
Appendix A

Service management system general requirements compared with ISO/IEC 9001 & ISO/IEC 27001.

ISO 20000:2011 | ISO 9001:2008 | ISO 27001:2005
--- | --- | ---
4.1 Management responsibility | 5 Management responsibility | 5 Management responsibility
4.1.1 Management commitment | 5.1 Management commitment | 5.1 Management commitment
4.1.2 Service management policy | 5.3 Quality policy | 4.2.1 b) Define an ISMS policy...
4.1.3 Authority, responsibility and communication | 5.5 Responsibility, authority and communication | 5.1 c) establishing roles and responsibilities for information security and Annex A control¹ A.6.1.2 (approximate correlation)
4.1.4 Management representative | 5.5.2 Management representative | 5.1 c) establishing roles and responsibilities for information security and Annex A controls¹ A.6.1.1 & A.6.1.2 (approximate correlation)
4.2 Governance of processes operated by other parties | 7.4 Purchasing (approximate correlation) | Numerous Annex A controls¹, particularly A.6.1.2 to A.6.1.6 and A.6.2 (approximate correlation)
4.3 Documentation management | 4.2 Documentation requirements | 4.3 Documentation requirements
4.3.1 Establish and maintain documents | 4.2.1 General | 4.3.1 General
4.3.2 Control of documents | 4.2.3 Control of documents | 4.3.2 Control of documents
4.3.3 Control of records | 4.2.4 Control of records | 4.3.3 Control of records
4.4 Resource management | 6 Resource management | 5.2 Resource management
4.4.1 Provision of resources | 6.1 Provision of resources | 5.2.1 Provision of resources
4.4.2 Human resources | 6.2 Human resources | 5.2.2 Training, awareness and competence
4.5 Establish and improve the SMS | Numerous references (as below) | 4.2 Establishing and managing the ISMS
4.5.1 Define scope | 4.4.2 a) Quality manual QMS scope definition | 4.2.1 a) Define the scope and boundaries of the ISMS
4.5.2 Plan the SMS (Plan) | 5.4.2 Quality management system planning | 4.2.1 b) Define an ISMS policy, through to j) Prepare a Statement of Applicability (approximate correlation)
4.5.3 Implement and operate the SMS (Do) | 4.1 General requirements (approximate correlation) | 4.2.2 Implement and operate the ISMS
4.5.4 Monitor and review the SMS (Check) | 5.6 Management review | 4.2.3 Monitor and review the ISMS
4.5.4.1 General | 8.1 Measurement, analysis and improvement - general | 4.2.3 Monitor and review the ISMS
4.5.4.2 Internal audit | 8.2.2 Internal audit | 6 Internal ISMS audits
4.5.4.3 Management review | 5.6 Management review | 7 Management review of the ISMS
4.5.5 Maintain and improve the SMS (Act) | 8.5 Improvement | 8 ISMS improvement
4.5.5.1 General | 8.5.1 Continual improvement | 8.1 Continual improvement
4.5.5.2 Management of improvements | 5.6 Management review | 7 Management review of the ISMS, supplemented by 4.2.1 d) Identify the risks to i) Obtain management authorization (approximate correlation)
