The new ISO/IEC Technical Report 20000-7 has been published, titled Guidance on the integration and correlation of ISO/IEC 20000-1:2018 to ISO 9001:2015 and ISO/IEC 27001:2013.
This report provides guidance on how to run an integrated management system based on ISO/IEC 20000-1 (service management system, SMS), ISO 9001 (quality management system, QMS) and ISO/IEC 27001 (information security management system, ISMS). These three standards are quite close to each other and there are many organisations that run two of these or all three together.
What are the main benefits and caveats when integrating these three standards into one management system?
Annex L (formerly known as Annex SL) of the ISO/IEC Consolidated Directives, Part 1 was designed as the common high-level structure (HLS) and common requirements for management system standards. Since the 2018 edition, ISO/IEC 20000-1 follows the HLS as well; ISO 9001:2015 and ISO/IEC 27001:2013 have both done so since their dates of publication.
You might say that with Annex L everything is in place to integrate the three standards in a single management system. Up to a point, this is true: up to 40% of the requirements are identical. However, each committee developing these standards has made its own small changes and additions to the Annex L text, which need to be considered carefully when applying the Annex L requirements to the different standards. For example, ISO/IEC 20000-1 applies many of the Annex L requirements to “the SMS and the services”, where the other two standards apply them only to the QMS and ISMS, respectively. Furthermore, in some areas, such as management review, the different committees have made various additions to the requirements that need to be reconciled when integrating the management systems.
In practice, the scopes of an SMS, QMS and ISMS may differ: an organisation may decide that, for some reason, team A is not in scope of the ISMS but is in scope of the SMS and QMS. A QMS scope is often organisation-based, whereas an ISMS scope is often more location-based, due to physical security considerations.
Care should therefore be taken to review to what extent the scopes of the three standards coincide, since this may limit the amount of integration that is possible.
While the content of clauses 4-7 and 9-10 is strongly based on Annex L in all three standards, there are other (sub-)clauses (e.g., Clause 8) and controls (from ISO/IEC 27001 Annex A) that can also be integrated. A few examples follow.
- Even though ISO 9001 has been written more with a product focus than a service focus, the elements of its clause 8 that concern requirements gathering, design and development can, with flexible interpretation, be applied to services. In this way, these requirements from ISO 9001 have a degree of overlap with the requirements in ISO/IEC 20000-1, clause 8.5 Service design, build and transition.
- ISO/IEC 20000-1 clause 8.7.3 deals with information security and is completely aligned with the requirements of ISO/IEC 27001, albeit in a very concise and simplified manner. Implementing an ISMS will therefore simply fulfil the requirements of ISO/IEC 20000-1, clause 8.7.3.
- Several controls from Annex A of ISO/IEC 27001 concern the control of external suppliers (e.g. A.14.2.7, A.15). If these controls are deemed applicable and have been implemented, they help in conforming to the requirements of both ISO/IEC 20000-1, clause 8.3.4 Supplier management, and ISO 9001, clause 8.4 Control of externally provided processes, products and services. There is of course not a 100% match between the standards in this area. Extensive correlation notes between all clauses of the three standards are provided in Annexes B and C of ISO/IEC 20000-7.
There is ample opportunity to integrate management systems, not only due to Annex L, but also in various other areas. This technical report is just one example of how this can be done.
Dolf van der Haven was Project Editor of ISO/IEC 20000-7, with Co-editors Lynda Cooper, Mario Rui Costa, Lynn Penn and Eileen Forrester.