See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/308756945

Improvement of ISO/IEC 20000 standard through the combination with

ISO/IEC 27001

Article · November 2014

CITATIONS READS

0 1,450

4 authors, including:

Asmir Butkovic Nikos E Mastorakis

UCD School of Computer Science Technical University of Sofia
9 PUBLICATIONS   35 CITATIONS    970 PUBLICATIONS   5,669 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Optimal software quality management tools design View project

Visualization for Information Retrieval in Regional Distributed Environment View project

All content following this page was uploaded by Nikos E Mastorakis on 30 September 2016.

The user has requested enhancement of the downloaded file.

 Recent Researches in Electrical Engineering

Improvement of ISO/IEC 20000 standard through the combination with

ISO/IEC 27001
Anel Tanovic*, Asmir Butkovic **, Fahrudin Orucevic***, Nikos Mastorakis****
* Faculty of Electrical Engineering
Zmaja od Bosne bb, Sarajevo 71000, Bosnia and Herzegovina
** Police Support Agency of Bosnia and Herzegovina
Aleja Bosne Srebrene bb, Sarajevo 71000, Bosnia and Herzegovina
*** Faculty of Electrical Engineering
Zmaja od Bosne bb, Sarajevo 71000, Bosnia and Herzegovina
**** Technical University of Sofia
St.Kliment Ohridski Boulevard, Sofia 1756, Bulgaria
atanovic@etf.unsa.ba, asmir.butkovic@psa.gov.ba, forucevic@etf.unsa.ba, mastor@tu-sofia.bg

Abstract: - This paper presents the improvement of the existing ISO/IEC 20000 standard in telecommunication
industry by using the combination with ISO/IEC 27001 standard. The aim of this research is to integrate all
security benefits from ISO/IEC 27001 into the existing Information Security Management process which is the
part of ISO/IEC 20000 standard. For the reference model is taken the IPTV system from one Middleware
vendor from United Kingdom. The result of the work is the improved ISO/IEC 20000 standard which can be
implemented in any buisiness environment. The paper has also the professional contribution because it
describes the process of the improvement of one real IPTV system for telecom operators.

Key-Words: - ISO/IEC 20000, ISO/IEC 27001, IPTV system, Telecom Operator.

1 Introduction Middleware vendor from United Kingdom. Section

This paper presents the research connected to the
improvement of ISO/IEC 20000 standard. ISO/IEC
20000 standard describes the implementation of IT
Service Management System and it is based on ITIL
recommendations. Information security is also one
topic which is today very interesting for every
company. ISO/IEC 20000 has one process which
name is Information Security Management and
which has only basic functions [3], [4], [5]. On the
other side, we have ISO/IEC 27001 which is
responsible for the design, implementation and
maintenance of Information Security Management
System. This standard contains 113 security controls
which explain in details the process of Information
Security Management System design and
implementation. The aim of this paper is to improve
the existing ISO/IEC 20000 standard by taking all
advantages from ISO/IEC 27001 standard and to
improve the existing Information Security
Management process.
Section II. describes the process of design of IT
Service Management System by taking ISO/IEC
20000 standard. Section III. describes the process of
design of Information Security Management System
by taking ISO/IEC 27001 standard. Section IV.
shows the reference model used for this research
which is basically the IPTV system produced by one
V. shows the improved model of ISO/IEC 20000
standard and comparison of results before the
implementation and after the implementation of new
ISMS system. Section VI. is the conclusion of the
paper in which are described all advantages from a
new developed model of ISO/IEC 20000 standard.
This paper should increase the awareness of all
companies on the importance of implementation of
IT Service Management frameworks and standards.
Especially it is important in the field of the
information security so this is the reason why this
paper gets on importance because here we produced
a new version of ISO/IEC 20000 standard which has
new recommendations from information security
field.
2 Basic concepts for ISO/IEC 20000
ISO/IEC 20000-1:2011 represents the standard
responsible for planning, establishing,
implementing, operating, monitoring, reviewing,
maintaining and improving a Service Management
System (SMS). The requirements include the
design, transition, delivery and improvement of
services to fulfil agreed service requirements [3],
[4], [5]. This standard can be used by:
 An organization seeking services from
service providers and requiring assurance

