1. Abstract
2. Introduction
3. IT Governance
3.1 Strategic alignment
3.2 Value delivery
3.3 Resource management
3.4 Risk management
3.5 Performance measurement
4. Why IT Governance is Necessary?
4.1 Benefits of IT Governance
5. COBIT (Control Objectives for Information and related Technology)
5.1 COBIT Domains
5.1.1 Plan and Organise
5.1.2 Acquire and Implement
5.1.3 Deliver and Support
5.1.4 Monitor and Evaluate
5.2 How Does COBIT Help Implement Effective IT Governance?
5.3 Why is COBIT valuable?
5.4 Limitations of COBIT
6. ITIL (Information Technology Infrastructure Library)
6.1 ITIL v3
6.2.1 Service Strategy
6.2.2 Service Design
6.2.3 Service Transition
6.2.4 Service Operation
6.2.5 Continual Service Improvement (CSI)
7. COBIT and ITIL: The Alignment
8. Conclusion
9. References
10. Appendix: ITIL mapped onto COBIT detailed-level processes
List of Figures
1. Abstract
Organisations require a structured approach for managing these and other challenges.
This will ensure that there are agreed objectives for IT, good management controls in
place and effective monitoring of performance to keep on track and avoid unexpected
outcomes.
Management hopes for heightened understanding of the way IT is operated and the
likelihood of its being leveraged successfully for competitive advantage. Boards and
organisational structures and processes that ensure that the enterprise's IT sustains and
governance with overall governance is similar to the need for IT to be an integral part of
the enterprise rather than something practiced in remote corners or ivory towers. An
increasingly educated and assertive set of stakeholders is concerned about the sound
management of its interests. This has led to the emergence of governance principles and
responsibilities and require that the board of directors exercise due diligence in its roles.
Investors have also realised the importance of governance; research shows they are
willing to pay a premium of more than 20 percent on shares of enterprises that have
2. Introduction
For many enterprises, information and the technology that supports it represent their most
valuable, but often least understood assets. Successful enterprises recognise the benefits
of information technology and use it to drive stakeholder value. These enterprises
also understand and manage the associated risks, such as increasing regulatory
Enterprise governance is a set of responsibilities and practices exercised by the board and
[Figure: enterprise governance dimensions; only the labels "Conformance" and "Performance" survived extraction]
3. IT Governance
structures and processes that ensure that the enterprise's IT sustains and extends the
[Figure 1: IT governance domains; surviving labels: "IT Governance Domains", "Resource Management"]
Simply stated, IT governance is the responsibility of the board and must be integrated into
the organisation's enterprise governance structure. Boards and senior management must
As shown in Figure 1, the five basic outcomes of IT governance should include
Resource Management
Performance Measurement - information security governance metrics
3.1 Strategic alignment
It focuses on ensuring the linkage of business and IT plans; on defining, maintaining and
operations.
3.2 Value delivery
It is about executing the value proposition throughout the delivery cycle, ensuring that IT
delivers the promised benefits against the strategy, concentrating on optimising costs and
3.3 Resource management
It is about the optimal investment in, and the proper management of, critical IT resources:
applications, information, infrastructure and people. Key issues relate to the optimisation
3.4 Risk management
requirements, transparency about the significant risks to the enterprise, and embedding of
3.5 Performance measurement
process performance and service delivery, using, for example, balanced scorecards that
accounting.
4. Why IT Governance is Necessary?
goods especially when the IT is designed to bring about change in an organisation. This
enabler of new business models both in the private and public sectors. Business
transformation offers many rewards, but it also has the potential for many risks, which
may disrupt operations and have unintended consequences. The dilemma becomes how to
4.1 Benefits of IT Governance
A level of assurance that critical decisions are not based on faulty information
5. COBIT (Control Objectives for Information and related Technology)
Business orientation is the main theme of COBIT. It is designed to be employed not only
by users and auditors, but also, and more importantly, as comprehensive guidance for
management and business process owners. Increasingly, business practice involves the
full empowerment of business process owners so they have total responsibility for all
aspects of the business process. In particular, this includes providing adequate controls.
The COBIT framework provides a tool for the business process owner that facilitates the
discharge of this responsibility. The framework starts from a simple and pragmatic
premise: To provide the information that the organisation needs to achieve its objectives,
The framework continues with a set of 34 high-level control objectives, one for each of
the IT processes, grouped into four domains: Plan and Organise, Acquire and Implement,
Deliver and Support, and Monitor and Evaluate. This structure covers all aspects of information and the
technology that supports it. By addressing these 34 high-level control objectives, the
business process owner can ensure that an adequate control system is provided for the IT
environment.
IT governance guidance is also provided in the COBIT framework. IT governance
provides the structure that links IT processes, IT resources and information to enterprise
organising, acquiring and implementing, delivering and supporting, and monitoring and
competitive advantage.
improvement.
management can map where the organisation is today, where it stands in relation to the
best in class in its industry and to international standards, and where the organisation
wants to be.
5.1 COBIT Domains
5.1.2 Acquire and Implement
implementing it within the company's current business processes. It also addresses the
development of a maintenance plan that a company should adopt in order to prolong the
5.1.3 Deliver and Support
The Deliver and Support domain focuses on the delivery aspects of the information
technology. It covers areas such as the execution of the applications within the IT system
and its results, as well as the support processes that enable the effective and efficient
execution of these IT systems. These support processes include security issues and
training.
