By George Spafford
Understanding how the many IT frameworks work together is the first step towards using them appropriately, writes ITSMWatch columnist George Spafford of Pepperweed Consulting.
With the economic downturn, organizations are pushing to drive down costs while improving quality. To shorten the learning curve and improve the likelihood of success, proven business and IT frameworks relating to quality and other disciplines are being reviewed for insights on how to improve effectiveness and efficiency. IT groups that are not familiar with the various frameworks, and with how they may integrate, are apt to make wrong decisions or to allow business management to make wrong decisions.

Given the plethora of frameworks that IT may be involved with, it makes sense to review some of the most common ones at a very high level and then discuss how they can work together. The following are common frameworks that IT may well encounter:
Control Objectives for Information and related Technologies (COBIT) – This identifies control objectives that are used in process design to mitigate risks. Once an organization understands its risks and wants to identify how to mitigate them, COBIT can help.
Information Technology Infrastructure Library (ITIL) – This collection of five books codifies IT Service Management (ITSM) and the associated lifecycle of IT services, with supporting best-practice processes. The ITIL guidance begins with Service Strategy, then Service Design, Service Transition, Service Operation and Continual Service Improvement.
ISO/IEC 20000:2005 – This is the international standard for ITSM. It is split into two parts: 20000-1 is the specification itself and states what an organization must do to be certified; 20000-2 is the code of practice that identifies opportunities for improvement. At this time it is based on ITIL v2, and whereas ITIL does not have an organizational certification associated with it, ISO 20000 does.
ISO/IEC 27000 series (2005 editions) – This is the international standard family for information security. At this time it has two main parts, and there are plans to add more in the future. ISO/IEC 27001 specifies the requirements for an information security management system (ISMS) and is the part an organization is certified against. ISO/IEC 27002, the code of practice, goes into more detail around the controls themselves.
ISO 9000 – This generic name refers to a family of standards that help define a quality management system. While it originated in manufacturing, it can be found in many different types of organizations.
Lean Six Sigma (LSS) – This is a combined quality management approach that blends Lean’s desire to move faster and create value with Six Sigma’s approach to reduce defects and re-work. As a result, LSS addresses defects and time wasted as it seeks to increase overall speed while reducing cost.
Leveraging the Frameworks
In reviewing the above, we can make some broad groupings. ISO 9000 and LSS can be found in organizations around the world and are not IT centric. The others are specific to IT so let’s begin there:
COBIT is used to identify controls that mitigate risks, and it recommends what to do, but it does not give details on how to design the control. In practice, controls need solid processes to be effective, and that is where the other frameworks come in. ITIL provides very good guidance on IT Service Management processes. For perspectives on how to design processes that embody controls relating to change management, release management, incident management and other service-related areas, ITIL is very good.
Now, ISO 20000 and ITIL do overlap. Right now they also diverge somewhat, because of ISO 20000’s grounding in ITIL v2. Groups pursuing ISO 20000 may benefit from the additional guidance found in ITIL v3, but they must still make sure they follow the requirements set forth in the standard in order to be certified. For groups looking to show their clients that they are focused on providing quality services, an ISO 20000 certification is one way to do that.
To be clear, ITIL is very much focused on improving the quality of the services that IT provides. Its drawback is that it does not carry an organizational certification (individuals can earn ITIL qualifications, but organizations and products cannot be certified). For example, when a tool claims to be “ITIL Compliant”, that is just a marketing term, because no such certification exists. Likewise, a practitioner company can be assessed and receive objective recommendations on how to improve, but there is no certification like there is for ISO 20000.
Returning to COBIT and process guidance: if controls around information security are needed, then the ISO 27000 series can be used for additional guidance. For organizations that want to market their attention to information security, becoming certified against ISO 27001 and advertising that fact is one approach.
ISO 9000, Lean, Six Sigma and LSS are all quality management frameworks that the overall organization may be pursuing. Many business managers and executives have formal training and experience with these approaches to quality. What they often lack is exposure to ITIL. If there is pressure to stop an ITIL implementation because LSS is being pursued, for example, then it needs to be explained that ITIL provides reference practices for groups pursuing process improvement. If ITIL is not used, process improvement will be limited. For instance, it may be identified that the handling of incidents needs to be streamlined. Without referring to ITIL, the stakeholders involved can only try to improve their approach based on what they already know.
In closing, there are many frameworks in the world today, far more than the handful mentioned in this article. IT groups seeking to improve their processes would do well to understand what other groups are doing, both within the firm and in the industry, and the direction the overall organization is taking. IT can then plan how best to continuously improve the services it provides, so as to create and protect value for the organization.
George Spafford is a principal consultant with Pepperweed Consulting and a long-time IT professional. George's professional focus is on compliance, security, management and overall process improvement.