
Table of contents

1. Abstract
2. Introduction
3. IT Governance
   3.1 Strategic alignment
   3.2 Value delivery
   3.3 Resource management
   3.4 Risk management
   3.5 Performance measurement
4. Why Is IT Governance Necessary?
   4.1 Benefits of IT Governance
5. COBIT (Control Objectives for Information and related Technology)
   5.1 COBIT Domains
       5.1.1 Plan and Organise
       5.1.2 Acquire and Implement
       5.1.3 Deliver and Support
       5.1.4 Monitor and Evaluate
   5.2 How Does COBIT Help Implement Effective IT Governance?
   5.3 Why is COBIT valuable?
   5.4 Limitations of COBIT
6. ITIL (Information Technology Infrastructure Library)
   6.1 ITIL v3
       6.2.1 Service Strategy
       6.2.2 Service Design
       6.2.3 Service Transition
       6.2.4 Service Operation
       6.2.5 Continual Service Improvement (CSI)
7. COBIT and ITIL: The Alignment
8. Conclusion
9. References
10. Appendix: ITIL maps on CobiT detailed level process

List of Figures

Figure 1: Five Outcomes of IT Governance
Figure 2: Plan and Organise
Figure 3: Acquire and Implement
Figure 4: Deliver and Support
Figure 5: Deliver and Support
Figure 6: ITIL version 2 library [ILX]
Figure 7: ITIL version 3

1. Abstract

Organisations require a structured approach for managing these and other challenges. This will ensure that there are agreed objectives for IT, good management controls in place and effective monitoring of performance to keep on track and avoid unexpected outcomes.

Management hopes for a heightened understanding of the way IT is operated and the likelihood of its being leveraged successfully for competitive advantage. Boards and executive management need to extend governance to IT and provide the leadership, organisational structures and processes that ensure that the enterprise's IT sustains and extends the enterprise's strategies and objectives. IT governance is not an isolated discipline; it is an integral part of overall enterprise governance. The need to integrate IT governance with overall governance is similar to the need for IT to be an integral part of the enterprise rather than something practised in remote corners or ivory towers. An increasingly educated and assertive set of stakeholders is concerned about the sound management of its interests. This has led to the emergence of governance principles and standards for overall enterprise governance. Furthermore, regulations establish board responsibilities and require that the board of directors exercise due diligence in its roles. Investors have also realised the importance of governance; research shows they are willing to pay a premium of more than 20 percent on shares of enterprises that have been shown to have good governance practices in place [1].

[1] McKinsey's Investor Opinion Survey, June 2000

2. Introduction

For many enterprises, information and the technology that supports it represent their most valuable, but often least understood, assets. Successful enterprises recognise the benefits of information technology and use it to drive their stakeholders' value. These enterprises also understand and manage the associated risks, such as increasing regulatory compliance and the critical dependence of many business processes on information technology (IT). To be able to manage an enterprise, good enterprise governance practices have to be strictly followed.

Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:

- Providing strategic direction
- Ensuring that objectives are achieved
- Ascertaining that risks are managed appropriately
- Verifying that the enterprise's resources are used responsibly

Enterprise governance is about:

- Conformance: adhering to legislation, internal policies and audit requirements, among others
- Performance: improving profitability, efficiency, effectiveness and growth

3. IT Governance

An integral part of enterprise governance, consisting of the leadership, organisational structures and processes that ensure that the enterprise's IT sustains and extends the organisation's strategies and objectives.

Figure 1: Five Outcomes of IT Governance (diagram of the IT governance domains)

Simply stated, IT governance is the responsibility of the board and must be integrated into the organization's enterprise governance structure. Boards and senior management must know what to expect from their information security programs.

As shown in Figure 1, the five basic outcomes of IT governance should include:

- Strategic alignment of information security
- Value delivery: optimizing information security investment
- Resource management
- Risk management: manage and mitigate risks
- Performance measurement: information security governance metrics

3.1 Strategic alignment

It focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations.

3.2 Value delivery

It is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.

3.3 Resource management

It is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.

3.4 Risk management

Requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, an understanding of compliance requirements, transparency about the significant risks to the enterprise, and the embedding of risk management responsibilities in the organisation.

3.5 Performance measurement

Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

4. Why Is IT Governance Necessary?

IT governance is needed to ensure that the investments in IT generate value (the reward) and to mitigate IT-associated risks, avoiding failure.

IT is central to organisational success, that is, to the effective and efficient delivery of services and goods, especially when the IT is designed to bring about change in an organisation. This change process, commonly referred to as business transformation, is now the prime enabler of new business models in both the private and public sectors. Business transformation offers many rewards, but it also carries many risks, which may disrupt operations and have unintended consequences. The dilemma becomes how to balance risk and reward when using IT to enable organisational change.

4.1 Benefits of IT Governance

- Increased predictability and reduced uncertainty of business operations
- Protection from the potential for civil and legal liability
- Structure to optimize the allocation of resources
- Assurance of security policy compliance
- Foundation for effective risk management
- A level of assurance that critical decisions are not based on faulty information
- Accountability for safeguarding information

5. COBIT (Control Objectives for Information and related Technology)

Business orientation is the main theme of COBIT. It is designed to be employed not only by users and auditors, but also, and more importantly, as comprehensive guidance for management and business process owners. Increasingly, business practice involves the full empowerment of business process owners so that they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The COBIT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

The framework continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor. This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.

IT governance guidance is also provided in the COBIT framework. IT governance provides the structure that links IT processes, IT resources and information to enterprise strategies and objectives. IT governance integrates optimal ways of planning and organising, acquiring and implementing, delivering and supporting, and monitoring and evaluating IT performance. IT governance enables the enterprise to take full advantage of its information, thereby maximizing benefits, capitalising on opportunities and gaining competitive advantage.

In addition, corresponding to each of the 34 high-level control objectives is an audit guideline to enable the review of IT processes against COBIT's 318 recommended detailed control objectives, to provide management assurance and/or advice for improvement.

Specifically, COBIT provides maturity models for control over IT processes, so management can map where the organisation is today, where it stands in relation to the best in class in its industry and to international standards, and where the organisation wants to be.

5.1 COBIT Domains

5.1.1 Plan and Organise

Figure 2: Plan and Organise

5.1.2 Acquire and Implement

This domain covers identifying IT requirements, acquiring the technology, and implementing it within the company's current business processes. It also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components.

Figure 3: Acquire and Implement

5.1.3 Deliver and Support

The Deliver and Support domain focuses on the delivery aspects of the information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as the support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues and training.

Figure 4: Deliver and Support

5.1.4 Monitor and Evaluate

The Monitor and Evaluate domain deals with a company's strategy in assessing the needs of the company and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers the independent assessment, by internal and external auditors, of the effectiveness of the IT system in meeting business objectives and of the company's control processes.

Figure 5: Deliver and Support

5.2 How Does COBIT Help Implement Effective IT Governance?

COBIT enables mapping of IT goals to business goals and vice versa. It provides better alignment, based on a business focus, and, more importantly, it gives a view of what IT does that is understandable to management. There is also a shared understanding amongst all stakeholders, based on a common language and the fulfillment of the COSO requirements for the IT control environment.

5.3 Why is COBIT valuable?

Executives can expect the following results from the adoption of COBIT:

- IT staff and executives will understand more fully how the business and IT can work together for successful delivery of IT initiatives.
- Full life-cycle costs of IT will become more transparent and predictable.
- IT will deliver better quality and more timely information.
- IT will deliver better quality services and more successful projects.
- Security and privacy requirements will be clearer and implementation more easily monitored.
- IT-related risks will be managed more effectively.
- Audits will be more efficient and successful.
- IT compliance with regulatory requirements will be a normal management practice.