ISBN: 978-960-474-392-6 111

 Recent Researches in Electrical Engineering
that their service requirements will be
fulfilled
 An organization that requires a consistent
approach by all its service providers,
including those in a supply chain
 A service provider that intends to
demonstrate its capability for the design,
transition, delivery and improvement of
services that fulfil service requirements
 A service provider to monitor, measure and
review its service management processes
and services
 A service provider to improve the design,
transition, delivery and improvement of
services through the effective
implementation and operation of the SMS.
ISO/IEC 20000 consists of 13 processes (figure
1.):
1. Capacity Management – This process aims
to ensure that the capacity of IT services
and the IT infrastructure is able to deliver
the agreed service level targets in a cost
effective and timely manner [4].
2. Service Continuity & Availability
Management ensures which plans should be
put in place and managed to ensure that IT
Services can recover and continue with a
serious incident occur. This process also
defines all time periods in which services
should be available [3].
3. Service Level Management – This process
defines three types of contracts: Service
Level Agreements (contracts with
customers), Operation Level Agreements
(contracts between different organization
units) and Contracts (contracts with
suppliers) [5].
4. Service Reporting – This process is
responsible for the preparement of different
types of reports connected to the strategic
management decisions in the company [4].
5. Information Security Management – It
specifies the requirements for establishing,
implementing, operating, monitoring,
reviewing, maintaining and improving of
information security in the organization [4].
6. Budgeting & Accounting for services – The
aim of budgeting and accounting for IT
services is to budget for and provide
documentary evidence of the costs for
service provision [3].
7. Business Relationship Management – This
process is a formal approach to
understanding, defining, and supporting a
ISBN: 978-960-474-392-6
broad spectrum of inter-business activities
related to providing and consuming
knowledge and services via networks [5].
8. Supplier Management is process of of
strategically planning for, and managing, all
interactions with third party organizations
[3].
9. Incident and Service Request Management
– This process is responsible for
categorization, prioritetization and solving
all different kind of incidents and user
requests [4].
10. Problem Management – This process is
responsible for categorization,
prioritetization and solving all different kind
of problems [3].
11. Configuration Management – This is
a systems engineering process for
establishing and maintaining consistency of
a product's performance, functional and
physical attributes with its requirements,
design and operational information
throughout its life [5].
12. Change Management – This process
monitors all changes between all
organizational units inside one individual
company [3].
13. Release and Deployment Management –
This process aims to build, test and deliver
services to the customer [4].
3 Basic concepts for ISO/IEC 27001
ISO/IEC 27001 formally specifies an
Information Security Management System (ISMS),
a suite of activities concerning the management of
information security risks. The ISMS is an
overarching management framework through which
the organization identifies, analyzes and addresses
its information security risks [10]. The ISMS
ensures that the security arrangements are fine-tuned
to keep pace with changes to the security threats,
vulnerabilities and business impacts (figure 2.). The
standard covers all types of organizations (e.g.
commercial enterprises, government agencies, non-
profits), all sizes (from micro-businesses to huge
multinationals), and all industries or markets (e.g.
retail, banking, defense, healthcare, education and
government). The most important for the
implementation of this standard are security controls
which contain all necessary information related to
the important facts of the security. The organization
needs to implement all security controls to become
certified according to the ISO/IEC 27001 [9], [10].
It contains 113 security controls which are divided
in 14 groups:
112
 Recent Researches in Electrical Engineering
 A.5: Information security policies (2
controls)
 A.6: Organization of information security (7
controls)
 A.7: Human resource security - 6 controls
that are applied before, during, or after
employment
 A.8: Asset management (10 controls)
 A.9: Access control (14 controls)
 A.10: Cryptography (2 controls)
 A.11: Physical and environmental security
(15 controls)
 A.12: Operations security (14 controls)
 A.13: Communications security (7 controls)
 A.14: System acquisition, development and
maintenance (13 controls)
 A.15: Supplier relationships (5 controls)
 A.16: Information security incident
management (7 controls)
 A.17: Information security aspects of
business continuity management (4
controls)
 A.18: Compliance; with internal
requirements, such as policies, and with
external requirements, such as laws (8
controls)
4 Reference model
IPTV solution is a collective term of head-end
platform, transmission network and IP STB to
enable communication - broadcasting convergence
service that provides broadcasting, moving picture
contents and information to TV through IP network
[1]. With conversion from the conventional PC-
based subscriber terminal environment to IP STB
base centering on TV, IPTV solution provides
simple and convenient control function with the use
of remote controller [2]. It supports system
implementation capable of centralized STV
management in head-end. Figure 3. shows IPTV
system which is taken as the reference model for
this research.
IPTV service refers to the service of transmitting
a variety of contents and existing TV programs to
service subscriber's TV connected to set top box or
receiver by using IP (Internet protocol)-based
network. In a narrow sense, it extends the scope of
additional super high-speed Internet service to
provide VOD, etc. from PC to TV. In a wider
perspective, it actively receives broadcasting
channels in AV (audio/video) form by utilizing
super high-speed Internet service subscriber
network as the broadcasting medium [6], [8].
ISBN: 978-960-474-392-6
IPTV system provides total head-end to enable
communication - broadcasting convergence service,
which provides broadcasting or moving picture
contents and information to TV through IP network.
Centralized STB management from head-end is
possible [7].
