June 2006

Getting to Know ITIL

Although the IT Infrastructure Library is one of the most widely used best practices for IT service management, many organizations may still be unaware of its existence. However, a little knowledge about its purpose, as well as implementation strategies and challenges can help internal auditors provide management with recommendations on how to get started.

Eugene Ball, PHD, ITIL Certified Service Manager
Instructor
Global Knowledge

For 20 years, the IT Infrastructure Library (ITIL) has helped organizations around the world improve their IT management activities, assess the adequacy of existing security goals and plans, and measure actual security performance. Today's current regulatory landscape is putting a lot of pressure on organizations to establish sound IT practices and procedures that ensure high-quality services. As a result, many companies are using established frameworks such as ITIL as benchmarks to emulate when setting up an effective IT service management program. Due to ITIL's adoption over the years as an IT service best practices model, it is important for internal auditors to learn as much as possible about this framework (i.e., its purpose and benefits) and ways to help organizations get started with the implementation process (i.e., implementations strategies and challenges).

WHAT IS ITIL?

Books Within ITIL Framework

The ITIL framework contains eight books, each providing information on different IT topics. These books include:

  1. Service Support.
  2. Service Delivery.
  3. Business Perspective.
  4. ICT Infrastructure Management.
  5. Applications Management.
  6. Security Management.
  7. Planning and Implementation.
  8. Software Asset Management.
ITIL started in the late 1980s when the UK's Central Computer and Telecommunication Agency — now the Office of Government Commerce (OGC) — commissioned a study to develop a new approach to manage technology more effectively. The result was version 1 of ITIL, originally called the Government Information Technology Infrastructure Management framework. Early ITIL adoption efforts began in the British government, later spreading to other nongovernmental institutions. From England, ITIL crossed over to other parts of Europe and Canada, where it has been widely adopted, and has made its way to the United States, where adoption is gaining momentum.

ITIL's current version contains eight books dealing with a broad range of IT subjects (see "Books Within ITIL Framework" at right for a list of all eight books). Two of these books, Service Support and Service Delivery, are the heart of ITIL and the focus of ITIL adoption in many companies worldwide. Companies that have implemented ITIL as a base for their own proprietary IT management frameworks include Hewlett-Packard, Microsoft, and IBM. Many of the chapters within ITIL's eight books were written by individuals from one of these companies.

According to ITIL best practices, companies should have one service desk function or department with an overall framework consisting of 10 processes:

  1. Incident management.
  2. Problem management.
  3. Change management.
  4. Release management.
  5. Configuration management.
  6. Service-level management.
  7. Financial management.
  8. IT service continuity management.
  9. Availability management.
  10. Capacity management.

ITIL's Service Support book covers the first five processes, while its Service Delivery book discusses the last five. It is important to remember that ITIL only provides a process framework for the management of IT services and, as a result, does not describe in great detail how particular processes should be implemented. When deciding whether to implement ITIL, organizations should weigh its benefits over those of other frameworks. Some benefits of ITIL implementation include:

  • A common IT dictionary — an item that has been lacking in the present IT world.
  • Improved financial management of IT and better matching of IT services to organization needs.
  • Improved relationship between the IT function or department and the organization.
  • Improved use of the company's IT infrastructure and personnel.
  • Improved reputation of IT within the organization.
  • Information on the proper use of service-level agreements (SLAs), which are key to defining the business' service relationship.

STRATEGIES FOR IMPLEMENTING ITIL

For organizations planning to implement ITIL, there are a few things to note before getting started. First, implementing ITIL can cause a major change in the way business processes work. However, even though ITIL implementation can be difficult, the true value to organizations comes from their long-term adoption of best practices that have shown a positive return on investment. Through the cultural changes created by ITIL, including the establishment of an effective IT service management business function, services are matched to the company's present and future needs in a cost-effective manner. Both of these actions can improve the standing of IT within the business, as well as the company's competitive advantage and bottom line.

Second, auditors should keep in mind that although ITIL implementation may indicate senior management is committed to establishing proper IT processes and controls, some organizations may use ITIL as an excuse not to have proper controls. Hence, monitoring of ITIL compliance is important — ITIL initiatives will not work in the long term without strong controls to hold people accountable for their job performance and responsibilities. For instance, besides establishing the proper tone at the top, auditors should recommend that organizations implement and monitor compliance with ITIL policies and procedures. One way to monitor compliance is by placing detective controls that provide fact-based enforcement of ITIL policies.

To get started with ITIL implementation, internal auditors can recommend that organizations take the following five steps:

1. Designate an ITIL adoption project owner and develop an implementation team.
The adoption of ITIL should rise to the level of a major project and requires formal oversight. The company's chief informaiton officer (CIO), or someone in a similar capacity — preferably an ITIL certified service manager — should be the process owner to get things done with help from a manager. Because this is a long-term project, every effort should be made to have the same certified service manager throughout the implementation — this will help provide the project's continuity.

In addition, companies need to develop an implementation project management team. Because the implementation of ITIL is a major undertaking, auditors should recommend that organizations establish a well-defined project management team. Because ITIL implementation can take years, careful thought and preparation must be put into the development and staffing of the team. Companies should keep in mind that the implementation of ITIL will change the working culture of IT forever. As a result, project management teams should consist of a cross-section of all IT areas and key business units.

2. Train employees.
Due to ITIL's common dictionary of IT terminology, education is usually a first step for organizations during the implementation process. Many companies begin by requiring most or all of their IT staff to take an ITIL foundation certification class. This class, which can take up to three days, provides a common understanding of the ITIL framework and a common language for a more accurate discussion during the implementation phase. In addition, as progress is made toward the implementation of each of the 10 ITIL processes, the manager of each process may be assigned to take a special ITIL practitioner certificate class that covers the process for which he or she is responsible.