5.4 Limitations of COBIT

Despite the various reasons to use COBIT, it still needs to be customised by whoever wants to use it. To customise it, an analysis of the control requirements should be performed, based on the value drivers, the risk profile, and the IT infrastructure and project portfolio.

6. ITIL (Information Technology Infrastructure Library)

The Information Technology Infrastructure Library (ITIL) is a set of concepts and policies for best practice in Information Technology Service Management, development and operations. It describes a number of important IT practices with checklists, tasks and procedures. It provides a framework for IT Service Management practitioners to demonstrate their knowledge and understanding of ITIL and to develop their professional expertise through training and qualifications. IT organizations can customise it to their needs.

ITIL started in 1989 as the IT Infrastructure Library compiled by W. Edwards Deming, which became v1. ITIL v2 came out in the year 2000 to make ITIL more accessible and more affordable. ITIL v2 was grouped into eight sets logically bounded by related processes, the main one being the Service Management set. ITIL version 2 focused mainly on what should be done to improve an organization's aims.

Figure 6: ITIL version 2 library [ILX]

There was a request from practitioners to improve on this version so as to meet the increasing needs of businesses. As such, in May 2007, the third version of ITIL came out in five volumes revolving around the concept of the Service Lifecycle structure. The third version is much more prescriptive and gives more return on investment to businesses. In this section, the focus will be mainly on the IT practices of ITIL v3.

6.1 ITIL v3

ITIL v3 is an evolution of v2, making ITIL even more accessible and more complete. As mentioned earlier, it is built around the concept of the Service Lifecycle structure, which is shown below.

Figure 7: ITIL version 3

ITIL version 3 has been long awaited by many practitioners, and many international organizations, such as private and public sector bodies, examination bodies and businesses, among many others, contributed to the development of ITIL version 3.

ITIL version 3 has many improvements compared to the second version. As mentioned earlier, it is more prescriptive, it tells exactly how things should be done and, thirdly and more importantly for businesses, it provides guidance on return on investment. It has also evolved in structure by classifying the different sections and adding more detail to them. The contents also underwent four major evolutions. The first evolution involved how to integrate business processes with IT technologies; it aims at making business and IT a single interdependent component rather than two separate entities. The second evolution is that it included an integrated value service network that brings together all business units such that they do not need to refer to a third party for prescription. The third evolution is that it makes service the centre point rather than something to be done later. It provides a dynamic service portfolio for continuous service improvement. Fourthly, the processes have been reviewed and refined in 5 volumes that meet the specific needs of organizations.

The five volumes are:

- Service Strategy
- Service Design
- Service Transition
- Service Operation
- Continuous Service Improvement

Each of the five volumes will be detailed as follows.

6.2.1 Service Strategy

Being the core of the ITIL Service Lifecycle, it offers guidance on the clarification and prioritization of service provider investments in services by ensuring that the Service Strategy is defined, maintained and implemented. It aims at helping IT organizations improve and progress over time and depends mostly on a market-driven approach. It also introduces new concepts such as value creation, market definition and solution space. Its focus is mainly on enabling practical decision making based upon an understanding of service assets, structures and service economics. It fundamentally aims at increasing the economic life of the services.
17
6.2.2 Service Design

In order to meet the current and future business requirements, Service Design provides guidance on the production and maintenance of IT policies, architectures, and documents for the design of appropriate and innovative IT service solutions and processes. Service Design aims at converting the business strategy into reality. Service Design addresses how a planned service solution interacts with the larger business and technical environments, the service management systems required to support the service, the processes which interact with the service, the technology and architecture required to support the service, and the supply chain required to support the planned service.

Concepts and guidance include:

- Service design objectives and elements
- Selecting the service design model
- Cost model
- Benefit/risk analysis
- Implementing service design
- Measurement and control
18
6.2.3 Service Transition

Service Transition relates to the delivery of services required by the business into live/operational use. It aims to bridge the gap between projects and operations more effectively. Service Transition is concerned with the quality and control of the delivery to operations and provides example organization models to support transition, and guidance on how to reduce variation of delivery. It includes service asset and configuration management, validation and testing, release and deployment management, change management and knowledge management.

6.2.4 Service Operation

Service Operation ensures that there are end-to-end practices which support responsive and stable services. It is the part of the lifecycle where the services and value are actually directly delivered. It considers the monitoring of problems and the balance between service reliability and costs. The functions include event management, incident management, problem management, request fulfillment and access management.

6.2.5 Continual Service Improvement (CSI)

Continual Service Improvement aims at aligning and realigning the IT services to meet the changing business requirements. For this to be possible, there needs to be up-front planning, training and awareness, ongoing scheduling, role creation, ownership assignment and the core activities identified for it to be successful. It includes service level management, service measurement and reporting, and continual service improvement.

7. COBIT and ITIL: The Alignment

The COBIT framework is aimed primarily at compliance and security and, as such, ensures the IT governance for the operation of the IT services. ITIL describes a systematic, professional procedure for the management of IT services. The library forcefully puts the emphasis on the importance of meeting the corporate requirements from the commercial aspect. IT service management under ITIL is geared purely towards customer benefit and efficiency. Achieving the business objectives whilst simultaneously meeting internal and external requirements is fundamental to ensuring a company's medium and long-term success. The synergy between the two frameworks lies in the fact that the more formal control objectives of COBIT are aligned with the ITIL framework. This link synchronizes the standards for the strategic orientation and increased efficiency of IT service management with the auditing standards.

COBIT defines 34 IT processes and includes tools for performance measurement (outcome measures and performance drivers for all IT processes); a list of critical success factors that provides concise, non-technical best practices for each IT process; and maturity models to assist in benchmarking and decision-making for capability improvements. COBIT systematically chronicles a checklist of all the things we ought to be doing, and their properties, but ITIL explains how.

ITIL does not stand alone. It requires a framework of policy, process, procedures and metrics that can give direction to IT operations (and ITIL activities). COBIT and ITIL together are a powerful force for IT operational efficiency and effectiveness. ITIL is a collection of best practices in Service Management, Security, Infrastructure Management, and Application Management. Together they can make the process improvement task much more achievable.

COBIT addresses the need for an IT organization to unambiguously understand the need for technology-enabled business change. It does this by tying the business use of information to the processes and resources used by IT to deliver that information. The IT Infrastructure Library addresses a subset of the 34 COBIT processes that relate to the delivery (defining services, quality of service and planning for their delivery) and support (direct support for the restoration of service and changes to the infrastructure) of IT services. While there is an overlap in some process areas, that overlap enables the integration of the COBIT and ITIL frameworks.

ITIL is not an out-of-the-box solution and does not have to stand alone; in fact, an organisation may struggle to effectively implement ITIL without some form of IT governance framework. Whilst ITIL provides best practices on planning, designing, and implementing effective ITSM capabilities, the addition of COBIT guidance and tools can help an organisation ensure that its ITSM effort is better aligned with the business and with its governance and internal control requirements. A point not to be overlooked here is that IT governance does not only improve internal control but can also be a key facilitator in aligning IT goals with those of the enterprise, a key pillar of ITIL's raison d'être.

The integration of COBIT with ITIL processes not only allows management to improve processes and control-based elements, it also helps to demonstrate the level of IT governance. The utilisation of an industry standard set of controls (and common terminology) facilitates the provision of assurance to both internal and external assessors, and this potentially reduces the time and effort required from both operational staff and assessors in completing compliance-based initiatives.

The mappings are used to drill down from the COBIT Control Objectives into specific Control Practices to beef up existing, or proposed, ITIL processes in order to help achieve effective IT governance. These can be used to create specific process control points against which an organisation can measure compliance. Not all the COBIT Domains map onto ITIL. ITIL has many omissions compared to COBIT. ITIL focuses on operations, and mostly ignores development/solutions. ITIL seldom ventures into project management or portfolio management, and it skips a lot of aspects of request management.