Some options which are included in IP STB
which are supported by this system:
 Supporting a variety of codec, such as
WMV and MPEG 1/2/4 as well as H.264
 Supporting push (download) type VOD
service linked to head-end
 Simultaneous play function while
downloading contents
 Real-time streaming function
 Providing convenient GUI screen through
middleware and browser
 Supporting Internet connection function by
using wired and wireless media
 A variety of video outputs including
composite, component, S-Video and HDMI
 Audio output, such as analog audio and
SPDIF, etc.
 Digital TV tuner (optional)
 Supporting a variety of interfaces, such as
WLAN, HDMI and USB, etc.
 Upgraded remote controlling through
linkage to head-end.
5 Integration process and results
Information Security Management process from
ISO 20000 will be replaced with Plan-Do-Check-
Act cycle which is the basis of ISO 27001. All 113
security controls which are divided in these 14
groups will be the part of a new model of ISO
20000. Figure 4. shows this integration process. All
other ISO 20000 processes are unchanged. The aim
of this integration is to see are there any differences
on results for other processes after this integration.
Table I. contains results before the
implementation with ISO 27001 standard and after
the implementation with this standard. Results have
showed that all ISO 20000 processes are
implemented with the average implementation of
76.69% before the implementation of ISO 27001
[2]. Especially bad were implemented processes
from Service Delivery group of processes and
Resolution processes. Information Security
Management process has achieved the result of 76%
of the successful implementation. Seven processes
have achieved a positive result which is above 75%
of the successful implementation and six processes
were under this border.
113
 Recent Researches in Electrical Engineering
Results have showed that all ISO 20000
processes are implemented with the average
implementation of 81.53% after the implementation
of ISO 27001. All 13 processes have achieved now
a positive result which is above the border of 75%
of the successful implementation. Information
Security Management process has achieved a better
result for almost 9% which means that the result is
now 85% in total. Capacity Management has
achieved a better result for 5% which is 79% in total
for this process, Service Continuity & Availability
Management has achieved a better result for 10%
which is 81% in total for this process, Service Level
Management has achieved a better result for 13%
which is 78% in total for this process, Supplier
Management has achieved a better result for 8%
which is 76% in total for this process, Incident and
Service Request Management has achieved a better
result for 9% which is 78% in total for this process
and Problem Management has achieved a better
result for 7% which is 79% in total for this process.
6 Conclusion
Results from the previous section have showed
that a new performed model of ISO/IEC 20000 has
achieved a better result for 4.84% than a previous
model. It means that functions connected to the
security are not connected only to Information
Security Management process but also to other
processes. ISO/IEC 27001 contains 14 different
security groups which influence strongly on some
other processes and which are the part of this
standard [7], [8]. These security controls include all
these topics: information security policy,
organization of information security, human
resource security, asset management, access
controls, cryptography, physical and environmental
security, operations connected to the security,
communication operations connected to the security,
system development, maintenance and acquisition,
supplier relationships, information security incident
management, information security aspects
connected to the business continuity management
and compliance with internal and external
requirements.
A new performed model of ISO/IEC 20000 is
produced on a test environement on one IPTV
system which is produced in UK. Future research in
this field is directed in the implementation of the
same improved model in other business
environments which include insurance companies,
power companies, microcredit organizations,
brokerage houses etc. The aim of all these different
researches is to confirm the validity of the new
improved model of ISO/IEC 20000 and to get the
ISBN: 978-960-474-392-6
proof that this model can be implemented in any
business environment. Our future research in this
area will be connected only to the improvement of
ISO/IEC 20000 in the field of information security
and we will test a new model in all these different
business environments but also make a combination
with some other ITSM frameworks and standards
especially MoR, CobiT, eTOM, ISO/IEC 22301,
ISO/IEC 27005 and ISO/IEC 31000. This paper has
also opened a new section of researches which
needs to be finished in this area and which should
produce a new version of ISO/IEC 20000 which
should be produced directly from ISO International.
References:
[1] J.H. Deutscher and C. Felden, “Model Concept
to Determine the Optimal Maturity of IT
Service Management Processes”, 8th
International Conference on Computer and
Information Science (ICIS 2009), pp. 543-548,
2009.
[2] K.Begic and A. Tanovic, “Improvement of
implementation of ISO/IEC 20000 Edition 2
standard in IT systems of Telecom operator
through the comparison with ITIL V3 best
practises”, 20th Telecommunication Forum
(TELFOR), pp. 32-35, 2012.
[3] M.Rovers, “ISO/IEC 20000:2011 – A Pocket
Guide”, Van Haren Publishing, February 2013.
[4] M.Kunas, “Implementing Service Quality Based
on ISO/IEC 20000”, ITGP, October 2012.
[5] D.Clifford, “Implementing ISO/IEC 20000
Certification – The Roadmap (ITSM Library)”,
Van Haren Publishing, February 2008.
[6] M.Alojail and B.Corbitt, “ITIL maturity model
of IT outsourcing: Evidence from a “leading
user””, 9th Iberian Conference on Information
Systems and Technologies (CISTI 2014), pp. 1-
5, 2014.
[7] M.Vicente, N.Gama, and M.M. da Silva, “Using
ArchiMate to Represent ITIL Metamodel”, 15th
Conference on Business Informatics (CBI), pp.
270-275, 2013.
[8] H.B. Esmaili, H. Gardesh, and S.S.Sikari,
“Validating ITIL maturity to strategic business
– IT alignment”, 2nd International Conference
on Computer Technology and Development
(ICCTD), pp. 556-561, 2010.
[9] K.Pecina, R.Estremera, A.Bilbao, and E.Bilbao,
“Physical and Logical Security management
organization based model on ISO 31000 and
ISO 27001”, IEEE International Carnahan
Conference on Security Technology (ICCST
2011), pp. 1-5, October 2011.
114
 Recent Researches in Electrical Engineering

