What is ITIL and how does it relate to information security?
ITIL = Information Technology Infrastructure Library. It's a framework for IT service management (organising IT operations and processes) — not a security standard, but security controls live inside many ITIL processes.
ITIL answers a different question than an ISMS does. An ISMS (ISO 27001) asks "is our information adequately protected?"; ITIL asks "is our IT delivering services reliably and repeatably?" The two overlap because good operations are a precondition for good security: you cannot enforce a security policy on assets you don't inventory, or respond to incidents you have no process to triage. ITIL provides exactly that operational scaffolding, structuring IT into named processes:
- Incident management — restore service fast after a disruption
- Problem management — find and remove the root cause behind repeat incidents
- Change management — approve and track changes so nothing breaks silently
- Configuration management (CMDB) — keep an authoritative inventory of assets
- Service catalogue / service level management — define and measure what IT promises
Several ISO 27001 controls (change approval, incident response, asset inventory) map almost 1:1 onto these ITIL processes, which is why a mature ITIL shop usually passes an ISMS audit with far less effort — the evidence the auditor wants already exists as a by-product of running operations well.
Tip: ITIL is owned by PeopleCert (which acquired AXELOS in 2021). v4 (latest) shifts the vocabulary from "processes" to "practices" and "value streams" — when someone cites ITIL controls, ask which version, as legacy shops still run v2/v3.
Go deeper:
ITIL (Wikipedia) — the IT-service-management practices and how v4 reframes processes as practices and value streams.
PeopleCert ITIL certifications — the current owner's official ITIL scheme (Foundation to higher levels).