Figure 4: Deliver and Support
5.1.4 Monitor and Evaluate
The Monitor and Evaluate domain deals with a company's strategy in assessing the needs
of the company and whether or not the current IT system still meets the objectives for
which it was designed and the controls necessary to comply with regulatory
effectiveness of the IT system in its ability to meet business objectives and the company's
5.2 How Does COBIT Help Implement Effective IT Governance?
COBIT enables mapping of IT goals to business goals and vice versa. It provides a better
alignment, based on a business focus and more importantly, it gives a view of what IT
all stakeholders, based on a common language and the fulfillment of the COSO
Executives can expect the following results from the adoption of COBIT:
IT staff and executives will understand more fully how the business and IT can
Security and privacy requirements will be clearer and implementation more easily
monitored.
practice.
5.4 Limitations of COBIT
Despite the various reasons to use COBIT, it still needs to be customised by whoever
adopts it. To customise it, an analysis of the control requirements should be performed,
based on the value drivers, the risk profile and the IT infrastructure
6. ITIL (Information Technology Infrastructure Library)
The Information Technology Infrastructure Library (ITIL) is a set of concepts and policies for
operations. It describes a number of important IT practices with checklists, tasks and
demonstrate their knowledge and understanding of ITIL and to develop their professional
needs.
which became v1. ITIL v2 came out in the year 2000 to make ITIL more accessible and
more affordable. ITIL v2 was grouped into eight sets, logically bounded by related
processes, the main one being the Service Management set. While ITIL version 2 focused
Figure 6: ITIL version 2 library [ILX]
Practitioners requested improvements to this version so as to meet the increasing
needs of businesses. As such, in May 2007 the third version of ITIL came out in five
volumes revolving around the concept of the Service Lifecycle. The third version is much
more prescriptive and gives businesses more return on investment. In this section, the
focus is mainly on the IT practices of ITIL v3.
6.1 ITIL v3
ITIL v3 is an evolution of v2, making ITIL even more accessible and more complete.
shown below
Figure 7: ITIL version 3
ITIL version 3 has been long awaited by many practitioners and many international
organisations in the private and public sectors, examination bodies and businesses, among
ITIL version 3 has many improvements compared to the second version. As
mentioned earlier, it is more prescriptive, tells exactly how things should be done and
sections and adding more details to them. The contents also underwent four major evolutions.
The first evolution concerned how to integrate business processes with IT; it
aims at making business and IT a single interdependent component rather than two
separate entities. The second evolution is that it included an integrated value service
network that brings together all business units so that they do not need to refer to a third
party for prescription. The third evolution is that it makes service the centre point rather
than something to be done later. It provides a dynamic service portfolio for continual
service improvement. Fourthly, the processes have been reviewed and refined in the five
Service Strategy
Service Design
Service Transition
Service Operation
6.2.1 Service Strategy
Being the core of the ITIL Service Lifecycle, it offers guidance on clarification and
improve and progress over time, and depends mostly on a market-driven approach. It
also introduces new concepts such as value creation, market definition and solution
space. Its focus is mainly on enabling practical decision making based upon the
6.2.2 Service Design
In order to meet the current and future business requirements, Service Design provides
for the design of appropriate and innovative IT service solutions and processes. Service
Design aims at converting the business strategy into reality. Service Design addresses
how a planned service solution interacts with the larger business and technical
which interacts with the service, technology, and architecture required to support the
service, and the supply chain required to support the planned service.
Cost model
Benefit/risk analysis
6.2.3 Service Transition
Service transition relates to the delivery of services required by the business into
live/operational use. It aims to bridge the gap between projects and operations more
effectively. Service Transition is concerned with the quality and control of the delivery to
operations and provides example organisation models to support transition, and guidance
management, the validation and testing, release and deployment management, change
6.2.4 Service Operation
Service Operation ensures that there are end-to-end practices which support responsive
and stable services. It is the part of the lifecycle where the services and their value are
actually delivered. It considers the monitoring of problems and the balance between
service reliability and costs. The processes include event management, incident
6.2.5 Continual Service Improvement (CSI)
Continual Service Improvement aims at aligning and realigning the IT services to meet the
assignment and the core activities identified for it to be successful. It includes service
level management, service measurement and reporting and continual service
improvement.
7. COBIT and ITIL: The Alignment
The COBIT framework is aimed primarily at compliance and security and, as such,
ensures the IT governance for the operation of the IT services. ITIL describes a
forcefully puts the emphasis on the importance of meeting the corporate requirements
from the commercial aspect. IT service management under ITIL is geared purely towards
customer benefit and efficiency. Achieving the business objectives whilst simultaneously
medium and long-term success. The synergy between the two frameworks lies in the fact
that the more formal control objectives of COBIT are aligned with the ITIL framework. This
link synchronises the standards for the strategic orientation and increased efficiency of IT
(outcome measures and performance drivers for all IT processes); a list of critical success
factors that provides concise, non-technical best practices for each IT process and
ITIL does not stand alone. It requires a framework of policy, process, procedures and
metrics that can give direction to IT operations (and ITIL activities). COBIT and ITIL
together are a powerful force for IT operational efficiency and effectiveness. ITIL is a
and Application Management. Together they can make the process improvement task
COBIT addresses the need for an IT organisation to unambiguously understand the need
for technology-enabled business change. It does this by tying the business use of
information to the processes and resources used by IT to deliver that information. The IT
Infrastructure Library addresses a subset of the 34 COBIT processes that relate to the
delivery (defining services, quality of service and planning for their delivery) and support
(direct support for the restoration of service and changes to the infrastructure) of IT
services. While there is an overlap in some process areas, that overlap enables the
ITIL is not an out-of-the-box solution and does not have to stand alone; in fact, an
governance framework. Whilst ITIL provides best practices on planning, designing and
implementing effective ITSM capabilities, the addition of COBIT guidance and tools can
help an organisation ensure that its ITSM effort is better aligned with the business and its
governance and internal control requirements. A point not to be overlooked here is that IT
governance does not only improve internal control but can also be a key facilitator in
aligning IT goals with those of the enterprise, a key pillar of ITIL's raison d'être.