[10] K.Beckers, S.Fassbender, M.Heisel, and Reliability and Security (ARES 2012), pp. 242 –
H.Schmidt, “Using Security Requirements 248, August 2012.
Engineering Approaches to Support ISO 27001
Information Security Management Systems
Development and Documentation”, 7th
International Conference on Availability,

Figure 1. ISO/IEC 20000 process model

Figure 2. Requirements of ISO 27001 ISMS

ISBN: 978-960-474-392-6 115

 Recent Researches in Electrical Engineering

Figure 3. IPTV System

Figure 4. Improved model for ISO/IEC 20000 standard

TABLE I. RESULTS BEFORE AND AFTER THE IMPLEMENTATION OF ISO 27001

ISO 20000 process Results before the Results after the
implementation of implementation of
ISO 27001 ISO 27001
Capacity Management 74% 79%
Service Continuity & Availability Management 71% 81%
Service Level Management 65% 78%
Service Reporting 84% 84%
Information Security Management 76% 85%
Budgeting & Accounting for services 81% 81%
Business Relationship Management 78% 80%
Supplier Management 68% 76%
Incident and Service Request Management 69% 78%
Problem Management 72% 79%
Configuration Management 86% 86%
Change Management 85% 85%
Release and Deployment Management 88% 88%

ISBN: 978-960-474-392-6 116

View publication stats