There is no reason, however, why an organisation cannot utilise COBIT's supporting Control Objectives within these Domains to further improve business alignment and IT governance.

8. Conclusion

To conclude, we can say that CobiT addresses what needs to be controlled and how that is to be measured, and ITIL addresses how IT services are to be delivered and supported. When implemented properly, both CobiT and ITIL provide the necessary framework of good practices that enables an IT organization to clearly align itself with the goals of the business, manage its resources to enable those goals through the optimized delivery of the information needed by the business, and deliver IT services and provide for their direct support.

9. References

Brisebois, Richard; Boyd, Greg; Shadid, Ziad. What is IT Governance? Canada. Web. 24 Oct. 2009.

Washington, Cheryl; Torner, Javier. IT Governance. Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition. 2004. Web. 24 Oct. 2009.

IT Governance Institute and the Office of Government Commerce. Aligning COBIT, ITIL and ISO 17799 for Business Benefit: Management Summary. 2005. Web. 25 Oct. 2009.

10. Appendix : ITIL maps on CobiT Detailed level process

CobiT 4.1 Control Objective Key Areas ITIL V3 Supporting Information


PLAN AND ORGANISE
PO1.1 IT value management Business case SS 2.2 What are services?
Allocation of funds SS 3.1 Value creation
Benefit realisation SS 3.4 Service structures
Business case evaluation SS 4.4 Prepare for execution
SS 5.1 Financial management
SS 5.2 Return on investment
SS 5.3 Service portfolio
management
SS 5.4 Service portfolio
management method
IT alignment with business
PO1.2 Business-IT alignment strategy SS 2.1 What is service
Bi-directional and reciprocal management?
involvement in strategic planning SS 2.3 The business process
SS 2.4 Principles of service
management
PO1.3 Assessment of current
capability Baseline of current performance SS 4.4 Prepare for execution
and performance Assessment of business CSI 5.2 Assessments
contribution, functionality, stability,
complexity, costs, strengths and
weaknesses
PO1.4 IT strategic plan Definition of IT goals SS 3.3 Service provider types
Contribution to enterprise
objectives, SS 3.5 Service strategy
budgets, funding, sourcing and fundamentals
acquisition strategy SS 4.1 Define the market
SS 4.2 Develop the offerings

SS 4.3 Develop strategic assets


SS 4.4 Prepare for execution
SS 5.5 Demand management
SS 6.5 Sourcing strategy
PO1.5 IT tactical plans IT initiatives SS 4.4 Prepare for execution

Resource requirements SS 7.1 Implementation through


Monitoring and managing benefit the lifecycle
achievement SS 7.2 Strategy and design

SS 7.3 Strategy and transitions

SS 7.4 Strategy and operations

PO1.6 IT portfolio management Defining, prioritising, managing SS 2.5 The service lifecycle

A
programmes SS 3.4 Service structures
Clarifying outcomes and scope SS 4.2 Develop the offerings

of effort SS 4.3 Develop strategic assets


Assigning accountability SS 5.3 Service portfolio
Allocating resources and funding management
SS 5.4 Service portfolio
management methods
SS 5.5 Demand management
SD 3.4 Identifying and
documenting

business requirements and drivers


SD 3.6.1 Designing service
solutions

SD 3.6.2 Designing supporting


systems, especially the service
portfolio

PO2.1 Enterprise information Decision support analysis SD 3.6 Design aspects

architecture model Information architecture model SD 3.6.3 Designing technology


maintained architectures
SD 3.9 Service-oriented
Corporate data model architecture
SD 3.10 Business service
management
SD 5.2 Data and information
management

ST 4.7 Knowledge management


PO2.2 Enterprise data dictionary
and Corporate data dictionary SD 5.2 Data and information
data syntax rules Common data understanding management

SD 7 Technology considerations

PO2.3 Data classification scheme Information classes SD 5.2 Data and information
Ownership management
Retention
Access rules
Security levels for each
information
class

PO2.4 Integrity management Integrity and consistency of data SD 5.2 Data and information
management

B
ST 4.7 Knowledge management
PO3.1 Technological direction
planning Available technologies SS 8 Technology and strategy
Enablement of IT strategy
Systems architecture
Technological direction
Migration strategies
PO3.2 Technology infrastructure
plan Technological infrastructure plan SD 3.6.3 Designing technology
Acquisition direction architectures
Economies of scale
Interoperability of platforms

PO3.3 Monitor future trends and Business sector, industry, SS 2.4 Principles of service
regulations technology, infrastructure, legal and management
SD 4.3.5.7 Modelling and
regulatory trends trending

PO4.1 IT process framework
  Key areas: IT process structure and relationships; Process ownership; Integration with business processes, enterprise portfolio management and business change processes
  ITIL V3: SS 2.6 Functions and processes across the life cycle; SS 3.4 Service structures; SS 7.1 Implementation through the life cycle; SS 9.1 Complexity; SS 9.2 Co-ordination and control; SS 9.3 Preserving value; SS 9.4 Effectiveness in measurement; SD 2.4.2 Scope; SD 3.6.3 Designing technology architectures; SD 3.6.4 Designing processes; SD 3.6.5 Design of measurement systems and metrics; SD 4 Service design processes; SD 6.1 Functional roles analysis; SD 6.2 Activity analysis; SD 6.3 Skills and attributes; SD 6.4 Roles and responsibilities; SD 8 Implementing service design; SD App C Process documentation templates (example); ST 3.2.7 Establish effective controls and disciplines; ST 4 Service transition processes; ST 6.1 Generic roles; ST 8 Implementing service transition; SO 2.3 Functions and processes across the life cycle; SO 4 Service operation processes; SO 4.6 Operational activities of processes covered in other life cycle phases; SO 6 Organising for service operation; SO 8 Implementing service operation; CSI 3.11 Frameworks, models, standards and quality systems; CSI 4 Continual service improvement processes; CSI 4.1.1 Integration with the rest of the life cycle stages and service management processes; CSI 5.2 Assessments; CSI 5.5 The Deming Cycle; CSI 8 Implementing continual service improvement

PO4.2 IT strategy committee
  Key areas: Board direction; IT governance; Strategic direction; Review of investments
  ITIL V3: SD 2.4.2 Scope

PO4.4 Organisational placement of the IT function
  Key areas: Business significance of IT; CIO reporting lines
  ITIL V3: SS 6.1 Organisational development; SO 3.2.4 Reactive vs. proactive organisations

PO4.5 IT organisational structure
  Key areas: Organisational alignment with business needs
  ITIL V3: SS 2.6 Functions and processes across the life cycle; SS 6.1 Organisational development; SS 6.2 Organisational departmentalisation; SS 6.3 Organisational design; SS 6.5 Sourcing strategy; SS App B2 Product managers; SD 6.3 Skills and attributes; ST 4.2.6.8 Change advisory board; ST 6.2 Organisational context for transitioning a service; ST 6.3 Organisation models to support service transition; SO 3.1 Functions, groups, teams, departments and divisions; SO 3.2 Achieving balance in service operation; SO 3.3 Providing service; SO 6.1 Functions; SO 6.2 Service desk; SO 6.3 Technical management; SO 6.4 IT operations management; SO 6.5 Application management; SO 6.7 Service operation organisation structures

PO4.6 Establishment of roles and responsibilities
  Key areas: Explicit roles and responsibilities; Clear accountabilities and end-user authorities
  ITIL V3: SS 2.6 Functions and processes across the life cycle; SD 6.2 Activity analysis; SD 6.4 Roles and responsibilities; ST 6.3 Organisation models to support service transition; SO 6.6 Service operation roles and responsibilities; CSI 6 Organising for continual service improvement

PO4.7 Responsibility for IT quality assurance (QA)
  ITIL V3: SD 6.4 Roles and responsibilities

