Why Integration Matters
Most IT service organizations pursuing ISO 20000 already hold or are actively pursuing ISO 27001 (Information Security Management) and/or ISO 22301 (Business Continuity Management). Running three separate management systems in parallel creates significant administrative duplication: three audit programs, three management reviews, three sets of policies, three document control systems, three improvement registers. The duplication is costly in terms of effort and staff time, and it creates inconsistency—different approaches to similar problems (incident management exists in both ISO 20000 and ISO 27001), different audit findings on related topics, and confusion about which standard governs which procedure. The Annex SL High Level Structure (HLS) common to all three standards was specifically designed to enable integration. The shared clauses in Annex SL (Clauses 4 through 10) have identical or near-identical requirements, enabling a single integrated management system to satisfy all three standards simultaneously.
The Integration Case: Quantified Efficiency Gains
For a typical organization with mature ISO 27001 certification, implementing ISO 20000 with full integration typically requires 30–40% less effort than implementing ISO 20000 as a standalone system. The effort reduction comes from: leveraging existing governance infrastructure rather than building three governance structures, sharing documented information (policy frameworks, risk management procedures, audit programs) rather than creating separate versions for each standard, eliminating duplicate records (one audit schedule covering all three rather than three separate audit schedules), and running one management review covering all three systems rather than three separate reviews.
For organizations implementing ISO 20000, ISO 27001, and ISO 22301 simultaneously from scratch, an integrated approach saves 40–50% compared to three parallel implementations. Organizations that implement the three standards sequentially (e.g., ISO 27001 first, then ISO 20000, then ISO 22301) but do not integrate them end up with three disconnected systems and higher total effort than a planned, integrated implementation from the start.
The Annex SL High Level Structure: Shared Elements
The HLS Design
The Annex SL High Level Structure gives ISO 20000-1, ISO 27001 and ISO 22301 a common framework: the same clause numbering and largely the same core text for Clauses 4 through 10, which is what makes integration possible. The shared clauses are: Clause 4 (Context of the organization), Clause 5 (Leadership), Clause 6 (Planning), Clause 7 (Support), Clause 8 (Operation, where the content is standard-specific), Clause 9 (Performance evaluation), Clause 10 (Improvement). Note that the shared text is common, not identical: each standard adds its own requirements inside the shared clauses (for example, ISO 27001 adds information security risk assessment and risk treatment in Clause 6, and ISO 22301 adds business impact analysis in Clause 8), so the integrated procedure for each clause must satisfy the union of the three requirement sets.
Clause 4: Context of the Organization
All three standards require an assessment of the organizational context. An integrated approach: conduct one organizational context assessment covering external factors (market, regulatory, technological, competitive), internal factors (values, culture, governance, capabilities), and how they affect the management system. This single assessment informs the scope and strategy for all three management systems.
Clause 5: Leadership and Commitment
All three standards require top management commitment. An integrated approach: develop a unified management system policy, approved by the same executive (likely the CEO or CIO), that articulates the organization's commitment to quality service management, information security, and business continuity. One set of management commitments expressed in one policy, rather than three separate policies.
Clause 6: Planning
All three standards require planning (risks, objectives, change management). An integrated approach: use a single risk management process that assesses risks across service management, information security, and business continuity from a common risk framework. One risk register instead of three separate ones. One objective-setting process that establishes objectives for service management, security, and continuity aligned to organizational strategy. One change management procedure governing changes to all three management systems.
Clause 7: Support
Clause 7 requires resources, competence, awareness, communication, and documented information. An integrated approach: one document control system covering all three standards' procedures and records; one competence framework defining required skills for service management, security, and continuity roles; one awareness program addressing all three systems; one communication plan addressing management system communications.
Clause 8: Operation
Clause 8 content is standard-specific, so integration is limited. However, integration occurs at the interfaces: ISO 20000 incident management and ISO 27001 security incident response must be integrated (a security incident is logged and triaged through incident management, handled by the security incident response procedure, and escalated as a major incident when its service impact warrants it); ISO 20000 change management and ISO 27001 security review must be integrated (changes affecting information security are reviewed through both processes); ISO 20000 service continuity and ISO 22301 business continuity must be integrated (IT recovery targets are derived from the business impact analysis).
Clause 9: Performance Evaluation
All three standards require monitoring, measurement, and internal audit. An integrated approach: one internal audit program covering all three standards; one set of KPIs covering service management, security, and continuity performance; one management review covering all three systems.
Clause 10: Improvement
All three standards require nonconformity management and continual improvement. An integrated approach: one nonconformity and corrective action process applicable to all three standards; one improvement register; one improvement review process.
Unique Elements That Cannot Be Integrated
ISO 27001 Annex A Controls
ISO 27001:2022 Annex A lists 93 controls grouped into four themes (organizational, people, physical and technological); the 2013 edition had 114 controls in 14 domains, which is why older material still cites 14. Each organization must conduct an information security risk assessment, produce a Statement of Applicability (SoA) recording which Annex A controls are applicable and which are excluded, with justification for both inclusion and exclusion, and implement the applicable controls through a risk treatment plan. The SoA and the risk treatment plan are ISO 27001-specific and have no equivalent in ISO 20000 or ISO 22301. They must be maintained as ISO 27001-specific documented information even when the underlying risk register is shared with the other two systems.
ISO 22301 Business Continuity Planning
ISO 22301 requires comprehensive business continuity planning covering all business functions and services. ISO 20000 service continuity management is a subset—it covers IT service continuity, but ISO 22301 covers the broader organization. An organization certified to ISO 22301 has a comprehensive BCP; ISO 20000 service continuity plans are derived from and aligned with that BCP. Organizations implementing only ISO 20000 (not ISO 22301) must still develop service continuity plans, but the scope is limited to IT services.
ISO 20000 Clause 8 Practices
ISO 20000-1 Clause 8 specifies the service management practices, including service level management, incident management, service request management, problem management, change management, release and deployment management, configuration management, asset management, availability management, capacity management and service continuity management. These practices are unique to ISO 20000. While security incidents are addressed in ISO 27001 incident response procedures, ISO 20000 incident management is broader and covers all incident types. The ISO 20000 practices require separate procedures and records. Note that ISO 20000-1:2018 also contains its own information security management requirements (Clause 8.7.3); in an integrated system these are satisfied by the ISMS rather than by a second set of security procedures, and the mapping should be stated explicitly so both audit teams can find it.
Integration Architecture: How to Structure the Integrated System
Four-Level Architecture
Level 1: Governance Documents (shared across all three standards). This includes: Management System Policy (one unified policy document addressing commitment to service management, security, and continuity), Organizational Context Assessment (one assessment covering factors affecting all three systems), Scope Statement (scope of each standard and whether they align), and Risk Management Framework (one framework used for all three standards).
Level 2: Management System Plans (per standard). This includes: Service Management Plan (for ISO 20000), ISMS Policy Framework (for ISO 27001, detailing how ISMS policies implement the overarching management system policy), BCM Program Plan (for ISO 22301). These plans are separate because each standard has different planning requirements, but they all reference and align with Level 1 governance documents.
Level 3: Practice Procedures (per standard). This includes: ISO 20000 service management practice procedures (incident, change, configuration, etc.), ISO 27001 control implementation procedures (authentication controls, encryption procedures, etc.), ISO 22301 business continuity procedures (BCP development, testing, invocation). These procedures are standard-specific and do not have equivalents across standards.
Level 4: Records and Evidence (per standard and practice). This includes: incident records (ISO 20000), security incident logs (ISO 27001), business continuity test records (ISO 22301). These records are generated by the practices and procedures and form the evidence auditors examine.
Practical Integration Decisions
Scope Alignment
Should all three standards cover the same organizational scope? For IT service providers, the answer is typically yes—IT service management, information security, and business continuity all apply to the same IT services and infrastructure. However, scope may be staggered for larger organizations: ISO 27001 might cover the entire IT organization; ISO 20000 might cover only customer-facing services; ISO 22301 might focus on critical services. When scope differs, the integrated management system must document and explain the differences.
Certification Body Selection
Using the same Certification Body (CB) for all three standards enables combined audits. Combined audits are 25–35% more efficient than conducting three separate audits (auditors can examine integrated processes once rather than three times; audit scheduling is simpler). The CB must have auditors competent in all three standards. When selecting a CB, verify that the CB can audit all three standards (many CBs specialize in one or two standards).
Combined Audit Scheduling
How to plan the combined audit program? The initial certification audit is conducted in two stages (a Stage 1 readiness review of documentation and a Stage 2 audit of implementation) and covers the shared Clauses 4 through 7, 9 and 10 once for all three standards, plus the standard-specific Clause 8 content of each. Surveillance audits follow annually or twice yearly, again covering all three standards, with recertification at the end of the three-year cycle. Planning: how many auditor-days do you need? The figures quoted here (5–7 auditor-days for the initial combined audit, 3–4 per year for surveillance) are indicative for a small scope only; the CB calculates audit time from the certified scope, the number of people within it and the degree of integration, so obtain the CB's calculation before budgeting.
Team Structure
In an integrated management system, the team structure might include: Chief Information Officer or equivalent (overall responsibility for all three systems), Service Management Manager (responsible for ISO 20000 compliance), Chief Information Security Officer (responsible for ISO 27001), Business Continuity Manager (responsible for ISO 22301). These roles may be separate people (large organization) or combined (small organization). Whoever is responsible for governance (usually the CIO) must ensure the three roles work together.
The Security-Service Management Interface
Incident Management and Security Incident Response
ISO 20000 incident management covers all incident types. ISO 27001 requires security incident response procedures. Integration: security incidents are a category within incident management. A security incident (data breach, unauthorized access, malware infection) is logged, classified and triaged as an incident in ISO 20000 incident management, and its security-specific handling (containment, evidence preservation, notification) follows the security incident response procedure required by ISO 27001. If its service impact is major (widespread outage, widespread data breach) it is also escalated as a major incident, and if it is a regulatory breach the security procedure owns the notification deadlines. Incident and security incident procedures must reference each other, and the integrated tooling must be able to restrict access to the records of sensitive security incidents, since a service desk queue visible to all staff is not an acceptable place for breach details.
Change Management and Security Review
Changes to systems that handle sensitive information or affect security controls must undergo both ISO 20000 change management and ISO 27001 security review. Integration: change records include a security review field. Before a change is approved by CAB, if the change affects information security, a security review is conducted (does the change expose security vulnerabilities? Does it require new security controls?). The security review is documented in the change record.
Configuration Management and Asset Management
ISO 20000 CMDB tracks configuration items. ISO 27001 requires asset management (ISO 27001:2022 controls A.5.9, inventory of information and other associated assets with their owners, and A.5.12, classification of information). Integration: the CMDB is used to identify information assets (which CIs handle sensitive data, which systems process personal information). A unified CI and asset register means no duplicate records. Asset classification (public, internal, confidential) and asset owner are captured as CI attributes, and every CI that implements a security control (firewall, identity provider, SIEM) is flagged as such so that change management can recognise a security-relevant change from the CIs it touches.
Service Continuity and Business Continuity
ISO 20000 service continuity plans are derived from and aligned with ISO 22301 business continuity plans. Integration: the business impact analysis identifies which business functions depend on which IT services. Service continuity plans for those IT services are designed to support the business continuity requirements. The RTO of each IT service must be no greater than the RTO of the most demanding business function that depends on it, and its RPO no greater than the data-loss tolerance identified for that function; a service continuity plan whose targets are looser than the BCP it supports is a finding under both standards.
Common Integration Failures
Failure 1: Separate document control systems for each standard. This creates document duplication and version drift. A policy is updated for ISO 27001 but not for ISO 20000 and ISO 22301, resulting in inconsistent policy across standards. Solution: single document control system for all three standards; versions managed once.
Failure 2: Separate management reviews for each standard. Three management reviews per year covering the same organization with no coordination. Finding identified in ISO 27001 management review is not discussed in ISO 20000 management review, leading to inconsistent response. Solution: single management review covering all three systems.
Failure 3: Separate improvement registers. Improvements are tracked separately for each standard, with no view of the overall improvement portfolio. Improvement addressing an issue in both ISO 20000 and ISO 27001 is tracked twice. Solution: single improvement register with traceability to all three standards.
Failure 4: Auditors from different CBs examining the same processes and issuing contradictory findings. ISO 27001 auditor and ISO 20000 auditor examine the change management process and issue different findings about compliance. Solution: use the same CB for all three standards and require alignment in audit approach.
Failure 5: Integration only on paper (integrated policy documents) but not in practice (change management still runs separately from security review). Integrated documentation without operational integration. Solution: change management SOP explicitly requires security review when applicable; change records have security review checkboxes that auditors verify are completed.
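The change-to-security-review interface and the CMDB-as-asset-register pattern described above, and the "checkbox that auditors verify" fix for Failure 5, can be enforced mechanically rather than by hoping CAB members remember. The following is an added illustration, not code from the original page or from any product it mentions: a hypothetical data model in which CIs carry a classification and a security-control flag, a CAB gate refuses to approve a security-relevant change whose review is missing or rejected, and an audit pass runs over constructed sample change records and reports the ones that bypassed the review. The CI and change identifiers and the classification scheme are assumptions.

```python
"""Security-review gate for change records in an integrated SMS/ISMS.

Added example with a hypothetical data model and constructed sample data;
not the original page's code. Classification values and CI identifiers are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# ISO 27001 asset classification stored as a CI attribute so the CMDB
# doubles as the asset register. "confidential" and above require review.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2}
REVIEW_THRESHOLD = CLASSIFICATION_RANK["confidential"]


@dataclass(frozen=True)
class ConfigurationItem:
    ci_id: str
    name: str
    classification: str                  # public | internal | confidential
    is_security_control: bool = False    # firewall, identity provider, SIEM, ...


@dataclass
class SecurityReview:
    reviewer: str
    outcome: str                         # "approved" | "rejected"


@dataclass
class ChangeRecord:
    change_id: str
    affected_cis: Tuple[str, ...]
    security_review: Optional[SecurityReview] = None
    cab_approved: bool = False


class PolicyViolation(Exception):
    """Raised when CAB approval would bypass a required security review."""


def requires_security_review(change: ChangeRecord, cmdb: Dict[str, ConfigurationItem]) -> bool:
    """Review is mandatory when any affected CI is confidential or implements a
    security control. A CI that is not in the CMDB fails closed (review required)."""
    for ci_id in change.affected_cis:
        ci = cmdb.get(ci_id)
        if ci is None:
            return True
        if ci.is_security_control or CLASSIFICATION_RANK[ci.classification] >= REVIEW_THRESHOLD:
            return True
    return False


def cab_approve(change: ChangeRecord, cmdb: Dict[str, ConfigurationItem]) -> ChangeRecord:
    """CAB gate: approval is only recorded once any required review is approved."""
    if requires_security_review(change, cmdb):
        if change.security_review is None:
            raise PolicyViolation(f"{change.change_id}: security review required but missing")
        if change.security_review.outcome != "approved":
            raise PolicyViolation(
                f"{change.change_id}: security review outcome is '{change.security_review.outcome}'")
    change.cab_approved = True
    return change


def audit_change_records(changes, cmdb: Dict[str, ConfigurationItem]) -> Dict[str, str]:
    """Internal-audit pass over approved changes; returns change_id -> finding."""
    findings: Dict[str, str] = {}
    for change in changes:
        if not change.cab_approved:
            continue
        unknown = [c for c in change.affected_cis if c not in cmdb]
        if unknown:
            findings[change.change_id] = f"approved with CIs not in CMDB: {unknown}"
        elif requires_security_review(change, cmdb):
            if change.security_review is None:
                findings[change.change_id] = "approved without required security review"
            elif change.security_review.outcome != "approved":
                findings[change.change_id] = (
                    f"approved despite security review outcome '{change.security_review.outcome}'")
    return findings


# Constructed sample CMDB and change history (not real data).
CMDB = {ci.ci_id: ci for ci in [
    ConfigurationItem("CI-0001", "public website", "public"),
    ConfigurationItem("CI-0002", "customer database", "confidential"),
    ConfigurationItem("CI-0003", "perimeter firewall", "internal", is_security_control=True),
]}

SAMPLE_CHANGES = [
    ChangeRecord("CHG-1001", ("CI-0001",), cab_approved=True),                                    # fine: no review needed
    ChangeRecord("CHG-1002", ("CI-0002",), SecurityReview("ciso", "approved"), cab_approved=True), # fine: reviewed
    ChangeRecord("CHG-1003", ("CI-0003",), cab_approved=True),                                    # finding: no review
    ChangeRecord("CHG-1004", ("CI-0002",), SecurityReview("ciso", "rejected"), cab_approved=True), # finding: rejected
    ChangeRecord("CHG-1005", ("CI-9999",), cab_approved=True),                                    # finding: CI not in CMDB
]

if __name__ == "__main__":
    for cid, finding in sorted(audit_change_records(SAMPLE_CHANGES, CMDB).items()):
        print(cid, finding)
    try:
        cab_approve(ChangeRecord("CHG-1006", ("CI-0003",)), CMDB)
    except PolicyViolation as exc:
        print("blocked:", exc)
```

The audit function is the part an internal auditor or a CB can actually run: it reads the same records the CAB produced and lists the approvals that skipped a required review, which is exactly the "integrated on paper only" evidence an auditor looks for. Failing closed on unknown CIs matters because a change that touches something absent from the CMDB is both a configuration management finding and an asset management finding.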
| KEY CONCEPT | Integration does not mean combining everything into one document. It means designing the management system so shared elements (governance, risk management, audit program, management review) are managed once, and standard-specific elements (security controls, IT practices, business continuity plans) are managed separately but with clear linkages. This is different from writing a single monolithic document that tries to address all three standards at once (which creates confusion). The architecture is: unified governance → separate management system plans aligned to governance → standard-specific procedures and records. |
HLS Clause Integration Opportunities
| Clause | ISO 20000 Requirement | ISO 27001 Equivalent | ISO 22301 Equivalent | Integration Approach |
|---|---|---|---|---|
| 4: Context | Understand external and internal context affecting SMS | Understand context affecting ISMS | Understand context affecting BCM | Single organizational context assessment shared by all three |
| 5: Leadership | Top management commitment to SMS | Top management commitment to ISMS | Top management commitment to BCM | Single unified management system policy addressing all three |
| 6: Planning | Risk assessment, objectives, change planning for SMS | Information security risk assessment and objectives | Business continuity risk assessment and objectives | Single integrated risk management process and risk register |
| 7: Support | Resources, competence, communication, documented information for SMS | Resources, competence, awareness for ISMS | Resources, competence, awareness for BCM | Single document control system, competence framework, communication plan |
| 8: Operation | Service management practices (incident, change, etc.) | Annex A controls (A.5 through A.8 in the 2022 edition) via the SoA | Business impact analysis, continuity strategy, plans, exercising | Integration at interfaces: incident-to-security incident, change-to-security review, continuity-to-BCP |
| 9: Performance | SMS KPIs, internal audit, management review | ISMS KPIs, internal audit, management review | BCM KPIs, internal audit, management review | Single internal audit program, single management review covering all three |
| 10: Improvement | Nonconformity, corrective action, continual improvement | Same for ISMS | Same for BCM | Single nonconformity process, single improvement register |
Integration Decision Matrix
| Integration Decision | Recommended Approach | Efficiency Gain | Implementation Consideration |
|---|---|---|---|
| Governance & Policy | Single unified management system policy and governance structure shared by all three standards | 30–40% reduction in policy documentation effort | Define how the policy addresses the specific requirements of each standard without creating three separate policy documents |
| Risk Management | Single risk management process and risk register covering service management, information security, and business continuity risks | 25–35% reduction in risk assessment effort | Risk register must tag risks by standard so that all standard-specific risks (and the ISO 27001 SoA linkage) are addressed |
| Internal Audit Program | Single combined audit program covering all three standards, using the same auditors and schedule | 25–35% reduction in audit effort | Audit team must be competent in all three standards or include an auditor for each standard on each audit |
| Management Review | Single management review meeting covering performance, risks, improvement, and compliance for all three systems | 40–50% reduction in management review effort | Agenda and metrics must address all three standards without becoming unwieldy (typically a 2–3 hour meeting) |
| Certification Body Selection | Use a single CB competent in all three standards rather than separate CBs | 25–35% reduction in audit costs and scheduling complexity | Verify the CB has auditors competent in all three standards and experience with integrated audits |

| IMPORTANT | When a CB audits an integrated management system, it will examine whether the system genuinely operates as one integrated system or whether it is three separate systems with a common cover page. The test is operational: does incident management actually route security incidents through the security incident response procedure? Does change management actually require security review for security-relevant changes? Does the CMDB actually support security asset management? If integration is only documented but not operational, the auditors will identify this and issue findings. Genuine integration requires operational discipline and ongoing vigilance. |
| BITLION INSIGHT | Bitlion GRC integrated management system module provides a unified platform for ISO 20000, ISO 27001, and ISO 22301 with: single policy management system; unified risk register supporting all three standards; combined internal audit program template; consolidated management review reporting; integrated incident and security incident management; change management with security review workflow; unified CMDB and asset register; and combined improvement tracking. Organizations implementing all three standards can achieve 40–50% effort reduction through Bitlion integration capabilities. |