Information security is no small matter! The necessity of ISO20000 and ISO27001
Release Date:
2021-10-08 14:31
With the rapid development of the internet, our lives are becoming increasingly information-based, and information technology is getting closer to our daily lives. Of course, the development of anything has two sides; while informatization changes life and brings convenience, it also carries considerable risks.
01
According to statistics, two companies worldwide go bankrupt every minute because of information security problems. Of all information security incidents, only 20%-30% are caused by hacker attacks or other external factors, while 70%-80% result from negligence or deliberate leaks by internal employees; likewise, 78% of corporate data breaches stem from improper operations by internal staff. Enterprise information security must therefore be built from both the inside and the outside into a comprehensive solution. One manufacturer that has expanded from electronic hardware products into software services relies more and more on informatization, and the protection of its information, above all its trade secrets, grows more important accordingly. Its key concern is how to strengthen information security within a reasonable investment so as to minimize or avoid the economic losses and business impact caused by the leakage, loss, or damage of information.
By obtaining ISO 27001 and ISO 20000 certifications, the company can raise both its overall management level and its information security standards.
02
ISO 20000 is an IT service management standard aimed at organizations, designed to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an IT service management system (ITSM).
ISO/IEC 27001 is the basis for assessing an organization's information security management system, whether in whole or in part, and can serve as the standard for auditing and certifying it.
Currently, many enterprises that already hold ISO 27001 certification go on to obtain ISO 20000 certification to improve overall IT service quality. However, many companies are unclear about the relationship between the ISO 20000 IT service management standard and the ISO 27001 information security management standard.
As is well known, the new version of ISO 27001 was officially released on October 19, 2019. The relationship between ISO 27001 and ISO 20000 is explained below.
03
Different focus of the subjects
ISO 20000 is process-centered, defining a series of relatively abstract process objectives, while ISO 27001 focuses on control points/control measures, which are more specific.
Different emphasis in system standards
ISO 20000 is a quality system standard for IT service management, whereas ISO 27001 is a quality standard specification for information security. ISO 20000 emphasizes meeting quality management standards through processes, while ISO 27001 emphasizes achieving information security management goals through risk control points.
Common characteristics of system standards
The two standards share several elements, for example incident management, business continuity management, and information asset management. Most enterprises choose to implement ISO 20000 and ISO 27001 certification projects together to take full advantage of the complementary features of the two systems, thereby controlling the company's service operation and maintenance system and its security management more comprehensively and systematically.
Different scopes
ISO 20000 applies to the IT service department of an enterprise, usually the IT department; ISO 27001 applies to the entire enterprise, including not only the IT department but also business, finance, human resources, and other departments.
There is an essential difference between ISO 20000 certification and ISO 27001 certification: ISO 20000 is an IT service management system, while ISO 27001 is an information security management system.
When it comes to protecting information security, we certainly cannot rely on our management system alone. The management system gives us direction and a foundation; on that basis, we must put the standards into practice and ingrain information security awareness in our minds. Only by remaining constantly vigilant about information security can we achieve genuine information security protection.