Service Management & Information Security

ISO 27013:2021 Guidance on the Integrated Implementation of ISO/IEC 27001 and ISO/IEC 20000-1 provides a clear explanation of the areas where a Service Management System and an Information Security Management System overlap, and where they differ. In ISO 20000-1, Clause 9.7.3 identifies that an organization must have an information security program, but it does not mandate the use of the ISO 27001 standard for information security. However, at a minimum an organization must have an information security policy structure, information security controls, and an information security incident approach.

Here are some notable areas where organizations need to understand and manage the differences between service management and information security management:

  • Risk management: Risks to services do not always fall within the information security objectives of confidentiality, integrity and availability. An organization’s approach to service management risk needs to consider how the delivery of services might be (or potentially could be) compromised, disrupted, or otherwise impacted adversely.

  • Incident management: An incident can be a service incident, an information security incident, both, or neither. When a SEV-1 incident occurs, the priority of the service management team is to restore the service as soon as possible. However, this may put certain information security interests, like preservation of evidence, at risk. ISO 27013 explains how to address such challenges.

NOTE: Due to new statutory, regulatory, and other perspectives, new forms of incidents can emerge. Artificial intelligence (AI) is a recent example. An AI incident, as may be defined by law, may be a service incident, an information security incident, both, or neither.

NOTE: ISO 20000-7:2019 Guidance on the Integration and Correlation of ISO/IEC 20000-1:2018 to ISO 9000-1:2015 and ISO/IEC 27001:2013 was withdrawn in mid-2022, just prior to the release of the revised ISO 27001.
