Combining (aka "Bridging") ISO 9001:2008 and ISO 20000


Sweetsue28uk

Can anyone please help me? Over two years ago I implemented a system at work that led us to be certified to ISO 9001:2008. We have now merged with another company who are very heavily intertwined with ITIL. I want to ensure that the work we have put in is not lost in the ITIL world. I am desperate to understand the bridging standard of ISO 20000 between these two differing worlds. Does anyone have an overview of this that you could provide me with, so that I can approach my boss with what we have versus what we would need? I am aware that there are 16 processes in this Standard that are linked to ITIL, but that is the totality of my knowledge.

Any help would be much appreciated.

Sue
 

john.b

Involved In Discussions
Interesting question. I work in an IT services company that has done some implementation of ITIL processes, is certified to 9001, and considered 20000 certification so I can offer some thoughts.

In a sense 20000 is the IT service management oriented and detailed version of the more general quality management standard and 9001 QMS system, and in another sense it is ITIL processes condensed into a management system, as you've stated. In other different senses it is not those things. You will probably want to review what 20000 and ITIL are before you decide to head towards an implementation. Obviously you would need to be working in an IT service management company to even consider that (although 20k moved away from "IT" towards general "SM" in wording, that's still what it is).

If the company you have merged with has only implemented a limited number of ITIL processes (e.g. incident, problem, change management) then piling on the rest in a hurry is probably not going to work, regardless of why you try to. If there isn't a very clear and convincing business case for ITSM certification then no matter what processes are implemented it may not make sense. Aside from explicit customer demands and marketing edge, system certification could assure through third party review that the individual processes function as a somewhat integrated system employing some degree of services provision best practices, of course, but that is the theory and the actual practice could differ.

The normal training starting point for ITIL, as you are no doubt aware, is taking an ITIL Foundation class. Even aside from doing that you could do an internet search and turn up materials that cover the same scope, perhaps just not as well tailored for passing the current version training course test. On-line research of ITSM and ITIL processes is a bit thinner than it would seem it should be. Most of what looks like a substantial resource is either an attempt that was dropped at some point or marketing for related services. General background texts that would get you through the introduction are plentiful, but when it comes to implementation these would probably seem a bit too general, as almost all courses and references might, even until well into the process.

It can get lost in the maze of different information and perspectives but it does make sense to implement some basic parts of a set of different related ITIL processes. "Service management" is the natural starting point in terms of how the theory flows but incident and change management are natural beginnings in terms of what gets implemented, a result of where most of the natural demand is. There is a lot more to that world but much of it depends on what makes sense based on your company's requirements.
 

Jadey52803

Starting to get Involved
Kind of related to this, but I could not find my exact question answered elsewhere. We are in the process of working towards ISO 9001 certification. At the same time, our Technology department is working towards ISO 27001. Can I/should I exclude the Technology part from our ISO 9001 scope? That is the only area where the design and development requirement would apply - as all other manufacturing is done based on specifications defined by our customers.

I'd appreciate any guidance recommendations here as I am just trying to keep up with all of the 9001 requirements and now trying to juggle the 27001 info while learning. :bonk:
 

Kronos147

Trusted Information Resource
I'd appreciate any guidance recommendations here as I am just trying to keep up with all of the 9001 requirements and now trying to juggle the 27001 info while learning. :bonk:

I was a 9001 auditor and reviewed 27001; I was thinking of going there for a while. I did a stage 2 audit combined with a 27001 on one occasion.

The Annex SL makes the process easier. Figure out the things you do (your processes), figure out what requirements (9001, 27001, internal) should be fulfilled by which processes (matrix?) and check to see how compliant you are (internal audit). Document what's not there (non conformance reports), and adjust the processes (corrective action).

There is no magic other than to work with the tools 9001 and 27001 provide, and to make them work in a manner that is right for your organization (0.1 of both standards).
 

john.b

Involved In Discussions
Keep in mind that you have some flexibility, so what people offer as advice would be just that, their opinion. There isn't likely to be a right answer out there, maybe just better and worse answers.

You want to start with the reason for implementing these systems, the function you want them to cover. That should provide some input as to what the scope should or shouldn't be.

With more details I could give a more complete answer, but it seems like overlap between the systems is a good thing, not a problem. You can use parts of 27001 that relate to 9001 as coverage for your 9001 system. With them serving different functions, quality versus information security, the overlap will be limited, but all the same I'd expect there to be some. Even if the same types of things are going on but the scope is different using standard procedures, standard document control, an internal audit process, etc. is going to make them work well together rather than to be a problem.

It would seem a shame to implement two different ISO systems covering overlapping scope and not integrate them to some extent, to not do the same things twice. All that aside, it may well make sense to limit scope to put that IT related services range out of scope of the system if it's not something you see as necessary to control in terms of quality.

It sounds like there could be a problem related to interpreting design and development, since you seem to be describing external design, but development would be a different thing. That's not what you asked about though, and again working from information fragments it's hard to extrapolate into details.

27001 isn't as complicated as it seems, although it makes sense to me to see the system in terms of levels, of doing different things at a higher organization level (more related to policy and general process) and then at lower level (more related to specific security controls), with a general process like risk assessment spanning the entire range. Here is a reference designed to work as a content starting point that might work to help explain it:

http://www.iso27001security.com/html/toolkit.html
 