LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is ITIL and how does it relate to information security?

ITIL = Information Technology Infrastructure Library. It's a framework for IT service management (organising IT operations and processes) — not a security standard, but security controls live inside many ITIL processes.

ITIL answers a different question than an ISMS does. An ISMS (ISO 27001) asks "is our information adequately protected?"; ITIL asks "is our IT delivering services reliably and repeatably?" The two overlap because good operations are a precondition for good security: you cannot enforce a security policy on assets you don't inventory, or respond to incidents you have no process to triage. ITIL provides exactly that operational scaffolding, structuring IT into named processes:

  • Incident management — restore service fast after a disruption
  • Problem management — find and remove the root cause behind repeat incidents
  • Change management — approve and track changes so nothing breaks silently
  • Configuration management (CMDB) — keep an authoritative inventory of assets
  • Service catalogue / service level management — define and measure what IT promises

Several ISO 27001 controls (change approval, incident response, asset inventory) map almost 1:1 onto these ITIL processes, which is why a mature ITIL shop usually passes an ISMS audit with far less effort — the evidence the auditor wants already exists as a by-product of running operations well.

Tip: ITIL is owned by PeopleCert (which acquired AXELOS in 2021). v4 (latest) shifts the vocabulary from "processes" to "practices" and "value streams" — when someone cites ITIL controls, ask which version, as legacy shops still run v2/v3.

Go deeper:

From Quiz: ISF / ISMS & Security Standards (ISO 27k, NIST, BSI) | Updated: Jul 05, 2026