PO4.8 Responsibility for risk, security and compliance
  Key areas: Ownership of IT risks in the business; Roles for managing critical risks; Enterprisewide risk and security management; System-specific security; Direction on risk appetite and acceptance of residual risks
  ITIL V3: SD 6.4 Roles and responsibilities

PO4.9 Data and system ownership
  Key areas: Enablement of business ownership of data; Decision making about information classification
  ITIL V3: SO 6.3 Technical management

PO4.11 Segregation of duties
  Key areas: Proper execution of roles and responsibilities; Avoidance of compromise of critical processes
  ITIL V3: ST 3.2.13 Assure the quality of the new or changed service; SO 5.13 Information security management and service operation

PO4.12 IT staffing
  Key areas: Number and competency; requirements evaluation
  ITIL V3: SO 6.2 Service desk

PO4.15 Relationships
  Key areas: Optimal co-ordination; Communications and liaison
  ITIL V3: SD 4.2.5.9 Develop contracts and relationships

PO5.1 Financial management framework
  Key areas: Portfolio management; Investment and cost management of IT assets
  ITIL V3: SS 3.1 Value creation; SS 5.1 Financial management; SS 5.2 Return on investment; SS App A Present value of an annuity

PO5.2 Prioritisation within IT budget
  Key areas: Allocation of IT resources; Optimisation of ROI
  ITIL V3: SS 5.2 Return on investment; SS 5.3 Service portfolio management; SS 5.4 Service portfolio management methods

PO5.3 IT budgeting
  Key areas: Budgeting process; Ensuring that budget is in line with investment portfolio of programmes and services; Budget review and approval
  ITIL V3: SS 5.2.2 Return on investment

PO5.4 Cost management
  Key areas: Comparison of costs to budgets; Cost reporting; Remediation of cost deviations from plan
  ITIL V3: SS 5.1 Financial management (esp. 5.1.2.7)

PO5.5 Benefit management
  Key areas: Benefits monitoring and analysis; Improvement of IT's contribution; Maintenance of business cases
  ITIL V3: SS 2.2 What are services?; SS 5.1 Financial management; SS 5.2 Return on investment; ST 4.4.5.10 Review and close service transition; ST 4.4.5.8 Early life support
PO6.1 IT policy and control environment
  Key areas: Management philosophy and operating style; Integrity, ethics, competences, accountability and responsibility; Culture of value delivery while managing risks
  ITIL V3: SS 6.4 Organisational culture

PO6.2 Enterprise IT risk and control framework
  Key areas: Promulgating and controlling policy; Alignment with enterprise risk and control

PO6.5 Communication of IT objectives and direction
  Key areas: Awareness and understanding of business and IT objectives and commitment
  ITIL V3: ST 5.1 Managing communications; SO 3.6 Communication

PO7.4 Personnel training
  Key areas: Organisational induction and ongoing training to raise technical and management skill levels
  ITIL V3: SD 6.3 Skills and attributes

PO8.1 Quality management system
  Key areas: Standard approach aligned to business requirements covering quality requirements and criteria; Policies and methods for detecting and correcting quality nonconformance
  ITIL V3: SS 7.5 Strategy and improvement; ST 4.4.5.3 Build and test

PO8.2 IT standards and quality practices
  ITIL V3: SS 7.5 Strategy and improvement; ST 3.2.13 Assure the quality of the new or changed service; ST 4.5 Service validation and testing (ITIL is not just focused on ST, but on ongoing test of the service); CSI App A Complementary guidance

PO8.3 Development and acquisition standards
  Key areas: Life cycle standards for deliverables
  ITIL V3: SS 6.5 Sourcing strategy; SD 3.5 Design activities; SD 3.6 Design aspects; SD 3.9 Service-oriented architecture; SD 3.11 Service design models; SD 5.3 Application management; SD 7 Technology considerations; ST 3.2.3 Adopt a common framework and standards; ST 4.1.4 Policies, principles and basic concepts; ST 4.1.5.1 Transition strategy

PO8.4 Customer focus
  Key areas: Customer-oriented QMS; Roles and responsibilities for conflict resolution
  ITIL V3: SS 5.5 Demand management; SD 4.2.5.4 Collate, measure and improve customer satisfaction; ST 3.2.6 Establish and maintain relationships with stakeholders

PO8.5 Continuous improvement
  Key areas: Communication processes promoting continuous improvement
  ITIL V3: SD 4.2.5.7 Conduct service reviews and instigate improvements within an overall security information officer (SIO); SO 5.14 Improvement of operational activities; CSI 1 Introduction; CSI 2 Service management as a practice; CSI 3 Continual service improvement principles; CSI 4.1 The seven-step improvement process; CSI 4.1.1 Integration with the rest of the life cycle stages and service management processes; CSI 4.4 Return on investment for CSI; CSI 4.5 Business questions for CSI; CSI 5 Continual service improvement methods and techniques; CSI 5.1 Methods and techniques; CSI 5.5 The Deming Cycle; CSI 5.6 CSI and other service management processes; CSI 5.6.7 Summary; CSI 6 Organising for continual service improvement; CSI 8 Implementing continual service improvement; CSI 9 Challenges, critical success factors and risks

PO8.6 Quality measurement, monitoring and review
  Key areas: Monitoring compliance to QMS and value of QMS
  ITIL V3: CSI 5.2 Assessments; CSI 5.3 Benchmarking; CSI 5.4 Measuring and reporting frameworks
PO9.1 IT risk management framework
  Key areas: Alignment to enterprise risk framework
  ITIL V3: SS 9.5 Risks; SD 4.5.5.1 Stage 1 - Initiation

PO9.2 Establishment of risk context
  Key areas: Internal and external context and goals of each assessment
  ITIL V3: SS 9.5 Risks; SD 4.5.5.1 Stage 1 - Initiation; SD 4.5.5.2 Stage 2 - Requirements and strategy

PO9.3 Event identification
  Key areas: Important threats exploiting vulnerabilities having negative business impact; Risk registry
  ITIL V3: SS 9.5 Risks; SD 4.5.5.2 Stage 2 - Requirements and strategy; ST 9 Challenges, critical success factors and risks; CSI 5.6.3 IT service continuity management

PO9.4 Risk assessment
  Key areas: Likelihood and impact of all identified risks; Qualitative and quantitative assessment; Inherent and residual risk
  ITIL V3: SS 9.5 Risks; SD 4.5.5.2 Stage 2 - Requirements and strategy; SD 8.1 Business impact analysis (not in detail); ST 4.6 Evaluation

PO9.5 Risk response
  Key areas: Cost-effective controls mitigating exposure; Risk avoidance strategies in terms of avoidance, mitigation or acceptance
  ITIL V3: SS 9.5 Risks; SD 4.5.5.3 Stage 3 - Implementation; ST 4.6 Evaluation

PO9.6 Maintenance and monitoring of a risk action plan
  Key areas: Prioritising and planning risk responses; Costs, benefits and responsibilities; Monitoring deviations
  ITIL V3: SS 9.5 Risks; SD 4.5.5.4 Stage 4 - Ongoing operation

PO10.3 Project management approach
  Key areas: Approach commensurate with size, complexity and requirements of each project; Project governance structure; Project sponsors
  ITIL V3: ST 3.2 Policies for service transition

PO10.4 Stakeholder commitment
  Key areas: Commitment and participation of stakeholders
  ITIL V3: ST 3.2.6 Establish and maintain relationships with stakeholders; ST 3.2.12 Ensure early involvement in the service life cycle

PO10.5 Project scope statement
  Key areas: Approval of nature and scope of project
  ITIL V3: SD 3.4 Identifying and documenting business requirements and drivers; SD 3.5 Design activities

PO10.7 Integrated project plan
  Key areas: Integrated plan covering business and IT resources; Activities and interdependencies between projects
  ITIL V3: SD App D Design and planning documents and their contents

