While most will recognize and have in-depth knowledge of one or two of these service management philosophies, we thought it necessary to level-set not only the core structural information, but to also describe the improvement models that are integral to each framework.
COBIT (Control Objectives for Information and Related Technology) is a business framework for the governance and management of enterprise IT. With aspects in security, quality and compliance, its focus is not necessarily on how to execute a process, but rather what should be done to ensure proper control of that process. Therefore, you won’t technically implement COBIT from the bottom up, but use it as a tool to help you control processes from the top down as a part of a larger governance initiative.
Starting out as a tool designed for IT auditors to assist in the control of IT, it has grown into a model that assists with compliance requirements as well. It helps enterprises understand their IT systems and, by applying an IT governance model, guides decisions about the level of security, risk and control necessary to protect assets.
By using stakeholder needs as the starting point for governance and management activities, COBIT offers a holistic and integrated view of enterprise governance and management of IT that uses consistent and common language. This framework has many rich capabilities, notably the introduction of GEIT (Governance of Enterprise IT) principles, increased focus on enablers, new and modified processes, the separation of governance and management, revised and expanded goals and metrics, and a new process capability model to name just a few.
There are several documents and tools to choose from in the overall COBIT product family. These can be found at www.isaca.org/cobit and include:
The building blocks of the COBIT framework are leveraged through the use of five principles and seven enablers (see Figure 1).
Note that the Principle “Enabling a Holistic Approach” gives rise to the Enablers.
At the core of any framework are processes. COBIT5 has 37 processes in five domains.
These five domains support the separation of governance and management by aligning EDM with governance processes and BAI, DSS, and MEA with a typical Plan-Build-Run-Monitor approach. See Figure 3.
The ISO/IEC 20000 family of documents defines the international Standard for IT service management, with the goal of establishing a common reference for IT service delivery. There are several parts to the Standard, which revolve around the auditable Part 1 (26 pages) and include:
Simply, Part 1 defines the internationally accepted requirements for the Service Management System (SMS) which include the “…design, transition, delivery and improvement of services that fulfil service requirements and provide value for both the customer and service provider.”8
Developed originally as a UK national Standard (BS 15000), the early “edition” was a method allowing consistent measurement indicating compliance to ITIL ‘best practices,’ thus allowing organizations to declare themselves compliant. The international community quickly saw the benefit of BS 15000 and moved it through the process to create the international Standard, ISO/IEC 20000-1:2005. ISO/IEC 20000 continually improves, both following and driving ITIL improvements. Incorrectly known as the “ITIL Standard,” ISO/IEC 20000 is a service management product in its own right. It demands an integrated process approach based on the PDCA methodology across all aspects of the SMS and services. Combining the SMS with PDCA drives value-driven service delivery, customer satisfaction and monitored, reviewed and improved services based on objectives and agreed measurements.
The unique aspect of ISO/IEC 20000-1 is the definition of a service management system. A service provider must “…plan, establish, implement, operate, monitor, review, maintain and improve an SMS” throughout the span of service activities (e.g. design, transition, delivery and improvement). Specifically, the SMS includes very clear requirements for management responsibility, governance of processes operated by other parties, document and resource management, and the explicit activities of establishing and improving the SMS following the PDCA methodologies.
The SMS provides the management foundation for the well-known service management processes divided into four main groupings:
Lastly, there is an overall set of requirements for the design and transition of new or changed services. This set of requirements nicely defines the flow of activities beginning with planning for the new or changed service (e.g. requirements gathering, resource management, communication, testing, dependencies, service acceptance criteria, etc.) and progressing through the design, development and transitioning of the new or changed service. Retiring an obsolete service falls under this section as well.
Part 1 is brilliant in its brevity – the requirements are concise and clear. What is not provided by Part 1 is the “how to do.” Part 2 and the other Parts provide further clarification and great insight into the requirements, as well as specific examples of how to fulfil them, but, again, the “how to do” is still not prescribed. It is clearly up to the organization and its unique working environment to define how to meet the requirements and then document them. The ISO/IEC 20000 family of documents is, in our opinion, the place to start any information gathering for an “adopt and adapt” initiative. Then utilize the other Service Management frameworks and standards as a body of knowledge to complete the “how.”
Table 2 lists the processes and the corresponding section numbering from the source document. These numbers are important to the mapping information found in the Appendix.
The Information Technology Infrastructure Library (ITIL) describes a framework of best practices for the provision of quality services. ITIL is only one part of a suite of publications that describe IT service management. The activities, processes, functions and capabilities documented in ITIL provide guidance that should be analysed by an organization to define an ‘adopt and adapt’ program of activities to improve service delivery based on its individual needs, culture, organizational structure, and so on. The use of public frameworks and standards benefits the organization because the “wheel isn’t reinvented” and the organization can create its own efficiencies from what has already been learned.
