ITIL Implementation Tips

It is the framework which changes with each new technology and not just the picture within the frame. –Marshall McLuhan

The Information Technology Infrastructure Library (ITIL) is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. In its current form (known as ITILv3 and ITIL 2011 edition), ITIL is published in a series of five core publications, each of which covers an ITSM lifecycle stage. ITILv3 underpins ISO/IEC 20000 (previously BS15000), the International Service Management Standard for IT service management, although differences between the two frameworks do exist. ITIL describes procedures, tasks and checklists that are not organization-specific, used by an organization for establishing a minimum level of competency. It allows the organization to establish a baseline from which it can plan, implement, and measure. It is used to demonstrate compliance and to measure improvement. The names ITIL and IT Infrastructure Library are registered trademarks of the United Kingdom’s Office of Government Commerce (OGC) – now part of the Cabinet Office.

Following this move, the ownership is now listed as being with HM Government rather than OGC. ITIL v3 is an extension of ITIL v2 and fully replaced it following the completion of the withdrawal period on 30 June 2011.

ITIL v3 provides a more holistic perspective on the full life cycle of services, covering the entire IT organisation and all supporting components needed to deliver services to the customer, whereas v2 focused on specific activities directly related to service delivery and support. Most of the v2 activities remained untouched in v3, but some significant changes in terminology were introduced in order to facilitate the expansion.

All companies are quite different, and CIOs may also have different understandings and experience of ITIL. Some think ITIL provides tremendous benefits to many global companies, while many other companies fail at its use and others use it as an excuse to slow down the speed of business. Is it one of those “old school” frameworks from the era when IT focused on risk mitigation and process integrity rather than customer satisfaction and business success? Or does ITIL still add value in ITSM at digital speed? Some CIOs are abandoning ITIL, while others use it religiously. Is it still appropriate, and why?

1. COMMON UNDERSTANDING OF ITIL IS VITAL TO ITS VALUE PROPOSITION IN ITSM

1) ITIL is a framework, not gospel. The elasticity and resiliency of any framework starts with an understanding that we are trying to provide a foundation for continued success. The goal should not be the construction of a monolithic standard that is incapable of adapting to changing needs.

ITIL is organized around a Service Lifecycle, which includes Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement. The lifecycle starts with Service Strategy – understanding who the IT customers are, the service offerings that are required to meet the customers’ needs, the IT capabilities and resources that are required to develop these offerings and the requirements for executing successfully. Driven through strategy and throughout the course of delivery and support of the service, IT must always try to assure that the cost of delivery is consistent with the value delivered to the customer.

Service Design assures that new and changed services are designed effectively to meet customer expectations. The technology and architecture required to meet customer needs cost-effectively are an integral part of Service Design. Additionally, processes required to manage services are also part of the design phase. Service management systems and tools that are necessary to adequately monitor and support new or modified services must be considered, as well as mechanisms for measuring service levels, technology and process efficiency and effectiveness.

Through the Service Transition phase of the lifecycle the design is built, tested and moved into production to assure that the business customer can achieve the desired value. This phase addresses managing changes, controlling the assets and configuration items (underlying components – hardware, software, etc.) associated with new and changed systems, service validation and testing, and transition planning to assure that users, support personnel and the production environment have been prepared for the release to production.

Once transitioned, Service Operation then delivers the service on an ongoing basis, overseeing the daily overall health of the service. This includes managing disruptions to service through rapid restoration of service after incidents, determining the root cause of problems and detecting trends associated with recurring issues, handling daily routine end user requests and managing service access.

Enveloping the Service Lifecycle is Continual Service Improvement (CSI). CSI offers a mechanism for IT to measure and improve the service levels, the technology and the efficiency and effectiveness of processes used in the overall management of services.

2) ITIL is a recipe: don’t eat the recipe; eat what you make from it! For one thing, ITIL doesn’t give you all the answers. It’s more a book of recipes than the finished article. It was intentionally designed to be a guideline and not the gospel. As such, it is expected to be tailored to meet the requirements of the organization.

3) ITIL is basically a detailed analysis of all the aspects of operations and recommendations for best practice. However, you can’t just implement ITIL as written; you have to use it as a guide for the development of operational procedures that suit your own operations. ITIL clearly doesn’t develop and adapt as quickly as some organizations change, and therefore operational managers have to use their brains to adapt it to satisfy the needs of the organization in which they work.

4) ITIL is a set of best practices and a framework, and Best Practice is not a one-off implementation, nor is it self-sustaining. As Version 3 of ITIL underlines, there should be an iterative and interactive lifecycle approach to the various processes. Best Practice is an ongoing commitment, and not a time-restricted project.

5) ITIL is a guideline – not a standard. Weaving it into the fabric of compliance as a standard will continue to cause heartburn. The more we change, the more we often stay the same, in so many respects.

2. TOP TEN REASONS WHY ITIL FAILS OR SOME MOVE AWAY FROM IT

1) The #1 reason for anyone to move away from it seems to be lack of flexibility and the CIO’s misconception that it adds more time to implementations, modernizations, and transformations.

2) ITIL is not to blame. The implementation of ITIL is to blame. To be efficient, ITIL should never be a burden to the operational staff, but a toolbox to work efficiently. The administrative burden should be taken by the support system. ITIL is too frequently hijacked by administrative forces and turned into a nightmare of controlling layers.

3) It takes too long for ITIL to keep up with trends and new technologies requiring different models, such as Cloud and other new architectures. They also feel it has required them to spend too much time on operational aspects.

4) Change Management Fails: The biggest failure in many organizations and their implementation of ITIL or other methodology is their strict adherence to the methodology without any consideration for adapting the methodology to their culture, business, technical infrastructure, operations, or even the circumstances of a given project.

5) Too Much IT Focus, not Enough Business Focus: ITIL is still relevant, but sometimes organizations spend so long focusing on implementing the processes that they forget about the basics – focusing on discovering the cause of the problem and on constant improvement.

6) Some organizations treat ITIL as an end in itself rather than a tool to help IT efficiently and effectively deliver the services the organization needs to achieve its overall goals. It is also essential to take into account the skills and experience of the staff that will operate the process when designing it so that it doesn’t become overly prescriptive and takes advantage of their professional expertise. ITIL can help you get there, but it doesn’t have to be the end all. 100% adherence to any methodology is not necessarily a good thing.

7) Some misunderstand that it is not mandatory in its entirety and that it is one of several tools and guidelines they can use. There is no reason why you can’t take the best of ITIL, the parts that work well in your company culture, and tailor the rest. Infrastructure and operations benefit greatly from well-designed, air-tight processes that can be automated. The goal should be to right-size ITIL for your organization without breaking the bank.

8) People take “it” too seriously. The key is to look for improvement opportunities to solve problems or increase value, not simply to pass some process audit, and sending people on training is never the silver bullet. Otherwise ITIL just becomes the flavor of the day until the next fad comes along. When you start to expect it to be an all-encompassing solution for IT, you start to get into trouble. This is where you need to start to embrace other frameworks and even bring in your own creativity to be successful in the delivery of IT services.

9) Some believe ITIL is still relevant but costly, and that may explain why some are abandoning it. Efficiency should not come at all costs. The reason for failure is a mismatch of expectations and a failure to deliver on what was perceived to be the outcome.

10) ITIL turns out to be an inflexible doctrine that drags down the enterprise. The fault for failed ITIL initiatives lies not with the service lifecycle management framework, but rather with the application of that framework. A fundamental, conceptual understanding of continuous improvement is lacking from many implementations.

3. DEFINE THE RIGHT SET OF QUESTIONS TO EVALUATE ITIL OBJECTIVELY

ITIL has gained some reputation, but it has also caused confusion and even wasted resources. If a comprehensive survey of ITIL users were taken, what is the right set of questions to ask?

1) IT Maturity: On average, do ITIL users have significantly higher IT maturity, or is there not much difference?

2) Innovation: Innovation is what matters now, and most businesses now also think of IT as their innovation engine. So do ITIL users have better or worse capabilities to innovate, and why?

3) Value: What are the key values it can bring to IT or the business as a whole? How about the value/cost ratio? How about user feedback and overall customer experience? How about short-term wins vs. the long-term perspective?

4) Agile: Is Agile complementary to ITIL? Or does ITIL become a barrier for a company adopting Agile? Although Agile came out of the software development world, can things like kanban and scrum be used effectively by infrastructure and support teams?

5) Change: Can ITIL adapt to change? Is ITIL still an effective framework to embrace IT/business changes with the right governance discipline? Or is ITIL an “old school framework” that applies controls very rigidly or stifles change?

6) Simplicity: Does ITIL add unnecessary restrictions on users/systems? Or does it have the necessary design complexity to enforce service delivery?

7) Digitalization: Can the ITIL framework help build a business’s digital capabilities/maturity, such as business/IT integration, tailored solutions, or a unified digital platform?

4. ITIL TIPS FOR CIOS

IT Service Management (ITSM) derives enormous benefits from a best practice approach. Because ITSM is driven both by technology and the huge range of organizational environments in which it operates, it is in a state of constant evolution. Best practice, based on expert advice and input from ITIL users, is both current and practical, combining the latest thinking with sound, common sense guidance.

