Information technology — Security techniques — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
INTERNATIONAL STANDARD ISO/IEC 27013
Reference number ISO/IEC 27013:2015(E)
Second edition 2015-12-01
© ISO/IEC 2015
ii © ISO/IEC 2015 – All rights reserved
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2015, Published in Switzerland
the requester.
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
www.iso.org
ISO/IEC 27013:2015(E)
Contents  Page
Foreword  iv
Introduction  v
1 Scope  1
2 Normative references  1
4 Overview of ISO/IEC 27001 and ISO/IEC 20000-1  2
4.1 Understanding the International Standards  2
4.2 ISO/IEC 27001 concepts  2
4.3 ISO/IEC 20000-1 concepts  2
4.4 Similarities and differences  2
5 Approaches for integrated implementation  3
5.1 General  3
5.2 Considerations of scope  4
5.3 Pre-implementation scenarios  5
5.3.1 General  5
      the standards  6
      each standard  6
6 Integrated implementation considerations  7
6.1 General  7
6.2 Potential challenges  7
6.2.1 The usage and meaning of asset  7
6.2.2 Design and transition of services  8
6.2.3 Risk assessment and management  8
6.2.4 Differences in risk acceptance levels  9
6.2.5 Incident and problem management  9
6.2.6 Change management  11
6.3 Potential gains  12
6.3.2 Service level management and reporting  12
6.3.3 Management commitment  12
6.3.7 Supplier management  14
6.3.10 Budgeting and accounting  15
Annex A (informative)  16
Annex B (informative) Comparison of ISO/IEC 27000 and ISO/IEC 20000-1 terms  20
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
members of ISO or IEC participate in the development of International Standards through technical
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
constitute an endorsement.
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL:
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
Introduction
experienced whether one International Standard is implemented before the other, or both International
management include the following:
service;
c) a reduction in implementation time due to the integrated development of processes common to both standards;
in requirements.
The guidance in this International Standard is based upon the published versions of both ISO/IEC 27001 and ISO/IEC 20000-1.
the International Standards ISO/IEC 27001 and ISO/IEC 20000-1.
It is expected that all readers have access to copies of both ISO/IEC 27001 and ISO/IEC 20000-1.
This International Standard does not provide guidance associated with the various legislation and