ISO20000 and ISO17799, can we adopt both?

jacknson · Newbie Joined: Jan 04, 2007 Posts: 2

Dear Everyone, i need some help guys and girls. I need to adopt the ISO standard but i dont know which one? My firm provides security equipments and advice.

Can we adopt both, is it worth it?
Does part of ISO20000, section 6.6 consists of ISO17799? what are the similarities and differencies between these two series?
what about the ISO9000, i know this one is for quality management, can we adopt all three series?

Please help.
thanks a lot
Jack

UKVIKING · Posted: Fri Jan 05, 2007 3:34 am Post subject:

ISO 20000 must be completely implemented. All 16 disciplines (10 of which are ITIL related/Based. 1 Security (ISO 17799) etc) must be implemented and audit in order to achieve ISO 20000

The security ISO can implemented as is.
_________________
John Hardesty
ITSM Manager's Certificate (Red Badge)

Change Management is POWER & CONTROL. /....evil laughter

jacknson · Newbie Joined: Jan 04, 2007 Posts: 2

UKVIKING · Posted: Sat Jan 06, 2007 9:26 pm Post subject:

Jacknson

The answer is yes

You can implement both ...

but in order to implement ISO 20000 you have to implement ALL 16 disciplines within ISO 20000 because your processes will be audited accroding to iSO20000:1 and ISO20000:2. I wrote a long commentary in another thread about the 16 disciplines.

One of tje disciplines within ISO 20000 is Information Security Management which ISO 17799 also covers... therefore if ISO 17799 is implemented, you have dealt with 1 of the 1 disciplines
_________________
John Hardesty
ITSM Manager's Certificate (Red Badge)

Change Management is POWER & CONTROL. /....evil laughter

Justin · Newbie Joined: Jan 25, 2007 Posts: 1

Jack,

My former colleague John is absolutely spot on as usual. I shall just add to his comments. ISO17799 has now been replaced by ISO27001 but is essentially still the standard for IT Information Security Management. There is one aspect of ISO20000 dedicated to this. You can go for either but ISO20000 is dependent on the specified SCOPE and your interface to any suppliers of process to that scope, i.e. you may not have management control over your HR department but your scope relies on it to provide staff or a disciplinary process etc...

So, where John and I used to work we achieved ISO270001 for one part of the business and then achieved ISO20000 in that same part of the business but the assessors did not need to address the Information Security area as this had already been achieved by us attaining ISO27001 and thus concentrated on the other areas.

I hope this helps.

Justin

itsmer · Itiler Joined: Oct 11, 2006 Posts: 21

I am currently implementing ISO20k in an organisation which has already got ISO27001.
What you need to understand where your requirement and focus is. If security focus and commitment is required then, 27001 is good. Some companies may have a organisational/regulatory requirement (banks,bpo's)
I always feel both are required, even though there are overlaps.
For e.g Clause 6.3 (service continuity and availability) and clause 6.6 Information security management in ISO20000 overlap with bcp and dr of 27001 and also with security risk management, security incident reporting and so on..

Understand the your current strength. Both certifications need commitment from people (management and staff).
cheers


Create an account	Home · Topics · Downloads · Your Account · Submit News · Top 10


Logos/trademarks property of respective owner. Comments property of poster. Rest © 2004 Itil Community for Service Management & Foundation Certification. SV Site source copyright (c)2003, and is Free Software under the GNU / GPL licence. All Rights Are Reserved.