ITIL is not One Size Fits All: ITIL and other processes can only work if tailored specifically to the environment a CIO finds him/herself in. What works for one organization may not work for another, even if implemented by the best ITIL practitioner in the business; and sometimes the CIO may rightly take the decision that a bespoke process is what’s needed rather than a widely adopted one such as ITIL.

Cloud Transformation: What role can ITIL play in such a transformation? With more and more companies adopting cloud, the opportunity has never been greater for IT to transform into a service-oriented organization and grow the business it serves. According to IDG research, more than one third of current IT budgets are allocated to cloud solutions. However, in their haste to adopt the cloud, CIOs may be missing an opportunity: the chance to use this transition to reshape IT.

The key to success is IT’s transformation into a services broker. With a service lifecycle approach, organizations can increase the velocity of IT service delivery and operate efficiently, without sacrificing governance. CIOs must see what they can get out of ITIL and, at the same time, what is best for the organization to adopt. No one is forcing anyone; rather, it is just a tool which helps you to be more vigilant and smart. CIOs must see the ROI of using this tool for the business in terms of value addition, controls, business benefits, etc.

BUILDING TRUST THROUGH TRANSPARENCY: In many organizations, IT needs to gain the trust of the business. Research to measure business perception of IT across many companies clearly demonstrates that, while IT is seen as an important partner, it receives low ratings in areas such as budget effectiveness, business understanding, and communication. Any framework should enforce such transparency.

CIOs should have an in-depth understanding of ITIL at the strategic level: Most CIOs, including those who actively champion ITSM, have little more than a superficial understanding of ITIL, or of the implications of adopting ITSM processes. Worse, they rarely regard the effort as a true organizational transformation effort touching every aspect of the IT organization, and many aspects of the enterprise organization.

Be pragmatic, not dogmatic: An organization has to balance the time it spends on process (ITIL) and the time it spends on products/deliverables. If the ITIL implementation becomes such a focus that the organization loses traction on deliverables, then a re-balancing would be in order.

Embrace Agile: Regarding Agile Scrum and IT management, many organizations use Agile as a mainstream software development methodology, and even as a management discipline. That said, what is needed from an effective framework is a governance process that is also agile enough to adapt to changes.

Social Collaboration: Emerging ITSM solutions may add social collaboration to service management to build a more democratic environment, such as DevOps, which converges IT development and operations to improve agility. The CIO’s evaluation of new tools may also include how the framework supports the new trend and delivers innovative IT services and solutions.

Value-Driven Questions being asked by CIOs: ‘How much of this particular process or method should I implement in this role to get the business to where it needs to be?’ The answer to that question should never be based on the technology in use in the business, but rather on the particular needs of the business – including taking into account where it currently sits with regard to the good practices proposed by ITIL and other methods out there.

As a reference framework, ITIL is not a “one size fits all” solution. CIOs should be innovators, not lemmings. Use what makes sense, and apply it in a way that considers what’s unique about your organization but without abandoning the spirit of the framework. IT becomes a business catalyst for building competitive uniqueness. How do you differentiate yourself from other IT organizations? Besides standardization, there are optimization and innovation. IT is shaping your business, but a framework is not a strategy. Do not let ITIL or any other framework ruin your common sense. Take it as a guideline but add your own flavors and ingredients. Select a mix of framework, toolset and process architectures to improve flexibility and agility for the speed of business change, doing better with less, and doing more with innovation.

TOGAF

TOGAF is an architecture framework. TOGAF provides the methods and tools for assisting in the acceptance, production, use, and maintenance of an enterprise architecture. It is based on an iterative process model supported by best practices and a re-usable set of existing architecture assets.

ISO/IEC 42010:2007 defines “architecture” as:

“The fundamental organization of a system, embodied in its components, their relationships to each other and the environment, and the principles governing its design and evolution.”

TOGAF embraces but does not strictly adhere to ISO/IEC 42010:2007 terminology. In TOGAF, “architecture” has two meanings depending upon the context:

  1. A formal description of a system, or a detailed plan of the system at component level to guide its implementation
  2. The structure of components, their inter-relationships, and the principles and guidelines governing their design and evolution over time

TOGAF considers the enterprise as a system and endeavors to strike a balance between promoting the concepts and terminology of ISO/IEC 42010:2007 – ensuring that usage of terms defined by ISO/IEC 42010:2007 is consistent with the standard – and retaining other commonly accepted terminology that is familiar to the majority of the TOGAF readership.

There are four architecture domains that are commonly accepted as subsets of an overall enterprise architecture, all of which TOGAF is designed to support:

  • The Business Architecture defines the business strategy, governance, organization, and key business processes.
  • The Data Architecture describes the structure of an organization’s logical and physical data assets and data management resources.
  • The Application Architecture provides a blueprint for the individual applications to be deployed, their interactions, and their relationships to the core business processes of the organization.
  • The Technology Architecture describes the logical software and hardware capabilities that are required to support the deployment of business, data, and application services. This includes IT infrastructure, middleware, networks, communications, processing, standards, etc.

Architecture Development Method

The TOGAF Architecture Development Method (ADM) provides a tested and repeatable process for developing architectures. The ADM includes establishing an architecture framework, developing architecture content, transitioning, and governing the realization of architectures.

All of these activities are carried out within an iterative cycle of continuous architecture definition and realization that allows organizations to transform their enterprises in a controlled manner in response to business goals and opportunities.

Phases within the ADM are as follows:

  • The Preliminary Phase describes the preparation and initiation activities required to create an Architecture Capability including customization of TOGAF and definition of Architecture Principles.
  • Phase A: Architecture Vision describes the initial phase of an architecture development cycle. It includes information about defining the scope of the architecture development initiative, identifying the stakeholders, creating the Architecture Vision, and obtaining approval to proceed with the architecture development.
  • Phase B: Business Architecture describes the development of a Business Architecture to support the agreed Architecture Vision.
  • Phase C: Information Systems Architectures describes the development of Information Systems Architectures to support the agreed Architecture Vision.
  • Phase D: Technology Architecture describes the development of the Technology Architecture to support the agreed Architecture Vision.
  • Phase E: Opportunities & Solutions conducts initial implementation planning and the identification of delivery vehicles for the architecture defined in the previous phases.
  • Phase F: Migration Planning addresses how to move from the Baseline to the Target Architectures by finalizing a detailed Implementation and Migration Plan.
  • Phase G: Implementation Governance provides an architectural oversight of the implementation.
  • Phase H: Architecture Change Management establishes procedures for managing change to the new architecture.
  • Requirements Management examines the process of managing architecture requirements throughout the ADM.

Deliverables, Artifacts, and Building Blocks

Architects executing the ADM will produce a number of outputs as a result of their efforts, such as process flows, architectural requirements, project plans, project compliance assessments, etc. The TOGAF Architecture Content Framework provides a structural model for architectural content that allows major work products to be consistently defined, structured, and presented.

The Architecture Content Framework uses the following three categories to describe the type of architectural work product within the context of use:

  • A deliverable is a work product that is contractually specified and in turn formally reviewed, agreed, and signed off by the stakeholders. Deliverables represent the output of projects and those deliverables that are in documentation form will typically be archived at completion of a project, or transitioned into an Architecture Repository as a reference model, standard, or snapshot of the Architecture Landscape at a point in time.
  • An artifact is an architectural work product that describes an aspect of the architecture. Artifacts are generally classified as catalogs (lists of things), matrices (showing relationships between things), and diagrams (pictures of things). Examples include a requirements catalog, business interaction matrix, and a use-case diagram. An architectural deliverable may contain many artifacts and artifacts will form the content of the Architecture Repository.
  • A building block represents a (potentially re-usable) component of business, IT, or architectural capability that can be combined with other building blocks to deliver architectures and solutions. Building blocks can be defined at various levels of detail, depending on what stage of architecture development has been reached. For instance, at an early stage, a building block can simply consist of a name or an outline description. Later on, a building block may be decomposed into multiple supporting building blocks and may be accompanied by a full specification. Building blocks can relate to “architectures” or “solutions”.
    • Architecture Building Blocks (ABBs) typically describe required capability and shape the specification of Solution Building Blocks (SBBs). For example, a customer services capability may be required within an enterprise, supported by many SBBs, such as processes, data, and application software.
    • Solution Building Blocks (SBBs) represent components that will be used to implement the required capability. For example, a network is a building block that can be described through complementary artifacts and then put to use to realize solutions for the enterprise.

The relationships between deliverables, artifacts, and building blocks are shown in Figure 1.

Figure 1: Relationships between Deliverables, Artifacts, and Building Blocks

For example, an Architecture Definition Document is a deliverable that documents an architecture description. This document will contain a number of complementary artifacts that are views of the building blocks relevant to the architecture. For example, a process flow diagram (an artifact) may be created to describe the target call handling process (a building block). This artifact may also describe other building blocks, such as the actors involved in the process (e.g., a Customer Services Representative). An example of the relationships between deliverables, artifacts, and building blocks is illustrated in Figure 2.

Figure 2: Example – Architecture Definition Document

Enterprise Continuum

TOGAF includes the concept of the Enterprise Continuum, which sets the broader context for an architect and explains how generic solutions can be leveraged and specialized in order to support the requirements of an individual organization. The Enterprise Continuum is a view of the Architecture Repository that provides methods for classifying architecture and solution artifacts as they evolve from generic Foundation Architectures to Organization-Specific Architectures. The Enterprise Continuum comprises two complementary concepts: the Architecture Continuum and the Solutions Continuum.

