ITSMS vs. QMS: The Case for ISMS Integration
Field Operations Manager Dylan Harvie shares why integrating an IT Service Management System (ITSMS) with an Information Security Management System (ISMS) is more beneficial than with a Quality Management System (QMS). He highlights how this alignment addresses IT-specific risks and enhances service quality and operational efficiency.
Why should an ITSMS be integrated with an ISMS rather than a QMS and what are the benefits?
When it comes to managing IT services, integrating an IT Service Management System (ITSMS) with an Information Security Management System (ISMS) offers distinct advantages over integrating it with a Quality Management System (QMS). This alignment is particularly crucial given the unique demands and risks associated with IT service management.
ISO standards alignment
As with most standards we audit for at NQA, ISO 20000 shares a high-level management structure with several ISO standards, including ISO 9001, 14001, 45001, 22301, 27001, 50001, and 55001 – as shown in the NQA Annex SL comparison tool.
ISO 20000’s structure, particularly its Clause 8, significantly overlaps with ISO 27001 and its Annex A controls.
Here are key overlapping areas:
-
Information security policy: It must consider obligations within other implemented policies, appropriate standards and legislation, contractual requirements, and the relevance of information security within the provided or managed services.
-
Risk management: Appropriate controls should be determined to mitigate information security risks.
-
Incident management: This includes service requests and problem management, extending to information security incidents.
-
Asset management: Assets used to deliver managed service, particularly when it is a configured item (Although not explicitly mentioning information assets, best practices suggest their inclusion).
-
Management of business relationships and service levels: Involving internal and external suppliers, and customers acting as suppliers.
-
Capacity management: Ensuring service levels are maintained based on current and forecasted demands.
-
Change management: Planning and managing changes in service delivery.
-
SDLC References (or A.8 from ISO 27001 Annex A): Including planning new or changed services, design, build, transition, release, and deployment management.
-
Service continuity: Managing service availability and continuity in the event of significant disruptions.
While ISO 20000 and ISO 27001 share many mandatory elements (contained within Clauses 4-10), ISO 20000 also includes unique requirements, such as:
-
Knowledge Management (7.6): Retaining organisational knowledge and maintaining expertise to support ongoing operations and service delivery.
-
Management Review (9.3): Includes additional requirements focused on service delivery, performance, and resource forecasting.
-
Service Reporting (9.4): Determines the requirements for reporting on the performance and effectiveness of the management system and service delivery. Report must include decisions made based on findings arising from identifying trends and any output actions should be communicated to relevant parties. It also specifies that the metrics collated into this report are made up of all the reporting mechanisms referred to throughout the rest of the standard.
-
Service Portfolio: Covers service delivery and planning, as well as control of parties involved in the service lifecycle.
-
Supply and Demand Management: Includes budgeting and accounting for managed services, demand and capacity management.
-
Service Assurance: Manages customer demands, availability requirements, and ensures service continuity, similar to business continuity.
-
Availability Management: Housed within service assurance, considers risks related to service availability, continuity, and information security, based on agreed requirements/targets.
-
Service Cataloguing: Requires an up-to-date catalogue of services, including those in development and those planned for removal or modification. It may also include a compilation of services rolled into a tiered service.
-
Configuration Management: Each service should classify configured information (CI) by criticality, type, status and relationship to other services. CI should be uniquely identifiable and individually auditable to ensure integrity (traceability in this instance is pertinent).
Advantages of ISO 20000 certification: who benefits?
Certifying to this standard would greatly benefit companies of all sizes that provide managed IT services, IT help desk services, call centres, and similar operations. Many of these organisations implement various IT service management frameworks such as ITIL, COBIT, or Microsoft Operations. These frameworks align a company's IT services with its business needs and provide a set of best practices and methodologies to achieve this alignment.
Adopting a holistic approach to the IT services lifecycle, these frameworks assist organisations in delivering flexible and integrated IT services. They employ the most efficient methods to enhance operational efficiency, achieve consistent and high-quality service delivery, improve IT services, and reduce overall costs.
Currently, there are limited options for companies to gain certification for their chosen framework. ISO 20000 offers a means for organisations to verify and certify their IT service management framework, thereby increasing their desirability as service providers and boosting their market value and potential for securing more work and contracts.
ISO 20000 encompasses the most comprehensive Clause 8 among all standards and is notably more specific in its requirements, especially when compared to ISO 9001.
ISO 9001 often appears vague in its operational guidelines, as it needs to be adaptable to the diverse contexts of organisations across various industries. The operations detailed in ISO 20000 essentially provide a quality audit tailored specifically to IT service providers. Thus, it may be more advantageous for IT companies to seek ISO 20000 certification rather than ISO 9001, as the latter omits some critical elements and processes necessary for auditing IT organisations.
Final thoughts: Prioritising ISO 20000
To maximise the benefits of ISO 20000, the industry's perception of this standard must evolve. Companies should begin to stipulate ISO 20000 certification as a requirement rather than ISO 9001 when outsourcing IT activities, ensuring the highest quality of service throughout the supply chain.
In summary, achieving ISO 20000 certification rather than ISO 9001 would be advantageous for organisations involved in IT service activities, as well as for the industry as a whole. This approach ensures that IT organisations receive a tailored, IT-specific approach to quality management, as opposed to a generic one.
Ready to make the first step? Get in touch with our team.
Want to learn more about certification? Check out our webinars.