also protect the rights of the data subjects, which cannot be ensured through information security alone.

ISO/IEC 27701 - Privacy Information Management System (PIMS) is an extension of ISO/IEC 27001 that enhances it, and the two are closely related. ISO/IEC 27701’s approach acknowledges that information security (the preservation of the confidentiality, integrity and availability of information) is a key aspect of effective privacy management. The ISMS requirements documented in ISO/IEC 27001 can support adding sector-specific requirements onto the ISMS without adding a new management system specification.

ISO/IEC 27701 defines the additional requirements for an ISMS to cover privacy and outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage data privacy. These are supported by additional controls that relate specifically to data protection and privacy, which together create a Privacy Information Management System (PIMS).

Despite how neatly ISO/IEC 27701 ties into ISO/IEC 27001, the truth is that they cover different topics. The former addresses the organization’s privacy controls, while ISO/IEC 27001 addresses information security.

To explain it from another perspective, ISO/IEC 27001 relates to the way an organization keeps data accurate, available, and accessible only to approved persons, while ISO/IEC 27701 relates to the way an organization collects personal data and prevents unauthorised use or disclosure.

In a broad perspective, ISO/IEC 27001 is the overarching standard for information security, including privacy (ISO/IEC 27701). Organizations that are already ISO/IEC 27001 compliant will only have a few extra tasks to complete, such as a second risk assessment, to account for the new controls. Since the introduction of the EU’s General Data Protection Regulation (GDPR), and the ongoing growth in comparable data protection laws around the world, there has been an increasing need for a standard or code of conduct to support compliance.

ISO/IEC 27701, published in August 2019, aims to fill the assurance gap and provides an international approach to data protection as an extension of information security.

Why should organizations consider certification against ISO/IEC 27001?

There can never be a more appropriate time for organizations all over the world to consider ISO/IEC 27001 certification, as this helps to improve the management of information security risks and improves the effectiveness and efficiency of information security processes first and foremost. Further benefits include:

Demonstration of strong commitment to the security of global business partners;

Increased customer trust and confidence;

Helping the organization to prioritize information security budget and resources based on their specific risks;

Effectively managing disparate standards like PCI DSS, BCMS, and SMS in a comprehensive and repeatable way, which helps to show that an organization is proactive in its information security and compliance efforts and could be just what is needed to stay ahead in the industry.

Finding the right Certification Body to conduct your ISO/IEC 27001 certification audit

When an organization implements an information security management system according to ISO/IEC 27001, usually the following step is to get that management system certified by a certification body. A certification body is an independent third party responsible for the audit and certification process.

Organizations use certification bodies to obtain independent recognition. Today, there are thousands of certification bodies covering different boundaries. The task of finding the right one to conduct an ISO/IEC 27001 audit depends on several factors. It should be noted that different organizations will value different things while making their choice, as there is no universal solution.

Reputation: the credibility of the certification body;

Accreditation: whether the certification body has the authority to issue accredited certificates;

Specialization: the areas of competence of their auditors, e.g., manufacturing, banking, oil & gas, etc.;

Experience: the wealth of knowledge of their auditors, which is very crucial;

Flexibility: the ease with which changes can be accommodated, e.g., do they have local auditors, how optimized are their processes, good use of technology, et al.

Choosing a certification body can be much more than just comparing prices in a commoditized market.

Focus should always be placed on value rather than just getting a piece of paper saying that you are certified.

An organization can think beyond just compliance. Many organizations forget that they are the ones choosing and paying the certification body. Of course, certification bodies need to follow a code of conduct and their internal processes, and if your management system does not comply with the requirements of the standard(s), they have to raise nonconformities. But they may introduce a fresh, outside look that brings value to your management system.

So, do your due diligence and choose the right certification body according to what is valued by your organization.

Leveraging the roughly 20 years of auditing experience that I possess, and having worked with several accredited certification bodies, PECB MS stands out from the pack, considering all the factors mentioned above.

Audit and certification process for ISO/IEC 27001 and importance of maintaining certification

Once an organization has implemented all the requirements of ISO/IEC 27001, the next step would be to complete an application form and send it to PECB MS, formally requesting an independent assessment of the management system. After this application has been reviewed and approved by the certification body, an auditor is appointed to conduct the independent assessment in the name of the certification body. If it is an initial assessment, two (2) stages of audit are carried out, namely the Stage 1 and Stage 2 audits.

During the Stage 1 audit, the auditor will assess whether your documentation meets the requirements of ISO/IEC 27001 and point out any areas of nonconformity and potential improvement of the management system. Once any required changes have been made, the organization will then be ready for the Stage 2 audit.

During the Stage 2 audit, the auditor will conduct a thorough assessment to establish whether the implemented ISMS is in compliance with ISO/IEC 27001; i.e., the Stage 2 audit will validate whether the implemented system is operationalized in line with the system design that was verified in Stage 1.

If the auditor finds something that does not conform to the requirements of the standard, they will raise a “nonconformity”. These can be major or minor and, as the names suggest, they vary in importance. Some auditors take note of a third level of item, often called an observation and/or opportunity for improvement. These are not nonconformities and so do not affect the result of the audit, but they may be useful for improvement purposes.

Once the audit has been completed, the auditor will write up the report, often whilst still on site. They will then tell you the result of the audit and go through any nonconformities that have been raised.

Certification to the standard is conditional upon any nonconformities being addressed and upon the higher-level body that regulates the auditors agreeing with the report after its review and evaluation.

For most accredited certification bodies, this review normally takes a while, so even if you have no nonconformities, officially your organization is not certified yet. This is one of the unique strengths of PECB MS, as they ensure that all reviews and evaluations are concluded within the shortest period of time upon submission of the audit documentation after the completion of the Stage 2 audit.

A lot of the time, regulatory imperatives have a big impact on the audit itself, since one of the audit objectives is to demonstrate compliance with all applicable requirements, which include regulatory imperatives. Hence, conformity with the ISO/IEC 27001 requirements alone may not be sufficient to attest that an organization’s established ISMS can be issued a conformity certificate. For instance, there was a case where I raised a major nonconformity against an organization’s ISMS implementation, not as a result of non-fulfilment of the management clauses, but because of some infractions against local laws, including non-payment of corporate taxes. This demonstrates that the ISMS must fulfil all applicable requirements, including regulatory, contractual, legal, and business context alike.

One of the fastest ways to improve any management system, including an ISMS, is to have an effective continual monitoring and evaluation process in place. For instance, focusing ISMS objectives/targets on areas that have shown significant weakness and de-emphasizing areas where strong achievement of objectives has been made will go a long way in improving the management system. In addition, as much as possible, all relevant tasks pre-defined to achieve established objectives must be measurable.

The slogan: anything that cannot be measured would be difficult to improve.

Implementation of an Information Security Management System (ISMS) using ISO/IEC 27001 is vital for all organizations, as the benefits are numerous:

Improves the management of information security risks;

Improves the effectiveness and efficiency of information security processes;

Demonstrates compliance with legal/regulatory requirements, hence preventing revenue loss as a result of penalties/fines;

Increases competitive advantage; and

Increases customer confidence and trust.

In conclusion, the benefits of implementing an ISMS using ISO/IEC 27001 outweigh the cost; i.e., the overall gains derived are far greater than the financial outlay incurred in its implementation. Hence, it is almost certain that more organizations will embrace this standard year on year.

About the Author

Oludare Ogunkoya is a well-bred auditor with a diverse perspective and over 20 years of industry experience. He is an astute practitioner in the field of Information Security, Governance, Risk and Compliance (GRC) in various sectors, including financial institutions, manufacturing and the public sector, among others.

Since 2017, on behalf of PECB MS, Mr. Ogunkoya has been leading audits for many large firms with a lot of diligence and in the most professional way.

His will to cooperate, his impartiality, punctuality, and outstanding professional preparedness against ISO/IEC 27001:2013, ISO/IEC 20000-1:2018, ISO 22301:2019, ISO 9001:2015, and ISO 45001:2018 have been prominent in all the audits that he has conducted. We are honored to have Mr. Ogunkoya as part of the PECB MS Auditors Network.

Pages 8-9

How can you simply start to protect your information with ISO/IEC 27001 controls?

A.9.4.3. Password management system

Password management systems shall be interactive and shall ensure quality passwords.
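A.9.4.3 asks for a password management system that is interactive and ensures quality passwords. The Python script below is an added example, not part of this publication or of the standard, of the interactive half of that control: it evaluates a candidate password and returns every reason it falls short, so the reasons can be shown to the user at once instead of a bare "rejected". The thresholds, the small denylist, the keyboard rows and the names `assess_password`, `normalize` and `has_sequence` are assumptions made for illustration; a production system would compare against a full common/breached-password corpus rather than the handful of words embedded here.

```python
"""Added example: interactive password quality feedback (ISO/IEC 27001:2013 A.9.4.3)."""
import re
from dataclasses import dataclass

# Constructed policy values (assumptions; the control text itself sets no numbers).
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3

# Constructed stand-in for a real common/breached-password corpus.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "iloveyou", "admin"}

# Rows of common sequences; any 4-character run from these, in either direction, is flagged.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Undo the substitutions people apply to a banned word (P@ssw0rd -> password).
LEET = str.maketrans("@$!013", "asiole")


@dataclass
class Assessment:
    acceptable: bool
    findings: list  # human-readable reasons, meant to be shown to the user immediately


def normalize(pw: str) -> str:
    """Lower-case, strip trailing digits/symbols, then undo leetspeak before the denylist lookup."""
    stripped = re.sub(r"[\d\W_]+$", "", pw.lower())
    return stripped.translate(LEET)


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if the password contains a run of `run` consecutive keyboard or alphabet characters."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return False


def assess_password(pw: str, username: str = "") -> Assessment:
    """Collect every policy finding rather than stopping at the first one."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"too short: {len(pw)} characters, policy minimum is {MIN_LENGTH}")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < MIN_CHARACTER_CLASSES:
        findings.append(f"uses {classes} character classes, policy minimum is {MIN_CHARACTER_CLASSES}")
    if len(username) >= 3 and username.lower() in pw.lower():
        findings.append("contains the user name")
    if normalize(pw) in COMMON_PASSWORDS:
        findings.append("matches a common password after normalization")
    if re.search(r"(.)\1{2,}", pw):
        findings.append("repeats one character three or more times")
    if has_sequence(pw):
        findings.append("contains a keyboard or alphabetic sequence")
    return Assessment(acceptable=not findings, findings=findings)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Correct-Horse-Battery-42", "xAlice-2024-secret"):
        result = assess_password(candidate, username="alice")
        print(candidate, "->", "ok" if result.acceptable else "; ".join(result.findings))
```

The normalization step is what makes the denylist worth having: without it, "P@ssw0rd1" passes a naive check for three character classes and a digit, while still being one of the first guesses in any dictionary attack.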

A.12.3.1. Information backup

Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.

Source: ISO/IEC 27001:2013
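A.12.3.1 requires that backups be both taken and tested. The Python script below is an added example, not part of this publication or of the standard, of what "tested" can mean in practice: it archives a directory together with a SHA-256 manifest, restores the archive into scratch space, checks every restored file against the manifest, and checks the backup's age against the agreed interval. The sample files, the `MAX_BACKUP_AGE_SECONDS` value and the function names are constructed assumptions for illustration.

```python
"""Added example: take a backup and test it by restoring (ISO/IEC 27001:2013 A.12.3.1)."""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Optional

# Constructed policy value (assumption): a backup older than this is out of policy.
MAX_BACKUP_AGE_SECONDS = 24 * 3600


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir: Path, dest_dir: Path) -> tuple:
    """Archive every file under src_dir and write a manifest (relative path -> SHA-256)."""
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archive = Path(dest_dir) / f"backup-{stamp}.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(Path(src_dir).rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest_path = archive.with_name(archive.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest_path


def restore_test(archive: Path, manifest_path: Path) -> list:
    """Restore into scratch space and compare every file with the manifest.
    An empty list means the backup restored completely and intact."""
    expected = json.loads(Path(manifest_path).read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            for m in tar.getmembers():
                # Reject entries that could write outside the restore directory.
                if m.name.startswith("/") or ".." in Path(m.name).parts:
                    problems.append(f"unsafe member name: {m.name}")
            if problems:
                return problems
            try:
                tar.extractall(scratch, filter="data")  # Python 3.12+ and security backports
            except TypeError:
                tar.extractall(scratch)
        for rel, digest in expected.items():
            p = Path(scratch) / rel
            if not p.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(p) != digest:
                problems.append(f"hash mismatch after restore: {rel}")
    return problems


def backup_is_current(archive: Path, now: Optional[float] = None) -> bool:
    """Policy check: the newest backup must not be older than the agreed interval."""
    age = (now if now is not None else time.time()) - Path(archive).stat().st_mtime
    return age <= MAX_BACKUP_AGE_SECONDS


def run_demo() -> dict:
    """Constructed sample data: back it up, test the restore, then make the manifest and the
    archive disagree to show that the restore test catches a backup that no longer matches."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "config").mkdir(parents=True)
        (src / "config" / "app.ini").write_text("[db]\nhost=db.internal\n")
        (src / "users.csv").write_text("id,name\n1,alice\n2,bob\n")
        dest = Path(work) / "backups"
        dest.mkdir()

        archive, manifest = make_backup(src, dest)
        clean = restore_test(archive, manifest)
        current = backup_is_current(archive)

        # Simulate drift between recorded and restored content (e.g. media corruption).
        bad = json.loads(manifest.read_text())
        bad["users.csv"] = "0" * 64
        manifest.write_text(json.dumps(bad))
        tampered = restore_test(archive, manifest)
    return {"clean": clean, "current": current, "tampered": tampered}


if __name__ == "__main__":
    print(run_demo())
```

The point of restoring into scratch space rather than only listing the archive is that a backup that cannot be restored is not a backup; the manifest turns "it extracted" into "every file came back with the content that was recorded when the backup was taken", which is the evidence an auditor will ask for under this control.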

Pages 10-15

Combine security practices for a successful ISMS implementation and be prepared for the ISO/IEC 27001 audit
By Andro Kull

“ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.”

– ISO/IEC 27001:2013

Information Security Management System

There can never be a more appropriate time for organizations all over the world to consider ISO/IEC 27001 certification, as this helps to improve the management of information security risks and improves the effectiveness and efficiency of information security processes first and foremost.

Introduction

The implementation of an Information Security Management System (ISMS) is a combination of requirements based on security objectives. The requirements may be based on standards, laws, regulations, agreements, or established by the organization using some other internal or external sources. An ISMS implementer has to consider these requirements and plan the implementation activities, documented in the statement of applicability (SOA). The ISMS auditor has to use the same requirements to create the audit criteria, documented as audit test plans. In this article, the possibilities of using the ISO standards as an appropriate source of guidance and practices are explained, to find suitable support for implementing an ISMS. Moreover, it may serve as a good option for ISMS auditors who want to be better prepared for their next audit. The approach provided also helps to consider technology trends (e.g., use of cloud computing) and regulatory requirements (e.g., related to privacy) in information security management.

The requirements that the ISO/IEC 27001 standard covers are:

Organizational context and stakeholders;

Information security leadership and high-level support for policy;

Planning an information security management system; risk assessment; and risk treatment;

Supporting an information security management system;

Making an information security management system operational;

Reviewing the system's performance;

Corrective action.

Information security controls

“ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).

It is designed to be used by organizations that intend to:

select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;

implement commonly accepted information security controls;

develop their own information security management guidelines.”

– ISO/IEC 27002:2013

For each selected control, it is practicable to concentrate on processes, activities, and records.

The information security controls guidelines provide a list of 114 controls separated into 14 groups:

Information security policies (includes 2 controls);

Organization of information security (includes 7 controls);

Human resource security (includes 6 controls that are applied before, during, or after employment);

Asset management (includes 10 controls);

Access control (includes 14 controls);

Cryptography (includes 2 controls);

Physical and environmental security (includes 15 controls);

Operations security (includes 14 controls);

Communications security (includes 7 controls);

System acquisition, development and maintenance (includes 13 controls);

Supplier relationships (includes 5 controls);

Information security incident management (includes 7 controls);

Information security aspects of business continuity management (includes 4 controls);

Compliance (includes 8 controls with internal requirements, such as policies, and external requirements, such as laws).

Information security risk

“This document provides guidelines for information security risk management. This document supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.

Knowledge of the concepts, models, processes, and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this document.

This document is applicable to all types of organizations (for example, commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that can compromise the organization's information security.”

– ISO/IEC 27005:2018

The risk management process should cover the following:

Context establishment

Risk identification

Risk analysis

Risk evaluation

Risk treatment

Risk acceptance

Risk communication and consultation

Risk monitoring and review

Cybersecurity management

“ISO/IEC 27032:2012 provides guidance for improving the state of Cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, in particular:

information security,

network security,

internet security, and

critical information infrastructure protection (CIIP).

It covers the baseline security practices for stakeholders in the Cyberspace. This International Standard provides:

an overview of Cybersecurity,

an explanation of the relationship between Cybersecurity and other types of security,

a definition of stakeholders and a description of their roles in Cybersecurity,

guidance for addressing common Cybersecurity issues, and

a framework to enable stakeholders to collaborate on resolving Cybersecurity issues.”

– ISO/IEC 27032:2012

To select the cybersecurity controls and to better understand the risks from cyberspace, it may be advisable to use other sources as well. For example, based on ENISA statistics (2020), the most common cybersecurity risks are:

Malware

Web-based attacks

Phishing

Web application attacks

Spam

DDoS

Identity theft

Data breach

Insider threat

Botnets

Information leakage

Ransomware

Cyberespionage

Cryptojacking

Physical manipulation, damage, theft, and loss

The above-mentioned cybersecurity risks can be managed by implementing appropriate cybersecurity controls at different levels, such as:

End user device

Application level

Server level

Network level

Cloud security

In cases where the organization is using cloud services, it may be advisable to focus more on the implementation of the necessary controls by the cloud service provider. The ISO/IEC 27017 guidelines can be used to find controls based on the cloud service extended control set.

“ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing: additional implementation guidance for relevant controls specified in ISO/IEC 27002; additional controls with implementation guidance that specifically relate to cloud services.

This International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers.”

– ISO/IEC 27017:2015

The extended control set covers the following topics:

Privacy extensions

It is quite common that one of the most relevant legal and regulatory requirements for most organizations is to protect personally identifiable information (PII), for example, strict requirements to comply with the General Data Protection Regulation (GDPR). For guidance, the ISO/IEC 27701 standard may be an appropriate reference to improve information security management from a privacy perspective.

“This document specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

This document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing. It is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.”

– ISO/IEC 27701:2019

Additional guidance for personally identifiable information (PII) controllers and processors:

Conditions for collecting and processing;

Obligations to PII principals;

Privacy by design and privacy by default;

PII sharing, transfer and disclosure.

Conclusions

There is no single solution for organizations to get reasonable assurance for their information security. The key is a combination of appropriate requirements and practices. ISO provides many options to select the guidance which may be useful to reach the combination that works for the organization’s purposes. In addition, the explanation provided above may be useful for organizations that have already implemented an ISMS, but are seeking possibilities for continual improvement.

As a result, we can highlight the security checklist as the top 10 activities and results which may be needed to ensure that information security is actually managed:

Information security management system established, maintained, certified and continually improved;

Information security risks identified, analyzed, assessed, decided and treated;

Appropriate information security controls identified, planned, implemented, operated and measured;

Incident management process developed, implemented, prepared and tested;

Operational security integrated with IT operations;

Cloud security program established and operating;

PII protection controls planned, implemented and operating;

IT readiness for business continuity is ensured and tested;

Internal control activities for information security established and internal audit program operating.

Organizations are advised to define the roles and responsibilities accordingly and provide suitable training for the roles responsible for the implementation or audit of the information security practices. To ensure information security implementation maturity, organizations can proceed with ISMS certification. PECB MS is an accredited certification body that provides audit and certification against ISO/IEC 27001 and ISO/IEC 27701. Get to know more about the PECB MS audit and certification process.

References

ENISA. 2020. ENISA Threat Landscape 2020 - List of top 15 threats. [online] Available at: <https://www.enisa.europa.eu/publications/enisa-threat-landscape-2020-list-of-top-15-threats> [Accessed 15 October 2021].

ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements. [online] Available at: <https://www.iso.org/standard/54534.html> [Accessed 15 October 2021].

ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls. [online] Available at: <https://www.iso.org/standard/54533.html> [Accessed 15 October 2021].

ISO/IEC 27005:2018 Information technology — Security techniques — Information security risk management. [online] Available at: <https://www.iso.org/standard/75281.html> [Accessed 15 October 2021].

ISO/IEC 27032:2012 Information technology — Security techniques — Guidelines for cybersecurity. [online] Available at: <https://www.iso.org/standard/44375.html> [Accessed 15 October 2021].

ISO/IEC 27035:2011 Information technology — Security techniques — Information security incident management. [online] Available at: <https://www.iso.org/standard/44379.html> [Accessed 15 October 2021].

ISO/IEC 27017:2015 Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services. [online] Available at: <https://www.iso.org/standard/43757.html> [Accessed 15 October 2021].

ISO/IEC 27701:2019 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines. [online] Available at: <https://www.iso.org/standard/71670.html> [Accessed 15 October 2021].

About the Author

Andro Kull holds a PhD degree from the University of Tampere, concentrating on IT oversight and compliance verification methodologies. He currently lectures on IT risk and information security management issues at the University of Tallinn.

Previously, he has worked for the financial sector in IT and information security, and for the energy sector in IT risks, where security and continuity demands are very high. Kull started his career as an IT specialist and IT manager, and has worked extensively as an IT auditor and IT risk manager for one of the largest companies in Estonia. At the same time, he founded a consulting company and managed projects related to IT risk assessment, the implementation of security measures, business continuity planning (BC), planning for recovery (DR), and crisis management, mostly in public sector organizations.

His auditing experience with PECB MS started in 2017; to this day he has been engaged in many ISO/IEC 27001 audits for companies of different sizes and types.

Page 16

“Cybersecurity is a shared responsibility, and it boils down to this: in cybersecurity, the more systems we secure, the more secure we all are.”

– Jeh Johnson

Pages 18-19

PECB MS Client Success Story: ISO/IEC 27032

Agricultural Development Fund (ADF) was established based on royal decree no. 58 in 1963, as a governmental credit institution that specialized in funding various agricultural activities across the Kingdom of Saudi Arabia (KSA). ADF aims to develop the agricultural sector and improve production efficiency by using the best scientific methods and modern technologies. ADF offers facilitated loans without interest to farmers in order to secure the needs of this activity by providing machinery, pumps, and agricultural equipment for raising cattle, poultry, sheep, beekeeping, breeding fish, and others.

“Vision 2030 has been inspiring us to achieve an unprecedented step in the field of cybersecurity in line with the Kingdom’s aspirations to be one of the best cybersecurity leaders in the world. Following our successful certification against ISO/IEC 27001:2013 and ISO 22301:2019, we consider ISO/IEC 27032:2012 certification as an additional step towards the achievement of our strategic goal to integrate the highest standards of cybersecurity and information security procedures.” - Abdulaziz I. Al-Issa

Read the success story

Page 20

4 Common Causes of Data Breach

Human error: due to human negligence, sensitive data may be stolen when the user clicks on the wrong email address, shares their passwords, uses public internet, etc.

Loss of devices: having access to a stolen smartphone, laptop, drive, or other data storage device, hackers can steal your information.

Cyber-attacks: malware, phishing emails, skimming, social engineering, etc.

Employee data theft: stealing sensitive data with the intent to cause harm.

Page 21

7 Records to keep in case of Data Breach

Who reported the incident?

Who received the incident notification/reports?

Time of occurrence

Duration

Incident description

Consequences and impact of the incident

Steps taken to follow up and solve the issue

6 Common Consequences of Data Breach

Fines

Financial loss

Operational downtime

Loss of intellectual property

Loss of sensitive data

Reputational damage

Page 22

As of 2020, the average cost of a single data breach across all industries worldwide stood at nearly 4 million U.S. dollars.

Source: Statista

Pages 24-27

ISO/IEC 20000-1 Q&A Session with Mostafa Alshamy

1. Why is the ISO/IEC 20000 standard divided into parts? The ISO/IEC 20000 family contains more than one standard to provide readers with different types of support on how to establish, develop, manage, measure, and improve an SMS prop-erly.

The first part is ISO/IEC 20000-1:2018 and it covers the controls needed to have an effective SMS. It has a lot of requirements covering all the components and processes of an SMS as mentioned above.

Part two, ISO/IEC 20000-2:2019, provides guidance on the application of service management systems. It supports readers in interpreting the requirements of the first part of the standard by providing examples and recommendations about how to implement the SMS.

Part three, ISO/IEC 20000-3:2019 gives guidance on scope definition of an SMS and the applicability of the first part to different types of service providers.

2. What is the connection between ISO/IEC 20000 and ITIL and how can ITIL help in the certification process? ISO/IEC 20000 is based on two main components. The first one is the common requirements for a management system, which ISO Annex SL Appendix 2 covers clearly and which exist in any other ISO management system. The second one is the ITSM processes, which are taken from ITIL v3 and the 2011 edition.

ISO/IEC 20000-1 includes 17 explicit ITIL processes, while others are covered implicitly.

3. What is the purpose of ISO/IEC 20000-1 and why is this standard so important? ISO/IEC 20000-1 aims to specify clear requirements for establishing, implementing, maintaining, and continually improving a Service Management System (SMS), which assists organizations in developing, building, testing, delivering, managing, and improving the provision of IT services. It is considered a sign of high quality for IT service providers and a guarantee for their customers.

4. Is ISO/IEC 20000-1 intended only for IT organizations or can it also be used by other industries? ISO/IEC 20000-1 is intended for IT service providers, while providers of other types of services can also benefit from following its requirements in order to provide a better service. All other service management fields, such as Call Center, Outsourcing, and Data Management, among others, can benefit from implementing one part or all parts of ISO/IEC 20000-1:2018.

5. Which are the most important clauses of the ISO/IEC 20000-1 standard? Although the ITSM processes in clause 8 (Operation of the service management system) are very important as they represent the core of this standard, we cannot reduce the importance of the other parts, as they support those processes directly or indirectly to achieve the intended results.

I believe that these processes cannot achieve their purpose if:

The organization context is not well defined;

There is no top management commitment;

There are not enough competent resources, awareness, or training;

There is no risk management;

There are no clear objectives, in addition to the absence of measurement and continual improvement.

In short, all the components of ISO/IEC 20000-1 are integral and cannot be separated or distinguished.

6. How is service management defined in ISO/IEC 20000-1? The term service management in ISO/IEC 20000-1 is defined as a set of capabilities and processes to direct and control the organization’s activities and resources for the planning, design, transition, delivery, and improvement of services to deliver value. This definition is clearly based on ITIL’s definition.

7. Which security-related benefits can be obtained by ISO/IEC 20000-1? ISO/IEC 20000-1 addresses information security as a dedicated process covered in clause 8.7.3 Information security management; however, we cannot consider this standard an information security dedicated one.

ISO/IEC 20000-1 covers information security and its incidents in the Information Security Management process, while ISO/IEC 27001:2013 is totally dedicated to information security management and has more security requirements and 114 dedicated controls in its Annex A.

8. What other management systems standards can ISO/IEC 20000-1 be aligned with? ISO/IEC 20000 is not the only Management Systems Standard (MSS) issued since 2012 by the ISO organization that follows the Annex SL Appendix structure. It is a unified structure for any MSS to support and make it easier for organizations that intend to implement or get certified to more than one ISO standard. I think that, among other standards, ISO/IEC 20000-1 is totally aligned with:

ISO 9001 Quality Management System (QMS);

ISO 22301 Business Continuity Management System (BCMS);

ISO/IEC 27001 Information Security Management System (ISMS); and

ISO/IEC 27701 Privacy Information Management System (PIMS).

So, for example, if your organization wants to implement ISO/IEC 20000-1:2018, ISO/IEC 27001:2013, and ISO/IEC 27701:2019, and the three standards will be managed by the same department, this can be achieved easily by integrating clauses 4 (Context of the organization), 5 (Leadership), 6 (Planning), 7 (Support), 9 (Performance evaluation), and 10 (Improvement), which cover the same requirements for these three standards. On the other hand, clause 8 (Operation) is different and needs separate implementation in each standard, as it covers the core requirements of each standard.

9. What are the differences between ISO/IEC 20000-1 and ISO/IEC 27001? ISO/IEC 20000-1 is for a Service Management System (SMS), which covers all the aspects of IT service management during the lifecycle of any IT service, including security aspects.

Meanwhile, ISO/IEC 27001 is completely dedicated to information security, represented in clear requirements and controls. They can be easily combined to have a great integrated management system which can support service providers more.

For instance, ISO/IEC 20000-1, clause 8 covers the requirements of the ITIL processes such as:

Service availability, capacity, continuity, and security, in addition to service catalogue;

Service level management;

Incident management;

Request fulfilment;

Problem management;

Change management, among others.

While clause 8 in ISO/IEC 27001 covers the requirements of:

Operational planning and control;

Information security risk assessment;

Information security risk treatment.

In short, ISO/IEC 20000-1 is about IT Service Management, while ISO/IEC 27001 is about Information Security Management. To sum it up, all MSS issued from 2012 have the same requirements for the management system except for clause 8, which is a distinctive clause in each ISO standard.

10. Is there any information about cloud service providers in ISO/IEC 20000-1? ISO/IEC 20000-1 covers IT Service Management whether IT services are on cloud or on premises, as the concepts are the same. At the same time, there is dedicated guidance on security techniques and a code of practice for information security controls based on ISO/IEC 27002, for cloud services specifically.

There are two ISO standards in the ISO/IEC 27000 family dedicated to cloud service providers:

ISO/IEC 27017:2015 Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services supports cloud service providers in understanding the implementation of ISO/IEC 27002 controls easily, with some additional controls specifically chosen for the cloud.

ISO/IEC 27018:2019 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, based on the privacy principles in ISO/IEC 29100 for the public cloud computing environment and on ISO/IEC 27002 controls, is dedicated to PII in the public cloud. This topic is highly important nowadays after the emergence of many PII regulations all over the world, such as GDPR.

Both of these standards can be combined to constitute a great source of guidance for cloud service providers.


11. How does the certification audit against ISO/IEC 20000-1 help organizations? ISO/IEC 20000-1 helps organizations keep and improve their IT Service Management all the time and prove to their customers that they have a stable management system for the provided IT services.

Before the certification audit, an organization should prepare and have qualified personnel who are familiar with the requirements of the standards. Besides other requirements, an internal audit and a management review meeting should be conducted and documented before the external audit. Reaching the certification audit stage requires a lot of effort from the organization. Therefore, it can be considered the celebration time for great efforts and a long journey.

ISO/IEC 20000-1 has a lot of benefits for organizations planning to get certified such as:

Documented processes which can increase productivity and reduce rediscovering knowledge;

Powerful internal audit program which can discover nonconformities and follow up their correction;

Increasing the provided services’ availability, capacity, continuity, and security based on well-defined processes;

Clear and well-organized service catalogue for IT users and staff;

Continual improvement;

Top management commitment; and

A clear assurance of providing high quality IT services after being certified.

12. What are some tips and advice to get ready for a certification audit against ISO/IEC 20000-1? Try to have all the ITSM processes organized, integrated, and well-documented. The participation of everyone counts, so do not underestimate proper awareness and its impact on the management system and its components.

Having a clear implementation plan and proper training courses on how to implement and audit the SMS can be of great value for those who seek smooth implementation and auditing.

About the Responder

Mostafa AlShamy is a valuable member of our pool of auditors who has been conducting audits on behalf of PECB MS since 2017. As a highly experienced professional, he has delivered remarkable audits against ISO/IEC 20000-1, ISO/IEC 27001, ISO/IEC 27701, ISO 22301, and ISO 9001. His auditing expertise is helping organizations achieve excellence day by day. We are fortunate to be able to work with an industry expert such as Mostafa AlShamy, who left us astounded by the level of dedication and hard work that he puts into every situation.


Certify your management system against ISO/IEC 27001 and ISO/IEC 20000-1!


We provide audit and certification services and, upon successful conformity with the requirements of the standard, will certify your management system against ISO/IEC 27001 and/or ISO/IEC 20000-1.


1555 boul de l'Avenir, Bureau 306, Laval, Quebec H7S 2N5, Canada

+1-844-426-7322


* This document may be reproduced or transmitted for the purpose of informing current or potential PECB MS partners, auditors or potential client organizations wanting to obtain a PECB MS Certification, on the condition that the reproduction or transmission includes the following notice: “Copyright © PECB MS 2021. All rights reserved.” Reproductions or transmissions for any other purpose require the prior written permission.