An overview of the structure and context for the Enterprise Continuum is shown in Figure 3.

Figure 3: Enterprise Continuum


Architecture Repository

Supporting the Enterprise Continuum is the concept of an Architecture Repository which can be used to store different classes of architectural output at different levels of abstraction, created by the ADM. In this way, TOGAF facilitates understanding and co-operation between stakeholders and practitioners at different levels.

By means of the Enterprise Continuum and Architecture Repository, architects are encouraged to leverage all other relevant architectural resources and assets in developing an Organization-Specific Architecture.

In this context, the TOGAF ADM can be regarded as describing a process lifecycle that operates at multiple levels within the organization, operating within a holistic governance framework and producing aligned outputs that reside in an Architecture Repository. The Enterprise Continuum provides a valuable context for understanding architectural models: it shows building blocks and their relationships to each other, and the constraints and requirements on a cycle of architecture development.

The structure of the TOGAF Architecture Repository is shown in Figure 4.

Figure 4: TOGAF Architecture Repository Structure

The major components within an Architecture Repository are as follows:

  • The Architecture Metamodel describes the organizationally tailored application of an architecture framework, including a metamodel for architecture content.
  • The Architecture Capability defines the parameters, structures, and processes that support governance of the Architecture Repository.
  • The Architecture Landscape is the architectural representation of assets deployed within the operating enterprise at a particular point in time. The landscape is likely to exist at multiple levels of abstraction to suit different architecture objectives.
  • The Standards Information Base (SIB) captures the standards with which new architectures must comply, which may include industry standards, selected products and services from suppliers, or shared services already deployed within the organization.
  • The Reference Library provides guidelines, templates, patterns, and other forms of reference material that can be leveraged in order to accelerate the creation of new architectures for the enterprise.
  • The Governance Log provides a record of governance activity across the enterprise.

Establishing and Maintaining an Enterprise Architecture Capability

In order to carry out architectural activity effectively within an enterprise, it is necessary to put in place an appropriate business capability for architecture, through organization structures, roles, responsibilities, skills, and processes. An overview of the TOGAF Architecture Capability is shown in Figure 5.

Figure 5: TOGAF Architecture Capability Overview


Establishing the Architecture Capability as an Operational Entity

Barring architecture capabilities set up to purely support change delivery programs, it is increasingly recognized that a successful enterprise architecture practice must sit on a firm operational footing. In effect, an enterprise architecture practice must be run like any other operational unit within a business; i.e., it should be treated like a business. To this end, and over and above the core processes defined within the ADM, an enterprise architecture practice should establish capabilities in the following areas:

  • Financial Management
  • Performance Management
  • Service Management
  • Risk Management
  • Resource Management
  • Communications and Stakeholder Management
  • Quality Management
  • Supplier Management
  • Configuration Management
  • Environment Management

Central to the notion of operating an ongoing architecture is the execution of well-defined and effective governance, whereby all architecturally significant activity is controlled and aligned within a single framework.

As governance has become an increasingly visible requirement for organizational management, the inclusion of governance within TOGAF aligns the framework with current business best practice and also ensures a level of visibility, guidance, and control that will support all architecture stakeholder requirements and obligations.

The benefits of architecture governance include:

  • Increased transparency of accountability, and informed delegation of authority
  • Controlled risk management
  • Protection of the existing asset base through maximizing re-use of existing architectural components
  • Proactive control, monitoring, and management mechanisms
  • Process, concept, and component re-use across all organizational business units
  • Value creation through monitoring, measuring, evaluation, and feedback
  • Increased visibility supporting internal processes and external parties’ requirements; in particular, increased visibility of decision-making at lower levels ensures oversight at an appropriate level within the enterprise of decisions that may have far-reaching strategic consequences for the organization
  • Greater shareholder value; in particular, enterprise architecture increasingly represents the core intellectual property of the enterprise – studies have demonstrated a correlation between increased shareholder value and well-governed enterprises
  • Integrates with existing processes and methodologies and complements functionality by adding control capabilities

Using TOGAF with Other Frameworks

Two of the key elements of any enterprise architecture framework are:

  • A definition of the deliverables that the architecting activity should produce
  • A description of the method by which this should be done

With some exceptions, the majority of enterprise architecture frameworks focus on the first of these – the specific set of deliverables – and are relatively silent about the methods to be used to generate them (intentionally so, in some cases).

Because TOGAF is a generic framework and intended to be used in a wide variety of environments, it provides a flexible and extensible content framework that underpins a set of generic architecture deliverables.

As a result, TOGAF may be used either in its own right, with the generic deliverables that it describes; or else these deliverables may be replaced or extended by a more specific set, defined in any other framework that the architect considers relevant.

In all cases, it is expected that the architect will adapt and build on the TOGAF framework in order to define a tailored method that is integrated into the processes and organization structures of the enterprise. This architecture tailoring may include adopting elements from other architecture frameworks, or integrating TOGAF methods with other standard frameworks, such as ITIL, CMMI, COBIT, PRINCE2, PMBOK, and MSP. Guidelines for adapting the TOGAF ADM

As a generic framework and method for enterprise architecture, TOGAF provides the capability and the collaborative environment to integrate with other frameworks. Organizations are able to fully utilize vertical business domains, horizontal technology areas (such as security or manageability), or application areas (such as e-Commerce) to produce a competitive enterprise architecture framework which maximizes their business opportunities.


COBIT

COBIT 5 is the only business framework for the governance and management of enterprise IT. This evolutionary version incorporates the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems. COBIT 5 builds and expands on COBIT 4.1 by integrating other major frameworks, standards and resources, including ISACA’s Val IT and Risk IT, Information Technology Infrastructure Library (ITIL®) and related standards from the International Organization for Standardization (ISO).

Control Objectives for Information and Related Technology (COBIT) is a framework created by ISACA for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.

Overview

COBIT was first released in 1996; the current version, COBIT 5, was published in 2012. Its mission is “to research, develop, publish and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers, IT professionals and assurance professionals.”

COBIT, initially an acronym for ‘Control objectives for information and related technology’, defines a set of generic processes to manage IT. Each process is defined together with process inputs and outputs, key process activities, process objectives, performance measures and an elementary maturity model. The framework supports governance of IT by defining and aligning business goals with IT goals and IT processes.

The COBIT framework

The framework provides good practices across a domain and process framework.

The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.

The process focus of COBIT 4.1 is illustrated by a process model that subdivides IT into four domains (Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate) and 34 processes in line with the responsibility areas of plan, build, run and monitor. It is positioned at a high level and has been aligned and harmonized with other, more detailed, IT standards and good practices such as COSO, ITIL, ISO 27000, CMMI, TOGAF and PMBOK. COBIT acts as an integrator of these different guidance materials, summarizing key objectives under one umbrella framework that links the good practice models with governance and business requirements.

The COBIT 4.1 framework specification can be obtained as a complimentary PDF at the ISACA download website. (Free self-registration may be required.)

COBIT 5 was released in June 2012. COBIT 5 consolidates and integrates the COBIT 4.1, Val IT 2.0 and Risk IT frameworks, and draws from ISACA’s IT Assurance Framework (ITAF) and the Business Model for Information Security (BMIS). It aligns with frameworks and standards such as Information Technology Infrastructure Library (ITIL), International Organization for Standardization (ISO), Project Management Body of Knowledge (PMBOK), PRINCE2 and The Open Group Architecture Framework (TOGAF).

Releases

COBIT has had five major releases:

  • In 1996, the first edition of COBIT was released.
  • In 1998, the second edition added “Management Guidelines”.
  • In 2000, the third edition was released.
    • In 2003, an on-line version became available.
  • In December 2005, the fourth edition was initially released.
    • In May 2007, the current 4.1 revision was released.
  • COBIT 5 was released in June 2012. It consolidates and integrates the COBIT 4.1, Val IT 2.0 and Risk IT frameworks, and also draws significantly from the Business Model for Information Security (BMIS) and ITAF.

Components

The COBIT components include:

  • Framework: Organizes IT governance objectives and good practices by IT domains and processes, and links them to business requirements
  • Process descriptions: A reference process model and common language for everyone in an organization. The processes map to responsibility areas of plan, build, run and monitor.
  • Control objectives: Provide a complete set of high-level requirements to be considered by management for effective control of each IT process.
  • Management guidelines: Help assign responsibility, agree on objectives, measure performance, and illustrate interrelationship with other processes
  • Maturity models: Assess maturity and capability per process and help to address gaps.

Other ISACA Publications based on the COBIT framework include:

  • Board Briefing for IT Governance, 2nd Edition
  • COBIT and Application Controls
  • COBIT Control Practices, 2nd Edition
  • IT Assurance Guide: Using COBIT
  • Implementing and Continually Improving IT Governance
  • COBIT Quickstart, 2nd Edition
  • COBIT Security Baseline, 2nd Edition
  • IT Control Objectives for Sarbanes-Oxley, 2nd Edition
  • IT Control Objectives for Basel II
  • COBIT User Guide for Service Managers
  • COBIT Mappings (to ISO/IEC 27002, CMMI, ITIL, TOGAF, PMBOK etc.)
  • COBIT Online

COBIT and Sarbanes-Oxley

Companies that are publicly traded in the US are subject to the Sarbanes-Oxley Act of 2002. According to the IIA, COBIT is one of the most commonly used frameworks to comply with Sarbanes-Oxley.

