{"id":8624,"date":"2016-03-07T22:09:21","date_gmt":"2016-03-07T22:09:21","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/?p=8624"},"modified":"2025-07-10T19:13:42","modified_gmt":"2025-07-10T19:13:42","slug":"iso-27001-vs-itil-similarities-and-differences","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2016\/03\/07\/iso-27001-vs-itil-similarities-and-differences\/","title":{"rendered":"ISO 27001 vs. ITIL: Similarities and differences"},"content":{"rendered":"<p>IT services are one of the main pathways for information to flow through organizations, their clients and partners, and as legal and contractual requirements are increasingly including information protection demands (the healthcare industry is an example), these services and their management practices must evolve to adapt to this new scenario. But, how can we do that properly and in a cost-effective way?<\/p>\n<p>This article will present an overview of how <a href=\"\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a>, an ISO standard focused on information security management, and <a href=\"https:\/\/staging.advisera.com\/20000academy\/what-is-itil\/\" target=\"_blank\" rel=\"noopener noreferrer\">ITIL<\/a>, a public-private framework that focuses on IT services management, are related considering information protection, and how they can be used together to increase their benefits to an organization\u2019s business.<\/p>\n<h3 style=\"padding-bottom: 10px;\">General facts<\/h3>\n<p>Here is some information you may find useful for an initial understanding of ISO 27001 and ITIL:<\/p>\n<table class=\"table\" style=\"text-align: left; width: 100%;\" border=\"0\" cellspacing=\"2\" cellpadding=\"2\">\n<thead>\n<tr>\n<td style=\"width: 50%;\">ISO 27001<\/td>\n<td style=\"width: 50%;\">ITIL<\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>International standard<\/td>\n<td>Best practice 
framework<\/td>\n<\/tr>\n<tr>\n<td>Defines requirements for the establishment, implementation, maintenance, and continual improvement of an <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=management-system&amp;doc=isms-scope-document\" target=\"_blank\" rel=\"noopener noreferrer\">Information Security Management System (ISMS)<\/a>.<\/td>\n<td>Presents a set of best practices for IT service management, giving guidance on the provision of quality IT services and the processes, functions, and other capabilities needed to support them.<\/td>\n<\/tr>\n<tr>\n<td>Applicable to any type and size of organization.<\/td>\n<td>Applicable to almost every type of IT environment.<\/td>\n<\/tr>\n<tr>\n<td>Implementation is voluntary, and certification of the ISMS by an accredited certification body is optional.<\/td>\n<td>Organizations cannot be certified against ITIL; ITIL certification exists only for individuals.<\/td>\n<\/tr>\n<tr>\n<td>Version referenced in this article: ISO 27001:2013<\/td>\n<td>Version referenced in this article: ITIL 2011 edition<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"padding-top: 10px;\">As you can see, ISO 27001 addresses information protection directly, while ITIL does so only indirectly. This is because ITIL covers a broad set of practices for managing and delivering quality IT services, such as financial management and request fulfillment. 
However, since information security is also critical to IT service management and to the quality of IT services, ITIL covers it as one of its service design processes (information security management) and integrates security considerations into most of the other processes in the framework.<\/p>\n<h2>ISO 27001 structure<\/h2>\n<p>ISO 27001 consists of 11 clauses (0 to 10, of which clauses 4 to 10 contain the mandatory requirements) and 114 generic <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=risk-management&amp;doc=statement-of-applicability\" target=\"_blank\" rel=\"noopener noreferrer\">security controls<\/a>\u00a0grouped into 14 sections (Annex A, sections A.5 to A.18). For more information, read these articles: <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2013\/01\/28\/a-first-look-at-the-new-iso-27001-2013-draft-version\/\" target=\"_blank\" rel=\"noopener\">A first look at the new ISO 27001<\/a>\u00a0and <a href=\"\/27001academy\/iso-27001-controls\/\" target=\"_blank\" rel=\"noopener noreferrer\">An overview of ISO 27001:2013 Annex A<\/a>.<\/p>\n<p>One limitation of ISO 27001 is that it specifies what must be achieved, not how: it gives little detail on how to fulfill the requirements or implement the controls. For implementation guidance, use ISO 27002. For more information, read this article: <a href=\"\/27001academy\/knowledgebase\/iso-27001-vs-iso-27002\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001 vs. 
ISO 27002<\/a>.<\/p>\n<h2><strong>ITIL structure and similarities and differences with ISO 27001<\/strong><\/h2>\n<p>On the other hand, the ITIL 2011 framework consists of 26 processes and four functions, organized around a five-stage service lifecycle:<\/p>\n<p><strong><em>Service strategy (5 processes):<\/em><\/strong> involves aligning the IT strategy with overall business goals and expectations, to ensure that IT adds value to the organization. This stage can be related to ISO 27001 clause 4 (Context of the organization).<\/p>\n<p><strong><em>Service design (8 processes):<\/em><\/strong> involves ensuring that IT services meet business objectives while balancing cost, functionality, and performance. One of the service design processes is information security management, and because it uses many of the same concepts as ISO 27001 (e.g., the CIA triad, security controls, etc.), it maps closely to ISO 27001 clause 6 (Planning). For more information, read this article: <a href=\"https:\/\/staging.advisera.com\/20000academy\/blog\/2014\/04\/01\/anything-shouldnt-taken-granted-information-security-management\/\" target=\"_blank\" rel=\"noopener noreferrer\">If anything shouldn\u2019t be taken for granted\u2026 it\u2019s Information Security Management<\/a>.<\/p>\n<p><strong><em>Service transition (7 processes):<\/em><\/strong> involves ensuring that new, modified, and retired IT services meet the needs of the business, and that changes are managed and controlled effectively. This stage can be related to ISO 27001 clause 8 (Operation) and control A.12.1.2 \u2013 Change management.<\/p>\n<p><strong><em>Service operation (5 processes):<\/em><\/strong> involves ensuring that IT services are operated securely and reliably to support business needs. This stage can be related to ISO 27001 clause 8 (Operation); its incident management and access management processes correspond to Annex A sections A.16 (Information security incident management) and A.9 (Access control), respectively.<\/p>\n<p><strong><em>Continual service improvement (1 process, the seven-step improvement process):<\/em><\/strong> involves improving the quality, efficiency, and effectiveness of IT services while reducing costs. 
