IRCA Briefing note ISO/IEC 20000-1: 2011




Contents

Introduction 3
Summary of the changes within ISO/IEC 20000-1:2011 3
Overview 3
Detail review 4
1. Scope 4
2. Normative references 4
3. Terms and definitions 4
4. Service management system general requirements 4
5. Design and transition of new or changed services 5
6. Service delivery processes 5
7. Relationship processes 6
8. Resolution processes 6
9. Control processes 6-7
Appendix A 8

Copyright IRCA 2012. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission of the International Register of Certificated Auditors (IRCA).

WWW.IRCA.ORG Page 2 of 9

Introduction

The International Register of Certificated Auditors (IRCA) has prepared this briefing note to communicate to IRCA Certificated Auditors, IRCA Approved Training Organizations and other interested parties our understanding of ISO/IEC 20000-1:2011. The content of this briefing note is provided in good faith and is the opinion of IRCA. It should not be reproduced nor used for commercial purposes. IRCA Certificated Auditors and IRCA Approved Training Organizations are advised to familiarise themselves with ISO/IEC 20000-1:2011.

The provision of IT services and the development of their underpinning Service Management Systems (SMS) have evolved considerably since the original standard was published in 2005. The sector has moved from the provision of internal corporate IT systems and bespoke outsourcing of corporate IT systems towards one that embraces consumerization and offers more generic, utility IT services. Practices and methodologies such as ITIL have evolved alongside those developments, and the requirements and conformance controls of ISO/IEC 20000-1:2011 have changed accordingly.

The 2011 revision also reinforces alignment with other management system standards, particularly ISO/IEC 9001:2008 (Quality management systems: Requirements) and ISO/IEC 27001:2005 (Information technology: Security techniques: Information security management systems: Requirements), improving and enabling an integrated, process-based approach across disciplines as part of a business management system.

Overview

A principal constraint of ISO 20000-1:2005, when implementing or assessing the conformance of an IT Service Management System (ITSMS), was the number of mandated "processes"; these were often worded such that they required auditor interpretation and agreement with the auditee. Throughout ISO/IEC 20000-1:2011 many of these process requirements are replaced with explicitly mandated documented procedures. Many are extended with prescribed minimum attributes that improve clarity of review and understanding of intent, and support conforming implementation. As an indicator of the extent of changes to conformance requirements, it is interesting to note that:

- ISO 20000-1:2005 had 171 "shall" statements
- ISO 20000-1:2011 has 257 "shall" statements (approximately +50%)

The revision also reinforces alignment with other management system standards, particularly ISO/IEC 9001:2008 Quality management systems and ISO/IEC 27001:2005 Information security management systems. Auditors and assessors with experience of these standards will be familiar with the common themes and terminology. However, those with experience only of ISO 20000-1:2005 may need to review the current standard carefully to ensure an appropriate understanding of the revised conformance requirements.

Some may view the modifications of ISO/IEC 20000-1:2011 as a substantial change. Others may think it largely captures good practices already implemented. IRCA's view is that publication of ISO/IEC 20000-1:2011 provides organizations implementing IT Service Management Systems, and organizations needing to audit IT Service Management Systems, an opportunity to re-assess their own practices and identify improvement opportunities.

Detail review

Many clauses of ISO 20000-1:2005 began with a statement of the objective of that clause (though not clauses titled "General" or "Background"). These have been removed and do not appear in ISO/IEC 20000-1:2011.

1. Scope

This section confirms the applicability of the standard to the whole service management system lifecycle. The general use cases described in 1.1 a) to f) are derived and developed from those in ISO 20000-1:2005 to clarify the perspectives of the service provider, the organization seeking services from a provider, and the assessor or auditor of conformity.

Figure 2, the Service Management System diagram, promotes a more consistent view of the relationship between the elements of ISO/IEC 20000-1:2011. Most notably, the relationship with customers and other stakeholders is added. The service management system requirements and the design and transition of new or changed services are added as layers in the diagram to demonstrate their context and relationship with the service delivery, resolution, relationship and control processes. Also of note, release and deployment management is subsumed into the category of control processes.

Clause 1.2 Application is added, documenting further clarification of requirements for conformance. Here it is acknowledged that parts of service delivery (clauses 5 to 9) may be provided by other parties and that evidence of process governance from these sources is admissible. However, it is emphasised that service management responsibility, governance of other parties involved in service provision, documentation management, resource management, and service establishment and improvement, as defined in clause 4, must be evidenced only by the service provider. No part of that clause may be delegated or contracted to another party. ISO/IEC TR 20000-3 provides additional guidance on scope definition and applicability, including further explanation about the governance of processes operated by other parties.

2. Normative references

This empty clause is added only for the purpose of clause numbering alignment with ISO/IEC 20000-2.

3. Terms and definitions

As would be expected from a technical revision, there are now 37 defined terms in ISO/IEC 20000-1:2011 compared with the 15 listed in ISO 20000-1:2005. Many of the additional terms are adopted or adapted from ISO 9000:2005 (Quality management systems: Fundamentals and vocabulary) and ISO 27000:2009 (Information technology: Security techniques: Information security management systems: Overview and vocabulary), and others are consistent with ITIL v3 (although ISO/IEC 20000-1:2011 is independent of any specific implementation methodology).

For example, clause 3.11 defines information security as "preservation of confidentiality, integrity and accessibility of information". "Accessibility" is inconsistent with ISO 27000:2009, which uses the term "availability"; however, "accessibility" is used here to avoid conflict with the existing ISO/IEC 20000-1:2011 definition of [IT service] availability in clause 3.1 of this standard.

The improved consistency of terms with other management system standards is a welcome assistance, enabling an integrated, process-based approach across disciplines. However, before undertaking a conformity assessment, care is needed to review the defined terms thoroughly to ensure a common understanding of the idiosyncrasies of some adapted terms.

4. Service management system general requirements

The use of clause 4 to define management system requirements reinforces alignment with other management system standards, particularly ISO/IEC 9001:2008 and ISO/IEC 27001:2005. Clause 4 of this standard is an extensive redevelopment of clauses 3 and 4 of ISO 20000-1:2005, transferring the mature management system principles established by ISO 9001 into this standard. It is not a like-for-like adoption, however; while the requirements and terminology may be familiar, clause 4 of this standard amalgamates equivalent elements from a number of ISO 9001 (and, similarly, ISO 27001) clauses, as outlined in Appendix A.

4.1 Management responsibility is a thorough re-work of ISO 20000-1:2005 clause 3.1, introducing a number of additional requirements. Top management commitment, policy management, and authority and responsibility are specified, and the requirements of the Management Representative are defined in more detail.

ISO 20000-1:2005 required mutual agreement on the interpretation of the term "supplier" when assessing conformance of service delivery dependencies through the supplier management clause ("supplier" was not a defined term in that standard, although clause 7.2 Figure 3 indicated an intention to consider only external suppliers). ISO/IEC 20000-1:2011 introduces clause 4.2 Governance of processes operated by other parties to acknowledge and clarify the range of parties involved in contributing to successful service delivery (internal service provider groups, external suppliers or customer contributions). Further, you will recall from clause 1.2 that a service provider cannot rely on evidence of the governance of processes operated by other parties for the requirements in clause 4: conformance now requires the service provider to demonstrate both an awareness of the range of service delivery dependencies and governance of those concerns. ISO/IEC TR 20000-3 provides further guidance about the governance of processes operated by other parties.

Clause 4.3 Documentation management defines a more prescribed documentation set for the SMS and introduces formalised document and record controls. A notable addition is the explicit requirement to document a catalogue of services as a separate and distinct document from the Service Level Agreement (SLA); this foundation document is referred to again in support of service design, and its purpose is clarified in clause 6.1 Service level management.

4.4 Resource management clarifies the SMS definition of resources (omitted from clause 2) as human, technical, information and financial resources, with the conformance requirements for determination and provision of these.

4.5 Service management system planning and implementation, derived from ISO 20000-1:2005 clause 4, has been re-worked in this standard. While the principles and structural outline have been maintained, there are numerous detailed requirement changes throughout which remove many points of ambiguity and interpretation and enable improved consistency of application. For example, the service management plan shall now contain or reference "...statutory and regulatory requirements..." and "...criteria for accepting risks", analogous to ISO 27001 information security management system control requirements. Due to the broad and detailed redevelopment, a thorough review of clause 4 is required to become familiar with and understand the revised and new conformance requirements.

5. Design and transition of new or changed services

Practices and requirements defined by ISO 20000-1:2005 clause 5 have been reworked and expanded to create clause 5 in this standard. Clause 5.1 re-emphasises change management as the prime controlling process. While acknowledging that the planning and design of new or changed services may result in some proposed changes being rejected, the clause makes clear that the service provider shall take the necessary actions to ensure that the remaining accepted changes are sufficient to perform the new or changed service effectively (an indirect conformance requirement for post-change effectiveness monitoring and review that is made more explicit in clause 9.2).

Clauses 5.2 and 5.3 list quite comprehensive requirements for the planning, design and development of new or changed services, including specific requirements for services that are to be removed (mothballed, closed or retired) and due diligence of dependencies on other parties contributing to the provision of service components.

5.4 Transition of new or changed services redefines requirements for pre-deployment service testing against acceptance criteria pre-agreed by the service provider and stakeholders, use of the revised release and deployment control process to migrate the service into the live environment, and a post-deployment review against expected outcomes.

6. Service delivery processes

The overall structure and purpose of this clause remain unchanged. However, a detailed review reveals many additional conformance requirements where ISO 20000-1:2005 statements have been clarified and refined. The more significant changes are outlined below.

There are two notable changes to clause 6.1 Service level management. The first updates the ISO 20000-1:2005 requirement that each service be defined, agreed and documented in one or more SLAs. ISO/IEC 20000-1:2011 recognises that a customer may contract a portfolio of IT services from a provider, and these shall now be defined in a catalogue of services for that customer that includes the dependencies between services and service components. This is then supplemented with one or more SLAs for each of the services being delivered. The other change echoes Governance of processes operated by other parties (clause 4.2): distinct from supplier management (addressed later in clause 7.2), the final paragraph of clause 6.1 mandates governance requirements for service components provided by an internal group or the customer.

Clause 6.2 Service reporting is broadly unchanged in principle; however, the conformance requirements for service report context and content are more prescribed.

6.3 Service continuity and availability management has been expanded and logically restructured into three subclauses with clarified conformance requirements, as follows.

Clause 6.3.1 Service continuity and availability requirements re-emphasises risk assessment of service continuity and availability as the first step in identifying and agreeing requirements with the customer and other interested parties. However, in assessing the conformance of a service provider that delivers a standardised service to a range of customers, the continuity and availability of that service would be risk-assessed and service level targets committed as part of the pre-contract service specification and SLA offered to those customers. The commercial contract would then constitute customer agreement to those prescribed continuity and availability commitments.

6.3.2 Service continuity and availability plans does not continue the former requirement to ensure that requirements are met "as agreed in all circumstances", as that contradicted the risk-based nature of service continuity and availability management. The clause does prescribe service continuity plan and service availability plan content, with the note that these plans may be combined into one document.

6.3.3 Service continuity and availability monitoring and testing drops the requirement to review the plans "at least annually"; this standard takes an event-driven approach, mandating review after testing the plans or after invoking the service continuity plan. As previously, service continuity and availability plans shall be re-tested after major changes to the service environment. Further, the tests are to be conducted against continuity and availability requirements, results recorded and reviewed, necessary actions taken, and the result of those actions reported.

6.4 Budgeting and accounting for services remains broadly unchanged, although the revised layout and wording aid clarity. One notable addition is the requirement for a defined interface between the budgeting and accounting for services process and other financial management processes.

Similarly, 6.5 Capacity management generally replicates the previous version of the standard, though again there are subtle changes. The scope of resources to be managed is explicitly listed as human, technical, information and financial resources. Further, there is a subtle change of wording that mandates the required outcome: ISO 20000-1:2005 stated that "Methods, procedures and techniques shall be identified to monitor service capacity, tune service performance and provide adequate capacity." An arguable interpretation of this statement is that the provider could identify methods, procedures and techniques without actually committing to use them to provide adequate capacity. ISO/IEC 20000-1:2011 requires quite unambiguously that "The service provider shall provide sufficient capacity to fulfil agreed capacity and performance requirements."

6.6 Information security management has been reworked to improve alignment with the requirements of ISO 27001. It has been divided into clauses covering information security policy, [risk] controls, and information security changes and incidents. The new policy and control requirements, although lightweight compared with ISO 27001, are more prescriptive than the previous version of this standard and may challenge some organizations that have not implemented an information security management system conforming to ISO 27001. In comparison, 6.6.3 Information security changes and incidents should be less challenging, as this generally replicates the requirements of the previous version of this standard to integrate information security management into existing change management, incident management and improvement processes.

