Posted: Fri Jan 05, 2007 12:29 am Post subject: ISO20000 and ISO17799, can we adopt both?
Dear Everyone, i need some help guys and girls. I need to adopt the ISO standard but i dont know which one? My firm provides security equipments and advice.
Can we adopt both, is it worth it?
Does part of ISO20000, section 6.6 consists of ISO17799? what are the similarities and differencies between these two series?
what about the ISO9000, i know this one is for quality management, can we adopt all three series?
ISO 20000 must be completely implemented. All 16 disciplines (10 of which are ITIL related/Based. 1 Security (ISO 17799) etc) must be implemented and audit in order to achieve ISO 20000
The security ISO can implemented as is.
Thank you for your quick reply. However i am still a bit confused.Can i implement both ISO20000 and ISO17799. Could you or anyone else elaborate a little bit more on this subject please.
Joined: Sep 16, 2006 Posts: 3544 Location: London, UK
Posted: Sat Jan 06, 2007 9:26 pm Post subject:
The answer is yes
You can implement both ...
but in order to implement ISO 20000 you have to implement ALL 16 disciplines within ISO 20000 because your processes will be audited accroding to iSO20000:1 and ISO20000:2. I wrote a long commentary in another thread about the 16 disciplines.
One of tje disciplines within ISO 20000 is Information Security Management which ISO 17799 also covers... therefore if ISO 17799 is implemented, you have dealt with 1 of the 1 disciplines _________________ John Hardesty
ITSM Manager's Certificate (Red Badge)
Change Management is POWER & CONTROL. /....evil laughter
Posted: Thu Jan 25, 2007 8:11 pm Post subject: ISO20000 and ISO27001
My former colleague John is absolutely spot on as usual. I shall just add to his comments. ISO17799 has now been replaced by ISO27001 but is essentially still the standard for IT Information Security Management. There is one aspect of ISO20000 dedicated to this. You can go for either but ISO20000 is dependent on the specified SCOPE and your interface to any suppliers of process to that scope, i.e. you may not have management control over your HR department but your scope relies on it to provide staff or a disciplinary process etc...
So, where John and I used to work we achieved ISO270001 for one part of the business and then achieved ISO20000 in that same part of the business but the assessors did not need to address the Information Security area as this had already been achieved by us attaining ISO27001 and thus concentrated on the other areas.
Posted: Wed Jan 31, 2007 11:01 pm Post subject: great
I am currently implementing ISO20k in an organisation which has already got ISO27001.
What you need to understand where your requirement and focus is. If security focus and commitment is required then, 27001 is good. Some companies may have a organisational/regulatory requirement (banks,bpo's)
I always feel both are required, even though there are overlaps.
For e.g Clause 6.3 (service continuity and availability) and clause 6.6 Information security management in ISO20000 overlap with bcp and dr of 27001 and also with security risk management, security incident reporting and so on..
Understand the your current strength. Both certifications need commitment from people (management and staff).
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum