Appendix A: Related guidance
This is a common appendix across the ITIL core publications. It includes frameworks, best practices, standards, models and quality systems that complement and have synergy with the ITIL service lifecycle.
Section 2.1.7 describes the role of best practices in the public domain and references some of the publications in this appendix. Each core publication references this appendix where relevant.
Related guidance may also be referenced within a single ITIL core publication where the topic is specific to that publication.
A.1 ITIL GUIDANCE AND WEB SERVICES
ITIL is part of the Best Management Practice (BMP) portfolio of best-practice guidance (see section 1.3). BMP products present flexible, practical and effective guidance, drawn from a range of the most successful global business experiences. Distilled to its essential elements, the guidance can then be applied to every type of business and organization.
The BMP website (www.best-management-practice.com) includes news, reviews, case studies and white papers on ITIL and all other BMP best-practice guidance.
The ITIL official website (www.itil-officialsite.com) contains reliable, up-to-date information on ITIL – including information on accreditation and the ITIL software scheme for the endorsement of ITIL-based tools.
Details of the core publications are as follows:
Cabinet Office (2011). ITIL Service Strategy. TSO, London.
Cabinet Office (2011). ITIL Service Design. TSO, London.
Cabinet Office (2011). ITIL Service Transition. TSO, London.
Cabinet Office (2011). ITIL Service Operation. TSO, London.
Cabinet Office (2011). ITIL Continual Service Improvement. TSO, London.
The full ITIL glossary, in English and other languages, can be accessed through the ITIL official site at:
www.itil-officialsite.com/InternationalActivities/ITILGlossaries.aspx
The range of translated glossaries is always growing, so check this website for the most up-to-date list.
Details of derived and complementary publications can be found in the publications library of the Best Management Practice website at:
www.best-management-practice.com/Publications-Library/IT-Service-Management-ITIL/
A.2 QUALITY MANAGEMENT SYSTEM
Quality management focuses on product/service quality as well as the quality assurance and control of processes to achieve consistent quality. Total Quality Management (TQM) is a methodology for managing continual improvement by using a quality management system. TQM establishes a culture involving all people in the organization in a process of continual monitoring and improvement.
ISO 9000:2005 describes the fundamentals of quality management systems that are applicable to all organizations which need to demonstrate their ability to consistently provide products that meet customer and applicable statutory and regulatory requirements. ISO 9001:2008 specifies generic requirements for a quality management system.
Many process-based quality management systems use the methodology known as ‘Plan-Do-Check-Act’ (PDCA), often referred to as the Deming Cycle, or Shewhart Cycle, that can be applied to all processes. PDCA can be summarized as:
Plan Establish the objectives and processes necessary to deliver results in accordance with customer requirements and the organization's policies.
Do Implement the processes.
Check Monitor and measure processes and product against policies, objectives and requirements for the product and report the results.
Act Take actions to continually improve process performance.
There are distinct advantages of tying an organization’s ITSM processes, and service operation processes in particular, to its quality management system. If an organization has a formal quality management system that complies with ISO 9001, then this can be used to assess progress regularly and drive forward agreed service improvement initiatives through regular reviews and reporting.
Visit www.iso.org for information on ISO standards.
See www.deming.org for more information on the W. Edwards Deming Institute and the Deming Cycle for process improvement.
A.3 RISK MANAGEMENT
A number of different methodologies, standards and frameworks have been developed for the assessment and management of risk. Some focus more on generic techniques widely applicable to different levels and needs, while others are specifically concerned with risk management relating to important assets used by the organization in the pursuit of its objectives. Each organization should determine the approach to risk management that is best suited to its needs and circumstances. It is possible that the approach adopted will leverage the ideas reflected in more than one of the recognized standards and/or frameworks.
Appendix C gives more information on risk management. See also:
Office of Government Commerce (2010). Management of Risk: Guidance for Practitioners. TSO, London.
ISO 31000:2009 Risk management – principles and guidelines.