7. Relationship processes

The overall structure and content of this clause remain unchanged, though there are some detailed changes. 7.1 Business relationship management has more focus upon the customer and is less prescriptive about the relationship with other stakeholders. The annual service review specified in ISO 20000-1:2005 has been replaced in this standard by the requirement for an unspecified communication mechanism, enabling a variety of arrangements from an annual review to a continuous, on-demand review tailored to business requirements. The purpose of this communication is defined, though the wording is a little ambiguous; a reasonable interpretation is recommended as "to promote [mutual] understanding of the business environment in which the services operate and requirements for new or changed services". This would enable, for example:

- the service provider to remain aware of the customer's business and operational environment and of requirements for change arising from the customer, and
- the service provider to respond to changes in their own strategic and commercial environment and improve, adjust or replace elements of a generic service provided to a number of customers.

Whilst the requirements for management of customer complaints remain unchanged, customer satisfaction now takes a pragmatic view and enables measurement and analysis based on a representative sample of the customers and users of the services.

7.2 Supplier management now documents a prescriptive list of elements that must be included or referenced in a supplier contract. The "annual major review" of the [supplier] contract or formal agreement specified in ISO 20000-1:2005 has been replaced with the more passive requirement to monitor the performance of the supplier at planned intervals. Of particular note is the replacement of two process requirements with:

- the requirement for the supplier contract to define or reference activities and responsibilities for termination of the contract and the transfer of services to a different party, ensuring that this is proactively addressed and documented before the need for transfer or termination arises, and
- the requirement for a documented procedure to manage contractual disputes.

8. Resolution processes

8.1 Incident and service request management acknowledges contemporary practice in many organizations to process incident reports and service change requests through one customer-facing unit and one common process; in this standard, the administration of service requests is lifted out of the Change management clause and placed here. The standard requires the incident and service request management process to be defined by two separate documented procedures for incident and service request lifecycle management, from recording to closure. Information to be made available to personnel performing the process is prescribed and includes information from the Release and deployment management process. The final paragraph prescribes that major incidents are now to be managed using a documented procedure.

8.2 Problem management remains broadly unchanged, although the revised layout and wording aid clarity. One notable improvement is the explicit acknowledgement that not all problems are permanently resolvable; commercial, technical or external constraints may prevent that from happening. The clause now states that where the root cause has been identified but the problem has not been permanently resolved, the service provider shall identify actions to reduce or eliminate the impact of the problem on the services.

9. Control processes

Configuration and change management clauses are significantly more prescriptive in this version of the standard.

9.1 Configuration management requirement changes include:

- minimum mandatory asset information fields for each CI in the CMDB;
- a documented procedure for recording, controlling and tracking versions of CIs that incorporates asset-risk-based control;
- master copies of CIs recorded in the CMDB shall be stored in secure physical or electronic libraries referenced by the configuration records;
- audit of the records stored in the CMDB at planned intervals.

9.2 Change management requirement changes include:

- minimum change management policy content;
- removal or transfer of a service shall be classified as a change to a service with the potential to have a major impact;
- a documented procedure to record, classify, assess and approve requests for change;
- a documented procedure for managing emergency changes.

The requirements to manage requests for change are similarly more robust, as follows:

- Requests for change classified as having the potential to have a major impact on the services or the customer shall be managed using the design and transition of new or changed services process. All other requests for change to CIs defined in the change management policy shall be managed using the change management process.
- The service provider and interested parties shall make decisions on the acceptance of requests for change.
- The activities required to reverse or remedy an unsuccessful change shall be planned and, where possible, tested.
- The service provider shall review changes for effectiveness (ISO 20000-1:2005 required only that changes "shall be reviewed for success").

9.3 Release and deployment management, now recognised as a control process, has an overall purpose and content that remain unchanged, although there are some detailed changes. Notable additional requirements are as follows.