This stage can be related to ISO 27001 clauses 9 (Performance evaluation) and 10 (Continual improvement).<\/p>\n<p>Although ISO 27001 and ITIL are presented differently, both follow the Plan-Do-Check-Act (PDCA) cycle, which makes it easier to work with them together.<\/p>\n<table class=\"table\" style=\"text-align: left; width: 100%;\" border=\"0\" cellspacing=\"2\" cellpadding=\"2\">\n<thead>\n<tr>\n<td style=\"width: 15%;\">PDCA Cycle<\/td>\n<td style=\"width: 45%;\">ISO 27001:2013 clauses<\/td>\n<td style=\"width: 40%;\">ITIL stages<\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Plan<\/td>\n<td>\n<p style=\"text-align: left;\">Clause 4 &#8211; Context of the organization<\/p>\n<p style=\"text-align: left;\">Clause 5 \u2013 Leadership<\/p>\n<p style=\"text-align: left;\">Clause 6 \u2013 Planning<\/p>\n<p style=\"text-align: left;\">Clause 7 \u2013 Support<\/p>\n<\/td>\n<td>\n<p style=\"text-align: left;\">Service strategy<\/p>\n<p style=\"text-align: left;\">Service design<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>Do<\/td>\n<td>Clause 8 \u2013 Operation<\/td>\n<td>\n<p style=\"text-align: left;\">Service transition<\/p>\n<p style=\"text-align: left;\">Service operation<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>Check<\/td>\n<td>Clause 9 \u2013 Performance evaluation<\/td>\n<td>Continual service improvement<\/td>\n<\/tr>\n<tr>\n<td>Act<\/td>\n<td>Clause 10 \u2013 Continual improvement<\/td>\n<td>Continual service improvement<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"padding-top: 10px;\">Additionally, like ISO 27001, ITIL does not prescribe exactly how its processes should be implemented. It does, however, describe each process in detail in terms of objectives, activities, inputs, and outputs, and supplies checklists, leaving room for organizations to tailor the processes to their own needs. 
A rough comparison would be to think of ITIL as if the contents of ISO 27002 were included in ISO 27001.<\/p>\n<h2>How do we use ITIL and ISO 27001 together?<\/h2>\n<p>There is no single answer to this question, since it depends on the organization and its requirements. One approach is to implement ISO 27001 first, because it covers information security management as a whole (of which the IT environment is only a part), and then move on to ITIL, which provides more implementation detail for the IT service processes.<\/p>\n<p>Another alternative is to identify the ISO 27001 elements that correspond to each ITIL stage and implement them in sequence, following the ITIL implementation schedule.<\/p>\n<p>For more information about ISO 27001 and ITIL implementation, see these materials: <a href=\"\/27001academy\/free-downloads\/\" target=\"_blank\" rel=\"noopener noreferrer\">Diagram of ISO 27001:2013 Implementation<\/a>\u00a0and <a href=\"https:\/\/staging.advisera.com\/20000academy\/free-downloads\/\" target=\"_blank\" rel=\"noopener noreferrer\">ITIL implementation diagram<\/a>.<\/p>\n<p>The important point is to treat ISO 27001 and ITIL as complementary: together they help an organization deliver customer services with appropriate security.<\/p>\n<p><span class=\"notion-enable-hover\" data-token-index=\"0\"><em>To implement ISO 27001 easily and efficiently,<\/em>\u00a0<\/span><a class=\"notion-link-token notion-focusable-token notion-enable-hover\" tabindex=\"0\" href=\"https:\/\/staging.advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener\" data-token-index=\"1\"><span class=\"link-annotation-unknown-block-id-1092142182\">sign up for a free trial<\/span><\/a><span class=\"notion-enable-hover\" data-token-index=\"2\">\u00a0<em>of Conformio, the leading ISO 27001 compliance software.<\/em><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>IT services are one of the main pathways for information to flow through organizations, their clients and partners, and as 
legal and contractual requirements are increasingly including information protection demands (the healthcare industry is an example), these services and their management practices must evolve to adapt to this new scenario. But, how can we do &#8230;<\/p>\n","protected":false},"author":41,"featured_media":8625,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[381,904,995,996,997],"class_list":["post-8624","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-iso-27001","tag-itil","tag-best-practice","tag-standard","tag-framework"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/8624","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/41"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=8624"}],"version-history":[{"count":2,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/8624\/revisions"}],"predecessor-version":[{"id":104409,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/8624\/revisions\/104409"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/8625"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=8624"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=8624"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.c
om\/27001academy\/wp-json\/wp\/v2\/tags?post=8624"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}