Journal: 《标准科学》

On the Integration of the IT Service Management System and the Information Security Management System

Abstract

As society develops, organizations' business operations have become closely intertwined with IT. To manage organizations' use of IT, ISO has put forward management systems such as ISO 27001 and ISO 20000. However, when several systems are implemented in one organization at the same time, conflicts and inconsistencies easily arise. This paper divides the content of the different systems into two parts: a common part and a system-specific part. The common part can be integrated in different forms. For the system-specific part, the approach starts from the services: all service processes are identified first, then an information security risk assessment is conducted and security control measures are selected, and on that basis the IT service system and the information security management system are constructed.
