With newly refreshed ISO/IEC 20000 alignment to ISO 9001 and ISO/IEC 27001, I thought it would be nice to have a set of more detailed information about relations between these three, all in one place.
For new people here:
- ISO 9001 is a Quality Management standard
- ISO/IEC 27001 is an Information Security norm
- ISO/IEC 20000 is dealing with Service Management. It was developed on ITIL V2 basis and is now in a second edition. Have a look at posts:
If a company already adopted a Quality Management mindset from 9001, then going either for 27001 (Information Security Management) or 20000 (Service Management) is a natural thing. Usually the order of implementation is determined by local market demand and governmental regulation of the core business (Financial organizations, Service providers, military...).
Implementation of ISO/IEC 27001 brings a significant market advantage to a Service Provider, since it is often a requirement in tenders, especially in European countries. It will make you care about security, both yours and of your customer. In the beginning it will feel a bit restraining, but for a good reason. It will significantly reduce risks of losing contracts due to information security reasons.
ISO/IEC 20000 requires a broad specter of implemented processes, but if you are a service providing organization with some experience and knowledge of ITIL (could it be otherwise?), then it shouldn't be a problem. It will only make you define neglected or less cared for aspects and Service Management processes.
Here is a simple diagram I use in presentations to communicate a quick win-win feeling to the audience:
|How ISO 9001, 27001 and 20000 overlap|
And here is a table of more detailed relations.
|ISO 9001 - ISO/IEC 27001 - ISO/IEC 20000 Mapping|
This is still a working version of the table, but still pretty usable. Hope you enjoy it. If it displays too small for you when clicked on, you can copy it with rightclick and paste it to your favorite text or picture editor. Or, click here on my Google pages.