Benefits

COBIT 5 helps enterprises of all sizes:

  • Maintain high-quality information to support business decisions
  • Achieve strategic goals and realize business benefits through the effective and innovative use of IT
  • Achieve operational excellence through reliable, efficient application of technology
  • Maintain IT-related risk at an acceptable level
  • Optimize the cost of IT services and technology
  • Support compliance with relevant laws, regulations, contractual agreements and policies

Simply stated, COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.

COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.

The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM).

Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

The five COBIT 5 principles:

  1. Meeting Stakeholder Needs
  2. Covering the Enterprise End-to-end
  3. Applying a Single Integrated Framework
  4. Enabling a Holistic Approach
  5. Separating Governance From Management

Enablers

COBIT is a framework developed for IT process management with a strong focus on control. These scales need to be practical to apply and reasonably easy to understand. The topic of IT process management is inherently complex and subjective and, therefore, is best approached through facilitated assessments that raise awareness, capture broad consensus and motivate improvement. These assessments can be performed either against the maturity level descriptions as a whole or with more rigour against each of the individual statements of the descriptions. Either way, expertise in the enterprise’s process under review is required.

The advantage of a maturity model approach is that it is relatively easy for management to place itself on the scale and appreciate what is involved if improved performance is needed. The scale includes 0 because it is quite possible that no process exists at all. The 0-5 scale is based on a simple maturity scale showing how a process evolves from a non-existent capability to an optimised capability.

However, process management capability is not the same as process performance. The required capability, as determined by business and IT goals, may not need to be applied to the same level across the entire IT environment, e.g., not consistently or to only a limited number of systems or units. Performance measurement is essential in determining what the enterprise’s actual performance is for its IT processes.

Although a properly applied capability already reduces risks, an enterprise still needs to analyse the controls necessary to ensure that risk is mitigated and value is obtained in line with the risk appetite and business objectives. These controls are guided by COBIT’s control objectives.

Although it is difficult to imagine today, there was a time in the not-too-distant past when the term “governance” was not used so often or so freely. Based on Latin and Greek words referring to the steering of a ship, governance was a concept primarily restricted to the CEO’s office and the boardroom.

But several global business catastrophes over the last few decades brought the term to the forefront of business thinking. Massive trader fraud at Barings Bank and Société Générale uncovered a breakdown in the monitoring of internal processes. Enron’s phenomenal success was revealed to be due, in some measure, to systematic, long-term, organized accounting fraud. WorldCom, Global Crossing and Tyco followed, and soon there was a clear and widely accepted need for more rigorous governance over companies’ systems of internal control. Increasingly, legislation is being passed to address this need. Worldwide, regulations such as Basel II, the Canadian Privacy Act, HIPAA, Australia’s Corporate Law Economic Reform Program and the Sarbanes-Oxley Act have moved governance to the top of agendas at all layers within enterprises.

This demonstrates that, although the highly publicized enterprise meltdowns may have focused more attention on formalized systems of governance, considerable thought and exploration had already gone into the basic concepts. As stakeholder issues, corporate social responsibility, enterprise risk management and alliances became an increasingly critical component of enterprise success, many astute enterprise leaders realized the need for effective and efficient governance around these issues.

The various legislative acts mentioned above may have reinforced the already existing focus on governance, but they did not necessarily bring clarity to the topic. Different views of governance have arisen, leading to confusion on the relationships among them. How does corporate governance relate to enterprise governance? What about the differing views brought about by increased dependency on intellectual capital, people, information technology—isn’t there a need for governance of these as well? What governance principles apply to open collaboration (“wiki”) sites, whose multiple authors and shared intellectual property create muddied ownership issues? As governance issues have become increasingly complex and critical to the business, those who need to understand and apply these concepts often find themselves wishing “if only someone would put all this on a page, so I could see how it fits together.”

Governance—Beyond Compliance

Although compliance is a powerful driver, there are more profound reasons to implement effective and efficient governance. Enterprise complexity, corporate responsibility, transparency—all these facets of the current business environment bring challenges that governance can address. Among the other drivers for efficient and effective governance:

  • Transparency, as stakeholders wish to be aware of the decisions, mechanisms and results of the enterprises in which they have an interest
  • Enterprises’ need to practice and demonstrate corporate responsibility
  • Creation of the extended enterprise, as enterprises’ growing appreciation of the benefits of collaboration has led to an increasingly large and complex network of relationships and strategic partners (joint ventures, wiki partners, etc.), among which delegation of accountability and decision-making rights must be accomplished
  • Multiple stakeholders’ varying understanding and acceptance of value and risk
  • Enterprises’ increased dependence on strategic assets (e.g., people, knowledge, communications infrastructure, energy infrastructure, intellectual capital, information technology, information) or on external parties (e.g., outsourcing, strategic alliances) and the critical need for 24/7 access to them.
  • Data and information are especially important assets, as they form the basis for informed business decisions; bad data can lead to bad decisions.

The end result is an increasingly complex web, characterized by multiple layers of detail, requirements and interdependencies. This initiative has been undertaken to help clarify and provide ways to maneuver through the governance maze.

The governance mapping initiative was undertaken for many reasons. In addition to gaining a better understanding of the governance space and how the many components fit together, the intent is to populate the resulting maps in ways that will help all organizations dealing with these topics gain a better comprehension of what and who are operating in the governance space. Ultimately, it is hoped that the final product will encourage and assist enterprises to apply effective and efficient governance concepts within their own structures.

The mapping will therefore provide enterprises with guidance on existing standards, frameworks and methodologies that can assist them in implementing effective governance quickly and efficiently, and that incorporate the best practices appropriate to them. Information plays a vital role in the space and fosters good communication among related parties for better governance.

Therefore, the long-term plan is to populate the map—starting with the version that features IT governance (since that is ITGI’s area of expertise)—with four basic types of information:

  1. The leading international guidance, standards and frameworks relating to the disciplines reflected on the map. It is not intended to include all the guidance documents that exist, at this stage. The first iterations of the map will focus on what are considered the “top” guidance documents. Many frameworks can apply to many areas on the map; this map places them where their primary focus lies.
    In addition to showing just the “alphabet soup” of acronyms, each listing will be linked to further information describing the issuing body, the general purpose of the guidance, and the ways in which it specifically addresses the space in the governance map to which it has been assigned. ITGI’s worldwide cadre of experts will make inroads into this, but ultimately external assistance will be requested.
  2. The people involved in each view of governance—specifically the roles, responsibilities, credentials and qualifications of each
  3. The organizations that offer complementary products or services in each area
  4. ITGI’s own products and service offerings. Other organizations may wish to do the same for their own portfolio.

The mapping and description of the relevant frameworks, standards and methodologies will provide enterprises with practical guidance on governance implementation by clarifying aspects such as:

  • The scope of the framework, standard or methodology (e.g., COBIT’s positioning as a comprehensive process and control framework covering all IT processes vis-à-vis The Open Group Architecture Framework’s [TOGAF] positioning within the enterprise architecture domain)
  • Particular suitability to specific industries (where these exist)
  • Expected benefits from the application of the relevant framework, standard or methodology
  • Current uptake and reach (e.g., global reach for Committee of Sponsoring Organizations of the Treadway Commission [COSO])

ITIL – Information Technology Infrastructure Library

The Information Technology Infrastructure Library (ITIL) is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. In its current form (known as ITIL 2011 edition), ITIL is published in a series of five core publications, each of which covers an ITSM lifecycle stage. ITIL underpins ISO/IEC 20000 (previously BS15000), the International Service Management Standard for IT service management, although differences between the two frameworks do exist.

ITIL describes processes, procedures, tasks and checklists that are not organization-specific, used by an organization for establishing integration with the organization’s strategy, delivering value and maintaining a minimum level of competency. It allows the organization to establish a baseline from which it can plan, implement, and measure. It is used to demonstrate compliance and to measure improvement.

The acronym ITIL is a registered trademark of the United Kingdom’s Cabinet Office. Following this move, the ownership is now listed as being with HM Government rather than OGC. The publications continue to be Crown Copyright.

History

Responding to growing dependence on IT, the UK Government’s Central Computer and Telecommunications Agency (CCTA) in the 1980s developed a set of recommendations. It recognised that without standard practices, government agencies and private sector contracts had started independently creating their own IT management practices.

The IT Infrastructure Library originated as a collection of books, each covering a specific practice within IT service management. ITIL was built around a process-model based view of controlling and managing operations often credited to W. Edwards Deming and his plan-do-check-act (PDCA) cycle.

After the initial publication in 1989–96, the number of books quickly grew within ITIL v1 to more than 30 volumes.

In 2000/2001, to make ITIL more accessible (and affordable), ITIL v2 consolidated the publications into eight logical “sets” that grouped related process-guidelines to match different aspects of IT management, applications, and services. The Service Management sets (Service Support and Service Delivery) were by far the most widely used, circulated, and understood of ITIL v2 publications.

