Implementing Service Management System and IT Security Management
with Integrated ISO/IEC 20000-1 and ISO/IEC 27000-series
By:
Septafiansyah Dwi P.
Institut Teknologi Bandung
ITSM or SMS
IT service management (ITSM) is a concept that combines system management,
network management, system development management, incident management,
problem management, service management, security and so on, helping enterprises
to manage the process of constructing, implementing, maintaining and planning
IT systems through effective management methods (Tang, 2009).
ISO 20000 – Standard in IT Service Management
What is it?
The formulation of ITIL practices into an international standard
Management of 13 key IT services to meet business requirements
(predominantly internally focused)
Specifies a number of closely related processes that brought together will
help ensure that an organisation delivers managed IT services to its internal
customers
Comprehensive but not exhaustive
Planning, implementing, monitoring, improvement of new and changed
services
The benefits of ISO 20000
• A consistent approach to service management
• IT service provision becomes measurable and accountable
• Consistent levels of service are agreed
• Improved communication flows between IT and the business
• IT gains a better understanding of business requirements
• Reduced risk of business failure
• A reduction in the number of avoidable and repeat incidents
• Higher availability of systems and services
Service management system
1. Scope
1.1 General
1.2 Application
2. Normative references
3. Terms and definitions
4. SMS general requirements
4.1 Management responsibility
4.2 Governance of processes operated by other parties
4.3 Documentation management
4.4 Resource management
Establish and improve the SMS
5. Design and transition of new or changed services
5.1 General
5.2 Plan new or changed services
5.3 Design and development of new or changed services
5.4 Transition of new or changed services
6. Service delivery processes
6.1 Service level management
6.2 Service reporting
6.3 Service continuity and availability management
6.4 Budgeting and accounting for services
6.5 Capacity management
6.6 Information security management
7. Relationship processes
7.1 Business relationship management
7.2 Supplier management
8. Resolution processes
8.1 Incident and service request management
8.2 Problem management
9. Control processes
9.1 Configuration management
9.2 Change management
9.3 Release and deployment management
Implementing PDCA in service management
Plan
• Establishing
• Documenting
• Agreeing the SMS
Do
• Implementing
• Operating the SMS
Check
• Monitoring
• Measuring
• Reviewing the SMS
Act
• Improving the SMS
• Improving the service
[Figure: Service Management System (SMS): policies, objectives, plans and processes; service management processes; services]
Indonesia Hot Topic Issue
ISO27001
ISO 27001 is the standard for establishing, controlling, monitoring and
improving an Information Security Management System (ISMS). It
provides the requirements for an ISMS framework as well as 133
controls (much like the “shalls” in ISO 20000) (Implement ISO, 2012).
It is compatible with other standards such as NIST 800-53, ISO 27005,
COSO and Detiknas, and uses a risk-based assessment approach to
determine the scope of its implementation within an organisation. The
main goals of the ISO 27001 standard are to manage information
security, maintain business continuity and comply with regulation. It
addresses all information, physical security, environmental aspects,
outsourcing issues, etc.
The benefits of ISO 27000
• Reduction in possibly damaging/embarrassing information leaks and
failures
• Total risk mitigation, security of brand equity
• Reduction in costs due to fewer security incidents
• Common policies and control across the whole organisation
• Increased staff awareness
• Better monitored and audited systems and information flows
• Risk significantly reduced
“where does the ISO 20000-1 fit in with ISO 27001?”
Integrated SMS and ISMS
It is ISO 27001 that fits into ISO 20000, specifically in Section 6.6,
Information Security Management. This section addresses information
security policy, controls and changes/incidents as related to IT-based
information. ISO 27001 can provide much more detail and information
on setting up security elements in your organisation. ISO 27001
tells you “how” to do it rather than stating that you “have” to do it.
In other words, aim to combine some of the implementation activities
such as the audit review / risk assessment. There are advantages to having
a single audit team look at both management systems. This eliminates
redundancies, gives good value for money and helps Polinela
establish one aspect of good university governance. As stated
above, both standards use common management approaches, are both
process-based and also use the PDCA principles.
Advantages in an integrated management system
There are a number of advantages in implementing an integrated management system which
takes into account not only the services provided but also the protection of information assets.
These benefits can be experienced whether one standard is implemented before the other, or
both standards are implemented simultaneously. Management and organizational processes, in
particular, can derive benefit from the similarities between the International Standards and
their common objectives.
Key benefits of an integrated implementation include:
a) the credibility, to internal or external customers of the organization, of an effective and
secure service;
b) the lower cost of an integrated programme of two projects, where achieving both service
management and information security are part of an organization’s strategy;
c) a reduction in implementation time due to the integrated development of processes
common to both standards;
d) elimination of unnecessary duplication;
e) a greater understanding by service management and security personnel of each other's
viewpoints;
Thank you

Editor's Notes

  • #4 The formulation of ITIL practices into an international standard. Management of 13 key IT services to meet business needs (mainly internally focused). Specifies a number of closely related processes which, brought together, will help ensure that the organisation successfully delivers IT services to internal customers. Comprehensive but not exhaustive. Planning, implementation, monitoring and improvement of new and changed services.