ISO/IEC 27001: 2005 Information technology – security techniques – information security management systems – requirements.
ISACA (2009). The Risk IT Framework (based on COBIT, see section A.5).
A.4 GOVERNANCE OF IT
Corporate governance refers to the rules, policies, processes (and in some cases, laws) by which businesses are operated, regulated and controlled. These are often defined by the board or shareholders, or the constitution of the organization; but they can also be defined by legislation, regulation or consumer groups.
ISO 9004 (Managing for the sustained success of an organization – a quality management approach) provides guidance on governance for the board and executive of an organization.
The standard for corporate governance of IT is ISO/IEC 38500. The purpose of this standard is to promote effective, efficient and acceptable use of IT in all organizations by:
Assuring stakeholders (including consumers, shareholders and employees) that, if the standard is followed, they can have confidence in the organization’s corporate governance of IT
Informing and guiding directors in governing the use of IT in their organization
Providing a basis for objective evaluation of the corporate governance of IT.
Typical examples of regulations that impact IT include: financial, safety, data protection, privacy, software asset management, environment management and carbon emission targets.
Further details are available at www.iso.org
ITIL Service Strategy references the concepts of ISO/IEC 38500 and how the concepts can be applied.
A.5 COBIT
The Control OBjectives for Information and related Technology (COBIT) is a governance and control framework for IT management created by ISACA and the IT Governance Institute (ITGI).
COBIT is based on the analysis and harmonization of existing IT standards and good practices and conforms to generally accepted governance principles. It covers five key governance focus areas: strategic alignment, value delivery, resource management, risk management and performance management. COBIT is primarily aimed at internal and external stakeholders within an enterprise who wish to generate value from IT investments; those who provide IT services; and those who have a control/risk responsibility.
COBIT and ITIL are not ‘competitive’, nor are they mutually exclusive – on the contrary, they can be used in conjunction as part of an organization’s overall governance and management framework. COBIT is positioned at a high level, is driven by business requirements, covers the full range of IT activities, and concentrates on what should be achieved rather than how to achieve effective governance, management and control. ITIL provides an organization with best-practice guidance on how to manage and improve its processes to deliver high-quality, cost-effective IT services. The following COBIT guidance supports strategy management and continual service improvement (CSI):
COBIT maturity models can be used to benchmark and drive improvement.
Goals and metrics can be aligned to the business goals for IT and used to create an IT management dashboard.
The COBIT ‘monitor and evaluate’ (ME) process domain defines the processes needed to assess current IT performance, IT controls and regulatory compliance.
Further details are available at www.isaca.org and www.itgi.org
A.6 ISO/IEC 20000 SERVICE MANAGEMENT SERIES
ISO/IEC 20000 is an internationally recognized standard for ITSM covering service providers who manage and deliver IT-enabled services to internal or external customers. ISO/IEC 20000-1 is aligned with other ISO management systems standards such as ISO 9001 and ISO/IEC 27001.
One of the most common routes for an organization to achieve the requirements of ISO/IEC 20000 is by adopting ITIL best practices. ISO/IEC 20000-1 is based on a service management system (SMS). The SMS is defined as a management system to direct and control the service management activities of the service provider. ISO/IEC 20000 includes:
ISO/IEC 20000-1:2005 – Information technology – Service management – Part 1: Specification
ISO/IEC 20000-1:2011 – Information technology – Service management – Part 1: Requirements for a service management system (the most recent edition of the ISO/IEC 20000 standard)
ISO/IEC 20000-2:2005 – Information technology – Service management – Part 2: Code of practice (being updated to include guidance on the application of service management systems and to support ISO/IEC 20000-1:2011)
ISO/IEC 20000-3:2005 – Information technology – Service management – Part 3: Scope and applicability
ISO/IEC TR 20000-4 – Information technology – Service management – Part 4: Process reference model
ISO/IEC TR 20000-5:2010 – Information technology – Service management – Part 5: Exemplar implementation plan for ISO/IEC 20000-1.