PO10.8 Project resources
  Key areas: Responsibilities, relationships, authorities, and performance criteria of project team; Planning procurement of resources
  ITIL V3: ST 3.2.11 Proactively manage resources across service transitions

PO10.11 Project change control
  Key areas: Change control system for each project (cost, schedule, scope, quality)
  ITIL V3: ST 3.2.10 Anticipate and manage course corrections
ACQUIRE AND IMPLEMENT

AI1.1 Definition and maintenance of business functional and technical requirements
  Key areas: Identifying, prioritising and specifying requirements for all initiatives related to investment programmes
  ITIL V3: SS 7.5 Strategy and improvement; SS 8.1 Service automation; SD 3.2 Balanced design; SD 3.3 Identifying service requirements; SD 3.4 Identifying and documenting business requirements and drivers; SD 3.5 Design activities; SD 3.6.1 Designing service solutions; SD 3.6.2 Designing supporting systems, especially the service portfolio; SD 3.6.3 Designing technology architectures; SD 3.6.4 Designing processes; SD 3.6.5 Design of measurement systems and metrics; SD 3.8 Design constraints; SD 3.9 Service-oriented architecture; SD 4.3.5.8 Application sizing; SD App D Design and planning documents and their contents; ST 3.2.5 Align service transition plans with the business needs

AI1.2 Risk analysis report
  Key areas: Analysis of all significant threats and potential vulnerabilities affecting the requirements
  ITIL V3: SD 2.4.2 Scope; SD 3.6 Design aspects; SD 4.5.5.2 Stage 2 - Requirements and strategy

AI1.3 Feasibility study and formulation of alternative courses of action
  Key areas: Alternative solutions to satisfying business requirements assessed by the business and IT
  ITIL V3: SD 3.6.1 Designing service solutions; SD 3.7.1 Evaluation of alternative solutions; ST 3.2.4 Maximise reuse of established processes and systems

AI1.4 Requirements and feasibility decision and approval
  Key areas: Business sponsor's approval of requirements, feasible options, solutions and the acquisition approach
  ITIL V3: SD 3.6.1 Designing service solutions

AI2.1 High-level design
  Key areas: Translation of business requirements to high-level design for acquisition; Alignment with technological direction and information architecture
  ITIL V3: SD 3.6.1 Designing service solutions; SD 3.6.3 Designing technology architectures

AI2.2 Detailed design
  Key areas: Technical design and application requirements; Criteria for acceptance
  ITIL V3: SS 8.2 Service interfaces; SD 4.2.5.2 Determine, document and agree requirements for new services and produce service level requirements (SLR); SD 5.3 Application management

AI2.4 Application security and availability
  Key areas: Security and availability requirements addressed
  ITIL V3: SD 3.6.1 Designing service solutions; SO 4.4.5.11 Errors detected in the development environment

AI2.7 Development of application software
  Key areas: Developing functionality in accordance with design, standards and QA requirements; Legal and contractual requirements followed by third-party developers
  ITIL V3: SD 3.7.3 Develop the service solution

AI2.9 Applications requirements management
  Key areas: Tracking status of all requirements through change management process
  ITIL V3: ST 3.2.6 Establish and maintain relationships with stakeholders; ST 3.2.10 Anticipate and manage course corrections

AI3.1 Technological infrastructure acquisition plan
  Key areas: Acquisition, implementation and maintenance plan for infrastructure, aligned with business need and technological direction
  ITIL V3: SD 3.6.3 Designing technology architectures

AI3.2 Infrastructure resource protection and availability
  Key areas: Protection of resources using security and auditability measures; Use of sensitive infrastructure
  ITIL V3: SD 4.6.5.1 Security controls; SO 5.4 Server management and support

AI3.3 Infrastructure maintenance
  Key areas: Change control, patch management, upgrade strategies and security requirements
  ITIL V3: SO 5.4 Server management and support; SO 5.5 Network management; SO 5.7 Database administration; SO 5.8 Directory services management; SO 5.9 Desktop support; SO 5.10 Middleware management; SO 5.11 Internet/web management

AI3.4 Feasibility test environment
  Key areas: Development and test environments; feasibility and integration tests
  ITIL V3: ST 4.4.5.1 Planning; ST 4.4.5.2 Preparation for build, test and deployment; ST 4.4.5.3 Build and test; ST 4.5.5.7 Test clean up and closure; ST 4.5.7 Information management

AI4.1 Planning for operational solutions
  Key areas: Identification and planning of all technical, operational and usage aspects of solutions
  ITIL V3: SD 3.6.1 Designing service solutions; ST 3.2.5 Align service transition plans with the business needs; ST 3.2.9 Plan release and deployment packages; ST 4.4.5.1 Planning; ST 4.4.5.2 Preparation for build, test and deployment; ST 4.4.5.5 Plan and prepare for deployment

AI4.2 Knowledge transfer to business management
  Key areas: Enable ownership, delivery, quality and internal control of solution
  ITIL V3: ST 3.2.5 Align service transition plans with the business needs; ST 4.7 Knowledge management

AI4.3 Knowledge transfer to end users
  Key areas: End-user knowledge and skills for use as part of business processes
  ITIL V3: ST 3.2.8 Provide systems for knowledge transfer and decision support; ST 4.4.5.8 Early life support; ST 4.7 Knowledge management

AI4.4 Knowledge transfer to operations and support staff
  Key areas: Knowledge and skills to enable operation and support of systems and infrastructure
  ITIL V3: ST 3.2.8 Provide systems for knowledge transfer and decision support; ST 4.4.5.5 Plan and prepare for deployment; ST 4.7 Knowledge management; SO 3.7 Documentation; SO 4.4.5.11 Errors detected in the development environment; SO 4.6.6 Knowledge management (as operational activities)

AI5.1 Procurement control
  Key areas: Standards and procedures aligned to enterprise procurement process
  ITIL V3: SD 3.7.2 Procurement of the preferred solution

AI5.2 Supplier contract management
  Key areas: Contract initiation and life cycle management
  ITIL V3: SD 4.2.5.9 Develop contracts and relationships; SD 4.7.5.3 Establishing new suppliers and contracts

AI5.3 Supplier selection
  Key areas: Fair and formal selection process; Viable best fit to requirements
  ITIL V3: SD 3.7.1 Evaluation of alternative solutions; SD 4.7.5.3 Establishing new suppliers and contracts; SD App I Example contents of a statement of requirement (SoR) and/or invitation to tender (ITT)

AI5.4 IT resources acquisition
  Key areas: Protection of enterprise interests in contractual agreements; Rights and obligations of all parties
  ITIL V3: SD 3.7.2 Procurement of the preferred solution
AI6.1 Change standards and procedures
  Key areas: Formal change management procedures; Standardised approach
  ITIL V3: SD 3.2 Balanced design; SD 3.7 The subsequent design activities; ST 3.2 Policies for service transition; ST 3.2.1 Define and implement a formal policy for service transition; ST 3.2.2 Implement all changes to services through service transition; ST 3.2.7 Establish effective controls and disciplines; ST 4.1 Transition planning and support; ST 4.1.4 Policies, principles and basic concepts; ST 4.2 Change management; ST 4.2.6.1 Normal change procedure; ST 5 Service transition common operation activities; ST 6 Organising for service transition; ST 6.3 Organisation models to support service transition; ST 6.4 Service transition relationship with other life cycle stages; SO 4.6.1 Change management (as operational activities)

AI6.2 Impact assessment, prioritisation and authorisation
  Key areas: Assessing impact, categorising, prioritising and authorising
  ITIL V3: ST 4.2.6.2 Create and record requests for change; ST 4.2.6.3 Review the request for change; ST 4.2.6.4 Assess and evaluate the change; ST 4.2.6.5 Authorising the change; ST 4.2.6.6 Co-ordinating change implementation; ST 4.2.6.8 Change advisory board; ST 4.6 Evaluation; SO 4.3.5.1 Menu selection; SO 4.3.5.2 Financial approval; SO 4.3.5.3 Other approval

