ISO/IEC 27013:2021 – Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1.
For ISO/IEC 27001, the definition of the organization is that which is covered by the ISMS. As with an SMS, an ISMS can be applied to part or all of an entity and can include services delivered by the organization. The ISMS scope can also be defined exclusively by a clear physical boundary, such as a security perimeter around a specific site or part of a site.

In some cases, the full requirements specified in ISO/IEC 20000-1 and ISO/IEC 27001 cannot be implemented for all, or even part, of the organization’s activities. This can be the case if, for example, an organization cannot conform to the requirements specified in ISO/IEC 20000-1 because other parties provide or operate all the services, service components or processes in the scope of the SMS. ISO/IEC 20000-1:2018, 8.2.3, states that not all services, service components and processes can be provided by other parties – the organization itself should provide at least some of these.

An organization can implement an SMS and an ISMS with some overlap between the different scopes. Where activities lie within the scope of both ISO/IEC 20000-1 and ISO/IEC 27001, the integrated management system should take both ISO/IEC 20000-1 and ISO/IEC 27001 into consideration (see Annex A). Differences in scope can result in some services included in the SMS being excluded from the scope of the ISMS. Equally, the SMS can exclude processes and functions of the ISMS. For example, some organizations choose to implement an ISMS only in their operation and communication functions, while application management services are included in their SMS but not in the ISMS. Alternatively, the ISMS can cover all the services, while the SMS can cover only the services for a particular customer or some services for all customers. The organization should align the scopes of the management systems as much as possible to ensure successful integration and to maximize the benefits of the integrated management system.
NOTE Guidance on scope definition for ISO/IEC 20000-1 is available in ISO/IEC 20000-3. Guidance on the scope definition for ISO/IEC 27001 is available in ISO/IEC 27003.

5.3 Pre-implementation scenarios

5.3.1 General

An organization planning an integrated management system can be in one of three states, as described in 5.3.2 to 5.3.4. In all cases, the organization has some form of management processes or it would not exist. Subclauses 5.3.2, 5.3.3 and 5.3.4 provide suggestions for implementation in each of the three states described in 5.1.

5.3.2 Neither standard is currently used as the basis for a management system

It is easy to assume that, where neither an ISMS nor an SMS is implemented, there are no policies, processes and procedures and that, therefore, the situation is simple to deal with. However, this is a misconception. All organizations have some form of management system, which may simply be their processes, plans and policies. This should be adapted to achieve conformity with the requirements specified in either ISO/IEC 27001 or ISO/IEC 20000-1, or both.

The decision regarding the order in which the requirements for the ISMS and the SMS will be implemented should be based on business needs and priorities. Decisions can be influenced by the primary driver, for example, competitive positioning or the need to demonstrate conformity to a customer or other interested party.

Another important decision is whether to implement both an SMS and an ISMS concurrently or sequentially. If the implementation is sequential, either the SMS or the ISMS is implemented first and then that management system is extended to include the additional requirements of the other. Both an SMS and an ISMS can be implemented concurrently if implementation activities and efforts can be coordinated and duplication minimized.
However, depending on the nature of the organization, it can be prudent to start with the requirements specified in one standard and then expand the management system to include the requirements of the other.