
International Journal of Software Engineering and Its Applications
Vol. 10, No. 9 (2016), pp. 217-230
http://dx.doi.org/10.14257/ijseia.2016.10.9.18
ISSN: 1738-9984 IJSEIA
Copyright ⓒ 2016 SERSC

Towards an Integrated Management System (IMS), harmonizing the ISO/IEC 27001 and ISO/IEC 20000-2 Standards

César Pardo 1*, Francisco J. Pino 2 and Félix Garcia 3

1 Electronic and Telecommunications Engineering Faculty, University of Cauca, Calle 5 # 4 – 70 Popayán, Colombia. Tel: +57 28209800 ext. 2133. [email protected]
2 IDIS Research Group, Electronic and Telecommunications Engineering Faculty, University of Cauca, Calle 5 # 4 – 70 Popayán, Colombia. Tel: +57 28209800 ext. 2133. [email protected]
3 ALARCOS Research Group, Information Systems and Technologies Department, UCLM–ITSI Institute of Technology and Information Systems, University of Castilla–La Mancha, Paseo de la Universidad, 4 – 13071 Ciudad Real, Spain. Tel: +34 926 295300 ext. 3747. {Felix.Garcia}@uclm.es

Abstract

In recent times, and in order to maintain an integrated, efficient and homogeneous policy, Integrated Management Systems (IMS) have emerged as an opportunity to improve processes related to Information Technology (IT) in organizations in a way that is modular, consistent and orderly. The ISO 27001 and ISO 20000 standards provide good practices for creating and/or strengthening management infrastructure whose purpose is information security and IT services. In an attempt to provide information on how these standards are related, as well as to facilitate their integration under a single IMS, this article presents the harmonization strategy and results of the harmonization of standards ISO 27001 and ISO 20000 in an organization. The work thereby supports organizations which are interested in knowing how to carry out the harmonization of these models. It also provides a detailed analysis of their similarities and differences, showing an example of how to carry out the integration of related practices between ISO 27001 and ISO 20000-2. In addition, some benefits achieved by the organization are presented.

Keywords: Multi-model, Harmonization, Information Security Management System (ISMS), IT service management, Integrated Management Systems, Homogenization, Comparison, Integration

1. Introduction

At present, there is a wide range of models and standards which can be used by software organizations to carry out the improvement and certification of their processes. For example: CMMI, ISO 9001, ISO 12207, ISO 90003, ITIL, COBIT, to name a few of them.

* Corresponding Author: César Pardo, e-mail: [email protected].


The interest of organizations in obtaining the certification of standards defined by the International Organization for Standardization (ISO) has been increasing of late. This concern has focused mainly on information approaches as a means of improving their various departments through a single Integrated Management System (IMS) [1]. Two of these approaches are the ISO 27001 and ISO 20000-2 standards. ISO 27001 provides a wide description of, and controls related to, information security. ISO 20000, for its part, defines the practices and processes for managing services and IT management through the use of an assistance service based on ITIL.

Although ISO 27001 and ISO 20000 provide support for different management infrastructures in an organization, we believe that integrated institutionalization can have large benefits; e.g., improving competitiveness, organizational development, security and risk management, as well as improved corporate management, assurance to stakeholders, and continuous improvement. Likewise, it has a positive impact on loyalty and on attracting new customers, thanks to the provision of services that meet their needs and expectations. It is possible that the appropriate integration of ISO 27001 and ISO 20000 may allow a strong and powerful combination for IT management to be generated in an organization. It would also encourage the reuse of the effort, time, money and human talent involved in any improvement projects that had been carried out previously. With this “reuse”, organizations, especially small and medium enterprises (SMEs), would reap immense benefits, because the effort and costs associated with the implementation of a new model, as compared to one already institutionalized, could be reduced, i.e. a model implemented previously in an organization can already meet requirements of the new model to be implemented. The results obtained in this paper are an example of the above, as are the comparisons and harmonizations of other models already carried out, such as those performed between ISO 9001 and CMMI [2] and between ISO 15504 and CMMI [3], amongst others.

In this sense, and in our effort to guide organizations through the harmonization of ISO 27001:2005 and ISO 20000-2:2005 (hereafter referred to as ISO 27001 and ISO 20000-2, respectively), this article presents the harmonization strategy used to homogenize, compare and align the clauses of ISO 27001 with the clauses of ISO 20000-2. A harmonization strategy allows multiple models to be put in harmony and consonance with each other, through a set of methods configured systematically [4]. This paper attempts to provide a guide for organizations to manage, homogenize, compare and integrate the standards harmonized in this paper into a single management system.

This paper proceeds as follows. Section 2 presents related work. Section 3 describes the harmonization strategy designed from Audisec’s needs. Section 4 explains the harmonization of ISO 27001 and ISO 20000-2 through the harmonization strategy configured; an example is also shown of how to carry out the integration of the relationships established between the standards. Section 5 presents some benefits expressed by organizations. Lastly, some relevant discussion is given, along with the conclusions we have drawn and the future work we have planned.

2. Related Work

Based on the results of a systematic review performed in [5], which involves the analysis of the proposals for the harmonization of multiple models, we can see some studies that show an interest in integrating multiple models, e.g., the PRIME project funded by the Software Engineering Institute (SEI), which examines the value of harmonization of multiple technologies, including CMMI, Six Sigma, ITIL and ISO 27001, among others [6]. Likewise, this institution has also conducted studies that focus on the analysis of ISO standards and their integration with other models. Some of these studies are, among others: analysis and integration of ITIL and ISO 20000 [7], and the definition of Integrated Management Systems (IMS) from ISO 9001 and ISO 27001 [8], from ISO 9001, ISO 20000 and ISO 27001 [9], and from ISO 9001, ISO 14001 and OHSAS 18000 [10]. Other studies carried out the comparison between specific models, i.e., between models of the same family and between not more than two different models; e.g., we commonly find mappings between ISO 9001 and CMMI [11], and between CMMI and ISO/IEC TR 15504-2:1998 [12, 13], to name a few examples. Although it is possible to see an extensive use of ISO and SEI models in related work, the models used most in harmonization projects are ISO 9001, ISO 15504 and CMMI-DEV.

With regard to the existing literature, and considering that we did not find studies which perform an analysis of the relationships and differences between ISO 27001 and ISO 20000, this article presents the harmonization of these two standards. Furthermore, this paper proposes a solution to the need expressed by AUDISEC, the consultancy organization in ISO 27001 and ISO 20000, which is interested in carrying out the implementation of these two approaches under a single IMS.

A detailed summary of the strategy followed to harmonize the models involved is presented in the next Section.

3. Configuring a Harmonization Strategy

This section describes the harmonization of standards ISO 27001 and ISO 20000-2 in terms of the harmonization needs identified in an organization as well as the harmonization strategy followed.

3.1. Organization’s Needs

Audisec carried out the integration of ISO 27001 and ISO 20000-2, taking into account the needs identified. Audisec is an organization that provides consulting services and support in the certification of ISO 20000 and ISO 27001. The needs expressed by Audisec in connection with carrying out the harmonization of these models are:

- To facilitate ISO 20000 certification in organizations previously certified under ISO 27001.
- To reduce the costs, time and resources associated with certification by reusing efforts previously employed in the certification of ISO 27001.
- To minimize the complexity of implementing multiple models without proper alignment and integration.

Based on these needs, the harmonization goal of the two standards focused on defining a harmonization strategy made up of a set of methods which enabled the following to be carried out:

(i) resolution of differences related to their structures,
(ii) comparison and identification of differences and similarities,
(iii) analysis of the detail level and depth of the standards, and
(iv) establishment of the degree of coverage, as well as the fulfillment of the ISO 27001 processes with respect to those defined in ISO 20000-2.

3.2. Harmonization Strategy Configured

Project management for harmonizing ISO 27001 and ISO 20000-2 was carried out with the implementation of the elements defined in HFramework. These are: (i) a harmonization process (HProcess) and (ii) a set of harmonization methods (HMethods).

The purpose of HProcess is to provide a guideline to facilitate the management of tasks related to the definition and configuration of a harmonization strategy for carrying out the harmonization of multiple models [14]. The purpose of HMethods is to provide a set of methods which make it easier to configure a harmonization strategy (HStrategy), taking into account the organization’s needs. HStrategy is the work product resulting from the implementation of HProcess. That is, whereas HProcess provides information about “what” to do, the systematic configuration of an HStrategy describes the activities and tasks which make it possible to know “how” to carry out the harmonization of multiple models from the organization’s needs. Figure 1 shows a summary of the process, roles and activities of HProcess and HStrategy applied in the harmonization of ISO 27001 and ISO 20000-2. The processes presented in this paper use the notation of SPEM 2.0.

All this being so, and on the basis of the needs identified and the implementation of HProcess in Audisec, an HStrategy was defined and configured according to three methods: (i) a homogenization method (HoMethod), (ii) a comparison method (CoMethod) and (iii) an integration method (IMethod). Incorporating these methods allowed us to carry out the step-by-step harmonization of the models involved. In order to organize and manage the people and activities throughout the strategy, this process establishes two roles, the performers and the reviewers, along with three methods:

Method 1. Homogenization. This stage involved the tasks: (i) acquisition of knowledge about the models involved, (ii) analysis of structure and terminology, (iii) identification of requirements and (iv) correspondence.

Method 2. Comparison. This stage involved the tasks: (i) designing the mapping, (ii) carrying out the mapping, (iii) presenting the outcomes of the mapping and (iv) analyzing the results of the mapping.

Method 3. Integration. This stage involved the tasks: (i) designing the integration, (ii) establishing integration criteria, (iii) carrying out the integration, (iv) analyzing the results of the integration and (v) presenting the integrated model.

Homogenization, comparison and integration are harmonization methods which make up the Harmonization Framework, which is also available through the WEB [15]. A detailed summary of these methods can be found in [16], [17] and [18], respectively.

A summary of the tasks of the HStrategy that were followed to harmonize the models involved is presented in the next sections.

4. Harmonizing ISO 27001 and ISO 20000-2

4.1. Carrying out the Homogenization

The purpose of ISO 27001:2005 is to help organizations establish, implement, operate, monitor, review, maintain and improve their Information Security Management Systems (ISMS) [19]. The implementation of this standard brings great benefits which have to do mainly with reducing the risk of data loss, theft or corruption of information.

On the other hand, according to Part 1 of ISO 20000:2005 [19], the purpose of ISO 20000 is to help organizations to improve the efficiency of providing technological services through guidelines for quality IT service management. This standard also takes into account aspects related to system capacity, levels of management when the system changes, as well as financial budgeting and control and software distribution.

Before carrying out the comparison of the two models, and as set out in the HStrategy defined (see Figure 1), it was necessary to harmonize the models through the HoMethod and the Common Structure Process Element (CSPE) template described in [16]. To carry out the homogenization, (i) the information described in Part 1 of ISO 27000, i.e. ISO 27001, and (ii) Part 2 of ISO 20000, i.e. ISO 20000-2, were taken into account. Part 2 of ISO 20000 was seen as relevant because this part describes the best practices or requirements in terms of processes to comply with the standard.

The organization of the descriptions of each standard in the CSPE template allowed us to compare the standards at a high level of abstraction. This first comparison enabled us to see that the ISO models analyzed are standards which define their requirements as statements in each paragraph, which are contained within clauses, which in turn are contained in major clauses (see Figure 2). Likewise, they do not define a process element structure based on process, e.g. activities, tasks, steps or roles. Only ISO 20000-2 defines objectives explicitly in relation to each major clause. This means that the performer carried out the adaptation and exclusion of process elements of the CSPE template which are not defined in the standards, leaving only the necessary ones, i.e., process group (this is a major clause), processes (these are clauses and sub-clauses), activities (paragraphs), tasks (statements), artifacts (which are implicit in paragraphs and statements) and related processes (related clauses). Table 1 shows an example of the homogenization of clause 8 of ISO 27001, related to ISMS improvement. Table 2 shows the syntax used to identify the requirements in the standards. The homogenization of the clauses in each standard was performed in an iterative incremental approach (see the process of the harmonization strategy in Figure 1).

Figure 1. Activity Diagram of HProcess Applied to Obtain an HStrategy


Figure 2. Structures used by ISO 20000-2:2005 and ISO 27001:2005

Table 1. Clause 8. ISMS improvement, ISO 27001

CSPE Template (adapted)
SD1. Process Category: ISMS improvement
SD2. Process ID: Clause 8. Name: ISMS improvement

SD1.3 Activities (with their tasks, i.e. statements):

8.1 Continual improvement
The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review (see 7).

8.2 Corrective action
The organization shall take action to eliminate the cause of nonconformities with the ISMS requirements, in order to prevent recurrence. The documented procedure for corrective action shall define requirements for:
a) identifying nonconformities;
b) determining the causes of nonconformities;
c) evaluating the need for actions to ensure that nonconformities do not recur;
d) determining and implementing the corrective action needed;
e) recording results of action taken (see 4.3.3); and
f) reviewing of corrective action taken.

8.3 Preventive action
The organization shall determine action to eliminate the cause of potential nonconformities with the ISMS requirements in order to prevent their occurrence. Preventive actions taken shall be appropriate to the impact of the potential problems.

The output from the management review shall include any decisions and actions related to the following.
a) Improvement of the effectiveness of the ISMS.
b) Update of the risk assessment and risk treatment plan.
c) Modification of procedures and controls that effect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to: 1) business requirements; 2) security requirements; 3) business processes effecting the existing business requirements; 4) regulatory or legal requirements; 5) contractual obligations; and 6) levels of risk and/or risk acceptance criteria.
d) Resource needs.
e) Improvement to how the effectiveness of controls is being measured.

SC1.3 Artifacts: It does not define artifacts.


Table 2. Syntax to Identify the Requirements in ISO Models Family

Syntax: 1. Shall [verb]; 2. Shall [verb] … and [verb]
Description: This statement indicates the actions, activities, tasks or procedures which the organization that will develop it will have. It is probable that this statement will be used to describe one or several actions or to derive processes.

Syntax: 3. Begins with [shall] or shall [verb]
Description: Identifies a list of derived requirements of processes, procedures, activities or tasks.

Syntax: 4. Shall be [verb]
Description: Indicates the characteristics associated with a process, or possible roles or work products.

Syntax: 5. Shall [include]
Description: Indicates the details that the organization must include in a process or work product.

Syntax: 6. Shall be [verb] + [by], [to] or [on]
Description: This syntax helps to identify the detail of some procedures or processes.

Syntax: 7. Documented, input, output
Description: Indicates a possible work product. It might include some characteristics related to the work product.
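As an added example (not code from the paper or from HFramework), the following Python applies the Table 2 syntax rows to the clause 8 text of Table 1: it splits the clause into "shall" statements, tags each with the row it matches, and attaches list items to the statement that introduces them, which is how the statements later counted in the comparison are obtained. The regular expressions, the merging of rows 1 and 2 (which share one description) and the reading of row 6 as a past participle are this example's own assumptions.

```python
"""Tag the 'shall' statements of an ISO clause with the Table 2 syntax rows.
This is the homogenization step of Section 4.1: the statements found here are
the tasks that the comparison of Section 4.2 later counts.

Added example, not code from the paper or from HFramework. The regular
expressions are one rendering of Table 2 (an assumption; rows 1 and 2 share a
description and are merged). Sample text: clause 8 of ISO 27001 from Table 1.
"""
import re
from dataclasses import dataclass, field

CLAUSE_8 = """\
8.1 Continual improvement
The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review (see 7).
8.2 Corrective action
The organization shall take action to eliminate the cause of nonconformities with the ISMS requirements, in order to prevent recurrence. The documented procedure for corrective action shall define requirements for:
a) identifying nonconformities;
b) determining the causes of nonconformities;
c) evaluating the need for actions to ensure that nonconformities do not recur;
d) determining and implementing the corrective action needed;
e) recording results of action taken (see 4.3.3); and
f) reviewing of corrective action taken.
8.3 Preventive action
The organization shall determine action to eliminate the cause of potential nonconformities with the ISMS requirements in order to prevent their occurrence. Preventive actions taken shall be appropriate to the impact of the potential problems.
"""

# Table 2 rows as (label, pattern), checked in order; the first match wins.
# Row 6 approximates "[verb]" as a past participle ending in -ed or -en.
SYNTAX_RULES = [
    ("6. Shall be [verb] + [by], [to] or [on]",
     re.compile(r"\bshall be \w+(?:ed|en) (?:by|to|on)\b", re.I)),
    ("5. Shall [include]", re.compile(r"\bshall include\b", re.I)),
    ("4. Shall be [verb]", re.compile(r"\bshall be \w+", re.I)),
    ("1/2. Shall [verb]", re.compile(r"\bshall \w+", re.I)),
]
WORK_PRODUCT_WORDS = re.compile(r"\b(documented|input|output)\b", re.I)  # row 7
CLAUSE_HEADING = re.compile(r"^(\d+(?:\.\d+)*)\s+\D")   # e.g. "8.2 Corrective action"
LIST_ITEM = re.compile(r"^[a-z]\)\s*(.*)$")             # e.g. "a) identifying ..."
SHALL = re.compile(r"\bshall\b", re.I)


@dataclass
class Statement:
    clause: str
    text: str
    syntax: str                                        # Table 2 row label
    derived: list = field(default_factory=list)        # list items it introduces
    work_products: list = field(default_factory=list)  # row-7 words in the text


def classify(sentence: str) -> str:
    """Return the Table 2 row label that the sentence matches."""
    if sentence.rstrip().endswith(":"):
        return "3. Begins with [shall] or shall [verb]"  # introduces a list
    for label, pattern in SYNTAX_RULES:
        if pattern.search(sentence):
            return label
    return "unclassified"


def extract_statements(clause_text: str) -> list:
    """Split clause text into 'shall' statements, tag each with its clause
    number and Table 2 row, and attach list items to the colon-terminated
    statement that introduces them (its derived requirements)."""
    statements, clause = [], None
    for raw in clause_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        heading = CLAUSE_HEADING.match(line)
        if heading and not SHALL.search(line):
            clause = heading.group(1)
            continue
        item = LIST_ITEM.match(line)
        if item and statements and statements[-1].text.endswith(":"):
            # Strip the list punctuation: trailing ";", "." or "; and".
            statements[-1].derived.append(re.sub(r";\s*and$|[;.]$", "", item.group(1)).strip())
            continue
        for sentence in re.split(r"(?<=[.:])\s+", line):
            if SHALL.search(sentence):
                statements.append(Statement(
                    clause=clause, text=sentence.strip(), syntax=classify(sentence),
                    work_products=[w.lower() for w in WORK_PRODUCT_WORDS.findall(sentence)]))
    return statements


def count_by_clause(statements: list) -> dict:
    """Statements per clause: the denominators that dR and F divide by."""
    counts = {}
    for s in statements:
        counts[s.clause] = counts.get(s.clause, 0) + 1
    return counts


if __name__ == "__main__":
    for s in extract_statements(CLAUSE_8):
        print(f"[{s.clause}] {s.syntax}: {s.text[:70]}", s.derived)
```

Run on the Table 1 text, it yields one statement for 8.1 and two each for 8.2 and 8.3, with the six a) to f) items attached to the colon-terminated statement of 8.2 as derived requirements.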

4.2. Designing the Comparison

After carrying out the homogenization of the standards, the performer carried out a low-level comparison with regard to the information described in the tasks defined in the comparison method (see Figure 3). The comparison supported comparative analysis of descriptions from the point of view of all the relations of the elements classified as activities. In that sense, the directionality of the comparison was a comparison of ISO 27001 with regard to ISO 20000-2. The choice of the directionality took into account the needs expressed by the organization: (i) expanding the market for ISO 20000 certified organizations, (ii) certifying in ISO 20000 the organizations certified in ISO 27001 and (iii) taking advantage of previous efforts in ISO 27001.

To express the degree of relationship between the tasks compared, a discrete scale or scale of comparison was defined. The scale consists of the following elements: Not related (N) (0%), weakly related (W) (1% to 15%), partially related (P) (16% to 50%), largely related (L) (51% to 85%) and strongly related (S) (86% to 100%). From the comparison scale we found two values to classify the results collected:

- The degree of relationship (dR) can be found by dividing the number of elements (statements) where a relationship (between two models) has been found by the total number of elements (statements) of one of the two models. It is important to highlight that the numeric value assigned to a relationship is only indicative of the extent to which a process element of a model A is addressed by means of another process element of a model B.
- The Fulfillment (F) can be found by taking into account the relationships found between the models involved. However, unlike the dR, to find F the number of statements supported by a model A with respect to a model B is taken into account. Hence, dR doesn’t take into account the number of relationships found in each intersection during the comparison.


Figure 3. Activity Diagram of the Comparison Method

4.3. Carrying out the Mapping

The comparison was carried out according to the comparison design. In this sense, the analysis focused on a study of how the requirements of ISO 27001 address in some way (or not) some aspects of the requirements of ISO 20000. As can be seen in Figure 4, the comparison used the iterative and incremental approach to make it easier to manage the complexity of comparing the entities concerned at a low level of abstraction. After each iteration of comparison, the results were analyzed by two peer reviewers (see Figure 1). The review verified the reliability of the results and of the comparison method. Table 3 shows a detailed example of the relationship between the tasks identified in clause 8 of ISO 27001 and clause 9.2.2 of ISO 20000-2, concerning the closing and review of a request for change. In Table 3, the F found means: 1 statement of ISO 27001 supports 1 statement out of 3 of ISO 20000-2. Clause 8.2 therefore has a fulfillment of 33% with regard to clause 9.2.2 of ISO 20000-2, i.e. ISO 27001 partially supports the enforcement of clause 9.2.2.

Table 3. Comparison between Clause 8.2 of ISO 27001 and Clause 9.2.2 of ISO 20000-2

Some considerations:
- Direction of the comparison: From ISO 27001 to ISO 20000-2.
- Process elements for the comparison: “shall” statements of both standards.
- Research questions: 1) What statements of ISO 27001 can offer support to statements of ISO 20000-2? 2) What ISO 27001 statements are strongly related to the support of ISO 20000-2 statements?
- Comparison goal: To determine which statements (shall) of ISO 27001 have a close relationship with some statements of ISO 20000-2. The goal is to know what the degree of fulfillment of the statements of ISO 20000-2 is, based on the statements described in ISO 27001.

ISO 20000-2, clause 9.2.2 Closing and reviewing the change request (3 statements):
1. All changes should be reviewed for success or failure after implementation and any improvement recorded.
2. Any nonconformity should be recorded and acted on.
3. Any weaknesses or deficiencies identified in a review of the change management process should be fed into plans for improving the service.

ISO 27001, clause 8.2 Corrective action (1 statement):
The organization shall take action to eliminate the cause of nonconformities with the ISMS requirements, in order to prevent recurrence.

dR & F, ISO 27001 to ISO 20000-2: P (1 of 3) (in this case dR and F are equal).


As for organizations interested in harmonization in the opposite direction, i.e., ISO 20000-2 to ISO 27001, they can find dR and F from the comparison performed. For instance, taking into account the comparison in Table 3, F in the direction of ISO 20000-2 to ISO 27001 is 100%, i.e., 1 statement of ISO 20000-2 (out of its 3) supports the 1 statement of ISO 27001. Hence, clause 9.2.2 strongly supports the enforcement of clause 8.2.
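As an added example (not code from the paper or from HFramework), the Python below computes dR and F for the Table 3 mapping in both directions, maps F onto the comparison scale of Section 4.2, and tallies the Table 4 matrix into the counts and percentages reported in Section 4.4. The statement identifiers are constructed, and reading dR as "relationship pairs per target statement" and F as "distinct target statements supported" is this example's interpretation of the wording of Section 4.2.

```python
"""Degree of relationship (dR), fulfillment (F) and the comparison scale of
Section 4.2, applied to the clause 8.2 / 9.2.2 mapping of Table 3 and to the
clause-level matrix of Table 4.

Added example, not code from the paper or from HFramework. Statement
identifiers are constructed; reading dR as "pairs per target statement" and
F as "distinct target statements supported" is this example's interpretation.
"""
from collections import Counter
from fractions import Fraction

# Comparison scale of Section 4.2 as (label, upper bound in %); N is exactly 0%.
SCALE = [("W", 15), ("P", 50), ("L", 85), ("S", 100)]


def scale_label(percent) -> str:
    """Map a percentage to N/W/P/L/S. Any positive value is at least W, so a
    small non-zero relationship is never reported as N by rounding."""
    if percent <= 0:
        return "N"
    for label, upper in SCALE:
        if percent <= upper:
            return label
    return "S"  # dR can exceed 100% when several pairs hit one statement


# Constructed identifiers for the statements of Table 3.
# Model A = ISO 27001 clause 8.2, model B = ISO 20000-2 clause 9.2.2.
ISO27001_8_2 = ["27001:8.2-1"]        # take action to eliminate the cause of nonconformities
ISO20000_9_2_2 = ["20000-2:9.2.2-1",  # review all changes after implementation
                  "20000-2:9.2.2-2",  # record and act on any nonconformity
                  "20000-2:9.2.2-3"]  # feed review findings into improvement plans
# The one relationship the performers found in Table 3: (A statement, B statement).
TABLE3_PAIRS = {("27001:8.2-1", "20000-2:9.2.2-2")}


def degree_of_relationship(pairs, target) -> Fraction:
    """dR: relationship pairs found, over the target model's statement count.
    Every pair counts, even several pairs landing on the same statement."""
    return Fraction(len(pairs), len(target))


def fulfillment(pairs, target, target_index) -> Fraction:
    """F: distinct target statements with at least one supporting pair, over
    the target model's statement count. target_index selects which side of
    each pair belongs to the target model (0 = model A, 1 = model B)."""
    supported = {p[target_index] for p in pairs} & set(target)
    return Fraction(len(supported), len(target))


def compare(pairs, target, target_index):
    """Return (dR, F, scale label of F) for one direction of comparison."""
    dr = degree_of_relationship(pairs, target)
    f = fulfillment(pairs, target, target_index)
    return dr, f, scale_label(float(f) * 100)


# Table 4 rows transcribed from the page: ISO 27001 clauses against the 19
# ISO 20000-2 clauses, left to right in the order the table lists them.
TABLE4_ROWS = {
    "C4.2 Establishing and managing the ISMS": "L P P L P N W N P P N S P N W L L P S",
    "C4.3 Documentation requirements":         "P N N N N N N P N N N S P N N P L P P",
    "C5.1 Management commitment":              "N N N P N S N N N N N S N N N N N N N",
    "C5.2 Resource management":                "P N N P N P N N N N N P S P P S N L P",
    "C6 Internal ISMS audits":                 "P N N N N N N N N N N P N N N N P N N",
    "C7. Management review of the ISMS":       "N N N P N N N N N N N N P N N N N P N",
    "C8. ISMS improvement":                    "P N N P P N N N W N N N N N N N P P N",
}


def tally(rows: dict):
    """Count scale labels over the whole matrix; return (counts, rounded
    percentages, total cells, related cells), the figures Section 4.4 reports."""
    counts = Counter()
    for labels in rows.values():
        counts.update(labels.split())
    total = sum(counts.values())
    percents = {k: round(100 * v / total) for k, v in counts.items()}
    return counts, percents, total, total - counts["N"]


if __name__ == "__main__":
    print("ISO 27001 -> ISO 20000-2:", compare(TABLE3_PAIRS, ISO20000_9_2_2, 1))
    print("ISO 20000-2 -> ISO 27001:", compare(TABLE3_PAIRS, ISO27001_8_2, 0))
    counts, percents, total, related = tally(TABLE4_ROWS)
    print(f"{total} cells, {related} related; counts={dict(counts)} percents={percents}")
```

Tallying the rows as printed in Table 4 reproduces the 133 cells, the 85 N / 48 related split and the 32 P, 6 L and 3 W of Section 4.4, so the same function serves to check a comparison matrix against its written summary (the S count from the printed rows can be compared with the text in the same way).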

Figure 4. Activity Diagram of the Integration Method


4.4. Analyzing the Results of the Mapping

Based on the harmonization objectives defined and on the directionality of the comparison, the result of the comparisons was a ratio of one to many. Of the 133 relationships that may exist between the processes of each model, 85 relationships were classified as N. That is, 64% are not related in any way, and 36% (48) are related. That means that within the 36% where some correspondence was identified, 5% (6) corresponds to strongly related relationships, 5% (6) to largely related relationships, 24% (32) to partially related relationships and 2% (3) to weakly related relationships. It is possible to see that there are strongly related relationships between processes, i.e., these relationships come close to, or are at, 100% of relationship. This does not mean that the processes are identical, but that all the statements analyzed in ISO 20000 have found some relationship with a task of ISO 27001. Table 4 shows a summary of the comparison performed between ISO 27001 and ISO 20000-2. In conclusion, it is possible to see a relationship between the two models. The ISO 27001 standard supports compliance with 36% of the statements defined by ISO 20000.

Based on the results obtained, it is possible to identify some similarities and differences between ISO 27001 and ISO 20000-2; e.g., in terms of the Information Security Management System we can note that ISO 27001 presents a series of controls and objectives to ensure information security. For its part, ISO 20000-2 delves into the risks associated with the operation and maintenance of the controls proposed in ISO 27001. In this regard, ISO 20000 extends the description of the controls, describing in greater detail the manner in which they must be performed. This feature can be observed in several of the clauses compared, but these relationships were not identified because this first comparison of the standards was performed only at the level of the descriptions of their terms and did not involve the controls and objectives defined in Annex A of ISO 27001. In that sense, it is possible to establish more relationships. As future work we will address the comparison of the models, taking into account the controls and objectives defined in ISO 27001.

Table 4. General Results of the Comparison between ISO 27001 and ISO 20000-2

Some considerations:
- Direction of the comparison: from ISO 27001 to ISO 20000-2.
- Process elements for the comparison: the "shall" statements of both standards.
- Research questions: 1) Which statements of ISO 27001 can offer support to statements of ISO 20000-2? 2) Which statements of ISO 27001 are strongly related to (i.e., strongly support) statements of ISO 20000-2?
- Comparison goal: to determine which statements (shall) of ISO 27001 have a close relationship with statements of ISO 20000-2, and thereby to know the degree of fulfilment of the ISO 20000-2 statements that is already provided by the statements described in ISO 27001.
- C: Clauses.

Columns: ISO/IEC 20000-2 clauses
 1. C3    The management system
 2. C4.1  Plan service management (Plan)
 3. C4.2  Implement service management and provide the services (Do)
 4. C4.3  Monitoring, measuring and reviewing (Check)
 5. C4.4  Continual improvement (Act)
 6. C5    Planning and implementing new or changed services
 7. C6.1  Service level management
 8. C6.2  Service reporting
 9. C6.3  Service continuity and availability management
10. C6.4  Budgeting and accounting for IT services
11. C6.5  Capacity management
12. C6.6  Information security management
13. C7.2  Business relationship management
14. C7.3  Supplier management
15. C8.2  Incident management
16. C8.3  Problem management
17. C9.1  Configuration management
18. C9.2  Change management
19. C10.1 Release management process

Rows: ISO/IEC 27001 clauses (one cell per ISO 20000-2 column, in the order above)

                                          1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19
C4.2 Establishing and managing the ISMS   L  P  P  L  P  N  W  N  P  P  N  S  P  N  W  L  L  P  S
C4.3 Documentation requirements           P  N  N  N  N  N  N  P  N  N  N  S  P  N  N  P  L  P  P
C5.1 Management commitment                N  N  N  P  N  S  N  N  N  N  N  S  N  N  N  N  N  N  N
C5.2 Resource management                  P  N  N  P  N  P  N  N  N  N  N  P  S  P  P  S  N  L  P
C6   Internal ISMS audits                 P  N  N  N  N  N  N  N  N  N  N  P  N  N  N  N  P  N  N
C7   Management review of the ISMS        N  N  N  P  N  N  N  N  N  N  N  N  P  N  N  N  N  P  N
C8   ISMS improvement                     P  N  N  P  P  N  N  N  W  N  N  N  N  N  N  N  P  P  N

Scale of comparison:
N  Not related (0%)
W  Weakly related (1% to 15%)
P  Partially related (16% to 50%)
L  Largely related (51% to 85%)
S  Strongly related (86% to 100%)

5. Integrating ISO 27001 and ISO 20000-2

On the basis of the results obtained in the comparison stage, and following IMethod (see Figure 4), Table 5 presents an example of how to carry out the integration of two related clauses of ISO 27001 and ISO 20000-2. The unified practice column shows the content of a unified practice that integrates clause 8.2 of ISO 27001 and clause 9.2.2 of ISO 20000-2; the result combines the best practices of both standards into a single practice. The ISO 20000-2 relationship column records which statement of ISO 20000-2 the unified content corresponds to; here, clause 8.2 of ISO 27001 corresponds to statement 2 of clause 9.2.2 of ISO 20000-2. The explanation column gives additional information. Square brackets [...] mark information added to the unified practice and thus reflect a modification by insertion; the characters << >> mark deleted content and thus reflect a modification by erasing. Table 6 shows the final result of the unified clause 8.2, which now contains content of clause 9.2.2 of ISO 20000-2 that is not contained in ISO 27001. Organizations can use this method to define their integrated processes or unified models.

Table 5. Partial Example of a Unified Practice Integrating ISO 27001 and ISO 20000-2

Unified practice (clause 8.2 Corrective action of ISO 27001 has been taken as the base practice):
  [Any nonconformity should be recorded and acted on.] The organization shall [then] take action to eliminate the cause of nonconformities with the ISMS requirements, in order to prevent recurrence.
ISO 20000-2 relationship:
  Statement 2 of clause 9.2.2, Closing and reviewing the change request.
Explanation:
  Clause 9.2.2 of ISO 20000-2 complements practice 8.2 of ISO 27001.

Table 6. Unified Clause 8.2

Clause 8.2 Corrective action
  Any nonconformity should be recorded and acted on. The organization shall then take action to eliminate the cause of nonconformities with the ISMS requirements, in order to prevent recurrence.

6. Some Benefits Reported by Audisec

With the harmonization of the standards ISO 27001 and ISO 20000-2, Audisec reported several benefits; the most significant are:

- When two ISO models such as ISO 27001 and ISO 20000-2 are harmonized, it is conceivable that, as they are structurally compatible standards, it may not be necessary to homogenize their process elements using a common structure of process elements (CSPE template). However, the semantic analysis done to organize the statements of the clauses in the common structure improved the understanding of the standards, as it facilitated the identification, interpretation, internalization and classification of descriptions under a process-oriented structure that is more detailed and easier to apply as a reference model. An example is presented in Table 1.

- The harmonization strategy has allowed a systematic harmonization guide to be defined, which has facilitated the analysis and the identification of differences and support opportunities between ISO 27001 and ISO 20000-2. According to Audisec, "the strategy of harmonization was a practical and powerful guide for carrying out the harmonization of ISO 27001 and ISO 20000-2".

- With the results obtained, the organization has developed a software tool to support its ISO 20000 consulting process. The tool was developed taking into account the relationships found between ISO 27001 and ISO 20000-2, and on the basis of the results we may affirm that it has reduced the effort involved in the institutionalization of ISO 20000 in organizations that had previously implemented ISO 27001. Figure 5 shows an example of the comparison between clause 5.1 of ISO 27001 and clause 5.1 of ISO 20000-2 (we maintain the original screenshot, which is in Spanish).

Figure 5. Comparison between ISO 27001 and ISO 20000-2 by Means of Audisec's Tool

7. Conclusions

In this paper we have presented the harmonization of the standards ISO 27001 and ISO 20000-2. To carry out this harmonization, a harmonization strategy has been defined and configured, made up of a homogenization method, a comparison method and an integration method. The strategy obtained is the result of applying a harmonization process which supports the definition and configuration of strategies for the harmonization of multiple models.

Both ISO 27001 and ISO 20000-2 describe objectives and best practices for improving the management systems of organizations through two different approaches, namely information security and IT service management. Although the standards address different concerns, similarities can be found in their descriptions, albeit at different levels of detail. This suggests that the similarities identified can be harmonized and integrated under one management system, with a positive impact on (i) the cost, (ii) the time and (iii) the associated resources, which would otherwise be incurred separately for each standard. In that sense, the comparison of ISO 20000-2 and ISO 27001 made in this work can be of practical benefit to ISO 27001-certified organizations when they seek to institutionalize the processes of ISO 20000-2.

It has been possible to note a partial relationship of 36%: there are 48 relationships (out of the 133 clause pairs in Table 4) in which ISO 27001 offers some kind of support for the processes of ISO 20000-2. Although the share of largely or strongly related pairs is only around 10% (13 of the 133 cells of Table 4), it is important to highlight that, while ISO 27001 and ISO 20000-2 define best practices for different implementation approaches, the models are not totally different and close relationships can be found. For instance, ISO 27001 provides greater coverage for the practices related to the management system and the control processes of ISO 20000-2, i.e. clause 3 (71%) and clause 9 (64%, clauses 9.1 and 9.2 together), respectively.
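As an added worked example (not code from the paper or from Audisec's tool), the following Python re-encodes Table 4 and recomputes the aggregate figures quoted in the comparison section and in these conclusions: the 48 related cells and 36%, the roughly 10% of largely or strongly related cells, and the per-clause coverage of ISO 20000-2 clauses 3 and 9. The clause labels, the numeric ranks given to the N/W/P/L/S symbols, and the function names are this example's own assumptions; the same functions can be run unchanged over any other N/W/P/L/S mapping an organization produces for its own multi-model harmonization.

```python
"""Coverage analytics over an ISO 27001 -> ISO 20000-2 comparison matrix.

Added example: re-encodes Table 4 of the paper and recomputes the figures
quoted from it, so the reader can check them or rerun the analysis on a
different mapping. Clause labels and symbol ranks are this example's own.
"""
from collections import defaultdict

# Column order of Table 4: the ISO/IEC 20000-2 clauses compared against.
ISO20000_CLAUSES = [
    "3", "4.1", "4.2", "4.3", "4.4", "5", "6.1", "6.2", "6.3", "6.4",
    "6.5", "6.6", "7.2", "7.3", "8.2", "8.3", "9.1", "9.2", "10.1",
]

# Row order of Table 4: ISO/IEC 27001 clauses with their 19 cells,
# transcribed from the table (one N/W/P/L/S symbol per ISO 20000-2 column).
TABLE_4 = {
    "4.2": "L P P L P N W N P P N S P N W L L P S",
    "4.3": "P N N N N N N P N N N S P N N P L P P",
    "5.1": "N N N P N S N N N N N S N N N N N N N",
    "5.2": "P N N P N P N N N N N P S P P S N L P",
    "6":   "P N N N N N N N N N N P N N N N P N N",
    "7":   "N N N P N N N N N N N N P N N N N P N",
    "8":   "P N N P P N N N W N N N N N N N P P N",
}

# Scale of comparison from Table 4, as an ordinal rank (assumed encoding).
SCALE = {"N": 0, "W": 1, "P": 2, "L": 3, "S": 4}


def parse_matrix(table=TABLE_4, columns=ISO20000_CLAUSES):
    """Return {iso27001_clause: {iso20000_clause: symbol}}, validating shape and symbols."""
    matrix = {}
    for row, cells in table.items():
        symbols = cells.split()
        if len(symbols) != len(columns):
            raise ValueError(f"row {row}: {len(symbols)} cells, expected {len(columns)}")
        bad = [s for s in symbols if s not in SCALE]
        if bad:
            raise ValueError(f"row {row}: unknown symbols {bad}")
        matrix[row] = dict(zip(columns, symbols))
    return matrix


def count_related(matrix, min_level="W"):
    """(related, total): cells whose relationship is at least min_level."""
    threshold = SCALE[min_level]
    cells = [s for row in matrix.values() for s in row.values()]
    return sum(SCALE[s] >= threshold for s in cells), len(cells)


def coverage_by_clause(matrix, min_level="W"):
    """Share of related cells per top-level ISO 20000-2 clause.

    Sub-clauses are grouped under their top-level number, so 9.1 and 9.2
    are reported together as clause 9 (the control processes).
    """
    threshold = SCALE[min_level]
    related, total = defaultdict(int), defaultdict(int)
    for row in matrix.values():
        for col, symbol in row.items():
            top = col.split(".")[0]
            total[top] += 1
            related[top] += SCALE[symbol] >= threshold
    return {clause: related[clause] / total[clause] for clause in total}


def supporting_clauses(matrix, iso20000_clause):
    """ISO 27001 clauses that support the given ISO 20000-2 clause, strongest first."""
    hits = [(row, cells[iso20000_clause]) for row, cells in matrix.items()
            if cells[iso20000_clause] != "N"]
    return sorted(hits, key=lambda hit: -SCALE[hit[1]])  # stable: keeps row order within a rank


def pct(fraction):
    """Whole-number percentage, as the paper reports its figures."""
    return round(100 * fraction)


if __name__ == "__main__":
    m = parse_matrix()
    related, total = count_related(m)
    print(f"related cells: {related}/{total} = {pct(related / total)}%")
    strong, _ = count_related(m, "L")
    print(f"largely or strongly related: {strong}/{total} = {pct(strong / total)}%")
    for clause, share in sorted(coverage_by_clause(m).items(), key=lambda kv: -kv[1]):
        print(f"ISO 20000-2 clause {clause}: {pct(share)}% covered by ISO 27001")
    print("ISO 27001 support for clause 6.6:", supporting_clauses(m, "6.6"))
```

Running the script reproduces the paper's 48/133 (36%) and the roughly 10% of largely or strongly related cells, and shows that the 64% figure belongs to clause 9 (configuration and change management), not clause 7; supporting_clauses is the query an ISO 27001-certified organization would run to see which existing ISMS clauses give it a head start on a given ISO 20000-2 clause.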

The conceptual relationships established between the two standards were identified according to the criteria and experience of the single analyst responsible for the analysis and comparison of the models. As future work we will carry out an empirical study that maps the standards using the opinion of several experts and/or practitioners involved in the use of ISO 27001 and ISO 20000 in organizations. This validation would enable the correspondence between the standards to be checked not only from a theoretical point of view but also from an empirical and practical standpoint.

Acknowledgments

This work has been funded by the projects: (i) INGENIOSO (PEII-2014-050-P, Junta de Comunidades de Castilla-La Mancha and FEDER), (ii) SEQUOIA (Ministerio de Economía y Competitividad and Fondo Europeo de Desarrollo Regional - FEDER, TIN2015-63502-C3-1-R), (iii) U-CSCL Project (Universidad del Cauca, VRI-3713) and (iv) MCSS-TI Project (Universidad del Cauca, VRI-4358). César Pardo and Francisco J. Pino acknowledge the contribution of the University of Cauca, where they work as assistant professor and full professor respectively.


Authors

César Pardo was born in Popayán (Colombia). He received the MSc and PhD degrees in Computer Science from the University of Castilla-La Mancha (UCLM), Ciudad Real (Spain). He is currently an assistant professor at the Engineering Faculty of the University of Cauca (Colombia). His research interests include software processes, software process improvement, agile methodologies, project estimation, software quality, harmonization of multiple models and standards, and quality characteristics of process-supported software products. He is also a Scrum Master certified by Alliance Inc. He is the author of one book, co-author of seven book chapters and of more than 50 research papers in journals and conferences, and the owner of two intellectual properties (IP). He is a member of several national and international committees. César Pardo acknowledges the contribution of the University of Cauca, where he works as an assistant professor. Contact details: University of Cauca, Calle 5 No. 4 – 70, Popayán, Colombia; [email protected].

Francisco J. Pino holds a European PhD in Computer Science from the University of Castilla-La Mancha (UCLM), Spain. He is currently a full professor at the Electronic and Telecommunications Engineering Faculty of the University of Cauca, Popayán (Colombia). He is a member of the IDIS Research Group, and his research interests are software process improvement in small companies and the harmonization of multiple improvement technologies. Contact details: University of Cauca, Calle 5 No. 4 – 70, Popayán, Colombia; [email protected].

Félix García received his MSc (2001) and PhD (2004) degrees in Computer Science from the University of Castilla-La Mancha (UCLM). He is currently an associate professor in the Department of Information Technologies and Systems at UCLM. He is a member of the Alarcos Research Group, and his research interests include business process management, software processes, software measurement and agile methods. Contact details: Escuela Superior de Informática, Paseo de la Universidad 4, 13071 Ciudad Real, Spain; [email protected].