Overview
Establish information security management within the SMS per Clause 6.6 of ISO/IEC 20000-1:2011. This skill produces an information security policy for service management, identifies security controls mapped to specific services, defines the security risk assessment approach, and establishes security incident management – including alignment with ISO 27001 where an ISMS already exists.
Clause 6.6 requires that information security is embedded in service delivery, not treated as a separate discipline. Controls must be mapped to the services they protect, incidents must escalate from general incident management to the security team, and personnel must be aware of their security responsibilities. If your organization also holds ISO 27001, this skill documents the alignment points to avoid duplicating controls and creating conflicting documentation.
For a step-by-step walkthrough, see the ISO 20000 SMS workspace tutorial.
What It Covers
- Information security policy – objectives, scope, principles, and roles for SMS security
- Security controls by domain – access management, physical security, network security, data protection, endpoint security, application security
- Service-to-control mapping – which controls protect which services
- Security risk assessment – threat modeling, likelihood/impact scoring, risk treatment, residual risk
- Security incident management – classification, escalation from general incident process, investigation, notification
- Security awareness – mandatory training, role-specific modules, phishing awareness
- ISO 27001 alignment – shared controls, integrated risk registers, joint management review
Example Conversation
You: We need to establish information security management for our ISO 20000 SMS. We have 5 services in our catalog and we’re also working toward ISO 27001 certification.
Agent: I’ll build the SMS information security policy and controls register. Since you’re also pursuing ISO 27001, we’ll document the alignment points. Let me understand your current security posture:
- Do you have an existing information security policy or are we starting from scratch?
- What security tools and controls are already in place? (SSO, firewall, antivirus, encryption, etc.)
- How are security incidents handled today – is there a formal process?
You: We have a basic security policy but it’s not tied to our services. We use Azure AD for SSO, CrowdStrike for endpoint protection, Fortinet firewalls, and BitLocker/FileVault for disk encryption. Security incidents go through our general helpdesk today with no formal escalation to a security team.
Agent: Good baseline. I’ll structure the security controls into domains and map them to your services. Let me propose the control framework:
| Domain | Key Controls | Services Covered |
|---|---|---|
| Access Management | SSO via Azure AD, role-based access, quarterly access reviews | All 5 services |
| Physical Security | Data center badge access, visitor log, environmental monitoring | ERP, File Storage |
| Network Security | Fortinet firewall, network segmentation, VPN encryption | All 5 services |
| Data Protection | BitLocker/FileVault, TLS in transit, data classification | ERP, Email, File Storage |
| Endpoint Security | CrowdStrike, patch management, MDM for mobile | All 5 services |
| Application Security | Vulnerability scanning, code review (for ERP customizations) | ERP, Intranet |
The critical gap is your security incident process. I’ll define an escalation path from ServiceNow general incidents to a security triage team. Which team members should be on the security incident escalation list?
You: Our IT Manager, the Network Engineer, and our external security consultant should be the first responders. The IT Director makes decisions about breach notification.
Agent: I’ll document the escalation chain: general helpdesk identifies potential security incident, escalates to IT Manager for triage, Network Engineer and external consultant join for investigation, IT Director authorizes external notification if needed. For ISO 27001 alignment, I’ll reference your emerging ISMS risk register and map shared controls to avoid duplication. Let me build the register and validate…
Result:
security_policy_validator – PASS. Policy covers access management, physical security, network security, and data protection. All controls mapped to at least one service. Incident management classification, escalation, and notification defined.
Sample Output Excerpt
The skill produces a structured JSON security controls register. Here is a representative excerpt showing the policy, two control entries, and the incident management configuration.
```json
{
  "policy": {
    "title": "SMS Information Security Policy",
    "version": "1.0",
    "owner": "IT Manager",
    "review_frequency": "annual",
    "scope": "All services, supporting infrastructure, and personnel within the SMS",
    "objectives": [
      "Protect confidentiality, integrity, and availability of information supporting service delivery",
      "Comply with regulatory and contractual security requirements",
      "Align SMS security controls with the emerging ISO 27001 ISMS"
    ]
  },
  "controls": [
    {
      "control_id": "SEC-001",
      "domain": "access_management",
      "control_name": "Single Sign-On and Role-Based Access",
      "description": "All service access authenticated via Azure AD SSO with role-based authorization. Quarterly access reviews for privileged accounts.",
      "services": ["SVC-001", "SVC-002", "SVC-003", "SVC-004", "SVC-005"],
      "implementation_status": "implemented",
      "iso27001_reference": "A.9.2 User access management"
    },
    {
      "control_id": "SEC-004",
      "domain": "data_protection",
      "control_name": "Encryption at Rest and in Transit",
      "description": "BitLocker/FileVault for endpoints, TLS 1.2+ for all service communications, database-level encryption for ERP and email stores.",
      "services": ["SVC-001", "SVC-002", "SVC-003"],
      "implementation_status": "implemented",
      "iso27001_reference": "A.10.1 Cryptographic controls"
    }
  ],
  "incident_management": {
    "classification_criteria": "Any event that compromises confidentiality, integrity, or availability of service information assets",
    "escalation_process": "Helpdesk identifies -> IT Manager triages -> Network Engineer + external consultant investigate -> IT Director authorizes notification",
    "notification_requirements": "Regulatory notification within 72 hours for personal data breaches; customer notification per SLA terms",
    "post_incident_review": "Mandatory post-incident review within 5 business days for all confirmed security incidents"
  },
  "iso27001_alignment": {
    "status": "in_progress",
    "shared_risk_register": true,
    "joint_management_review": "planned",
    "note": "SMS security controls reference ISMS controls where available to avoid duplication"
  }
}
```
Extension Tools
security_policy_validator
Validates security-controls.json against ISO/IEC 20000-1:2011 Clause 6.6 requirements:
| Check | What It Does |
|---|---|
| Required domains | Controls must cover access management, physical security, network security, and data protection |
| Service mapping | Every control must be mapped to at least one service (no generic, unmapped controls) |
| Policy section | The register must include a policy section with title, owner, and review frequency |
| Incident management | Classification criteria, escalation process, and notification requirements must be defined |
| Implementation status | Flags controls missing an implementation status (implemented, planned, not applicable) |
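The five checks in the table can be expressed as a small stand-alone validator. The script below is an added example written for this page; it is not the skill's own security_policy_validator and does not reproduce its output format. It assumes the JSON field names shown in the sample excerpt above (`policy`, `controls`, `incident_management`, `services`, `implementation_status`) and adds one check the table does not list: when a list of catalog service IDs is supplied, every mapped service must exist in that catalog, so a control cannot satisfy "mapped to at least one service" by pointing at a service that is not in scope. The sample register and catalog are constructed for the example.

```python
import copy
import json

# Rule values taken from the validator check table: the four required
# domains, the mapped-service rule, and the three accepted status values.
REQUIRED_DOMAINS = {"access_management", "physical_security",
                    "network_security", "data_protection"}
VALID_STATUSES = {"implemented", "planned", "not_applicable"}
POLICY_FIELDS = ("title", "owner", "review_frequency")
INCIDENT_FIELDS = ("classification_criteria", "escalation_process",
                   "notification_requirements")


def validate_register(register, service_ids=None):
    """Check a parsed security-controls register against the Clause 6.6 rules.

    Returns a list of finding strings; an empty list means PASS.
    If service_ids (IDs from the service catalog) is given, every mapped
    service must also exist in the catalog (an assumed extra check).
    """
    findings = []

    # Policy section: title, owner, and review frequency must be present.
    policy = register.get("policy")
    if not isinstance(policy, dict):
        findings.append("policy: section missing")
    else:
        for field in POLICY_FIELDS:
            if not policy.get(field):
                findings.append(f"policy: missing '{field}'")

    # Required domains: each must be covered by at least one control.
    controls = register.get("controls") or []
    present = {c.get("domain") for c in controls}
    for domain in sorted(REQUIRED_DOMAINS - present):
        findings.append(f"controls: required domain '{domain}' has no control")

    # Service mapping and implementation status, control by control.
    for c in controls:
        cid = c.get("control_id", "<no id>")
        services = c.get("services") or []
        if not services:
            findings.append(f"{cid}: not mapped to any service")
        elif service_ids is not None:
            for unknown in sorted(set(services) - set(service_ids)):
                findings.append(f"{cid}: mapped to unknown service '{unknown}'")
        status = c.get("implementation_status")
        if status not in VALID_STATUSES:
            findings.append(f"{cid}: implementation_status missing or invalid ({status!r})")

    # Incident management: classification, escalation, notification.
    incident = register.get("incident_management")
    if not isinstance(incident, dict):
        findings.append("incident_management: section missing")
    else:
        for field in INCIDENT_FIELDS:
            if not incident.get(field):
                findings.append(f"incident_management: missing '{field}'")
    return findings


def validate_file(path, service_ids=None):
    """Load a security-controls.json file from disk and validate it."""
    with open(path, encoding="utf-8") as fh:
        return validate_register(json.load(fh), service_ids)


# Constructed sample register, trimmed to the fields the checks read.
SAMPLE_REGISTER = {
    "policy": {"title": "SMS Information Security Policy", "version": "1.0",
               "owner": "IT Manager", "review_frequency": "annual"},
    "controls": [
        {"control_id": "SEC-001", "domain": "access_management",
         "services": ["SVC-001", "SVC-002", "SVC-003"], "implementation_status": "implemented"},
        {"control_id": "SEC-002", "domain": "physical_security",
         "services": ["SVC-001"], "implementation_status": "implemented"},
        {"control_id": "SEC-003", "domain": "network_security",
         "services": ["SVC-001", "SVC-002", "SVC-003"], "implementation_status": "implemented"},
        {"control_id": "SEC-004", "domain": "data_protection",
         "services": ["SVC-001", "SVC-002"], "implementation_status": "planned"},
    ],
    "incident_management": {
        "classification_criteria": "Any event compromising confidentiality, integrity, or availability",
        "escalation_process": "Helpdesk -> IT Manager -> Network Engineer + consultant -> IT Director",
        "notification_requirements": "Regulatory notification within 72 hours for personal data breaches",
    },
}
SAMPLE_CATALOG = ["SVC-001", "SVC-002", "SVC-003"]  # constructed catalog IDs

# Deliberately defective copy: one unmapped control, one invalid status,
# one incident field removed. Shows what a failing run reports.
BROKEN_REGISTER = copy.deepcopy(SAMPLE_REGISTER)
BROKEN_REGISTER["controls"][1]["services"] = []
BROKEN_REGISTER["controls"][3]["implementation_status"] = "done"
del BROKEN_REGISTER["incident_management"]["notification_requirements"]

if __name__ == "__main__":
    for name, reg in (("sample", SAMPLE_REGISTER), ("broken", BROKEN_REGISTER)):
        result = validate_register(reg, SAMPLE_CATALOG)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for line in result:
            print("  -", line)
```

Run it directly to see the sample register pass and the broken copy fail with three findings; point `validate_file()` at a real `security-controls.json` and the catalog's service IDs to check your own register. The checks are deliberately lenient about extra fields such as `iso27001_reference`, so a register that carries ISMS cross-references validates unchanged.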
Getting Started
Start by activating the ISO 20000 Information Security Management skill. The agent will check for your organization profile and service catalog, then guide you through defining the security policy, identifying controls per domain, and mapping them to services.
Have this information ready:
- Your service catalog and organization profile
- Existing security policies, tools, and controls (SSO, firewalls, endpoint protection, encryption)
- Current security incident handling process (or lack thereof)
- Regulatory requirements that affect security (GDPR, PCI DSS, industry-specific)
- ISO 27001 ISMS status if applicable (existing, planned, or not pursuing)
If your organization is also pursuing ISO 27001, this skill documents the alignment points so SMS security controls reference rather than duplicate the ISMS, avoiding conflicting documentation.