The integration of COBIT with ITIL processes not only allows management to improve
governance. With the utilisation of an industry-standard set of controls (and common
assessors, this potentially reduces the time and effort required from both operational staff
The mappings are used to drill down from the COBIT Control Objectives into specific
Control Practices to strengthen existing or proposed ITIL processes in order to help achieve
effective IT governance. These can be used to create specific process control points that
an organisation can measure compliance against. Not all the COBIT Domains map onto
ITIL. ITIL has many omissions compared to COBIT. ITIL focuses on operations, and
Control Objectives within these Domains to further improve business alignment and IT
governance.
8. Conclusion
To conclude, we can say that COBIT addresses what needs to be controlled and how that is
to be measured, and ITIL addresses how IT services are to be delivered and supported.
When implemented properly, both COBIT and ITIL provide the necessary framework of
good practices that enables an IT organisation to clearly align itself with the goals of the
business, manage its resources to enable those goals through the optimised delivery of the
information needed by the business, and deliver IT services and provide for their
direct support.
9. References
Web. 24 Oct. 2009
COBIT, ITIL and ISO 17799 for Business Benefit: Management Summary.
10. Appendix: ITIL mapped onto COBIT detailed-level processes
COBIT control objective | Key areas | ITIL v3 reference (SS = Service Strategy, SD = Service Design, ST = Service Transition, SO = Service Operation, CSI = Continual Service Improvement)

PO1.6 IT portfolio management | Defining, prioritising, managing programmes; Clarifying outcomes and scope | SS 2.5 The service lifecycle; SS 3.4 Service structures; SS 4.2 Develop the offerings; SD 7 Technology considerations
PO2.3 Data classification scheme | Information classes; Ownership; Retention; Access rules; Security levels for each information class | SD 5.2 Data and information management
PO2.4 Integrity management | Integrity and consistency of data | SD 5.2 Data and information management; ST 4.7 Knowledge management
PO3.1 Technological direction planning | Available technologies; Enablement of IT strategy; Systems architecture; Technological direction; Migration strategies | SS 8 Technology and strategy
PO3.2 Technology infrastructure plan | Technological infrastructure plan; Acquisition direction; Economies of scale; Interoperability of platforms | SD 3.6.3 Designing technology architectures
PO3.3 Monitor future trends and regulations | Business sector, industry, technology, infrastructure, legal and regulatory trends | SS 2.4 Principles of service management; SD 4.3.5.7 Modelling and trending
PO4.1 IT process framework | IT process structure and relationships; Process ownership; Integration with business processes, enterprise portfolio management and business change processes | SS 2.6 Functions and processes across the life cycle; SS 3.4 Service structures; SS 7.1 Implementation through the life cycle; SS 9.1 Complexity; SD App C Process documentation templates (example); ST 3.2.7 Establish effective controls and disciplines
PO4.5 IT organisational structure | Organisational alignment with business needs | SS 2.6 Functions and processes across the life cycle; SS 6.1 Organisational development; SS 6.2 Organisational departmentalisation; SS 6.3 Organisational design; SS 6.5 Sourcing strategy; SS App B2 Product managers; SD 6.3 Skills and attributes; ST 4.2.6.8 Change advisory board
PO4.6 Establishment of roles and responsibilities | Explicit roles and responsibilities; Clear accountabilities and end-user authorities | SS 2.6 Functions and processes across the life cycle; SD 6.2 Activity analysis
PO4.7 Responsibility for IT quality assurance (QA) | (key areas not recoverable from the page) | SD 6.4 Roles and responsibilities
PO4.8 Responsibility for risk, security and compliance | Ownership of IT risks in the business; Roles for managing critical risks; Enterprisewide risk and security management; System-specific security; Direction on risk appetite and acceptance of residual risks | SD 6.4 Roles and responsibilities
PO4.9 Data and system ownership | Enablement of business ownership of data; Decision making about information classification | SO 6.3 Technical management
PO4.11 Segregation of duties | Proper execution of roles and responsibilities; Avoidance of compromise of critical processes | ST 3.2.13 Assure the quality of the new or changed service; SO 5.13 Information security management and service operation
PO4.12 IT staffing | Number and competency; requirements evaluation | SO 6.2 Service desk
PO4.15 Relationships | Optimal co-ordination; Communications and liaison | SD 4.2.5.9 Develop contracts and relationships
PO5.4 Cost management | Comparison of costs to budgets; Cost reporting; Remediation of cost deviations from plan | SS 5.1 Financial management (esp. 5.1.2.7)
PO5.5 Benefit management | Benefits monitoring and analysis; Improvement of IT's contribution; Maintenance of business cases | SS 2.2 What are services?; SS 5.1 Financial management; SS 5.2 Return on investment; ST 4.4.5.10 Review and close service transition; ST 4.4.5.8 Early life support
PO6.1 IT policy and control environment | Management philosophy and operating style; Integrity, ethics, competences, accountability and responsibility; Culture of value delivery while managing risks | SS 6.4 Organisational culture
PO6.2 Enterprise IT risk and control framework | Promulgating and controlling policy; Alignment with enterprise risk and control | (no ITIL reference on the page)
PO6.5 Communication of IT objectives and direction | Awareness and understanding of business and IT objectives | ST 5.1 Managing communications and commitment; SO 3.6 Communication