There is now an explicit requirement to coordinate the deployment plan with the change management process and include references to the related requests for change, known errors and problems which are being closed through the release. Planning must also include the dates for deployment of each release, the associated deliverables and the intended methods of deployment. The definition of an emergency release must be documented and the release managed according to a documented procedure that interfaces to the emergency change procedure. For each release, acceptance criteria must be agreed with the customer and interested parties. Prior to deployment, the release must be verified against the agreed acceptance criteria and approved. If the criteria are not met, the customer and interested parties must be involved in the decision about what actions are necessary to proceed.

Appendix A: Service management system general requirements compared with ISO/IEC 9001 and ISO/IEC 27001

| ISO 20000:2011 | ISO 9001:2008 | ISO 27001:2005 |
|---|---|---|
| 4.1 Management responsibility | 5 Management responsibility | 5 Management responsibility |
| 4.1.1 Management commitment | 5.1 Management commitment | 5.1 Management commitment |
| 4.1.2 Service management policy | 5.3 Quality policy | 4.2.1 b) Define an ISMS policy... |
| 4.1.3 Authority, responsibility and communication | 5.5 Responsibility, authority and communication | 5.1 c) establishing roles and responsibilities for information security, and Annex A control (1) A.6.1.2 (approximate correlation) |
| 4.1.4 Management representative | 5.5.2 Management representative | 5.1 c) establishing roles and responsibilities for information security, and Annex A controls (1) A.6.1.1 and A.6.1.2 (approximate correlation) |
| 4.2 Governance of processes operated by other parties | 7.4 Purchasing (approximate correlation) | Numerous Annex A controls (1), particularly A.6.1.2 to A.6.1.6 and A.6.2 (approximate correlation) |
| 4.3 Documentation management | 4.2 Documentation requirements | 4.3 Documentation requirements |
| 4.3.1 Establish and maintain documents | 4.2.1 General | 4.3.1 General |
| 4.3.2 Control of documents | 4.2.3 Control of documents | 4.3.2 Control of documents |
| 4.3.3 Control of records | 4.2.4 Control of records | 4.3.3 Control of records |
| 4.4 Resource management | 6 Resource management | 5.2 Resource management |
| 4.4.1 Provision of resources | 6.1 Provision of resources | 5.2.1 Provision of resources |
| 4.4.2 Human resources | 6.2 Human resources | 5.2.2 Training, awareness and competence |
| 4.5 Establish and improve the SMS | Numerous references (as below) | 4.2 Establishing and managing the ISMS |
| 4.5.1 Define scope | 4.4.2 a) Quality manual: QMS scope definition | 4.2.1 a) Define the scope and boundaries of the ISMS |
| 4.5.2 Plan the SMS (Plan) | 5.4.2 Quality management system planning | 4.2.1 b) Define an ISMS policy, through to j) Prepare a Statement of Applicability (approximate correlation) |
| 4.5.3 Implement and operate the SMS (Do) | 4.1 General requirements (approximate correlation) | 4.2.2 Implement and operate the ISMS |
| 4.5.4 Monitor and review the SMS (Check) | 5.6 Management review | 4.2.3 Monitor and review the ISMS |
| 4.5.4.1 General | 8.1 Measurement, analysis and improvement: general | 4.2.3 Monitor and review the ISMS |
| 4.5.4.2 Internal audit | 8.2.2 Internal audit | 6 Internal ISMS audits |
| 4.5.4.3 Management review | 5.6 Management review | 7 Management review of the ISMS |
| 4.5.5 Maintain and improve the SMS (Act) | 8.5 Improvement | 8 ISMS improvement |
| 4.5.5.1 General | 8.5.1 Continual improvement | 8.1 Continual improvement |
| 4.5.5.2 Management of improvements | 5.6 Management review | 7 Management review of the ISMS, supplemented by 4.2.1 d) Identify the risks, through to i) Obtain management authorization (approximate correlation) |

(1) ISO 27001:2005 conformance does not require implementation of all control objectives and controls in Annex A of the standard, as these are selected based upon the defined scope of the Information Security Management System. However, it would be very unusual for an organisation to justify exclusion of the control objectives and controls defined in A.6.1.

International Register of Certificated Auditors (IRCA)
2nd Floor North, Chancery Exchange, 10 Furnival Street, London EC4A 1AB, United Kingdom
Email: irca@irca.org
Tel: +44 (0) 20 7245 6833
Fax: +44 (0) 20 7245 6755
WWW.IRCA.ORG