AI6.3 Emergency changes
  Key areas: Process for defining, raising, testing, documenting, assessing and authorising emergency changes
  ITIL V3: ST 4.2.6.9 Emergency changes

AI6.4 Change status tracking and reporting
  Key areas: Tracking and reporting of all changes: rejected, approved, in-process and completed
  ITIL V3: ST 3.2.13 Assure the quality of the new or changed service; ST 3.2.14 Proactively improve quality during service transition; ST 4.1.5.3 Planning and co-ordinating service transition; ST 4.1.6 Provide transition process support

AI6.5 Change closure and documentation
  Key areas: Change implementation and documentation updates
  ITIL V3: ST 4.2.6.4 Assess and evaluate the change; ST 4.2.6.7 Review and close change record; ST 4.4.5.10 Review and close service transition; ST 4.4.5.9 Review and close a deployment; SO 4.3.5.5 Closure

AI7.1 Training
  Key areas: Training of users and operations in accordance with implementation plan
  ITIL V3: ST 4.4.5.2 Preparation for build, test and deployment

AI7.2 Test plan
  Key areas: Test plan defining roles and responsibilities
  ITIL V3: ST 4.5.5.1 Validation and test management; ST 4.5.5.2 Plan and design test; ST 4.5.5.3 Verify test plan and test design; ST 4.5.5.4 Prepare test environment

AI7.3 Implementation plan
  Key areas: Implementation plan including fallback and backout strategies
  ITIL V3: ST 3.2.9 Plan release and deployment packages; ST 4.1.5.2 Preparation for service transition; ST 4.4.5.2 Preparation for build, test and deployment; ST 4.4.5.3 Build and test; ST 4.4.5.4 Service testing and pilots; ST 4.4.5.5 Plan and prepare for deployment

AI7.4 Test environment
  Key areas: Secure test environment based on operational conditions
  ITIL V3: ST 3.2.14 Proactively improve quality during service transition; ST 4.4.5.2 Preparation for build, test and deployment; ST 4.4.5.3 Build and test; ST 4.4.5.4 Service testing and pilots

AI7.6 Testing of changes
  Key areas: Independently testing changes prior to migration
  ITIL V3: ST 3.2.14 Proactively improve quality during service transition; ST 4.4.5.4 Service testing and pilots; ST 4.5.5.5 Perform tests; ST 4.5.5.6 Evaluate exit criteria and report

AI7.7 Final acceptance test
  Key areas: Business process owners and stakeholders evaluating outcome of testing
  ITIL V3: ST 4.4.5.4 Service testing and pilots; ST 4.5.5.5 Perform tests; ST 4.5.5.6 Evaluate exit criteria and report

AI7.8 Promotion to production
  Key areas: Controlled handover to operations, software distribution, parallel processing
  ITIL V3: ST 4.4.5.5 Plan and prepare for deployment; ST 4.4.5.6 Perform transfer, deployment and retirement; SO 4.3.5.4 Fulfilment

AI7.9 Post-implementation review
  Key areas: Evaluating whether objectives have been met and benefits realised; Action plan to address issues
  ITIL V3: ST 3.2.13 Assure the quality of the new or changed service; ST 4.1.5.3 Planning and co-ordinating service transition; ST 4.4.5.10 Review and close service transition; ST 4.4.5.7 Verify deployment; ST 4.4.5.9 Review and close a deployment; ST 4.6 Evaluation; SO 4.3.5.5 Closure
DELIVER AND SUPPORT

DS1 Service level management framework
  Key areas: Formal service level management process and continuous alignment to business requirements; Facilitating common understanding between customer and provider
  ITIL V3: SS 2.6 Functions and processes across the life cycle; SS 4.3 Develop strategic assets; SS 4.4 Prepare for execution; SS 7.2 Strategy and design; SS 7.3 Strategy and transitions; SS 7.5 Strategy and improvement; SD 4.2.5.1 Designing SLA frameworks; SD 4.2.5.9 Develop contracts and relationships

DS1.2 Definition of services
  Key areas: Services defined based on service characteristics and business requirements in a service catalogue
  ITIL V3: SS 4.2 Develop the offerings; SS 4.3 Develop strategic assets; SS 5.4 Service portfolio management methods; SS 5.5 Demand management; SS 7.2 Strategy and design; SS 7.3 Strategy and transitions; SS 7.4 Strategy and operations; SS 7.5 Strategy and improvement; SS 8.2 Service interfaces; SD 3 Service design principles; SD 3.1 Goals; SD 3.2 Balanced design; SD 3.4 Identifying and documenting business requirements and drivers; SD 3.5 Design activities; SD 3.6 Design aspects; SD 4.1 Service catalogue management

DS1.3 Service level agreements
  Key areas: Defining SLAs based on customer requirements and IT capabilities; Service metrics, roles and responsibilities
  ITIL V3: SD 4.2.5.2 Determine, document and agree upon requirements for new services and produce SLR; SD App F Sample SLA and operating level agreement (OLA)

DS1.4 Operating level agreements
  Key areas: Definition of technical delivery to support the SLA(s)
  ITIL V3: SD 4.2.5.5 Review and revise underpinning agreements and service scope; SD App F Sample SLA and OLA

DS1.5 Monitoring and reporting of service level achievements
  Key areas: Continuous monitoring of service performance
  ITIL V3: SS 5.3 Service portfolio management; SD 4.2.5.3 Monitor service performance against SLA; SD 4.2.5.6 Produce service reports; SD 4.2.5.7 Conduct service reviews and instigate improvements within an overall SIO; SD 4.2.5.10 Complaints and compliments; SD 4.3.8 Information management; CSI 4.2 Service reporting; CSI 4.3 Service measurement

DS1.6 Review of service level agreements and contracts
  Key areas: Regular review of SLAs and underpinning contracts for effectiveness and being up to date
  ITIL V3: SD 4.2.5.4 Collate, measure and improve customer satisfaction; SD 4.2.5.5 Review and revise underpinning agreements and service scope; SD 4.2.5.8 Review and revise SLAs, service scope and underpinning agreements

DS2.1 Identification of all supplier relationships
  Key areas: Categorising services according to supplier type, significance and criticality
  ITIL V3: SS 7.3 Strategy and transitions; SD 4.7.5.1 Evaluation of new suppliers and contracts; SD 4.7.5.2 Supplier categorisation and maintenance of the supplier and contracts database (SCD)

DS2.2 Supplier relationship management
  Key areas: Liaising with regard to customer and supplier issues; Trust and transparency
  ITIL V3: SD 4.2.5.9 Develop contracts and relationships; SD 4.7.5.2 Supplier categorisation and maintenance of the supplier and contracts database (SCD); SD 4.7.5.4 Supplier and contract management and performance; SD 4.7.5.5 Contract renewal and/or termination

DS2.3 Supplier risk management
  Key areas: Risk identification, contract conformance and supplier viability
  ITIL V3: SD 4.7.5.3 Establishing new suppliers and contracts; SD 4.7.5.5 Contract renewal and/or termination

DS2.4 Supplier performance monitoring
  Key areas: Meeting business requirements, adherence to contract and competitive performance
  ITIL V3: SD 4.7.5.4 Supplier and contract management and performance

DS3.1 Performance and capacity planning
  Key areas: Ensuring capacity and performance are available to meet SLAs

DS3.2 Current performance and capacity
  Key areas: Assessment of current performance and capacity
  ITIL V3: SD 4.3.5.2 Service capacity management; SD 4.3.5.3 Component capacity management; SO 4.1.5.2 Event notification; SO 4.1.5.3 Event detection; SO 5.4 Server management and support; CSI 4.3 Service measurement