  • In April 2001 the CCTA was merged into the Office of Government Commerce (OGC), an office of the UK Treasury.
  • In 2006, the ITIL v2 glossary was published.
  • In May 2007, this organisation issued version 3 of ITIL (also known as the ITIL Refresh Project) consisting of 26 processes and functions, now grouped into only 5 volumes, arranged around the concept of Service lifecycle structure. Version 3 is now known as ITIL 2007 Edition.
  • In 2009, the OGC officially announced that ITIL v2 certification would be withdrawn and launched a major consultation on how to proceed.
  • In July 2011, the 2011 edition of ITIL was published, providing an update to the version published in 2007. The OGC is no longer listed as the owner of ITIL, following the consolidation of OGC into the Cabinet Office. The 2011 edition is owned by HM Government.

Overview of ITIL 2007 Edition

ITIL 2007 Edition (previously known as version 3) is an extension of ITIL v2 and fully replaced it following the completion of the withdrawal period on 30 June 2011.[4] ITIL 2007 provides a more holistic perspective on the full life cycle of services, covering the entire IT organisation and all supporting components needed to deliver services to the customer, whereas v2 focused on specific activities directly related to service delivery and support. Most of the v2 activities remained untouched in 2007, but some significant changes in terminology were introduced in order to facilitate the expansion.

Changes and characteristics of the 2011 edition of ITIL

A summary of changes has been published by HM Government. In line with the 2007 edition, the 2011 edition consists of five core publications – Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement. ITIL 2011 is an update to the ITIL framework that addresses significant additional guidance with the definition of formal processes which were previously implied but not identified, as well as correction of errors and inconsistencies.

Twenty-six processes are listed in the ITIL 2011 edition. They are described below, together with the core publication that provides the main content for each process.

ITIL 2007 has five volumes, published in May 2007 and updated in July 2011 as ITIL 2011 for consistency:

  • ITIL Service Strategy
  • ITIL Service Design
  • ITIL Service Transition
  • ITIL Service Operation
  • ITIL Continual Service Improvement

Service strategy

As the centre and origin point of the ITIL Service Lifecycle, the ITIL Service Strategy (SS) volume provides guidance on clarification and prioritization of service-provider investments in services. More generally, Service Strategy focuses on helping IT organizations improve and develop over the long term. In both cases, Service Strategy relies largely upon a market-driven approach. Key topics covered include service value definition, business-case development, service assets, market analysis, and service provider types.

List of covered processes:

  • IT service management
  • Service Portfolio Management
  • Financial management for IT services
  • Demand Management
  • Business relationship management

For candidates in the ITIL Intermediate Capability stream, the Service Offerings and Agreements (SOA) Qualification course and exam are most closely aligned to the Service Strategy (SS) Qualification course and exam in the Lifecycle stream.

Financial management for IT services

IT Financial Management comprises the discipline of ensuring that the IT infrastructure is obtained at the most effective price (which does not necessarily mean cheapest) and calculating the cost of providing IT services so that an organization can understand the costs of its IT services. These costs may then be recovered from the customer of the service. This is the second component of the service delivery process.

Service design

The Service Design (SD) volume provides good-practice guidance on the design of IT services, processes, and other aspects of the service management effort. Significantly, design within ITIL is understood to encompass all elements relevant to technology service delivery, rather than focusing solely on design of the technology itself. As such, service design addresses how a planned service solution interacts with the larger business and technical environments, service management systems required to support the service, processes which interact with the service, technology, and architecture required to support the service, and the supply chain required to support the planned service. Within ITIL, design work for an IT service is aggregated into a single service design package (SDP). Service design packages, along with other information about services, are managed within the service catalogues.

List of covered processes:

  • Design coordination (Introduced in ITIL 2011 Edition)
  • Service Catalogue
  • Service level Management
  • Availability Management
  • Capacity Management
  • IT Service Continuity Management (ITSCM)
  • Information Security Management System
  • Supplier Management

Service-level management

Service-level management provides for continual identification, monitoring and review of the levels of IT services specified in the service-level agreements (SLAs). Service-level management ensures that arrangements are in place with internal IT support-providers and external suppliers in the form of Operational Level Agreements (OLAs) and Underpinning Contracts (UCs), respectively. The process involves assessing the impact of change upon service quality and SLAs. The service-level management process works closely with the operational processes to control their activities. The central role of service-level management makes it the natural place for metrics to be established and monitored against a benchmark.

Service-level management is the primary interface with the customer (as opposed to the user serviced by the service desk). Service-level management is responsible for:

  • Ensuring that the agreed IT services are delivered when and where they are supposed to be
  • Liaising with availability management, capacity management, incident management and problem management to ensure that the required levels and quality of service are achieved within the resources agreed with financial management
  • Producing and maintaining a service catalog (a list of standard IT service options and agreements made available to customers)
  • Ensuring that appropriate IT service continuity plans exist to support the business and its continuity requirements.

The service-level manager relies on the other areas of the service delivery process to provide the necessary support which ensures the agreed services are provided in a cost-effective, secure and efficient manner.

Availability management

Availability management aims to allow organizations to sustain IT service availability in support of the business at a justifiable cost. The high-level activities are: realize availability requirements, compile the availability plan, monitor availability, and monitor maintenance obligations.

Availability management addresses the ability of an IT component to perform at an agreed level over a period of time.

  • Reliability: The ability of an IT component to perform at an agreed level under described conditions.
  • Maintainability: The ability of an IT component to remain in, or be restored to, an operational state.
  • Serviceability: The ability of an external supplier to maintain the availability of a component or function under a third-party contract.
  • Resilience: A measure of freedom from operational failure and a method of keeping services reliable. One popular method of resilience is redundancy.
  • Security: A service may have associated data. Security refers to the confidentiality, integrity, and availability of that data. Availability gives a clear overview of the end-to-end availability of the system.

Capacity management

Capacity management supports the optimum and cost-effective provision of IT services by helping organizations match their IT resources to business demands. The high-level activities include:

  • Application Sizing
  • Workload Management
  • Demand Management
  • Modelling
  • Capacity Planning
  • Resource Management
  • Performance Management

Capacity management is focused on strategic capacity, including capacity of personnel (e.g., human resources, staffing and training), system capacity, and component (or tactical) capacity.

IT service continuity management

IT service continuity management (ITSCM) covers the processes by which plans are put in place and managed to ensure that IT Services can recover and continue even after a serious incident occurs. It is not just about reactive measures, but also about proactive measures – reducing the risk of a disaster in the first instance.

ITSCM is regarded by the application owners as the recovery of the IT infrastructure used to deliver IT Services, but as of 2009 many businesses practice the much further-reaching process of business continuity planning (BCP), to ensure that the whole end-to-end business process can continue should a serious incident occur (at primary support level).

ITSCM involves the following basic steps:

  • Prioritising the activities to be recovered by conducting a business impact analysis (BIA)
  • Performing a risk assessment (aka risk analysis) for each of the IT services to identify the assets, threats, vulnerabilities and countermeasures for each service.
  • Evaluating the options for recovery
  • Producing the contingency plan
  • Testing, reviewing, and revising the plan on a regular basis.

Information security management system

The ITIL-process Security Management describes the structured fitting of information security in the management organisation. ITIL security management is based on the code of practice for information security management system (ISMS) now known as ISO/IEC 27002.

A basic goal of security management is to ensure adequate information security. The primary goal of information security, in turn, is to protect information assets against risks, and thus to maintain their value to the organization. This is commonly expressed in terms of ensuring their confidentiality, integrity and availability, along with related properties or goals such as authenticity, accountability, non-repudiation and reliability.

Mounting pressure for many organisations to structure their information security management systems in accordance with ISO/IEC 27001 required revision of the ITIL v2 security management volume, which culminated in the release of the 2007 edition.

Service transition

Service transition (ST), as described by the ITIL service transition volume,[7] relates to the delivery of services required by a business into live/operational use, and often encompasses the “project” side of IT rather than business as usual (BAU). This area also covers topics such as managing changes to the BAU environment.

List of ITIL processes in service transition:

  • Transition planning and support
  • Change management
  • Service asset and configuration management
  • Release and deployment management
  • Service validation and testing
  • Change evaluation
  • Knowledge management

Change management

Change management aims to ensure that standardised methods and procedures are used for efficient handling of all changes. A change is an event that results in a new status of one or more configuration items (CIs), and which is approved by management, cost-effective, enhances business process changes (fixes) – all with a minimum risk to IT infrastructure.

The main aims of change management include:

  • Minimal disruption of services
  • Reduction in back-out activities
  • Economic use of resources involved in the change

Common change management terminology includes:

  • Change: the addition, modification or removal of CIs
  • Request For Change (RFC) or, in older terminology, Change Request (CR): a form that is used to record details of a request for a change and is sent as an input to Change Management by the Change Requestor
  • ITIL v2 – Forward Schedule of Changes (FSC): schedule that contains details of all forthcoming Changes.
  • ITIL 2007 – Change Schedule (CS): schedule that contains details of all forthcoming Changes, and references historical data. Many people still refer to the known term FSC.

Service asset and configuration management

Service asset and configuration management is primarily focused on maintaining information (i.e., configurations) about Configuration Items (i.e., assets) required to deliver an IT service, including their relationships. Configuration management is the management and traceability of every aspect of a configuration from beginning to end and it includes the following key process areas under its umbrella:

  • Identification
  • Planning
  • Change Control
  • Change Management
  • Release Management
  • Maintenance

Release and deployment management

Release and deployment management is used by the software migration team for platform-independent and automated distribution of software and hardware, including license controls across the entire IT infrastructure. Proper software and hardware control ensures the availability of licensed, tested, and version-certified software and hardware, which functions as intended when introduced into existing infrastructure. Quality control during the development and implementation of new hardware and software is also the responsibility of Release Management. This guarantees that all software meets the demands of the business processes.