PO7.4 Personnel training | Organisational induction and ongoing training to raise technical and management skill levels | SD 6.3 Skills and attributes
PO8.1 Quality management system | Standard approach aligned to business requirements covering quality requirements and criteria; Policies and methods for detecting and correcting quality nonconformance | SS 7.5 Strategy and improvement; ST 4.4.5.3 Build and test
PO8.2 IT standards and quality practices | (key areas not recoverable from the page) | SS 7.5 Strategy and improvement; ST 3.2.13 Assure the quality of the new or changed service; ST 4.5 Service validation and testing (ITIL is not just focused on ST, but on ongoing test of the service); CSI App A Complementary guidance
PO8.3 Development and acquisition standards | Life cycle standards for deliverables | SS 6.5 Sourcing strategy; SD 3.5 Design activities; SD 3.6 Design aspects; SD 3.9 Service-oriented architecture; SD 7 Technology considerations; ST 3.2.3 Adopt a common framework and standards
(control objective not recoverable from the page) | ... management processes | CSI 5.6.7 Summary; CSI 6 Organising for continual service improvement; CSI 8 Implementing continual service improvement; CSI 9 Challenges, critical success factors and risks
PO8.6 Quality measurement, monitoring and review | Monitoring compliance to QMS; Value of QMS | CSI 5.2 Assessments; CSI 5.3 Benchmarking; CSI 5.4 Measuring and reporting frameworks
PO9.1 IT risk management framework | Alignment to enterprise risk framework | SS 9.5 Risks; SD 4.5.5.1 Stage 1: Initiation
PO9.2 Establishment of risk context | Internal and external context and goals of each assessment | SS 9.5 Risks; SD 4.5.5.1 Stage 1: Initiation; SD 4.5.5.2 Stage 2: Requirements and strategy
PO9.3 Event identification | Important threats exploiting vulnerabilities having negative business impact; Risk registry | SS 9.5 Risks; SD 4.5.5.2 Stage 2: Requirements and strategy; ST 9 Challenges, critical success factors and risks; CSI 5.6.3 IT service continuity management
PO9.4 Risk assessment | Likelihood and impact of all identified risks; Qualitative and quantitative assessment; Inherent and residual risk | SS 9.5 Risks; SD 4.5.5.2 Stage 2: Requirements and strategy; SD 8.1 Business impact analysis (not in detail); ST 4.6 Evaluation
PO9.5 Risk response | Cost-effective controls mitigating exposure; Risk avoidance strategies in terms of avoidance, mitigation or acceptance | SS 9.5 Risks; SD 4.5.5.3 Stage 3: Implementation; ST 4.6 Evaluation
(control objective not recoverable from the page) | Monitoring deviations | (no ITIL reference on the page)
PO10.3 Project management approach | Approach commensurate with size, complexity and requirements of each project; Project governance structure; Project sponsors | ST 3.2 Policies for service transition
PO10.4 Stakeholder commitment | Commitment and participation of stakeholders | ST 3.2.6 Establish and maintain relationships with stakeholders; ST 3.2.12 Ensure early involvement in the service life cycle
PO10.5 Project scope statement | Approval of nature and scope of project | SD 3.4 Identifying and documenting business requirements and drivers; SD 3.5 Design activities
PO10.7 Integrated project plan | Integrated plan covering business and IT resources; Activities and interdependencies between projects | SD App D Design and planning documents and their contents
PO10.8 Project resources | Responsibilities, relationships, authorities and performance criteria of project team; Planning procurement of resources | ST 3.2.11 Proactively manage resources across service transitions
PO10.11 Project change control | Change control system for each project (cost, schedule, scope, quality) | ST 3.2.10 Anticipate and manage course corrections

ACQUIRE AND IMPLEMENT

AI1.1 Definition and maintenance of business functional and technical requirements | Identifying, prioritising and specifying requirements for all initiatives related to investment programmes | SS 7.5 Strategy and improvement; SS 8.1 Service automation; SD 3.2 Balanced design; SD 3.3 Identifying service requirements; SD 3.4 Identifying and documenting business requirements and drivers; SD 3.5 Design activities; SD 3.6.1 Designing service solutions; SD 3.6.2 Designing supporting systems, especially the service portfolio; SD 3.6.3 Designing technology architectures; SD 3.6.4 Designing processes; SD 3.6.5 Design of measurement systems and metrics; SD 3.8 Design constraints; SD 3.9 Service-oriented architecture; SD 4.3.5.8 Application sizing; SD App D Design and planning documents and their contents; ST 3.2.5 Align service transition plans with the business needs
AI1.2 Risk analysis report | Analysis of all significant threats and potential vulnerabilities affecting the requirements | SD 2.4.2 Scope; SD 3.6 Design aspects; SD 4.5.5.2 Stage 2: Requirements and strategy
AI1.3 Feasibility study and formulation of alternative courses of action | Alternative solutions to satisfying business requirements assessed by the business and IT | SD 3.6.1 Designing service solutions; SD 3.7.1 Evaluation of alternative solutions; ST 3.2.4 Maximise reuse of established processes and systems
AI1.4 Requirements and feasibility decision and approval | Business sponsor's approval of requirements, feasible options, solutions and the acquisition approach | SD 3.6.1 Designing service solutions
AI2.1 High-level design | Translation of business requirements to high-level design for acquisition; Alignment with technological direction and information architecture | SD 3.6.1 Designing service solutions; SD 3.6.3 Designing technology architectures
