ISO/IEC 27013:2015 — Information Security Management — Guidance on Integrated Implementation of ISO/IEC 27001 and ISO/IEC 20000-1

Integrating information security management and IT service management for operational excellence

1. Why Integrate ISO/IEC 27001 and ISO/IEC 20000-1?

ISO/IEC 27013:2015 provides guidance on the integrated implementation of ISO/IEC 27001 (information security management) and ISO/IEC 20000-1 (service management). These two standards share a common high-level structure (Annex SL), similar PDCA process models, and overlapping governance requirements, making them natural candidates for integration. Organizations that operate both an ISMS and an IT service management system (SMS) often find that maintaining them as separate, siloed systems leads to duplication of effort, inconsistent processes, and missed opportunities for operational synergy.

The key insight of ISO/IEC 27013 is that information security is not a standalone function but an integral dimension of service quality and reliability. Integrating security controls into service management processes produces more resilient and cost-effective outcomes.

The 2015 edition provides a structured mapping between the requirements of both standards, identifying areas of commonality, complementarity, and potential conflict. It recognizes that many organizations implementing ISO/IEC 20000-1 for IT service management also need ISO/IEC 27001 certification to address information security risks, and vice versa. Rather than managing two separate compliance programs, an integrated approach reduces audit burden, streamlines management system documentation, and enables security to be built into service design from the outset rather than bolted on as an afterthought.

2. Integrated Management System Approach

The integrated approach recommended by ISO/IEC 27013 centers on a unified management system that satisfies the requirements of both standards through a single set of policies, processes, and governance structures. This begins with the establishment of an integrated policy framework that addresses both information security objectives and service management objectives within a coherent strategic context. The standard provides detailed guidance on how to map the specific requirements of each standard to a unified process architecture, avoiding duplication while ensuring that all mandatory requirements are addressed.

| Process Area | ISO/IEC 27001 Requirements | ISO/IEC 20000-1 Requirements | Integrated Approach |
|---|---|---|---|
| Policy & Governance | ISMS policy, risk assessment methodology, security objectives | Service management policy, service objectives, governance framework | Unified policy document with dual-purpose objectives; single management review meeting covering both ISMS and SMS |
| Risk Management | Information security risk assessment and treatment | Service risk assessment, service continuity, availability management | Combined risk register with security, service, and business perspectives; unified risk treatment planning |
| Incident Management | Security incident reporting, response, and lessons learned | Service incident management, problem management, request fulfillment | Integrated incident management process with security classification; combined problem and root cause analysis |
| Supplier Management | Information security in supplier agreements, monitoring supplier security | Supplier management, performance monitoring, contract management | Unified supplier governance framework; combined security and service performance reviews |
| Audit & Review | Internal ISMS audit, management review, corrective actions | Internal SMS audit, service reporting, management review, continual improvement | Integrated internal audit program covering both standards; unified corrective action tracking system |

Integration does not mean dilution. Organizations must ensure that the specific mandatory requirements of each standard are demonstrably met. A gap analysis against both standards' checklists is essential before pursuing dual certification.

3. Implementation Roadmap

A successful integrated implementation typically follows a phased approach over 12 to 18 months. The first phase involves a comparative gap analysis that assesses the organization’s current management system against the requirements of both standards, identifying overlap areas that can be unified and gaps that require new or enhanced capabilities. This analysis should involve stakeholders from both information security and service management teams to ensure buy-in and capture domain-specific requirements. A formal gap assessment matrix should be created that maps each clause of ISO/IEC 27001 to the corresponding clause of ISO/IEC 20000-1, noting where requirements overlap, complement each other, or stand alone.

Phase two focuses on designing the integrated management system architecture, including unified process documentation, role definitions that combine security and service responsibilities, and integrated performance metrics that track both security and service outcomes. Phase three implements the integrated system, with particular attention to training staff on combined procedures, deploying integrated tooling for incident and problem management, and establishing unified reporting dashboards for management visibility.

Phase four validates the integrated system through internal audit, management review, and ultimately external certification audits against both standards.

A key success factor is the appointment of an integrated management system owner with authority over both security and service management domains. Organizations should also consider the cultural aspects of integration: information security teams and service management teams often have different professional backgrounds, priorities, and vocabularies, and deliberate effort is required to build a shared understanding and collaborative working relationship between these groups.

Organizations that implement an integrated ISMS and SMS report a 20-35% reduction in management overhead, faster audit cycles, and improved alignment between security investments and service quality objectives. The integrated approach also facilitates better communication between security and service teams, reducing friction and enabling more agile responses to changing business requirements.

Frequently Asked Questions

Q: Can an organization achieve ISO/IEC 27001 and ISO/IEC 20000-1 certification simultaneously using this guidance?
A: Yes. ISO/IEC 27013 is specifically designed to facilitate combined certification. Many certification bodies offer integrated audits that assess compliance with both standards in a single engagement, reducing total audit time and cost by up to 30% compared to separate certification processes.
Q: What if my organization already has one certification and wants to add the other?
A: The standard provides guidance for both greenfield implementations and phased integration. If you already have an ISMS or SMS in place, assess the existing system against the other standard’s requirements and extend processes rather than rebuilding from scratch. This incremental approach typically takes 6 to 9 months.
Q: Does the integrated approach require a single documentation set?
A: Not necessarily. The standard recommends a unified policy framework and process architecture, but some operational procedures may remain separate where they serve distinct purposes. The key requirement is that the integration is coherent and avoids conflicts or gaps between the two management systems.
Q: How does the integrated approach affect internal audit resource requirements?
A: An integrated management system enables combined internal audits that assess both ISMS and SMS requirements in a single audit engagement, reducing auditor time while providing more comprehensive coverage. Internal auditors should be competent in both standards and in how the two interrelate.