The goals of release management include:

    Planning the rollout of software

    Designing and implementing procedures for the distribution and installation of changes to IT systems

    Effectively communicating and managing expectations of the customer during the planning and rollout of new releases

    Controlling the distribution and installation of changes to IT systems

Release management focuses on the protection of the live environment and its services through the use of formal procedures and checks.

A Release consists of the new or changed software and/or hardware required to implement approved changes. Release categories include:

    Major software releases and major hardware upgrades, normally containing large amounts of new functionality, some of which may make intervening fixes to problems redundant. A major upgrade or release usually supersedes all preceding minor upgrades, releases and emergency fixes.

    Minor software releases and hardware upgrades, normally containing small enhancements and fixes, some of which may have already been issued as emergency fixes. A minor upgrade or release usually supersedes all preceding emergency fixes.

    Emergency software and hardware fixes, normally containing the corrections to a small number of known problems.

Releases can be divided based on the release unit into:

    Delta release: a release of only that part of the software which has been changed. For example, security patches.

    Full release: the entire software program is deployed—for example, a new version of an existing application.

    Packaged release: a combination of many changes—for example, an operating system image which also contains specific applications.

Service operation

Service Operation (SO) aims to provide best practice for achieving the delivery of agreed levels of service both to end-users and to customers (where “customers” refers to those individuals who pay for the service and negotiate the SLAs). Service operation, as described in the ITIL Service Operation volume, is the part of the lifecycle where the services and value are actually directly delivered. The monitoring of problems and the balance between service reliability and cost are also considered. The functions include technical management, application management, operations management and service desk, as well as responsibilities for staff engaging in Service Operation.

List of processes:

    Event management

    Incident management

    Request fulfillment

    Problem management

    Access management

Functions

Service desk

The service desk is one of four ITIL functions and is primarily associated with the Service Operation lifecycle stage. Tasks include handling incidents and requests, and providing an interface for other ITSM processes. Features include:

    Single point of contact (SPOC) and not necessarily the first point of contact (FPOC)

    Single point of entry

    Single point of exit

    Easier for customers

    Data integrity

    Streamlined communication channel

Primary purposes of a service desk include:

    Incident control: life-cycle management of all service requests

    Communication: keeping a customer informed of progress and advising on workarounds

The service desk function can have various names, such as:

    Call center: main emphasis on professionally handling large call volumes of telephone-based transactions

    Help desk: manage, co-ordinate and resolve incidents as quickly as possible at primary support level

    Service desk: not only handles incidents, problems and questions but also provides an interface for other activities such as change requests, maintenance contracts, software licenses, service-level management, configuration management, availability management, financial management and IT services continuity management

Three types of structure can be considered:

    Local service desk: to meet local business needs – practical only until multiple locations requiring support services are involved

    Central service desk: for organisations having multiple locations – reduces operational costs and improves usage of available resources

    Virtual service desk: for organisations having multi-country locations – can be situated and accessed from anywhere in the world due to advances in network performance and telecommunications, reducing operational costs and improving usage of available resources

Application management

ITIL application management encompasses a set of best practices proposed to improve the overall quality of IT software development and support through the life-cycle of software development projects, with particular attention to gathering and defining requirements that meet business objectives.

Software asset management (SAM) is a primary topic of ITIL v2 and is closely associated with the ITIL Application Management function. SAM is the practice of integrating people, processes, and technology to allow software licenses and usage to be systematically tracked, evaluated, and managed. The goal of SAM is to reduce IT expenditures, human resource overhead and risks inherent in owning and managing software assets.

SAM practices include:

    Maintaining software license compliance

    Tracking inventory and software asset use

    Maintaining standard policies and procedures surrounding definition, deployment, configuration, use, and retirement of software assets and the definitive software library.

SAM represents the software component of IT asset management. This includes hardware asset management because effective hardware inventory controls are critical to efforts to control software. This means overseeing software and hardware that comprise an organization’s computers and network.

Event management

An event may indicate that something is not functioning correctly, leading to an incident being logged. Events may also indicate normal activity, or a need for routine intervention such as changing a tape. Event management depends on monitoring, but it is different. Event management generates and detects notifications, whilst monitoring checks the status of components even when no events are occurring. Events may be detected by a CI sending a message, or by a management tool polling the CI. After an event has been detected it may lead to an Incident, Problem or Change, or it may simply be logged in case the information is needed. Response to an event may be automated or may require manual intervention. If actions are needed then a trigger, such as an SMS message or an incident being automatically logged, can alert support staff.

Incident management

Incident management aims to restore normal service operation as quickly as possible and minimise the adverse effect on business operations, thus ensuring that the best possible levels of service quality and availability are maintained. ‘Normal service operation’ is defined here as service operation within service-level agreement (SLA) limits.

An incident is defined as:

    2007: An unplanned interruption to an IT service or a reduction in the quality of an IT service. Failure of a configuration item that has not yet impacted service is also an incident. For example, failure of one disk from a mirror set.

    V2: An event which is not part of the standard operation of a service and which causes or may cause disruption to or a reduction in the quality of services and customer productivity.

The objective of incident management is to restore normal operations as quickly as possible with the least possible impact on either the business or the user, at a cost-effective price. The transformation from event to incident is the critical junction where Application Performance Management (APM) and ITIL come together to provide tangible value back to the business.[13]

Request fulfillment

Request fulfillment (or request management) focuses on fulfilling Service Requests, which are often minor (standard) changes (e.g., requests to change a password) or requests for information.

Problem management

Problem management aims to resolve the root causes of incidents and thus to minimise the adverse impact of incidents and problems on business that are caused by errors within the IT infrastructure, and to prevent recurrence of incidents related to these errors. A ‘problem’ is the unknown underlying cause of one or more incidents, and a ‘known error’ is a problem that is successfully diagnosed and for which either a work-around or a permanent resolution has been identified. The CCTA (Central Computer and Telecommunications Agency) defines problems and known errors as follows:

    A problem is a condition often identified as a result of multiple incidents that exhibit common symptoms. Problems can also be identified from a single significant incident, indicative of a single error, for which the cause is unknown, but for which the impact is significant.

    A known error is a condition identified by successful diagnosis of the root cause of a problem, and the subsequent development of a work-around.

Problem management differs from incident management. The principal purpose of problem management is to find and resolve the root cause of a problem and thus prevent further incidents; the purpose of incident management is to return the service to normal level as soon as possible, with smallest possible business impact.

The problem-management process is intended to reduce the number and severity of incidents and problems on the business, and to record them in documentation that is available to the first and second lines of the help desk. The proactive process identifies and resolves problems before incidents occur. Such processes include:

    Trend analysis

    Targeting support action

    Providing information to the organisation

The error control process iteratively diagnoses known errors until they are eliminated by the successful implementation of a change under the control of the Change Management process.

The problem control process aims to handle problems in an efficient way. Problem control identifies the root cause of incidents and reports it to the service desk. Other activities are:

    Problem identification and recording

    Problem classification

    Problem investigation and diagnosis

A technique for identifying the root cause of a problem is to use an Ishikawa diagram, also referred to as a cause-and-effect diagram, tree diagram, or fishbone diagram. Alternatively, a formal Root Cause Analysis method such as Apollo Root Cause Analysis can be implemented and used to identify causes and solutions. An effective root cause analysis method and/or tool will provide the most effective/efficient solutions to address problems in the Problem Management process.

Identity management/access and identity management

Identity management (IdM), less commonly called Access and Identity Management (AIM), is a process that focuses on granting authorised users the right to use a service, while preventing access by non-authorised users. Certain identity management processes execute policies defined in the Information Security Management System.

Continual service improvement (CSI)

Continual service improvement, defined in the ITIL continual service improvement volume,[9] aims to align and realign IT services to changing business needs by identifying and implementing improvements to the IT services that support the business processes. It incorporates many of the same concepts articulated in the Deming Cycle of Plan-Do-Check-Act. The perspective of CSI on improvement is the business perspective of service quality, even though CSI aims to improve process effectiveness, efficiency and cost effectiveness of the IT processes through the whole lifecycle. To manage improvement, CSI should clearly define what should be controlled and measured.

CSI needs to be treated just like any other service practice. To be successful, there needs to be upfront planning, training and awareness, ongoing scheduling, roles created, ownership assigned, and activities identified. CSI must be planned and scheduled as a process with defined activities, inputs, outputs, roles and reporting. Continual Service Improvement and Application Performance Management (APM) are two sides of the same coin. They both focus on improvement, with APM tying together service design, service transition, and service operation, which in turn helps raise the bar of operational excellence for IT.[14]

Improvement initiatives typically follow a seven-step process:

    Identify the strategy for improvement

    Define what you will measure

    Gather the data

    Process the data

    Analyse the information and data

    Present and use the information

    Implement improvement

Overview of ITIL v2

The eight ITIL version 2 books and their disciplines are:

The IT service management sets

    1. Service Support

    2. Service Delivery

Other operational guidance

    3. ICT infrastructure management

    4. Security management

    5. Application management

    6. Software asset management

To assist with the implementation of ITIL practices a further book was published (Apr 9, 2002) providing guidance on implementation (mainly of Service Management):

    7. Planning to implement service management

And this has more recently (Jan 26, 2006) been supplemented with guidelines for smaller IT units, not included in the original eight publications:

    8. ITIL Small-scale implementation

Service support

The Service Support[15] ITIL discipline focuses on the User of the IT services and is primarily concerned with ensuring that they have access to the appropriate services to support the business functions.