AI2.2 Detailed design | Technical design and application requirements; Criteria for acceptance | SS 8.2 Service interfaces; SD 4.2.5.2 Determine, document and agree requirements for new services and produce service level requirements (SLR); SD 5.3 Application management
AI2.4 Application security and availability | Security and availability requirements addressed | SD 3.6.1 Designing service solutions; SO 4.4.5.11 Errors detected in the development environment
AI2.7 Development of application software | Developing functionality in accordance with design, standards and QA requirements; Legal and contractual requirements followed by third-party developers | SD 3.7.3 Develop the service solution
AI2.9 Applications requirements management | Tracking status of all requirements through change management process | ST 3.2.6 Establish and maintain relationships with stakeholders; ST 3.2.10 Anticipate and manage course corrections
AI4.2 Knowledge transfer to business management | Enable ownership, delivery, quality and internal control of solution | ST 3.2.5 Align service transition plans with the business needs; ST 4.7 Knowledge management
AI4.3 Knowledge transfer to end users | End-user knowledge and skills for use as part of business processes | ST 3.2.8 Provide systems for knowledge transfer and decision support; ST 4.4.5.8 Early life support; ST 4.7 Knowledge management
AI4.4 Knowledge transfer to operations and support staff | Knowledge and skills to enable operation and support of systems and infrastructure | ST 3.2.8 Provide systems for knowledge transfer and decision support; ST 4.4.5.5 Plan and prepare for deployment; ST 4.7 Knowledge management; SO 3.7 Documentation; SO 4.4.5.11 Errors detected in the development environment; SO 4.6.6 Knowledge management (as operational activities)
AI5.1 Procurement control | Standards and procedures aligned to enterprise procurement process | SD 3.7.2 Procurement of the preferred solution
AI5.2 Supplier contract management | Contract initiation and life cycle management | SD 4.2.5.9 Develop contracts and relationships; SD 4.7.5.3 Establishing new suppliers and contracts
AI5.3 Supplier selection | Fair and formal selection process; Viable best fit to requirements | SD 3.7.1 Evaluation of alternative solutions; SD 4.7.5.3 Establishing new suppliers and contracts; SD App I Example contents of a statement of requirement (SoR) and/or invitation to tender (ITT)
AI5.4 IT resources acquisition | Protection of enterprise interests in contractual agreements; Rights and obligations of all parties | SD 3.7.2 Procurement of the preferred solution
AI6.1 Change standards and procedures | Formal change management procedures; Standardised approach | SD 3.2 Balanced design; SD 3.7 The subsequent design activities; ST 3.2 Policies for service transition; ST 3.2.1 Define and implement a formal policy for service transition; ST 3.2.2 Implement all changes to services through service transition; ST 3.2.7 Establish effective controls and disciplines; ST 4.1 Transition planning and support; ST 4.1.4 Policies, principles and basic concepts; ST 4.2 Change management; ST 4.2.6.1 Normal change procedure; ST 5 Service transition common operation activities; ST 6 Organising for service transition; ST 6.3 Organisation models to support service transition; ST 6.4 Service transition relationship with other life cycle stages; SO 4.6.1 Change management (as operational activities)
AI6.2 Impact assessment, prioritisation and authorisation | Assessing impact, categorising, prioritising and authorising | ST 4.2.6.2 Create and record requests for change; ST 4.2.6.3 Review the request for change; ST 4.2.6.4 Assess and evaluate the change; ST 4.2.6.5 Authorising the change; ST 4.2.6.6 Co-ordinating change implementation; ST 4.2.6.8 Change advisory board; ST 4.6 Evaluation; SO 4.3.5.1 Menu selection; SO 4.3.5.2 Financial approval; SO 4.3.5.3 Other approval
AI6.3 Emergency changes | Process for defining, raising, testing, documenting, assessing and authorising emergency changes | ST 4.2.6.9 Emergency changes
AI6.4 Change status tracking and reporting | Tracking and reporting of all changes: rejected, approved, in-process and completed | ST 3.2.13 Assure the quality of the new or changed service; ST 3.2.14 Proactively improve quality during service transition; ST 4.1.5.3 Planning and co-ordinating service transition; ST 4.1.6 Provide transition process support
AI6.5 Change closure and documentation | Change implementation and documentation updates | ST 4.2.6.4 Assess and evaluate the change; ST 4.2.6.7 Review and close change record; ST 4.4.5.10 Review and close service transition; ST 4.4.5.9 Review and close a deployment; SO 4.3.5.5 Closure
AI7.1 Training | Training of users and operations in accordance with implementation plan | ST 4.4.5.2 Preparation for build, test and deployment
AI7.2 Test plan | Test plan defining roles and responsibilities | ST 4.5.5.1 Validation and test management; ST 4.5.5.2 Plan and design test; ST 4.5.5.3 Verify test plan and test design; ST 4.5.5.4 Prepare test environment
AI7.3 Implementation plan | Implementation plan including fallback and backout strategies | ST 3.2.9 Plan release and deployment packages; ST 4.1.5.2 Preparation for service transition; ST 4.4.5.2 Preparation for build, test and deployment; ST 4.4.5.3 Build and test; ST 4.4.5.4 Service testing and pilots; ST 4.4.5.5 Plan and prepare for deployment
AI7.4 Test environment | Secure test environment based on operational conditions | ST 3.2.14 Proactively improve quality during service transition; ST 4.4.5.2 Preparation for build, test and deployment; ST 4.4.5.3 Build and test; ST 4.4.5.4 Service testing and pilots
AI7.6 Testing of changes | Independently testing changes prior to migration | ST 3.2.14 Proactively improve quality during service transition; ST 4.4.5.4 Service testing and pilots; ST 4.5.5.5 Perform tests; ST 4.5.5.6 Evaluate exit criteria and report
