Differences between standards

Frequently asked differences

ISO 9001 is a fairly general standard focusing on the quality management system, for all types of organizations. ISO 20000, however, is purely about IT service quality. Domains such as configuration management have no ISO 9000 equivalent. Organizations considering ISO 9001 for IT departments should choose ISO 20000 instead, as the latter provides a better return on investment.


The concepts of 'quality' and 'customer satisfaction' are generic objectives that exist in both; the principle of Plan-Do-Check-Act is common to all management system standards.


ISO 20000 focuses on the quality of IT service delivery, whereas ISO 27001 focuses on information (including IT) risks, especially vulnerabilities and their controls; ISO 20000 has components covering IT service risks; ISO 27001 also covers other aspects such as legal, physical and HR security, whereas ISO 20000 focuses on IT risks only; the compliance journey for one standard can shorten the compliance journey for the other by almost half;


One of the key domains of ISO 20000 is information security;
There are several controls in ISO 27001 which are common to both, such as service provider SLAs and the control on external service providers.



The definition of information in PCI DSS is any card information that is 'stored, processed, or transmitted' in the client environment. The definition of information in ISO 27001 is 'anything that has a business value'.

Both standards are aimed at data protection; the difference is that PCI DSS is detailed and specific, whereas ISO 27001 is much more generic.

PCI DSS is very specific about how a control must be implemented, and where a primary control is not implemented, the scope of the compensating control is well defined. ISO 27001, on the other hand, leaves room for interpretation and may be compromised in implementation by the implementers. Elements of database security are much more specific in PCI DSS than in ISO 27001.


At the network layer, the PCI DSS principles are largely covered by ISO 27001. Both standards refer to continual improvement.


ISO 27001 is an information risk management standard aimed at an organisation protecting its own assets; SSAE 16 is an attestation standard, performed by a US-based CPA, aimed at ensuring that a service provider has implemented all risk management controls, including information security governance.


SSAE 16 implementation can be partly demonstrated through ISO 27002/ISO 27001. A certified ISO 27001 organisation can definitely achieve SSAE 16 compliance faster.


BS 25999 is more holistic, whereas ISO 27001 is more focused on information infrastructure; BS 25999 ensures that your 'cash generating' functions are up and running at the earliest in case of a disaster;

ISO 27001 is focused somewhat 'inwards', on the protection of assets; it aims at ensuring that the critical applications/information systems that support 'cash generation' are restored;

ISO 27001 as a standard is much more detailed (in terms of its 133 control specifications), whereas BS 25999 is generic, and its interpretation can be subject to misuse;

BS 25999 focuses on restoration whereas ISO 27001 focuses on prevention;


ISO 9001 is a management system standard for a quality management system, whereas ISO 27001 is for an information security management system. The eventual output of ISO 9001 is customer satisfaction, whereas for ISO 27001 it is information risk reduction.


Both standards focus on risk assessment as a common point, but the objectives are different. ISO 27001 focuses on removing vulnerabilities whose exploitation can result in an incident, whereas BS 25999 focuses on restoration vulnerabilities, such as not having a plan in place;


The only common area is the existence of a document management system and the spirit of Plan-Do-Check-Act.


BS 25999 is about business services, whereas ISO 20000 is about IT services;

ISO 20000 has a domain, 'IT service continuity', which requires a plan in case of an outcome;

BS 25999 requires a plan for each individual event and outcome, and encompasses personnel, infrastructure and network failures;


The requirement for a documented management system is common to all management standards;

Processes such as change management are common;


********************************************************************************************************************************************************

The information reflects the opinions of Probal Choudhuri (Founder and CEO, Coral eSecure). The reader should understand the differences in the context of a macro analysis rather than a micro analysis. Please do not hesitate to write to him at pc@www.coralesecure.com.

Disclaimer: Coral does not guarantee the accuracy of the information listed above, as it is subject to regular change. Coral shall not be held responsible for any action taken, or loss incurred, as a result of reference to the information herein. Some of the interpretation involves the opinions of Coral consultants and their experience, which is the result of several years of consulting, implementation and training. There may be situations where readers disagree with such opinions.