International Journal of Software Engineering and Its Applications
Vol. 10, No. 9 (2016), pp. 217-230
http://dx.doi.org/10.14257/ijseia.2016.10.9.18
ISSN: 1738-9984 IJSEIA
Copyright ⓒ 2016 SERSC
Towards an Integrated Management System (IMS), harmonizing the ISO/IEC 27001 and ISO/IEC 20000-2 Standards
César Pardo1*, Francisco J. Pino2 and Félix Garcia3
1 Electronic and Telecommunications Engineering Faculty, University of Cauca, Calle 5 # 4 – 70 Popayán, Colombia. Tel: +57 28209800 ext. 2133, [email protected]
2 IDIS Research Group, Electronic and Telecommunications Engineering Faculty, University of Cauca, Calle 5 # 4 – 70 Popayán, Colombia. Tel: +57 28209800 ext. 2133, [email protected]
3 ALARCOS Research Group, Information Systems and Technologies Department, UCLM–ITSI Institute of Technology and Information Systems, University of Castilla–La Mancha, Paseo de la Universidad, 4 – 13071 Ciudad Real, Spain. Tel: +34 926 295300 ext. 3747, {Felix.Garcia}@uclm.es
Abstract
In recent times, and in order to maintain an integrated, efficient and homogeneous
policy, Integrated Management Systems (IMS) have emerged as an opportunity to
improve processes related to Information Technology (IT) in organizations in a way that
is modular, consistent and orderly. The ISO 27001 and ISO 20000 standards provide
good practices for creating and/or strengthening management infrastructure whose
purpose is information security and IT services. In an attempt to provide information on
how these standards are related, as well as to facilitate their integration under a single
IMS, this article presents the harmonization strategy and results of the harmonization of
standards ISO 27001 and ISO 20000 in an organization. The work thereby supports
organizations which are interested in knowing how to carry out the harmonization of
these models. It also provides a detailed analysis of their similarities and differences,
showing an example of how to carry out the integration of related practices between ISO
27001 and ISO 20000-2. In addition, some benefits achieved by the organization are
presented.
Keywords: Multi-model, Harmonization, Information Security Management System
(ISMS), IT service management, Integrated Management Systems, Homogenization,
Comparison, Integration
1. Introduction
At present, there is a wide range of models and standards which can be used by
software organizations to carry out the improvement and certification of their processes.
For example: CMMI, ISO 9001, ISO 12207, ISO 90003, ITIL, COBIT, to name a few of
them.
* Corresponding Author: César Pardo, e-mail: [email protected].
The interest of organizations in obtaining the certification of standards defined by the
International Organization for Standardization (ISO) has been increasing of late. This
concern has focused mainly on information approaches as a means of improving their
various departments through a single Integrated Management System (IMS) [1]. Two of
these approaches are the ISO 27001 and ISO 20000-2 standards. ISO 27001 provides a
wide description and controls related to information security. ISO 20000, for its part,
defines the practices and processes for managing services and IT management through
the use of an assistance service based on ITIL.
Although ISO 27001 and ISO 20000 provide support for different management
infrastructures in an organization, we believe that integrated institutionalization can have
large benefits; e.g., improving competitiveness, organizational development, security,
risk management, as well as improved corporate management and assurance to
stakeholders, and continuous improvement. Likewise, it has a positive impact on loyalty
and the attracting of new customers, thanks to provision of services that meet their needs
and expectations. It is possible that the appropriate integration of ISO 27001 and ISO
20000 may allow a strong and powerful combination for IT management to be generated
in an organization. It would also encourage the reuse of the effort, time, money and
human talent involved in any improvement projects that had been carried out previously.
With such reuse, organizations, especially small and medium enterprises (SMEs),
would reap immense benefits, because the effort and costs of implementing a new
model, as compared to one already institutionalized, could be reduced, i.e.
a model implemented previously in an organization can meet the requirements with
regard to the new model to be implemented. The results obtained in this paper are an
example of the above, as are the comparison and harmonization of other models already
carried out, such as that performed between ISO 9001 and CMMI [2], ISO 15504 and
CMMI [3], amongst others.
In this sense, and in our effort to guide the organizations through the harmonization of
ISO 27001:2005 and ISO 20000-2:2005 (hereafter referred to as ISO 27001 and ISO
20000-2, respectively), this article presents the harmonization strategy used to
homogenize, compare and align the clauses of ISO 27001 with the clauses of ISO 20000-
2. A harmonization strategy allows multiple models to be put in harmony and consonance
with each other, through a set of methods configured systematically [4]. This paper
attempts to provide a guide for organizations to manage, homogenize, compare and
integrate the harmonized standards in this paper into a single management system.
This paper proceeds as follows. Section 2 presents related work. Section 3 describes
the harmonization strategy designed from the needs of Audisec. Section 4 gives an
explanation of the harmonization of ISO 27001 and ISO 20000-2 through the
harmonization strategy configured. An example is also shown about how to carry out the
integration of the relationships established between the standards. Section 5 presents
some benefits expressed by organizations. Lastly, some relevant discussion is given,
along with the conclusions we have drawn and the future work we have planned.
2. Related Work
Based on the results of a systematic review performed in [5], which involves the
analysis of the proposals for the harmonization of multiple models, we can see some
studies that show an interest in integrating multiple models e.g., the PRIME project
funded by the Software Engineering Institute (SEI), which examines the value of
harmonization of multiple technologies, including: CMMI, Six Sigma, ITIL, ISO 27001,
among others [6]. Likewise, this institution has also conducted studies that focus on the
analysis of ISO standards and their integration with other models. Some of these studies
are, among others: analysis and integration of ITIL and ISO 20000 [7], the definition of
Integrated Management Systems (IMS) from ISO 9001 and ISO 27001 [8], ISO 9001,
ISO 20000 and ISO 27001 [9], ISO 9001, ISO 14001 and OHSAS 18000 [10]. Other
studies carried out the comparison between specific models, i.e., between the same
family and between not more than two different models, e.g., usually we can find
mappings between ISO 9001 and CMMI [11], CMMI and ISO/IEC TR 15504-2:1998
[12, 13], to name a few examples. Although it is possible to see an extensive use of ISO
and SEI models in related work, the models used most in harmonization projects are ISO
9001, ISO 15504 and CMMI-DEV.
With regard to the existing literature, and considering that we did not find studies
which perform an analysis of the relationships and differences between ISO 27001 and
ISO 20000, this article presents the harmonization of these two standards. Furthermore,
this paper proposes a solution to the need expressed by Audisec, the consultancy
organization in ISO 27001 and ISO 20000, which is interested in carrying out the
implementation of these two approaches under a single IMS.
A detailed summary of the strategy followed to harmonize the models involved is
presented in the next Section.
3. Configuring a Harmonization Strategy
This section describes the harmonization of standards ISO 27001 and ISO 20000-2 in
terms of the harmonization needs identified in an organization as well as the
harmonization strategy followed.
3.1. Organization’s Needs
Audisec carried out the integration of ISO 27001 and ISO 20000-2, taking into
account the needs identified. Audisec is an organization that provides consulting services
and support in the certification of ISO 20000 and ISO 27001. The needs expressed by
Audisec in connection with the carrying out of the harmonization of these models are:
- To facilitate the ISO 20000 certification in organizations previously certified under ISO 27001.
- To reduce costs, time and resources associated with the reuse of efforts previously employed in the certification of ISO 27001.
- To minimize the complexity of implementing multiple models without proper alignment and integration.
Based on these needs, the harmonization goal of the two standards focused on defining
a harmonization strategy made up of a set of methods which enabled the following to be
carried out:
i resolution of differences related to their structures,
ii comparison and identification of differences and similarities,
iii analysis of detail level and depth of standards, and
iv establishing of the degree of coverage, as well as the fulfillment of the ISO 27001
processes on those defined in ISO 20000-2.
3.2. Harmonization Strategy Configured
Project management for harmonizing ISO 27001 and ISO 20000-2 was carried out
with the implementation of elements defined in HFramework. These are: (i) a
harmonization process (HProcess) and a (ii) set of harmonization methods (HMethods).
The purpose of HProcess is to provide a guideline to facilitate the management of
tasks related to the definition and configuration of a harmonization strategy for carrying
out the harmonization of multiple models [14]. The purpose of HMethods is to provide a
set of methods which make it easier to configure a harmonization strategy (HStrategy),
taking into account the organization’s needs. HStrategy is the work product resulting
from the implementation of HProcess. That is, whereas HProcess provides information
about “what” to do, systematic configuration of an HStrategy describes the activities and
tasks which make it possible to know “how” to carry out the harmonization of multiple
models from the organization’s needs. Figure 1 shows a summary of the process, roles
and activities of HProcesses and HStrategy applied in the harmonization of ISO 27001
and ISO 20000-2. The processes presented in this paper use the notation of SPEM 2.0.
All this being so, and on the basis of the needs identified and the implementation of
HProcess in Audisec, an HStrategy was defined and configured according to three
methods: (i) a homogenization method (HoMethod), (ii) a comparison method
(CoMethod) and (iii) an integration method (IMethod). Incorporating these methods
allowed us to carry out the step-by-step harmonization of the models involved. In order to
organize and manage the people and activities throughout the strategy, this process
establishes two roles: the performers and the reviewers, along with three methods:
Method 1. Homogenization. This stage involved the tasks: (i) acquisition of
knowledge about the models involved, (ii) structure analysis and terminology, (iii)
identification of requirements and (iv) correspondence.
Method 2. Comparison. This stage involved the tasks: (i) designing the mapping,
(ii) carrying out the mapping, (iii) presenting the outcomes of the mapping and (iv)
analyzing the results of the mapping.
Method 3. Integration. (i) designing the integration, (ii) establishing integration
criteria, (iii) carrying out the integration, (iv) analyzing the results of the
integration and (v) presenting the integrated model.
Homogenization, comparison and integration are harmonization methods which make
up the Harmonization Framework, which is also available through the WEB [15]. A
detailed summary of these methods can be found in [16], [17] and [18], respectively.
A summary of the tasks of the HStrategy that were followed to harmonize the models
involved is presented in the next sections.
4. Harmonizing ISO 27001 and ISO 20000-2
4.1. Carrying out the Homogenization
The purpose of ISO 27001:2005 is to help organizations establish, implement, operate,
monitor, review, maintain and improve their Information Security Management Systems
(ISMS) [19]. The implementation of this rule brings great benefits which have to do
mainly with reducing the risk of data loss, theft or corruption of information.
On the other hand, according to Part 1 of ISO 20000:2005 [19], the purpose of ISO
20000 is to help organizations to improve the efficiency of providing technological
services through guidelines for quality IT service management. This rule also takes into
account aspects related to system capacity, levels of management when the system
changes, as well as financial budgeting and control and software distribution.
Before carrying out the comparison of the two models, and as set out in the HStrategy
defined (see Figure 1), it was necessary to harmonize the models through the HoMethod
and the Common Structure Process Element (CSPE) template described in [16]. To carry
out the homogenization: (i) the information described in Part 1 of ISO 27000 or ISO
27001 and (ii) Part 2 of ISO 20000 or ISO 20000-2 were taken into account. Part 2 of
ISO 20000 was seen as relevant because this section describes the best practices or
requirements in terms of processes to comply with the standard.
The organization of the descriptions of each standard in the CSPE template allowed us
to compare the standards to a high level of abstraction. This first comparison enabled us
to see that ISO models analyzed are standards which define their requirements as
statements in each paragraph, which are contained within clauses, which in turn are
contained in major clauses (see Figure 2). Likewise, they do not define a process element
structure based on process, e.g. activities, tasks, steps or roles. Only ISO 20000-2 defines
objectives explicitly in relation to each major clause. This means that the performer
carried out the adaptation and exclusion of process elements of the CSPE template which
are not defined in standards, leaving only the necessary ones, i.e., process group (this is a
major clause), processes (these are clauses and sub-clauses), activities (paragraphs), tasks
(statements), artifacts (which are implicit in paragraphs and statements) and related
processes (related clauses). Table 1 shows an example of the homogenization of clause 8
of ISO 27001, related to ISMS improvement. Table 2 shows the syntax used to identify
the requirements in standards. The homogenization of the clauses in each standard was
performed in an iterative incremental approach (see process of harmonization strategy in
Figure 1).
Figure 1. Activity Diagram of HProcess Applied to Obtain an HStrategy
Figure 2. Structures used by ISO 20000-2:2005 and ISO 27001:2005
Table 1. Clause 8. ISMS improvement, ISO 27001 (CSPE Template, adapted)
SD1. Process Category: ISMS improvement
SD2. Process ID: Clause 8
Name: ISMS improvement
SD1.3 Activities and SC1.3 Artifacts:

8.1 Continual improvement
Activity: The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review (see 7).
Artifacts: It does not define artifacts.

8.2 Corrective action
Activity: The organization shall take action to eliminate the cause of nonconformities with the ISMS requirements, in order to prevent recurrence. The documented procedure for corrective action shall define requirements for:
a) identifying nonconformities;
b) determining the causes of nonconformities;
c) evaluating the need for actions to ensure that nonconformities do not recur;
d) determining and implementing the corrective action needed;
e) recording results of action taken (see 4.3.3); and
f) reviewing of corrective action taken.

8.3 Preventive action
Activity: The organization shall determine action to eliminate the cause of potential nonconformities with the ISMS requirements in order to prevent their occurrence. Preventive actions taken shall be appropriate to the impact of the potential problems.
The output from the management review shall include any decisions and actions related to the following.
a) Improvement of the effectiveness of the ISMS.
b) Update of the risk assessment and risk treatment plan.
c) Modification of procedures and controls that affect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to: 1) business requirements; 2) security requirements; 3) business processes affecting the existing business requirements; 4) regulatory or legal requirements; 5) contractual obligations; and 6) levels of risk and/or risk acceptance criteria.
d) Resource needs.
e) Improvement to how the effectiveness of controls is being measured.
Table 2. Syntax to Identify the Requirements in ISO Models Family

| Syntax | Description |
|---|---|
| 1. Shall [verb] / 2. Shall [verb] … and [verb] | This statement indicates the actions, activities, tasks or procedures which the organization that will develop it will have. It is probable that this statement will be used to describe one or several actions or to derive processes. |
| 3. Begins with [shall] or shall [verb] | Identifies a list of derived requirements of processes, procedures, activities or tasks. |
| 4. Shall be [verb] | Indicates the characteristics associated with a process, or possible roles or work products. |
| 5. Shall [include] | Indicates the details that the organization must include in a process or work product. |
| 6. Shall be [verb] + [by], [to] or [on] | This syntax helps to identify the detail of some procedures or processes. |
| 7. Documented, input, output | Indicates a possible work product. It might include some characteristics related to the work product. |
4.2. Designing the Comparison
After carrying out the homogenization of standards, the performer (P) carried out a low-level
comparison with regard to the information described in the tasks defined in the
comparison method (see Figure 3). The comparison supported comparative analysis of
descriptions from the point of view of all the relations of the elements classified as
activities. In that sense, the directionality of the comparison was a comparison of the ISO
27001 with regard to ISO 20000-2. The choice of the directionality took into account the
needs expressed by the organization: (i) expanding the market for ISO 20000 certified
organizations, (ii) certifying in ISO 20000 the organizations certified in ISO 27001 and
(iii) taking advantage of previous efforts in ISO 27001.
To express the degree of relationship between the tasks compared, a discrete scale or
scale of comparison was defined. The scale consists of the following elements: Not
related (N) (0%), weakly related (W) (1% to 15%), partially related (P) (16% to 50%),
largely related (L) (51% to 85%) and strongly related (S) (86% to 100%). From the
comparison scale we found two values to classify the results collected:
- The degree of relationship (dR) can be found by dividing the number of elements (statements) where a relationship (between two models) has been found, by the total number of elements (statements) of one of the two models. It is important to highlight that the numeric value assigned to a relationship is only indicative of the extent to which a process element of a model A is addressed by means of another process element of a model B.
- The Fulfillment (F) can be found by taking into account the relationships found between the models involved. However, unlike the dR, to find F, the number of statements supported by a model A with respect to a model B is taken into account. Hence, dR doesn't take into account the number of relationships found in each intersection during the comparison.
Figure 3. Activity Diagram of the Comparison Method
4.3. Carrying out the Mapping
The comparison was carried out according to comparison design. In this sense, the
analysis focused on a study of how the requirements of ISO 27001 address in some way
(or not), some aspects of the requirements of ISO 20000. As can be seen in Figure 4, the
comparison used the iterative and incremental approach to make it easier to manage the
complexity in comparing the entities concerned at a low level of abstraction. After each
iteration of comparison, the results were analyzed by two peer reviewers (see Figure 1).
The review verified the reliability of the results and the comparison method. Table 3
shows a detailed example of the relationship between the tasks identified in clause 8,
relating to ISO 27001, and clause 9.2.2 concerning the closing and review of an
application for change of ISO 20000-2. In Table 3, the F found means: 1 statement of
ISO 27001 supports 1 statement out of 3 of ISO 20000-2. Clause 8.2 therefore has a
fulfillment of 33% with regard to clause 9.2.2 of ISO 20000-2, i.e. ISO 27001 partially
supports the enforcement of clause 9.2.2.
Table 3. Comparison between Clause 8.2 of ISO 27001 and Clause 9.2.2 of ISO 20000-2
Some considerations:
- Direction of the comparison: From ISO 27001 to ISO 20000-2.
- Process elements for the comparison: "shall" statements of both standards.
- Research questions: 1) What statements of ISO 27001 can offer support to statements of ISO 20000-2? 2) What ISO 27001 statements are strongly related to the support of ISO 20000-2 statements?
- Comparison goal: To determine which statements (shall) of ISO 27001 have a close relationship with some statements of ISO 20000-2. The goal is to know what the degree of fulfillment of the statements of ISO 20000-2 is, based on the statements described in ISO 27001.

ISO 20000-2, clause 9.2.2 Closing and reviewing the change request:
1. All changes should be reviewed for success or failure after implementation and any improvement recorded.
2. Any nonconformity should be recorded and acted on.
3. Any weaknesses or deficiencies identified in a review of the change management process should be fed into plans for improving the service.

ISO 27001, clause 8.2 Corrective action:
The organization shall take action to eliminate the cause of nonconformities with the ISMS requirements, in order to prevent recurrence.

dR & F, ISO 27001 to ISO 20000-2: P (1 of 3) (in this case dR and F are equal).
Organizations interested in harmonization in the opposite direction, i.e., ISO
20000-2 to ISO 27001, can also find dR and F from the comparison performed. For
instance, taking into account the comparison in Table 3, F in the direction of ISO 20000-
2 to ISO 27001 is 100%, i.e., 1 statement of ISO 20000-2 supports 1 statement of 3 of
ISO 27001. Hence, clause 9.2.2 strongly supports the enforcement of clause 8.2.
Figure 4. Activity Diagram of the Integration Method
4.4. Analyzing the Results of the Mapping
Based on the harmonization objectives defined and on the directionality of comparison,
the result of the comparisons was a ratio of one to many. Of the 133 relationships that
may exist between the processes of each model, (85) relationships were classified as N.
That is, 64% are not related in any way, and 36% (48) are related. That means that within
the 36% where some correspondence was identified, 5% (6) corresponds to Strongly
related relationships, 5% (6) corresponds to Largely related relationships, 24% (32)
corresponds to partially related relationships and 2% (3) to weakly related relationships.
It is possible to see that there are strongly related relationships between processes, i.e.,
these relationships come close to, or are at, 100% of relationship. This does not mean that
the processes are identical, but that all the statements analyzed in ISO 20000 have found
some relationship with a task of ISO 27001. Table 4 shows a summary of the comparison
performed between ISO 27001 and ISO 20000-2. In conclusion, it is possible to see a
relationship between the two models. The ISO 27001 standard supports compliance of
36% of the statements defined by ISO 20000.
Based on the results obtained, it is possible to identify some similarities and
differences between ISO 27001 and ISO 20000-2; e.g., in terms of the Information
Security Management System we can note that ISO 27001 presents a series of controls
and objectives to ensure information security. For its part, ISO 20000-2 delves into the
risks associated with the operation and maintenance of the controls proposed in ISO
27001. In this regard, ISO 20000 extends the description of the controls, describing in
greater detail the manner in which they must be performed. This feature can be observed
in several of the clauses compared, but these relationships were not identified because
this first comparison of the standards was performed only at the level of descriptions of
their terms and did not involve the controls and objectives defined in Annex A of ISO
27001. In that sense, it is possible to establish more relationships. As future work we will
address the comparison of the models, taking into account the controls and objectives
defined in ISO 27001.
Table 4. General Results of Comparison between Clause 8.2 of ISO 27001 and Clause 9.2.2 of ISO 20000-2
Some considerations:
- Direction of the comparison: From ISO 27001 to ISO 20000-2.
- Process elements for the comparison: "shall" statements of both standards.
- Research questions: 1) What statements of ISO 27001 can offer support to statements of ISO 20000-2? 2) What ISO 27001 statements are strongly related to the support of ISO 20000-2 statements?
- Comparison goal: To determine which statements (shall) of ISO 27001 have a close relationship with some statements of ISO 20000-2. The goal is to know what the degree of fulfillment of the statements of ISO 20000-2 is, based on the statements described in ISO 27001.
- C: Clauses

Columns (ISO/IEC 20000-2 clauses): C3 The management system; C4.1 Plan service management (Plan); C4.2 Implement service management and provide the services (Do); C4.3 Monitoring, measuring and reviewing (Check); C4.4 Continual improvement (Act); C5 Planning and implementing new or changed services; C6.1 Service level management; C6.2 Service reporting; C6.3 Service continuity and availability management; C6.4 Budgeting and accounting for IT services; C6.5 Capacity management; C6.6 Information security management; C7.2 Business relationship management; C7.3 Supplier management; C8.2 Incident management; C8.3 Problem management; C9.1 Configuration management; C9.2 Change management; C10.1 Release management process.

| ISO 27001 clause | C3 | C4.1 | C4.2 | C4.3 | C4.4 | C5 | C6.1 | C6.2 | C6.3 | C6.4 | C6.5 | C6.6 | C7.2 | C7.3 | C8.2 | C8.3 | C9.1 | C9.2 | C10.1 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| C4.2 Establishing and managing the ISMS | L | P | P | L | P | N | W | N | P | P | N | S | P | N | W | L | L | P | S |
| C4.3 Documentation requirements | P | N | N | N | N | N | N | P | N | N | N | S | P | N | N | P | L | P | P |
| C5.1 Management commitment | N | N | N | P | N | S | N | N | N | N | N | S | N | N | N | N | N | N | N |
| C5.2 Resource management | P | N | N | P | N | P | N | N | N | N | N | P | S | P | P | S | N | L | P |
| C6 Internal ISMS audits | P | N | N | N | N | N | N | N | N | N | N | P | N | N | N | N | P | N | N |
| C7 Management review of the ISMS | N | N | N | P | N | N | N | N | N | N | N | N | P | N | N | N | N | P | N |
| C8 ISMS improvement | P | N | N | P | P | N | N | N | W | N | N | N | N | N | N | N | P | P | N |

Scale of comparison: Not related (N) (0%); Weakly related (W) (1% to 15%); Partially related (P) (16% to 50%); Largely related (L) (51% to 85%); Strongly related (S) (86% to 100%).
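The following script is an added example, not code from the paper or from Audisec's tool: it applies the discrete comparison scale of Section 4.2 to a fulfillment ratio such as the "1 of 3" case of Table 3, and recomputes the per-label counts and percentages of Section 4.4 from the Table 4 matrix as printed. Whole-number rounding of percentages is an assumption, since the paper gives the scale bands only as integer percentages.

```python
"""Comparison-scale classification and summary of the Table 4 mapping matrix.

Added example; the scale and matrix are transcribed from the paper, the
rounding rule is an assumption."""
from collections import Counter

# Discrete comparison scale of Section 4.2: label, lower and upper bound in
# percent (both inclusive).
SCALE = [
    ("N", 0, 0),     # Not related
    ("W", 1, 15),    # Weakly related
    ("P", 16, 50),   # Partially related
    ("L", 51, 85),   # Largely related
    ("S", 86, 100),  # Strongly related
]
RANK = {label: i for i, (label, _, _) in enumerate(SCALE)}


def classify(supported: int, total: int) -> str:
    """Map a fulfillment ratio (statements of model B supported by model A,
    over all statements of B) onto the N/W/P/L/S scale.

    Rounding to a whole percentage is an assumption of this example."""
    if total <= 0:
        raise ValueError("total must be a positive number of statements")
    if not 0 <= supported <= total:
        raise ValueError("supported must lie between 0 and total")
    pct = round(100 * supported / total)
    for label, low, high in SCALE:
        if low <= pct <= high:
            return label
    raise AssertionError("percentage outside 0..100")  # unreachable


# ISO 20000-2 clauses in the column order of Table 4 (19 columns).
ISO20000_COLUMNS = [
    "3", "4.1", "4.2", "4.3", "4.4", "5", "6.1", "6.2", "6.3", "6.4",
    "6.5", "6.6", "7.2", "7.3", "8.2", "8.3", "9.1", "9.2", "10.1",
]

# Table 4 matrix transcribed from the paper: ISO 27001 clause -> one cell per
# ISO 20000-2 column, read in the direction ISO 27001 to ISO 20000-2.
TABLE4 = {
    "C4.2": "L P P L P N W N P P N S P N W L L P S",
    "C4.3": "P N N N N N N P N N N S P N N P L P P",
    "C5.1": "N N N P N S N N N N N S N N N N N N N",
    "C5.2": "P N N P N P N N N N N P S P P S N L P",
    "C6":   "P N N N N N N N N N N P N N N N P N N",
    "C7":   "N N N P N N N N N N N N P N N N N P N",
    "C8":   "P N N P P N N N W N N N N N N N P P N",
}


def parse_matrix(table: dict, columns: list) -> dict:
    """Turn the space-separated rows into {row: {column: label}}, rejecting
    rows whose width or labels do not match the scale."""
    matrix = {}
    for row, cells in table.items():
        labels = cells.split()
        if len(labels) != len(columns):
            raise ValueError(f"{row}: expected {len(columns)} cells, got {len(labels)}")
        for label in labels:
            if label not in RANK:
                raise ValueError(f"{row}: unknown scale label {label!r}")
        matrix[row] = dict(zip(columns, labels))
    return matrix


def summarize(matrix: dict) -> dict:
    """Count cells per scale label and express each as a rounded percentage of
    all row/column intersections (the paper's 133 relationships)."""
    counts = Counter(label for row in matrix.values() for label in row.values())
    total = sum(counts.values())
    summary = {"total": total}
    for label, _, _ in SCALE:
        summary[label] = (counts[label], round(100 * counts[label] / total))
    return summary


def supported_clauses(matrix: dict, row: str, at_least: str = "P") -> list:
    """ISO 20000-2 clauses that one ISO 27001 clause supports at level
    `at_least` or stronger, i.e. where earlier ISO 27001 effort can be reused."""
    return [col for col, label in matrix[row].items()
            if RANK[label] >= RANK[at_least]]


if __name__ == "__main__":
    m = parse_matrix(TABLE4, ISO20000_COLUMNS)
    print(summarize(m))
    print("C8 supports at least partially:", supported_clauses(m, "C8"))
    print("Table 3 example, 1 of 3 statements:", classify(1, 3))
```

As transcribed, the matrix contains seven S cells and 133 cells in total, whereas the text of Section 4.4 reports six strongly related relationships; the remaining counts (85 N, 3 W, 32 P, 6 L) match the text.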
5. Integrating ISO 27001 and ISO 20000-2
On the basis of the results obtained in the comparison stage and following IMethod
(see Figure 4), in Table 5 we present an example, which shows how to carry out the
integration between two related clauses of ISO 27001 and ISO 20000-2. The unified
clause column shows the content of a unified practice, which integrates the content of
clause 8.2 of ISO 27001 and clause 9.2.2 of ISO 20000-2. The result is a combination of
the best practices into a single practice. The ISO 20000-2 column indicates whether there
is a relationship between the content of unified practice and ISO 20000-2. The
explanation column describes additional information. The ISO 20000-2 relationship
column indicates that clause 8.2 of ISO 27001 has a correspondence to ISO 20000-2,
i.e., clause 9.2.2. The square brackets […] indicate the information added into unified
practice; they thereby reflect a modification by insertion. The characters << >> indicate
the deleted content and thus reflect a modification by erasing. Table 6 shows the final
result of the unified clause 8.2. This clause contains certain content of clause 9.2.2 of ISO
20000-2 which is not contained in ISO 27001. Organizations can use this method to
define their integrated processes or unified models.
Table 5. Partial Example of a Unified Practice Integrating ISO 27001 and ISO 20000-2

| Unified Practice (Clause 8.2 Corrective action has been taken as basis practice) | ISO 20000-2 relationship | Explanation |
|---|---|---|
| [Any nonconformity should be recorded and acted on]. [Then, ] <<The>> organization shall take action to eliminate the cause of nonconformities with the ISMS requirements, in order to prevent recurrence. | Statement 2 of clause 9.2.2 Closing and reviewing the change request. | Clause 9.2.2 of ISO 20000-2 complements practice 8.2 of ISO 27001. |
Table 6. Clause 8.2 Unified
Clause 8.2 Corrective action
Any nonconformity should be recorded and acted on. The organization
shall then take action to eliminate the cause of nonconformities with the
ISMS requirements, in order to prevent recurrence.
6. Some Benefits Reported by Audisec
With the harmonization of standards ISO 27001 and ISO 20000-2, Audisec reported
several benefits; the most significant of these are:
When two ISO models such as ISO 27001 and ISO 20000-2 are being
harmonized, it is conceivable that, as they are structurally compatible standards, it
may not be necessary to carry out the homogenization of their process elements
using a common structure of process elements as a CSPE template. However, the
semantic analysis done to organize the statements of the clauses in the common
structure improved the understanding of the standards, as it facilitated the
identification, interpretation, internalization and classification of descriptions under
a process-oriented structure that is more detailed and easier to apply as a reference
model. An example is presented in Table 1.
The harmonization strategy has allowed a systematic harmonization guide to
be defined, and this has facilitated the analysis, identification of differences and
support opportunities between ISO 27001 and ISO 20000-2. According to Audisec,
“the strategy of harmonization was a practical and powerful guide for carrying out
the harmonization of ISO 27001 and ISO 20000-2”.
With the results obtained, the organization has developed a software tool to
support the ISO 20000 consulting process. This tool has been developed taking into
account the relationships found between ISO 27001 and ISO 20000-2. Based on the
results, we may affirm that the tool has reduced the effort involved in the
institutionalization of ISO 20000 in organizations that had implemented ISO 27001
previously. Figure 5 shows an example of the comparison between clause 5.1 of
ISO 27001 and clause 5.1 of ISO 20000-2 (we maintain the original screen shot,
which is in Spanish).
Figure 5. Comparison between ISO 27001 and ISO 20000-2 by Means of Audisec’s Tool
7. Conclusions
In this paper we have presented the harmonization of standards ISO 27001 and ISO
20000-2. To carry out the harmonization of these standards, a harmonization strategy has
been defined and configured, made up of a homogenization method, a comparison
method and an integration method. The harmonization strategy obtained is the result of
the implementation of a harmonization process, which supports the definition and
configuration of strategies for harmonization of multiple models.
Both ISO 27001 and ISO 20000-2 describe objectives and best practices for improving
the management systems of organizations through two different approaches, namely
information security and IT service. Although these standards describe practices for
different approaches, it is possible to find similarities in their descriptions, as well as a
different level of detail. This feature suggests that the similarities identified can be
harmonized and integrated under one management system, impacting positively on: (i)
the cost, (ii) time and (iii) associated resources, which can be different if they are
implemented separately. In that sense, the comparison made in this work of ISO 20000-2
and ISO 27001 can be a practical benefit for ISO 27001 certified organizations when they
are seeking to institutionalize the processes of ISO 20000-2.
It has been possible to note that there is a partial relationship of 36%. This means that
there are 48 relationships where ISO 27001 offers some kind of support for the processes
of ISO 20000-2. Although the proportion of strong relationships found is only
around 10%, it is important to highlight that while ISO 27001 and ISO 20000-2 define
best practices for different implementation approaches, the models are not totally different
and it is thereby possible to find close relationships. For instance, ISO 27001 provides
greater coverage for the practices related to the management system and control process,
i.e. clause 3 (71%) and clause 7 (64%), respectively.
The conceptual relationships established between the two standards have been
identified under the criteria and experience of the performer responsible for the analysis
and comparison of models. As future work we will carry out an empirical study that
allows there to be a mapping of the standards using the opinion of several experts and/or
practitioners involved in the use of ISO 27001 and ISO 20000 in some organizations.
This validation would enable the correspondence between these standards to be checked,
not only from a theoretical point of view, but also from an empirical and practical
standpoint.
Acknowledgments
This work has been funded by the projects: (i) INGENIOSO (PEII-2014-050-P, Junta
de Comunidades de Castilla-La Mancha and FEDER), (ii) SEQUOIA (Ministerio de
Economía y Competitividad and Fondo Europeo de Desarrollo Regional - FEDER,
TIN2015-63502-C3-1-R), (iii) U-CSCL Project (Universidad del Cauca, VRI-3713) and
(iv) MCSS-TI Project (Universidad del Cauca, VRI-4358). César Pardo and Francisco J.
Pino acknowledge the contribution of the University of Cauca, where they work as an
assistant professor and full professor respectively.
Authors
César Pardo was born in Popayán (Colombia). He received the MSc and PhD
degrees in Computer Science from the University of Castilla-La Mancha (UCLM) of
Ciudad Real (Spain). He is currently an assistant professor at the Engineering Faculty
of the University of Cauca (Colombia). His research interests include software
processes, software process improvement, agile methodologies, project estimation,
software quality, harmonization of multiple models and standards, and quality
characteristics of process-supported software products. He is also a Scrum Master
certified by Alliance Inc. He is the author of one book, co-author of seven book
chapters, co-author of more than 50 research papers in journals and conferences, and
the owner of two intellectual properties (IP). He is a member of several national and
international committees. César Pardo acknowledges the contribution of the University
of Cauca, where he works as an assistant professor. Contact details: University of
Cauca, Calle 5 No. 4 – 70, Popayán, Colombia;
Francisco J. Pino holds a European PhD in Computer Science from the University of
Castilla-La Mancha (UCLM), Spain. He is currently a full professor at the Electronic
and Telecommunications Engineering Faculty of the University of Cauca, in Popayán
(Colombia). He is a member of the IDIS Research Group and his research interests are
software process improvement in small companies and harmonization of multiple
improvement technologies. Contact details: University of Cauca, Calle 5 No. 4 – 70,
Popayán, Colombia; [email protected].
Félix García received his MSc (2001) and PhD (2004) degrees in Computer Science
from the University of Castilla-La Mancha (UCLM). He is currently an associate
professor in the Department of Information Technologies and Systems at the UCLM.
He is a member of the Alarcos Research Group and his research interests include
business process management, software processes, software measurement, and agile
methods. Contact details: Escuela Superior de Informática, Paseo de la Universidad 4,
13071-Ciudad Real, Spain; [email protected].