AI7.7 Final acceptance test | Business process owners and stakeholders evaluating outcome of testing | ST 4.4.5.4 Service testing and pilots; ST 4.5.5.5 Perform tests; ST 4.5.5.6 Evaluate exit criteria
and report
Controlled handover to
AI7.8 Promotion to production operations, ST 4.4.5.5 Plan and prepare for
software distribution, parallel deployment
processing ST 4.4.5.6 Perform transfer,
deployment and retirement
SO 4.3.5.4 Fulfilment
Evaluating whether objectives ST 3.2.13 Assure the quality of
AI7.9 Post-implementation review have the
been met and benefits realised new or changed service
Action plan to address issues ST 4.1.5.3 Planning and
co-ordinating service transition
ST 4.4.5.10 Review and close
service transition
ST 4.4.5.7 Verify deployment
ST 4.4.5.9 Review and close a
deployment
ST 4.6 Evaluation
SO 4.3.5.5 Closure
DELIVER AND SUPPORT

| COBIT control objective | Description | ITIL V3 reference |
|---|---|---|
| DS1 Service level management framework | Formal service level management process and continuous alignment to business requirements; facilitating common understanding between customer and provider | SS 2.6 Functions and processes across the life cycle; SS 4.3 Develop strategic assets; SS 4.4 Prepare for execution; SS 7.2 Strategy and design; SS 7.3 Strategy and transitions; SS 7.5 Strategy and improvement; SD 4.2.5.1 Designing SLA frameworks; SD 4.2.5.9 Develop contracts and relationships |
| DS1.2 Definition of services | Services defined based on service characteristics and business requirements in a service catalogue | SS 4.2 Develop the offerings; SS 4.3 Develop strategic assets; SS 5.4 Service portfolio management methods; SS 5.5 Demand management; SS 7.2 Strategy and design; SS 7.3 Strategy and transitions; SS 7.4 Strategy and operations; SS 7.5 Strategy and improvement; SS 8.2 Service interfaces; SD 3 Service design principles; SD 3.1 Goals; SD 3.2 Balanced design; SD 3.4 Identifying and documenting business requirements and drivers; SD 3.5 Design activities; SD 3.6 Design aspects; SD 4.1 Service catalogue management |
| DS1.3 Service level agreements | Defining SLAs based on customer requirements and IT capabilities; service metrics, roles and responsibilities | SD 4.2.5.2 Determine, document and agree upon requirements for new services and produce SLR; SD App F Sample SLA and operating level agreement (OLA) |
| DS1.4 Operating level agreements | Definition of technical delivery to support the SLA(s) | SD 4.2.5.5 Review and revise underpinning agreements and service scope; SD App F Sample SLA and OLA |
| DS1.5 Monitoring and reporting of service level achievements | Continuous monitoring of service performance | SS 5.3 Service portfolio management; SD 4.2.5.3 Monitor service performance against SLA; SD 4.2.5.6 Produce service reports; SD 4.2.5.7 Conduct service reviews and instigate improvements within an overall SIO; SD 4.2.5.10 Complaints and compliments; SD 4.3.8 Information management; CSI 4.2 Service reporting; CSI 4.3 Service measurement |
| DS1.6 Review of service level agreements and contracts | Regular review of SLAs and underpinning contracts for effectiveness and being up to date | SD 4.2.5.4 Collate, measure and improve customer satisfaction; SD 4.2.5.5 Review and revise underpinning agreements and service scope; SD 4.2.5.8 Review and revise SLAs, service scope and underpinning agreements |
| DS2.1 Identification of all supplier relationships | Categorising services according to supplier type, significance and criticality | SS 7.3 Strategy and transitions; SD 4.7.5.1 Evaluation of new suppliers and contracts; SD 4.7.5.2 Supplier categorisation and maintenance of the supplier and contracts database (SCD) |
| DS2.2 Supplier relationship management | Liaising with regard to customer and supplier issues; trust and transparency | SD 4.2.5.9 Develop contracts and relationships; SD 4.7.5.2 Supplier categorisation and maintenance of the supplier and contracts database (SCD); SD 4.7.5.4 Supplier and contract management and performance; SD 4.7.5.5 Contract renewal and/or termination |
| DS2.3 Supplier risk management | Risk identification, contract conformance and supplier viability | SD 4.7.5.3 Establishing new suppliers and contracts; SD 4.7.5.5 Contract renewal and/or termination |
| DS2.4 Supplier performance monitoring | Meeting business requirements, adherence to contract and competitive performance | SD 4.7.5.4 Supplier and contract management and performance |
| DS3.1 Performance and capacity planning | Ensuring capacity and performance are available to meet SLAs | |
| DS3.2 Current performance and capacity | Assessment of current performance and capacity | SD 4.3.5.2 Service capacity management; SD 4.3.5.3 Component capacity management; SO 4.1.5.2 Event notification; SO 4.1.5.3 Event detection; SO 5.4 Server management and support; CSI 4.3 Service measurement |
| DS3.3 Future performance and capacity | Forecasting of resource requirements; workload trends | SD 4.3.5.1 Business capacity management; SD 4.3.5.2 Service capacity management; SD 4.3.5.3 Component capacity management; SD 4.3.5.7 Modelling and trending; SD 4.3.8 Information management |
| DS3.4 IT resources availability | Provision of resources, contingencies, fault tolerance and resource prioritisation | SD 4.3.5.3 Component capacity management; SD 4.3.5.4 The underpinning activities of capacity management; SD 4.4 Availability management; SD 4.4.5.1 The reactive activities of availability management; SD 4.4.5.2 The proactive activities of availability management; SO 4.6.5 Availability management (as operational activities); CSI 5.6.1 Availability management |