A closely related publication that is under development is ISO/IEC TR 15504-8 – Process assessment model for IT service management.
Further details can be found at www.iso.org or www.isoiec20000certification.com
Organizations using ISO/IEC 20000-1: 2005 for certification audits will transfer to the new edition, ISO/IEC 20000-1: 2011.
ITIL guidance supports organizations that are implementing service management practices to achieve the requirements of ISO/IEC 20000-1: 2005 and the new edition ISO/IEC 20000-1: 2011.
Other references include:
Dugmore, J. and Lacy, S. (2011). Introduction to ISO/IEC 20000 Series: IT Service Management. British Standards Institution, London.
Dugmore, J. and Lacy, S. (2011). BIP 0005: A Manager’s Guide to Service Management (6th edition). British Standards Institution, London.
A.7 ENVIRONMENTAL MANAGEMENT AND GREEN/SUSTAINABLE IT
The transition to a low-carbon economy is a global challenge. Many governments have set targets to reduce carbon emissions or achieve carbon neutrality. IT is an enabler for environmental and cultural change that will help governments to achieve their targets – for example, through enabling tele- and video-conferencing, and remote and home working. However, IT is also a major user of energy and natural resources. Green IT refers to environmentally sustainable computing where the use and disposal of computers and printers are carried out in sustainable ways that do not have a negative impact on the environment.
Appendix E in ITIL Service Design includes further information on environmental architectures and standards. Appendix E in ITIL Service Operation also provides useful considerations for facilities management, including environmental aspects.
The ISO 14001 series of standards for an environment management system is designed to assure internal and external stakeholders that the organization is an environmentally responsible organization. It enables an organization of any size or type to:
Identify and control the environmental impact of its activities, products or services
Improve its environmental performance continually
Implement a systematic approach to setting and achieving environmental objectives and targets, and then demonstrating that they have been achieved.
Further details are available at www.iso.org
A.8 ISO STANDARDS AND PUBLICATIONS FOR IT
ISO 9241 is a series of standards and guidance on the ergonomics of human system interaction that cover people working with computers. It covers aspects that impact the utility of a service (whether it is fit for purpose) such as:
ISO 9241-11:1999 Guidance on usability
ISO 9241-210:2010 Human-centred design for interactive systems
ISO 9241-151:2008 Guidance on world wide web user interfaces.
ISO/IEC JTC1 is Joint Technical Committee 1 of ISO and the International Electrotechnical Commission (IEC). It deals with information technology standards and other publications.
SC27 is a subcommittee under ISO/IEC JTC1 that develops ISO/IEC 27000, the information security management system (ISMS) family of standards. For further details, Appendix C includes information on ISO/IEC 27001. SC7 is a subcommittee under ISO/IEC JTC1 that covers the standardization of processes, supporting tools and supporting technologies for the engineering of systems, services and software. SC7 publications include:
ISO/IEC 20000 Information technology – service management (see section A.6)
ISO/IEC 19770-1 Information technology – software asset management processes. ISO/IEC 19770-2:2009 establishes specifications for tagging software to optimize its identification and management
ISO/IEC 15288 Systems and software engineering – systems life cycle processes. The processes can be used as a basis for establishing business environments – e.g. methods, procedures, techniques, tools and trained personnel
ISO/IEC 12207 Systems and software engineering – software life cycle processes
ISO/IEC 15504 Process assessment series. Also known as SPICE (software process improvement and capability determination), it aims to ensure consistency and repeatability of the assessment ratings with evidence to substantiate the ratings. The series includes exemplar process assessment models (PAM), related to one or more conformant or compliant process reference model (PRM). ISO/IEC 15504-8 is an exemplar process assessment model for IT service management that is under development
ISO/IEC 25000 series – provides guidance for the use of standards named Software product Quality Requirements and Evaluation (SQuaRE)
ISO/IEC 42010 Systems and software engineering — recommended practice for architectural description of software-intensive systems.