ITIL® Service Lifecycle Publications, 2011 Edition
So where do these ‘best practices’ originate? ITIL is based on various sources (e.g. standards, industry practices, academic research, training and education, and internal experience) through the work of a variety of practitioners (e.g. employees, customers, suppliers, advisers and technologies). Business requirements (e.g. legal, regulatory, customers, corporate mission, etc.) create knowledge that is fit for business purposes and has defined objectives, a specific context and a measurable purpose.
As a ‘public domain’ set of best practices, the information held within ITIL is more likely to be used and improved via use and as such, offers an advantage over proprietary knowledge and processes. Thus, a great deal of the success of ITIL has been due to the fact that the information has been readily and easily available and the vocabulary used in the books has found general acceptance. Additionally, ITIL is vendor-neutral, non-prescriptive and represents best practices from industry leaders of best-in-class service providers. Adopting ITIL enables organizations to:
ITIL is based on the concept of a five-stage service lifecycle. A brief description of each stage is below:
More information around ITIL and its educational schema can be found at www.itil-officialsite.com.
Table 3 lists the processes and the corresponding section numbering from the source documents. These numbers are important to the mapping information found in the Appendix.
Within COBIT 5 Implementation, the “Implementation Life Cycle” is the core concept and is key to the COBIT5 framework. This reference guide provides a good practice approach to continual improvement that can be used to implement the various components of a governance framework. As with all improvement lifecycles, it can be tailored to meet specific enterprise needs.
It is well-known that any improvement initiative should be driven by the business need of creating value, and to ensure that this value is realized, adoption of efforts should be viewed from several different perspectives. Additionally, efforts should have the right mix of sponsorship, proper scope, well-understood objectives, and should fit the overall appetite for change that the enterprise can absorb.
The implementation lifecycle, illustrated in Figure 5, provides a methodology for organizations to leverage clearly defined (iterative) steps to adopt the COBIT framework. The three interrelated components and their associated steps are shown in the following table.
This approach clearly indicates that all three components need to be addressed and that they are interrelated – any major improvement effort (like the deployment of a new or changed service or process) requires the control that good program management brings, as well as some changes within the organization; specifically, understanding and addressing the organizational change tolerance and developing and enhancing the cultural environment for continual improvement. There are seven phases, each defining a main activity within that component. The seven phases are:
Many process-based management systems (i.e. ISO9001, ISO/IEC 20000, ISO/IEC 27001, etc.) are underpinned by the Deming Cycle (Plan-Do-Check-Act - PDCA). The power of this methodology is in its absolute simplicity – four easy to understand steps that drive continual review and assessment of a process or activity. Briefly, PDCA can be condensed as such:
PDCA is meant to be iterative with each cycle moving the process closer and closer to the defined “ultimate” goal. What is interesting is that the success of PDCA is based on the capture of knowledge from previous iterations. This increase of knowledge within each iteration allows one to refine the ultimate goal, which may very well be an initial “best guess,” to something that is more appropriate and focused on true business need. This methodology allows for movement where the sometimes overwhelming “ready, aim, aim, aim, aim, aim….” actions of getting it “perfect” the first time and never accomplishing anything are now replaced with a “ready, aim, fire, aim, fire” action. Between each “aim, fire” sequence, the lessons learned are applied to the next. This is more “forgiving” than having a specific, “set in stone” goal that on paper, is fantastic but when operationalized, very unrealistic. Now, learning and improvement are a constant rather than a side-effect of, possibly, a very expensive and limited value exercise.
PDCA underpins the activities and processes of the Service Management System (SMS) as described in ISO/IEC 20000-1. Also, it is quite easy to see where the ITIL Service Lifecycle holds the PDCA elements:
One improvement method found within the 2011 ITIL literature is the CSI Approach (formerly the CSI Model or CSI Plan). This approach can be summarized in six steps (see Figure 7):
Deming’s PDCA can easily be seen in this model with the first three steps fulfilling “Plan” and then the remaining steps match up directly with the final three Deming components.
This approach is valid in any and every aspect of the business. Frankly, we have followed this model on our consulting engagements – it’s clear and simple and it demands a focus on the business need, thus providing value for the customer and service provider. Apply this model not only to in-place services and functions but also to the ones that are only in the planning or ‘pre-planning’ stages. Following this specific model can prevent design flaws, provide focus for strategic activities, and improve transition measures and on-going operational activities because the focus is on the end goal – achievement of business outcome. The question “how does the proposed improvement allow for the achievement of organizational goals?” is now definitively answered.
ITIL® Service Lifecycle Publications, 2011 Edition
We think it is fairly clear that these three improvement models have a bit of overlap. The main point here is that as a service manager you adopt and adapt a model – be it the Implementation Lifecycle, Deming or the CSI Approach, or one of the many other models available. Or better yet, create something that works for you and your clients, always remembering the many elements to consider to ensure a robust improvement.
4 Free to members and non-members of ISACA. All other volumes are available for purchase for non-members.
5 Under review – currently in preliminary status
6 Under development
7 On hold status pending ISO/ITTF decision on publication
8 ISO/IEC 20000-1:2011, Information Technology – Service Management – Part 1: Service management system requirements