DS3.3 Future performance and capacity
  Key areas: Forecasting of resource requirements; Workload trends
  ITIL V3: SD 4.3.5.1 Business capacity management; SD 4.3.5.2 Service capacity management; SD 4.3.5.3 Component capacity management; SD 4.3.5.7 Modelling and trending; SD 4.3.8 Information management

DS3.4 IT resources availability
  Key areas: Provision of resources, contingencies, fault tolerance and resource prioritisation
  ITIL V3: SD 4.3.5.3 Component capacity management; SD 4.3.5.4 The underpinning activities of capacity management; SD 4.4 Availability management; SD 4.4.5.1 The reactive activities of availability management; SD 4.4.5.2 The proactive activities of availability management; SO 4.6.5 Availability management (as operational activities); CSI 5.6.1 Availability management

DS3.5 Monitoring and reporting
  Key areas: Maintaining and tuning performance and capacity, and reporting service availability to the business
  ITIL V3: SD 4.3.5.4 The underpinning activities of capacity management; SD 4.3.5.5 Threshold management and control; SD 4.3.5.6 Demand management; SD 4.4.5.1 The reactive activities of availability management
DS4.1 IT continuity framework
  Key areas: Enterprisewide consistent approach to continuity management
  ITIL V3: SD 4.5 IT service continuity management; SD 4.5.5.1 Stage 1 - Initiation; CSI 5.6.3 IT service continuity management

DS4.2 IT continuity plans
  Key areas: Individual continuity plans based on framework; Business impact analysis; Resilience, alternative processing and recovery
  ITIL V3: SD 4.5.5.2 Stage 2 - Requirements and strategy; SD 4.5.5.3 Stage 3 - Implementation; SD App K The typical contents of a recovery plan

DS4.3 Critical IT resources
  Key areas: Focus on critical infrastructure, resilience and prioritisation; Response for different time periods
  ITIL V3: SD 4.4.5.2 The proactive activities of availability management; SD 4.5.5.4 Stage 4 - Ongoing operation

DS4.4 Maintenance of the IT continuity plan
  Key areas: Changing control to reflect changing business requirements
  ITIL V3: SD 4.5.5.4 Stage 4 - Ongoing operation

DS4.5 Testing of the IT continuity plan
  Key areas: Regular testing; Implementing action plan
  ITIL V3: SD 4.5.5.3 Stage 3 - Implementation; SD 4.5.5.4 Stage 4 - Ongoing operation

DS4.6 IT continuity plan training
  Key areas: Regular training for all concerned parties
  ITIL V3: SD 4.5.5.3 Stage 3 - Implementation; SD 4.5.5.4 Stage 4 - Ongoing operation

DS4.7 Distribution of the IT continuity plan
  Key areas: Proper and secure distribution to all authorised parties
  ITIL V3: SD 4.5.5.3 Stage 3 - Implementation; SD 4.5.5.4 Stage 4 - Ongoing operation

DS4.8 IT services recovery and resumption
  Key areas: Planning for period when IT is recovering and resuming services; Business understanding and investment support
  ITIL V3: SD 4.4.5.2 The proactive activities of availability management; SD 4.5.5.4 Stage 4 - Ongoing operation

DS4.9 Offsite backup storage
  Key areas: Offsite storage of all critical media, documentation and resources needed in collaboration with business process owners
  ITIL V3: SD 4.5.5.2 Stage 2 - Requirements and strategy; SO 5.2.3 Backup and restore

DS4.10 Post-resumption review
  Key areas: Regular management assessment of plans
  ITIL V3: SD 4.5.5.3 Stage 3 - Implementation; SD 4.5.5.4 Stage 4 - Ongoing operation

DS5.1 Management of IT security
  Key areas: High-level placement of security management to meet business needs
  ITIL V3: SD 4.6 Information security management; SO 5.13 Information security management and service operation

DS5.2 IT security plan
  Key areas: Translation of business, risk and compliance requirements into a security plan
  ITIL V3: SD 4.6.4 Policies/principles/basic concepts; SD 4.6.5.1 Security controls (high-level coverage, not in detail)

DS5.3 Identity management
  Key areas: Identification of all users (internal, external and temporary) and their activity
  ITIL V3: SO 4.5 Access management

DS5.4 User account management
  Key areas: Life cycle management of user accounts and access privileges
  ITIL V3: SO 4.5 Access management; SO 4.5.5.1 Requesting access; SO 4.5.5.2 Verification; SO 4.5.5.3 Providing rights; SO 4.5.5.4 Monitoring identity status; SO 4.5.5.5 Logging and tracking access; SO 4.5.5.6 Removing or restricting rights

DS5.5 Security testing, surveillance and monitoring
  Key areas: Proactive testing of security implementation; Timely accreditation; Timely reporting of unusual events
  ITIL V3: SO 4.5.5.6 Removing or restricting rights; SO 5.13 Information security management and service operation

DS5.6 Security incident definition
  Key areas: Definition and classification of security incident characteristics
  ITIL V3: SD 4.6.5.1 Security controls (high-level coverage, not in detail); SD 4.6.5.2 Management of security breaches and incidents

DS5.7 Protection of security technology
  Key areas: Resistance to tampering
  ITIL V3: SO 5.4 Server management and support

DS5.10 Network security
  Key areas: Controls to authorise access and information flows from and to networks
  ITIL V3: SO 5.5 Network management
DS6.1 Definition of services
  Key areas: Identification of all costs linked to IT services and associated business processes
  ITIL V3: SS 5.1 Financial management; SD 4.1 Service catalogue management

DS6.2 IT accounting
  Key areas: Allocation of costs according to enterprise cost model
  ITIL V3: SS 5.1 Financial management

DS6.3 Cost modelling and charging
  Key areas: IT costing models based on service definitions, and charge-back process
  ITIL V3: SS 5.1 Financial management; SS 7.2 Strategy and design

DS6.4 Cost model maintenance
  Key areas: Regular review and benchmark of cost/recharge model
  ITIL V3: SS 5.1 Financial management

DS7.1 Identification of education and training needs
  Key areas: Training curriculum for each group of employees
  ITIL V3: SO 5.13 Information security management and service operation; SO 5.14 Improvement of operational activities

DS8.1 Service desk
  Key areas: User interface; Call handling; Incident classification and prioritisation based on services and SLAs
  ITIL V3: SO 4.1 Event management; SO 4.2 Incident management; SO 6.2 Service desk

DS8.2 Registration of customer queries
  Key areas: Logging and tracking of all calls, incidents, service requests and information needs
  ITIL V3: SO 4.1.5.3 Event detection; SO 4.1.5.4 Event filtering; SO 4.1.5.5 Significance of events; SO 4.1.5.6 Event correlation; SO 4.1.5.7 Trigger; SO 4.2.5.1 Incident identification; SO 4.2.5.2 Incident logging; SO 4.2.5.3 Incident categorisation; SO 4.2.5.4 Incident prioritisation; SO 4.2.5.5 Initial diagnosis; SO 4.3.5.1 Menu selection

DS8.3 Incident escalation
  Key areas: Incident escalation according to limits in SLAs
  ITIL V3: SO 4.1.5.8 Response selection; SO 4.2.5.6 Incident escalation; SO 4.2.5.7 Investigation and diagnosis; SO 4.2.5.8 Resolution and recovery; SO 5.9 Desktop support

DS8.4 Incident closure
  Key areas: Recording of resolved and unresolved incidents
  ITIL V3: SO 4.1.5.10 Close event; SO 4.2.5.9 Incident closure