3. Establish a Service-level Agreement (SLA) process.
Organizations should have a well-defined and approved process for handling SLAs that accompany service processes. This will help the organization align its long-term goals with current business and IT needs.

4. Evaluate IT needs.
New technology should not be considered until processes are better defined. It is important to remember that technology is only an enabler and does not improve weak processes.

5. Perform a gap analysis.
Many organizations will have some of the 10 ITIL processes in place. Hence, a gap analysis will identify key performance indicators and inter-process relationships, as well as what modifications are required to bring processes, procedures, and policies in line with each goal. These are all defined within the ITIL framework as part of the service delivery and service support books. The gap analysis also will help companies prioritize the selection of processes based on current maturity levels, which allows the organization to close small gaps between the present process and the ITIL-defined process as quickly as possible.

CHALLENGES TO ITIL IMPLEMENTATION

Although ITIL helps companies create a framework that includes the processes required to run IT as a core business function, its adoption may not be easy or cheap. One reason is that IT departments may not operate efficiently, providing services and using resources as they see fit. Other reasons include the company's overall ITIL maturity level (i.e., where the organization is within the ITIL implementation process); its ability to integrate IT best practices into businesswide processes; and the lack of documentation to prove the need for a specific service, practice, or resource use. For instance, many organizations lack a strong change management process, evident in the presence of frequent system changes, which can have an adverse effect on companywide productivity.

In addition, ITIL implementation may require companies to redefine how they allocate IT resources. Most IT departments or functions spend years dividing IT resources among staff based on specific categories, such as hardware and software. Unfortunately, breaking down or redefining these categories to expedite ITIL implementation while making sure necessary information is transmitted from one process to another can become one of the most difficult adoption challenges. Because this is such a large stumbling block, auditors should recommend that ITIL adoption be endorsed and supported by top management.

Another challenge organizations face during ITIL implementation is that of time. Although most IT projects show major positive results or are completed within six months, ITIL milestones are measured in years, rather than months. Implementing ITIL also may require new resources, because currently used technology may not be able to support ITIL processes. Hence, implementation only succeeds if the right tools, people, and processes are working together.

A final difficulty is determining where to start, which depends on each organization. Because ITIL does not require a specific methodology, organizations need to understand their present processes and determine how they match those described in either the Service Support or Service Delivery books. Once these processes are identified and matched, IT departments should start working on a course of action that will show a positive result quickly so others stay on board.

ADDITIONAL RESOURCES

ITIL is a framework of how to manage IT like a business for the business. As such, the ITIL framework does not describe in absolute terms how any of the ITIL processes should be implemented — those details are left up to the implementer. However, because the framework defines goals and key performance indicators, companies have a clear road map to measure their implementation progress and success. In addition, ITIL defines repeatable, verifiable processes that enable organizations to incorporate IT controls into the organization's service management function.

For those organizations that are about to begin ITIL implementation, they should remember that complete implementation is a long-term journey measured in years rather than months. ITIL is also an approach to continuous improvement — part of the framework is the constant improvement of each of the 10 ITIL processes. This goal of this constant improvement is to provide IT services in a more cost-effective manner, while better matching those services to the present and future needs of the business.

For more information on ITIL, visit the OGC's ITIL Web page, www.ogc.gov.uk/index.asp?id=2261 and frequently-asked-questions page, www.ogc.gov.uk/index.asp?docid=1000368. The OGC Web site also features an ITIL pocket guide that provides an overview of ITIL's objectives, content, and coverage. The pocket guide can be found at www.ogc.gov.uk/sdtoolkit/deliveryteam/briefings/ITIL/index.html.

Besides the OGC, other major players involved with ITIL and sources for ITIL information include:

  • The Stationary Office (TSO), the official publisher of ITIL documentation. Downloadable PDF versions of old ITIL books can be obtained through the TSO Web site.
  • Loyalist College of Applied Arts and Technology, a Canadian college that administers ITIL certification tests for individuals living in North America.
  • The Dutch Examination Institute for Information Science (EXIN) and the UK's Information Systems Examination Board (ISEB), developers of ITIL's professional certification system in cooperation with the OGC and Information Technology System Management Forum (itSMF) — an industry consortium dedicated to managing the cost and quality of IT service management. EXIN and ISEB provide three recognized individual certifications: the Foundation Certificate in IT Service Management, the Practitioner Certificate in IT Service Management, and the Manager Certificate in IT Service Management. itSMF administrates the BS1500 organizational certification — the world's first standard for IT service management — which is based heavily on the ITIL framework.
  • ISACA's IT Governance Institute, which provides reference information that can help auditors combine ITIL with its Control Objectives for Information and related Technology framework.
  • Organizations that use Microsoft products might want to read the company's Microsoft Operations Framework, which provides prescriptive operations guidance for Microsoft-specific platforms.
  • The Information Technology Process Institute's Visible Ops Handbook, which offers information for organizations looking to achieve rapid results by first implementing specific portions of ITIL.

Eugene Ball, PHD, ITIL Certified Service Manager, has 26 years of experience in the customer service industry and 12 years of experience teaching and conducting research in mathematics, computer science, and statistics at universities in the United States and abroad. In 1993, Ball founded Help Desk Solutions Inc., where he helps organizations implement and improve customer service functions.

 


Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

Name:

Email:

Subject:

Comment:

To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>

April 2012 IA Online Cover

CCH 2012-2

 

 Write for Gaming Auditorium

Write for FSA Times

 

 Twitter

facebook IAO 

IA APP