To a business, customers and users are the entry point to the process model. They get involved in service support by:

    Asking for changes

    Needing communication, updates

    Having difficulties, queries

    Real process delivery

The service desk functions as the single contact-point for end-users’ incidents. Its first function is always to document (“create”) an incident. If there is a direct solution, it attempts to resolve the incident at the first level. If the service desk cannot solve the incident then it is passed to a 2nd/3rd level group within the incident management system. Incidents can initiate a chain of processes: incident management, problem management, change management, release management and configuration management. This chain of processes is tracked using the configuration management database (CMDB), which ITIL refers to as the configuration management system (CMS); it records each process and creates output documents for traceability (quality management). Note that the CMDB/CMS does not have to be a single database: the solution can be federated.

Service delivery

The service delivery discipline concentrates on the proactive services the ICT must deliver to provide adequate support to business users. It focuses on the business as the customer of the ICT services (compare with: service support). The discipline consisted of the following processes:

    Service level management

    Capacity management

    IT service continuity management

    Availability management

    Financial management

ICT infrastructure management

Information and Communication Technology (ICT) management[17] processes recommend best practice for requirements analysis, planning, design, deployment and ongoing operations management and technical support of an ICT infrastructure.

The infrastructure management processes describe those processes within ITIL that directly relate to the ICT equipment and software that is involved in providing ICT services to customers.

    ICT design and planning

    ICT deployment

    ICT operations

    ICT technical support

These disciplines are less well understood than those of service management and therefore often some of their content is believed to be covered ‘by implication’ in service management disciplines.

ICT design and planning

ICT design and planning provides a framework and approach for the strategic and technical design and planning of ICT infrastructures. It includes the necessary combination of business (and overall IS) strategy, with technical design and architecture. ICT design and planning drives the procurement of new ICT solutions through the production of statements of requirement (“SOR”) and invitations to tender (“ITT”), and is responsible for the initiation and management of ICT Programmes for strategic business change. Key outputs from design and planning are:

    ICT strategies, policies and plans

    The ICT overall architecture & management architecture

    Feasibility studies, ITTs and SORs

    Business cases

ICT deployment management

ICT deployment provides a framework for the successful management of design, build, test and roll-out (deploy) projects within an overall ICT programme. It includes many project management disciplines in common with PRINCE2, but has a broader focus to include the necessary integration of release management and both functional and non-functional testing.

ICT operations management

ICT operations management provides the day-to-day technical supervision of the ICT infrastructure. Often confused with the role of incident management from service support, operations has a more technical bias and is concerned not solely with incidents reported by users, but with events generated by or recorded by the infrastructure. ICT operations may often work closely alongside incident management and the service desk, which are not necessarily technical, to provide an ‘operations bridge’. Operations, however, should primarily work from documented processes and procedures and should be concerned with a number of specific sub-processes, such as: output management, job scheduling, backup and restore, network monitoring/management, system monitoring/management, database monitoring/management, and storage monitoring/management. Operations are responsible for the following:

    A stable, secure ICT infrastructure

    A current, up to date operational documentation library (“ODL”)

    A log of all operational events

    Maintenance of operational monitoring and management tools.

    Operational scripts

    Operational procedures

ICT technical support

ICT technical support is the specialist technical function for infrastructure within ICT. Primarily as a support to other processes, both in infrastructure management and service management, technical support provides a number of specialist functions: research and evaluation, market intelligence (particularly for design and planning and capacity management), proof of concept and pilot engineering, specialist technical expertise (particularly to operations and problem management), creation of documentation (perhaps for the operational documentation library or known error database). There are different levels of support under the ITIL structure, these being primary support level, secondary support level and tertiary support level, higher-level administrators being responsible for support at primary level.

The Known Error Database (KEDB) contains all known error records. This database is created by problem management and used by incident management and problem management, and as part of service knowledge management systems.[18]

Planning to implement service management

The ITIL discipline – planning to implement service management[19] attempts to provide practitioners with a framework for the alignment of business needs and IT provision requirements. The processes and approaches incorporated within the guidelines suggest the development of a continuous service improvement program (CSIP) as the basis for implementing other ITIL disciplines as projects within a controlled program of work. Planning to implement service management focuses mainly on the service management processes, but also applies generically to other ITIL disciplines. Components include:

    Creating vision

    Analysing organisation

    Setting goals

    Implementing IT service management

Small-scale implementation

ITIL Small-scale implementation[20] provides an approach to ITIL framework implementation for smaller IT units or departments. It is primarily an auxiliary work that covers many of the same best practice guidelines as planning to implement service management, service support, and service delivery but provides additional guidance on the combination of roles and responsibilities, and avoiding conflict between ITIL priorities.

Related frameworks

A number of frameworks exist in the field of IT Service Management alongside ITIL.

Descendants

Microsoft Operations Framework

The Microsoft Operations Framework (MOF) is based on ITIL v2. While ITIL deliberately aims to be platform-agnostic, MOF is designed by Microsoft to provide a common management framework for its products. Microsoft has mapped MOF to ITIL as part of their documentation of the framework.[21]

FITS

The British Educational Communications and Technology Agency (BECTA) used ITIL as the basis for their development of Framework for ICT Technical Support (FITS). Their aim was to develop a framework appropriate for British schools, which often have very small IT departments. FITS became independent from BECTA in 2009 and is now maintained and supported by The FITS Foundation. FITS is now used in more than a thousand schools in the UK, Australia and Norway as the standard for ICT Service Management in the Education sector.

Other frameworks

ITIL is generally equivalent to the scope of the ISO/IEC 20000 standard (previously BS 15000).[22] While it is not possible for an organization to be certified as being ITIL compliant, certification of an organisation is available for ISO20000 [2].

COBIT is an IT governance framework and supporting toolset developed by ISACA. ISACA views ITIL as being complementary to COBIT. They see COBIT as providing a governance and assurance role while ITIL provides guidance for service management.[23]

The enhanced Telecom Operations Map (eTOM) published by the TeleManagement Forum offers a framework aimed at telecommunications service providers. In a joint effort, TM Forum and itSMF developed an Application Note to eTOM (GB921) that shows how the two frameworks can be mapped to each other. It addresses how eTOM process elements and flows can be used to support the processes identified in ITIL.[24][25]

IBM Tivoli Unified Process (ITUP) is aligned with ITIL, but is presented as a complete, integrated process model compatible with IBM’s products.

Certification

Individuals

The certification scheme differs between ITIL v2 and ITIL 2007/2011, and bridge examinations (now retired) allowed owners of v2 certificates to transfer to the new program. ITIL v2 offers three certification levels: Foundation, Practitioner and Manager. These were progressively discontinued in favor of the new scheme introduced along with the publication of the 2007 Edition. ITIL certification levels are now: Foundation, Intermediate, Expert and Master. In addition, the single-process practitioner certifications that were offered by OGC for version 2 have now been replaced and the offering expanded by what are known as complementary certifications.

The ITIL certification scheme now offers a modular approach. Each qualification is assigned a credit value, so that upon successful completion of the module, the candidate is rewarded with both a certification and a number of credits. At the lowest level – Foundation – candidates are awarded a certification and two credits. At the Intermediate level, a total of 15 or 16 credits can be earned. These credits may be accumulated in either a “Lifecycle” stream or a “Capability” stream, or a combination thereof. Each Lifecycle module and exam is three credits. Each Capability module and corresponding exam is four credits. A candidate wanting to achieve the Expert level will have, among other requirements, to gain the required number of credits. That is accomplished with two from Foundation, then 15 or 16 from Intermediate, and finally five credits from the “Managing Across the Lifecycle” exam. Together, the total of 22 or 23 earned credits allows a person to request designation as an ITIL Expert.

The complementary certifications also have point values, ranging from 0.5 to 1.5 credits, which can be applied towards ITIL Expert certification. However, only a maximum of six credits from complementary certifications can be applied towards the Expert certification.

The ITIL Certification Management Board (ICMB) manages ITIL certification. The Board includes representatives from interested parties within the community around the world. Members of the Board include (though are not limited to) representatives from the UK Office of Government Commerce (OGC), APM Group (APMG), The Stationery Office (TSO), ITIL Examination Panel, Examination Institutes (EIs) and the IT Service Management Forum International (itSMF) as the recognised user group.

Since the early 1990s, EXIN and ISEB had been setting up the ITIL-based certification program, developing and providing ITIL exams at three different levels: Foundation, Practitioner and Manager. EXIN[30] and BCS/ISEB[31] (the British Computer Society) had from that time onwards been the only two examination providers in the world to develop formally acknowledged ITIL certifications, provide ITIL exams and accredit ITIL training providers worldwide. These rights were obtained from OGC, the British government institution and owner of the ITIL trademark. OGC signed over the management of the ITIL trademark and the accreditation of examination providers to APM Group in 2006. Now, after signing a contract with EXIN,[30] BCS/ISEB, LOYALIST CERTIFICATION SERVICES [3], PEOPLECERT Group and other certification bodies, APM Group has accredited them as official examination bodies, to offer ITIL exams and accredit ITIL training providers.