SC7 is working on the harmonization of standards in the service management, software and IT systems domains. Further details are available at www.iso.org
A.9 ITIL AND THE OSI FRAMEWORK
At around the time that ITIL V1 was being written, the International Standards Organization launched an initiative that resulted in the Open Systems Interconnection (OSI) framework. Since this initiative covered many of the same areas as ITIL V1, it is not surprising that there was considerable overlap.
However, it is also not surprising that they classified their processes differently, used different terminology, or used the same terminology in different ways. To confuse matters even more, it is common for different groups in an organization to use terminology from both ITIL and the OSI framework.
The OSI framework made significant contributions to the definition and execution of ITSM programmes and projects around the world. It has also caused a great deal of debate between teams that do not realize the origins of the terminology that they are using. For example, some organizations have two change management departments – one following the ITIL change management process and the other using the OSI installation, moves, additions and changes (IMAC) model. Each department is convinced that it is completely different from the other, and that it is performing a different role. Closer examination will reveal that there are several areas of commonality.
In service operation, the management of known errors may be mapped to fault management. There is also a section related to operational capacity management, which can be related to the OSI concept of performance management.
Information on the set of ISO standards for the OSI framework is available at: www.iso.org
A.10 PROGRAMME AND PROJECT MANAGEMENT
Large, complex deliveries are often broken down into manageable, interrelated projects. For those managing this overall delivery, the principles of programme management are key to delivering on time and within budget. Best management practice in this area is found in Managing Successful Programmes (MSP).
Guidance on effective portfolio, programme and project management is brought together in Portfolio, Programme and Project Offices (P3O), which is aimed at helping organizations to establish and maintain appropriate business support structures with proven roles and responsibilities.
Structured project management methods, such as PRINCE2 (PRojects IN Controlled Environments) or the Project Management Body of Knowledge (PMBOK) developed by the Project Management Institute (PMI), can be used when improving IT services. Not all improvements will require a structured project approach, but many will, due to the sheer scope and scale of the improvement. Project management is discussed in more detail in ITIL Service Transition.
Visit www.msp-officialsite.com for more information on MSP.
Visit www.p3o-officialsite.com for more information on P3O.
Visit www.prince-officialsite.com for more information on PRINCE2.
Visit www.pmi.org for more information on PMI and PMBOK.
See also the following publications:
Cleland, David I. and Ireland, Lewis R. (2006). Project Management: Strategic Design and Implementation (5th edition). McGraw-Hill Professional.
Haugan, Gregory T. (2006). Project Management Fundamentals. Management Concepts.
Office of Government Commerce (2009). Managing Successful Projects with PRINCE2. TSO, London.
Cabinet Office (2011). Managing Successful Programmes. TSO, London.
Office of Government Commerce (2008). Portfolio, Programme and Project Offices. TSO, London.
The Project Management Institute (2008). A Guide to the Project Management Body of Knowledge (PMBOK Guide) (4th edition). Project Management Institute.
A.11 ORGANIZATIONAL CHANGE
There is a wide range of publications that cover organizational change including the related guidance for programme and project management referred to in the previous section.
Chapter 5 in ITIL Service Transition covers aspects of organizational change elements that are an essential part of, or a strong contributor towards, service transition. ITIL Service Transition and ITIL Continual Service Improvement (this volume) refer to Kotter’s ‘eight steps for organizational change’.
Visit www.johnkotter.com for more information. See also the following publications:
Kotter, John P. (1996). Leading Change. Harvard Business School Press.
Kotter, John P. (1999) What Leaders Really Do. Harvard Business School Press.
Kotter, J. P. (2000). Leading change: why transformation efforts fail. Harvard Business Review January–February.
Kotter, John P. and Cohen, Dan S. (2002) The Heart of Change: Real-Life Stories of How People Change their Organizations. Harvard Business School Press.
Kotter, J. P. and Schlesinger, L. C. (1979). Choosing strategies for change. Harvard Business Review Vol. 57, No. 2, p.106.