| DS3.5 Monitoring and reporting | Maintaining and tuning performance and capacity, and reporting service availability to the business | SD 4.3.5.4 The underpinning activities of capacity management; SD 4.3.5.5 Threshold management and control; SD 4.3.5.6 Demand management; SD 4.4.5.1 The reactive activities of availability management |
| DS4.1 IT continuity framework | Enterprisewide consistent approach to continuity management | SD 4.5 IT service continuity management; SD 4.5.5.1 Stage 1 - Initiation; CSI 5.6.3 IT service continuity management |
| DS4.2 IT continuity plans | Individual continuity plans based on framework; business impact analysis; resilience, alternative processing and recovery | SD 4.5.5.2 Stage 2 - Requirements and strategy; SD 4.5.5.3 Stage 3 - Implementation; SD App K The typical contents of a recovery plan |
| DS4.3 Critical IT resources | Focus on critical infrastructure, resilience and prioritisation; response for different time periods | SD 4.4.5.2 The proactive activities of availability management; SD 4.5.5.4 Stage 4 - Ongoing operation |
| DS4.4 Maintenance of the IT continuity plan | Change control to reflect changing business requirements | SD 4.5.5.4 Stage 4 - Ongoing operation |
| DS4.5 Testing of the IT continuity plan | Regular testing; implementing action plan | SD 4.5.5.3 Stage 3 - Implementation; SD 4.5.5.4 Stage 4 - Ongoing operation |
| DS4.6 IT continuity plan training | Regular training for all concerned parties | SD 4.5.5.3 Stage 3 - Implementation; SD 4.5.5.4 Stage 4 - Ongoing operation |
| DS4.7 Distribution of the IT continuity plan | Proper and secure distribution to all authorised parties | SD 4.5.5.3 Stage 3 - Implementation; SD 4.5.5.4 Stage 4 - Ongoing operation |
| DS4.8 IT services recovery and resumption | Planning for period when IT is recovering and resuming services; business understanding and investment support | SD 4.4.5.2 The proactive activities of availability management; SD 4.5.5.4 Stage 4 - Ongoing operation |
| DS4.9 Offsite backup storage | Offsite storage of all critical media, documentation and resources needed, in collaboration with business process owners | SD 4.5.5.2 Stage 2 - Requirements and strategy; SO 5.2.3 Backup and restore |
| DS4.10 Post-resumption review | Regular management assessment of plans | SD 4.5.5.3 Stage 3 - Implementation; SD 4.5.5.4 Stage 4 - Ongoing operation |
| DS5.4 User account management | Life cycle management of user accounts and access privileges | SO 4.5 Access management; SO 4.5.5.1 Requesting access; SO 4.5.5.2 Verification; SO 4.5.5.3 Providing rights; SO 4.5.5.4 Monitoring identity status; SO 4.5.5.5 Logging and tracking access; SO 4.5.5.6 Removing or restricting rights |
| DS5.5 Security testing, surveillance and monitoring | Proactive testing of security implementation; timely accreditation; timely reporting of unusual events | SO 4.5.5.6 Removing or restricting rights; SO 5.13 Information security management and service operation |
| DS5.6 Security incident definition | Definition and classification of security incident characteristics | SD 4.6.5.1 Security controls (high-level coverage, not in detail); SD 4.6.5.2 Management of security breaches and incidents |
| DS5.7 Protection of security technology | Resistance to tampering | SO 5.4 Server management and support |
| DS5.10 Network security | Controls to authorise access and information flows from and to networks | SO 5.5 Network management |
| DS6.1 Definition of services | Identification of all costs linked to IT services and associated business processes | SS 5.1 Financial management; SD 4.1 Service catalogue management; SO 4.3.5.1 Menu selection |
| DS8.3 Incident escalation | Incident escalation according to limits in SLAs | SO 4.1.5.8 Response selection; SO 4.2.5.6 Incident escalation; SO 4.2.5.7 Investigation and diagnosis; SO 4.2.5.8 Resolution and recovery; SO 5.9 Desktop support |
| DS8.4 Incident closure | Recording of resolved and unresolved incidents | SO 4.1.5.10 Close event; SO 4.2.5.9 Incident closure |
| DS8.5 Reporting and trend analysis | Reports of service performance and trends of recurring problems | SO 4.1.5.9 Review and actions; CSI 4.3 Service measurement (vague) |
| DS9.1 Configuration repository and baseline | Recording configuration items, monitoring and recording all assets, and implementing a baseline for every system and service as a change recovery checkpoint | SS 8.2 Service interfaces; ST 4.1.5.2 Prepare for service transition; ST 4.3.5.2 Management and planning |
| DS9.2 Identification and maintenance of configuration items | Configuration procedures to support logging of all changes in configuration database | ST 4.1.5.2 Prepare for service transition; ST 4.3.5.3 Configuration identification; ST 4.3.5.4 Configuration control; ST 4.3.5.5 Status accounting and reporting |
| DS9.3 Configuration integrity review | Periodic review of configuration data integrity; control of licensed software and unauthorised software | ST 4.3.5.6 Verification and audit; SO 5.4 Server management and support; SO 7 Technology considerations (especially for licensing, mentioned in SO 7.1.4) |
| DS10.1 Identification and classification of problems | Problem classification, allocation to support staff | SO 4.4.5.1 Problem detection; SO 4.4.5.3 Problem categorisation; SO 4.4.5.4 Problem prioritisation; SO App C Kepner and Tregoe; SO App D Ishikawa diagrams |
| DS10.2 Problem tracking and resolution | Audit trails, tracking and analysis of root causes of all problems; initiating solutions to address root causes | SO 4.4.5.2 Problem logging; SO 4.4.5.5 Problem investigation and diagnosis; SO 4.4.5.6 Work-arounds; SO 4.4.5.7 Raising a known error record; SO 4.4.5.8 Problem resolution |
| DS10.3 Problem closure | Closure procedures after elimination of error or alternative approach | SO 4.4.5.9 Problem closure; SO 4.4.5.10 Major problem review |