DS8.5 Reporting and trend analysis
  Key areas: Reports of service performance and trends of recurring problems
  ITIL V3: SO 4.1.5.9 Review and actions; CSI 4.3 Service measurement (vague)
DS9.1 Configuration repository and baseline
  Key areas: Recording configuration items, monitoring and recording all assets, and implementing a baseline for every system and service as a change recovery checkpoint
  ITIL V3: SS 8.2 Service interfaces; ST 4.1.5.2 Prepare for service transition; ST 4.3.5.2 Management and planning

DS9.2 Identification and maintenance of configuration items
  Key areas: Configuration procedures to support logging of all changes in configuration database
  ITIL V3: ST 4.1.5.2 Prepare for service transition; ST 4.3.5.3 Configuration identification; ST 4.3.5.4 Configuration control; ST 4.3.5.5 Status accounting and reporting

DS9.3 Configuration integrity review
  Key areas: Periodic review of configuration data integrity; Control of licensed software and unauthorised software
  ITIL V3: ST 4.3.5.6 Verification and audit; SO 5.4 Server management and support; SO 7 Technology considerations (especially for licensing, mentioned in SO 7.1.4)

DS10.1 Identification and classification of problems
  Key areas: Problem classification, allocation to support staff
  ITIL V3: SO 4.4.5.1 Problem detection; SO 4.4.5.3 Problem categorisation; SO 4.4.5.4 Problem prioritisation; SO App C Kepner and Tregoe; SO App D Ishikawa diagrams

DS10.2 Problem tracking and resolution
  Key areas: Audit trails, tracking and analysis of root causes of all problems; Initiating solutions to address root causes
  ITIL V3: SO 4.4.5.2 Problem logging; SO 4.4.5.5 Problem investigation and diagnosis; SO 4.4.5.6 Work-arounds; SO 4.4.5.7 Raising a known error record; SO 4.4.5.8 Problem resolution

DS10.3 Problem closure
  Key areas: Closure procedures after elimination of error or alternative approach
  ITIL V3: SO 4.4.5.9 Problem closure; SO 4.4.5.10 Major problem review

DS11.1 Business requirements for data management
  Key areas: Input form design; Minimising errors and omissions; Error-handling procedures
  ITIL V3: SD 5.2 Data and information management

DS11.2 Storage and retention arrangements
  Key areas: Document preparation; Segregation of duties
  ITIL V3: SD 5.2 Data and information management; SO 5.6 Storage and archive

DS11.5 Backup and restoration
  Key areas: Legal requirements; Retrieval and reconstruction mechanisms
  ITIL V3: SO 5.2.3 Backup and restore

DS11.6 Security requirements for data management
  Key areas: Data input by authorised staff
  ITIL V3: SD 5.2 Data and information management

DS12.2 Physical security measures
  Key areas: Securing the location, including protection from unauthorised access, natural risks and power outages
  ITIL V3: SO App E Detailed description of facilities management

DS12.3 Physical access
  Key areas: Controlled access to premises by all parties
  ITIL V3: SO App E Detailed description of facilities management; SO App F Physical access control

DS12.4 Protection against environmental factors
  Key areas: Monitoring and control of environmental factors
  ITIL V3: SO App E Detailed description of facilities management

DS12.5 Physical facilities management
  Key areas: Management of facilities according to business, legal and regulatory requirements
  ITIL V3: SO 5.12 Facilities and data centre management

DS13.1 Operations procedures and instructions
  Key areas: Procedures and familiarity with operational tasks
  ITIL V3: SO 3.7 Documentation; SO 5 Common service operation activities; SO App B Communication in service operation

DS13.2 Job scheduling
  Key areas: Organisation of job schedules maximising throughput and utilisation to meet SLAs
  ITIL V3: SD 4.3.5.5 Threshold management and control; SD 4.3.5.6 Demand management; SO 5.2.2 Job scheduling; SO 5.3 Mainframe management

DS13.3 IT infrastructure monitoring
  Key areas: Monitoring infrastructure for critical events; Logging of information to enable review
  ITIL V3: SD 4.3.5.4 The underpinning activities of capacity management; SD 4.3.5.5 Threshold management and control; SO 4.1 Event management; SO 4.1.5.1 Event occurs; SO 4.1.5.9 Review and actions; SO 5.2.1 Console management/operations bridge

DS13.4 Sensitive documents and output devices
  Key areas: Physical safeguards for sensitive assets, and negotiable instruments
  ITIL V3: SO 5.2.4 Print and output

DS13.5 Preventive maintenance for hardware
  Key areas: Maintenance to reduce impact of failures
  ITIL V3: SO 5.3 Mainframe management; SO 5.4 Server management
and support
MONITOR AND EVALUATE
ME1.1 Monitoring approach General monitoring framework SD 8.5 Measurement of service
Integration with corporate
approach design
ST 4.5.5.1 Validation and test
management
SO 3.5 Operational health
CSI 4.1 The seven-step
improvement process
CSI 4.1a Step oneDefine what
you should measure
CSI 4.1b Step twoDefine what
you can measure
CSI 4.1.1 Integration with the
rest of the life cycle stages and
service management processes
CSI 4.1.2 Metrics and
measurement
CSI 4.3 Service measurement
CSI 4.4 Return on investment
for CSI
CSI 4.5 Business questions
for CSI
CSI 5.1 Methods and techniques
CSI 5.2 Assessments
Balanced set of objectives
ME1.2 Definition and collection of approved SD 4.2.5.10 Complaints and
monitoring data by stakeholders compliments
Benchmarks, availability and CSI 4.1c Step threeGathering
collection of measurable data data
CSI 4.1d Step fourProcessing
the data
Method for capturing and
ME1.3 Monitoring method reporting ST 4.5.5.2 Plan and design test
results ST 4.5.5.3 Verify test plan and
test design
ST 4.5.5.4 Prepare test
environment
CSI 4.1b Step twoDefine what
you can measure
CSI 4.1f Step sixPresenting
and
using the information

X
CSI 5.4 Measuring and reporting
frameworks
ME1.4 Performance assessment Review of performance against SD 4.2.5.7 Conduct service
targets reviews and instigate
Remedial actions improvements within an
Root cause analysis overall SIO
CSI 3 Continual service
improvement principles
CSI 4.1e Step fiveAnalysing
the data
CSI 5.3 Benchmarking
CSI 8 Implementing continual
service improvement
ME1.5 Board and executive CSI 4.1f Step sixPresenting
reporting Reports of ITs contribution to the and
business for service and
investment using the information
portfolios and programmes CSI 4.2 Service reporting
Follow-up on and remediation of
ME1.6 Remedial actions all CSI 4.1g Step seven
performance issues Implementing corrective action
IT governance framework aligned
ME4.1 Establishment of an IT to CSI 3.10 Governance
CSI App A Complementary
governance framework enterprise governance guidance
Based on suitable IT process and
control model
Confirmation framework ensuring
compliance and confirming delivery
of enterprise strategy for IT
Board understanding of IT
ME4.2 Strategic alignment strategy, SD 3.10 Business service
strategic direction, confidence management
and trust between business and
IT, co-responsibility for strategic
decisions, and benefit realisation
ME4.3 Value delivery Delivery of optimum value to SS 3.1 Value creation
support enterprise strategy
Understanding of expected
business outcomes; effective
business cases; management of
economic life cycle and realisation
of benefits; enforcement of
portfolio, programme and project
management; and business
ownership of investments
ME4.5 Risk management Appetite for risk, appropriate risk SS 9.5 Risks
management practices, embedding
risk responsibilities, regular
assessment of risk and transparent

Y
risk reporting
ME4.6 Performance measurement Confirming objectives have been SS 4.4 Prepare for execution
met, reviewing any remedial SS 9.4 Effectiveness in
actions, reporting performance to measurement
senior management and enabling SD 3.6.5 Design of measurement
review of progress systems and metrics
CSI 4.3 Service measurement