Kotter, John P., Rathgeber, Holger, Mueller, Peter and Johnson, Spenser (2006). Our Iceberg Is Melting: Changing and Succeeding Under Any Conditions. St. Martin’s Press.
A.12 SKILLS FRAMEWORK FOR THE INFORMATION AGE
The Skills Framework for the Information Age (SFIA) enables employers of IT professionals to carry out a range of human resource activities against a common framework including a skills audit, planning future skill requirements, development programmes, standardization of job titles and functions, and resource allocation.
SFIA provides a standardized view of the wide range of professional skills needed by people working in IT. SFIA is constructed as a simple two-dimensional matrix consisting of areas of work on one axis and levels of responsibility on the other. It uses a common language and a sensible, logical structure that can be adapted to the training and development needs of a very wide range of businesses.
Visit www.sfia.org.uk for further details.
A.13 CARNEGIE MELLON: CMMI AND ESCM FRAMEWORK
The Capability Maturity Model Integration (CMMI) is a process improvement approach developed by the Software Engineering Institute (SEI) of Carnegie Mellon University. CMMI provides organizations with the essential elements of effective processes. It can be used to guide process improvement across a project, a division or an entire organization. CMMI helps integrate traditionally separate organizational functions, sets process improvement goals and priorities, provides guidance for quality processes, and suggests a point of reference for appraising current processes. There are several CMMI models covering different domains of application.
The eSourcing Capability Model for Service Providers (eSCM-SP) is a framework developed by ITSqc at Carnegie Mellon to improve the relationship between IT service providers and their customers.
Organizations can be assessed against CMMI models using SCAMPI (Standard CMMI Appraisal Method for Process Improvement).
For more information, see www.sei.cmu.edu/cmmi/
A.14 BALANCED SCORECARD
A new approach to strategic management was developed in the early 1990s by Drs Robert Kaplan (Harvard Business School) and David Norton. They named this system the ‘balanced scorecard’. Recognizing some of the weaknesses and vagueness of previous management approaches, the balanced scorecard approach provides a clear prescription as to what companies should measure in order to ‘balance’ the financial perspective. The balanced scorecard suggests that the organization be viewed from four perspectives, and it is valuable to develop metrics, collect data and analyse the organization relative to each of these perspectives:
The learning and growth perspective
The business process perspective
The customer perspective
The financial perspective.
Some organizations may choose to use the balanced scorecard method as a way of assessing and reporting their IT quality performance in general and their service operation performance in particular.
Further details are available through the balanced scorecard user community at www.scorecardsupport.com
A.15 SIX SIGMA
Six Sigma is a data-driven process improvement approach that supports continual improvement. It is business-output-driven in relation to customer specification. The objective is to implement a measurement-oriented strategy focused on process improvement and defects reduction. A Six Sigma defect is defined as anything outside customer specifications.
Six Sigma focuses on dramatically reducing process variation using statistical process control (SPC) measures. The fundamental objective is to reduce errors to fewer than 3.4 defects per million executions (regardless of the process). Service providers must determine whether it is reasonable to expect delivery at a Six Sigma level given the wide variation in IT deliverables, roles and tasks within IT operational environments.
There are two primary sub-methodologies within Six Sigma: DMAIC (Define, Measure, Analyse, Improve, Control) and DMADV (Define, Measure, Analyse, Design, Verify). DMAIC is an improvement method for existing processes for which performance does not meet expectations, or for which incremental improvements are desired. DMADV focuses on the creation of new processes. For more information, see:
George, Michael L. (2003). Lean Six Sigma for Service: How to Use Lean Speed and Six Sigma Quality to Improve Services and Transactions. McGraw-Hill.
Pande, Pete and Holpp, Larry (2001) What Is Six Sigma? McGraw-Hill.
Pande, Peter S., Neuman, Robert P. and Cavanagh, Roland R. (2000). The Six Sigma Way: How GE, Motorola, and Other Top Companies are Honing their Performance. McGraw-Hill.