On July 20, 2006, the OGC signed a contract with the APM Group to become its commercial partner for ITIL accreditation from January 1, 2007.[32] APMG manage the ITIL Version 3 exams.

APMG maintains a voluntary register of ITIL certified practitioners at their Successful Candidate Register.[33]

Pins

After passing an APMG/EXIN exam in IT service management (based on ITIL), some people will wear a metal pin on their shirt or jacket. This badge, provided by the itSMF, has a basic gold color and is set in the form of the ITIL logo. The ITIL pins consist of a small, diamond-like structure. The meaning and the shape of the diamond are meant to depict coherence in the IT industry (infrastructure as well). The four corners of the pin symbolise service support, service delivery, infrastructure management and IT management.

There are five colors of ITIL pins – each corresponds to the color of the associated core publication:

    ITIL Foundation Badge (Pastel Green). This ITIL lapel pin takes its color from the ITIL Service Strategy book and is awarded on successful completion of the ITIL Foundation exam.

    ITIL Intermediate Capability Badge (Burgundy). There are four ITIL Capability courses. (RCV, OSA, SOA, PPO). You are able to apply for this lapel pin once you have passed each exam. Some examination institutes such as APMG International will send the pins automatically with the candidate’s certificate. This badge shares its color with the ITIL Service Transition book.

    ITIL Intermediate Lifecycle Badge (Teal). For each of the five ITIL Lifecycle courses (SS, SD, ST, SO, CSI), candidates receive this lapel pin after passing the exam. The color for this pin is based on the ITIL Service Operation book.

    ITIL Expert Badge (Lilac). This is currently the highest qualification available with ITIL. The lapel pin is awarded when a candidate attains 22 credits through a combination of ITIL training courses. The pin takes its color from the ITIL Continual Service Improvement book.

    ITIL Master Badge (Purple, with the letter M in the middle). Currently in its pilot phase, this qualification has no training course or exam associated with it. To gain qualification as an ITIL Master, candidates have to have their work peer-reviewed by a panel of experts. Once an ITIL Expert has achieved this status, the ITIL Master can wear a lapel pin based on the color of the ITIL Service Design book.

There are three colors of ITIL V2 pins:

    ITIL v2 Foundation Badge (green)

    ITIL v2 Practitioner Badge (blue)

    ITIL v2 Manager Badge (red)

Exam candidates who have successfully passed the examinations for ITIL will receive their appropriate pin from APMG, EXIN or their certification provider regional office or agent.

Organizations

Organizations and management systems cannot claim certification as “ITIL-compliant”. An organization that has implemented ITIL guidance in IT Service Management (ITSM) may, however, be able to achieve compliance with and seek certification under ISO/IEC 20000. Note that there are some significant differences between ISO/IEC 20000 and ITIL:[34]

    ISO20000 only recognises the management of financial assets, not assets which include “management, organization, process, knowledge, people, information, applications, infrastructure and financial capital”, nor the concept of a “service asset”. So ISO20000 certification does not address the management of ‘assets’ in an ITIL sense.

    ISO20000 does not recognise Configuration Management System (CMS) or Service Knowledge Management System (SKMS), and so does not certify anything beyond Configuration Management Database (CMDB).

    An organization can obtain ISO20000 certification without recognising or implementing the ITIL concept of Known Error, which is usually considered essential to ITIL.

Criticism

ITIL has been criticised on several fronts, including:

    The books are not affordable for non-commercial users

    Implementation and accreditation requires specific training

    Debate over ITIL falling under BSM or ITSM frameworks

    The ITIL details are not aligned with the other frameworks like ITSM

Rob England (also known as “IT Skeptic”) has criticised the protected and proprietary nature of ITIL. He urges the publisher, Cabinet Office, to release ITIL under the Open Government Licence (OGL).

CIO Magazine columnist Dean Meyer has also presented some cautionary views of ITIL,[37] including five pitfalls such as “becoming a slave to outdated definitions” and “Letting ITIL become religion.” As he notes, “…it doesn’t describe the complete range of processes needed to be world class. It’s focused on … managing ongoing services.”

In a 2004 survey designed by Noel Bruton (author of “How to Manage the IT Helpdesk” and “Managing the IT Services Process”), organisations adopting ITIL were asked to relate their actual experiences in having implemented ITIL. Seventy-seven percent of survey respondents either agreed or strongly agreed that “ITIL does not have all the answers”. ITIL exponents accept this, citing ITIL’s stated intention to be non-prescriptive, expecting organisations to engage ITIL processes with existing process models. Bruton notes that the claim to non-prescriptiveness must be, at best, one of scale rather than absolute intention, for the very description of a certain set of processes is in itself a form of prescription.[38]

While ITIL addresses in depth the various aspects of service management, it does not address enterprise architecture in such depth. Many of the shortcomings in the implementation of ITIL do not necessarily come about because of flaws in the design or implementation of the service management aspects of the business, but rather the wider architectural framework in which the business is situated. Because of its primary focus on service management, ITIL has limited utility in managing poorly designed enterprise architectures, or how to feed back into the design of the enterprise architecture.

Closely related to the architectural criticism, ITIL does not directly address the business applications which run on the IT infrastructure; nor does it facilitate a more collaborative working relationship between development and operations teams. The trend toward a closer working relationship between development and operations is termed DevOps. This trend is related to increased application release rates and the adoption of agile software development methodologies. Traditional service management processes have struggled to support increased application release rates – due to lack of automation – and/or highly complex enterprise architecture.

Some researchers group ITIL with Lean, Six Sigma and Agile software development operations management. Applying Six Sigma techniques to ITIL brings the engineering approach to ITIL’s framework. Applying Lean techniques promotes continuous improvement of ITIL’s best practices. However, ITIL itself is not a transformation method, nor does it offer one. Readers are required to find and associate such a method. Some vendors have also included the term Lean when discussing ITIL implementations, for example “Lean-ITIL”. The initial consequences of an ITIL initiative tend to add cost with benefits promised as a future deliverable. ITIL does not provide usable methods “out of the box” to identify and target waste, or document the customer value stream as required by Lean, and measure customer satisfaction.

ITIL Implementation scenario

You can’t change people. This is a known ideology and maybe a true one. People must change themselves. Perhaps this is why Corporate Executives, IT Directors and others are slow to implement ITIL best practices. Many like the ITIL approach and the projected cost savings but don’t know exactly where to start.
Some feel company culture must change before any other type of change within IT departments will be accepted. Others think everyone must be an ITIL believer before the changes can take place.
So how can a company start with ITIL? In a recent poll done by Benchmark Learning, most companies started with a blend of the ITIL processes Incident, Problem, Change and Release Management; however, the most popular focus was on Change Management. Practitioners like the ability to change things in an orderly way, the increased efficiency and the alignment of IT Services to business requirements and goals. The result is a shift in culture. As one ITIL practitioner stated, “We led by example but did not make people drink. We made them thirsty.”
For other organizations, simply setting up a Single Point of Contact (SPOC) in a Service Desk, where Incidents are recorded, has resulted in improved customer service. Maybe it wasn’t overnight, but slowly internal customers and end-users started to change their behavior as how they utilized IT changed and as their level of satisfaction rose. The end-user was being ‘fixed.’ As a result people were starting to change, if only in their perception of IT, and so was company culture. Henry David Thoreau said, “Things do not change, we change.” So make a change in your IT processes; start slowly by changing yourself. The overall cultural change you can effect may be great.

The main benefits of ITIL include:
• Alignment with business needs. ITIL becomes an asset to the business when IT can proactively recommend solutions as a response to one or more business needs. The IT Strategy Group recommended in Service Strategy and the implementation of Service Portfolio Management give IT the opportunity to understand the business’ current and future needs and develop service offerings that can address them.
• Negotiated achievable service levels. Business and IT become true partners when they can agree upon realistic service levels that deliver the necessary value at an acceptable cost.
• Predictable, consistent processes. Customer expectations can be set and are easier to meet through the use of predictable processes that are consistently used. Also, good practice processes are foundational and can assist in laying the groundwork to meet regulatory compliance requirements.
• Efficiency in service delivery. Well-defined processes with clearly documented accountability for each activity, as recommended through the use of a RACI matrix, can significantly increase the efficiency of processes. In conjunction with the evaluation of efficiency metrics that indicate the time required to perform each activity, service delivery tasks can be optimized.
• Measurable, improvable services and processes. The adage that you can’t manage what you can’t measure rings true here. Consistent, repeatable processes can be measured and therefore can be better tuned for accurate delivery and overall effectiveness. For example, presume that a critical success factor for incident management is to reduce the time to restore service. When predictable, consistent processes are used, key performance indicators such as Mean Time To Restore Service can be captured to determine whether this KPI is trending in a positive or negative direction so that the appropriate adjustments can be made. Additionally, under ITIL guidelines, services are designed to be measurable. With the proper metrics and monitoring in place, IT organizations can monitor SLAs and make improvements as necessary.
• A common language – terms are defined.