| DS11.1 Business requirements for data management | Input form design; minimising errors and omissions; error-handling procedures | SD 5.2 Data and information management |
| DS11.2 Storage and retention arrangements | Document preparation; segregation of duties | SD 5.2 Data and information management; SO 5.6 Storage and archive |
| DS11.5 Backup and restoration | Legal requirements; retrieval and reconstruction mechanisms | SO 5.2.3 Backup and restore |
| DS11.6 Security requirements for data management | Data input by authorised staff | SD 5.2 Data and information management |
| DS12.2 Physical security measures | Securing the location, including protection from unauthorised access, natural risks and power outages | SO App E Detailed description of facilities management |
| DS12.3 Physical access | Controlled access to premises by all parties | SO App E Detailed description of facilities management; SO App F Physical access control |
| DS12.4 Protection against environmental factors | Monitoring and control of environmental factors | SO App E Detailed description of facilities management |
| DS12.5 Physical facilities management | Management of facilities according to business, legal and regulatory requirements | SO 5.12 Facilities and data centre management |
| DS13.1 Operations procedures and instructions | Procedures and familiarity with operational tasks | SO 3.7 Documentation; SO 5 Common service operation activities; SO App B Communication in service operation |
| DS13.2 Job scheduling | Organisation of job schedules maximising throughput and utilisation to meet SLAs | SD 4.3.5.5 Threshold management and control; SD 4.3.5.6 Demand management; SO 5.2.2 Job scheduling; SO 5.3 Mainframe management |
| DS13.3 IT infrastructure monitoring | Monitoring infrastructure for critical events; logging of information to enable review | SD 4.3.5.4 The underpinning activities of capacity management; SD 4.3.5.5 Threshold management and control; SO 4.1 Event management; SO 4.1.5.1 Event occurs; SO 4.1.5.9 Review and actions; SO 5.2.1 Console management/operations bridge |
| DS13.4 Sensitive documents and output devices | Physical safeguards for sensitive assets, and negotiable instruments | SO 5.2.4 Print and output |
| DS13.5 Preventive maintenance for hardware | Maintenance to reduce impact of failures | SO 5.3 Mainframe management; SO 5.4 Server management and support |
MONITOR AND EVALUATE

| COBIT control objective | Description | ITIL V3 reference |
|---|---|---|
| ME1.1 Monitoring approach | General monitoring framework; integration with corporate approach | SD 8.5 Measurement of service design; ST 4.5.5.1 Validation and test management; SO 3.5 Operational health; CSI 4.1 The seven-step improvement process; CSI 4.1a Step one - Define what you should measure; CSI 4.1b Step two - Define what you can measure; CSI 4.1.1 Integration with the rest of the life cycle stages and service management processes; CSI 4.1.2 Metrics and measurement; CSI 4.3 Service measurement; CSI 4.4 Return on investment for CSI; CSI 4.5 Business questions for CSI; CSI 5.1 Methods and techniques; CSI 5.2 Assessments |
| ME1.2 Definition and collection of monitoring data | Balanced set of objectives approved by stakeholders; benchmarks, availability and collection of measurable data | SD 4.2.5.10 Complaints and compliments; CSI 4.1c Step three - Gathering the data; CSI 4.1d Step four - Processing the data |
| ME1.3 Monitoring method | Method for capturing and reporting results | ST 4.5.5.2 Plan and design test; ST 4.5.5.3 Verify test plan and test design; ST 4.5.5.4 Prepare test environment; CSI 4.1b Step two - Define what you can measure; CSI 4.1f Step six - Presenting and using the information; CSI 5.4 Measuring and reporting frameworks |
| ME1.4 Performance assessment | Review of performance against targets; remedial actions; root cause analysis | SD 4.2.5.7 Conduct service reviews and instigate improvements within an overall SIO; CSI 3 Continual service improvement principles; CSI 4.1e Step five - Analysing the data; CSI 5.3 Benchmarking; CSI 8 Implementing continual service improvement |
| ME1.5 Board and executive reporting | Reports of IT's contribution to the business for service and investment portfolios and programmes | CSI 4.1f Step six - Presenting and using the information; CSI 4.2 Service reporting |
| ME1.6 Remedial actions | Follow-up on and remediation of all performance issues | CSI 4.1g Step seven - Implementing corrective action |
| ME4.1 Establishment of an IT governance framework | IT governance framework aligned to enterprise governance; based on suitable IT process and control model; confirmation framework ensuring compliance and confirming delivery of enterprise strategy for IT | CSI 3.10 Governance; CSI App A Complementary guidance |
| ME4.2 Strategic alignment | Board understanding of IT strategy, strategic direction, confidence and trust between business and IT, co-responsibility for strategic decisions, and benefit realisation | SD 3.10 Business service management |
| ME4.3 Value delivery | Delivery of optimum value to support enterprise strategy; understanding of expected business outcomes; effective business cases; management of economic life cycle and realisation of benefits; enforcement of portfolio, programme and project management; and business ownership of investments | SS 3.1 Value creation |
| ME4.5 Risk management | Appetite for risk, appropriate risk management practices, embedding risk responsibilities, regular assessment of risk and transparent risk reporting | SS 9.5 Risks |
| ME4.6 Performance measurement | Confirming objectives have been met, reviewing any remedial actions, reporting performance to senior management and enabling review of progress | SS 4.4 Prepare for execution; SS 9.4 Effectiveness in measurement; SD 3.6.5 Design of measurement systems and metrics; CSI 4.3 Service measurement |