
Table of contents

1. Abstract ... 3
2. Introduction ... 4
3. IT Governance ... 5
3.1 Strategic alignment ... 6
3.2 Value delivery ... 6
3.3 Resource management ... 6
3.4 Risk management ... 6
3.5 Performance measurement ... 7
4. Why IT Governance is Necessary? ... 7
4.1 Benefits of IT Governance ... 7
5. COBIT (Control Objectives for Information and related Technology) ... 8
5.1 COBIT Domains ... 9
5.1.1 Plan and Organise ... 9
5.1.2 Acquire and Implement ... 10
5.1.3 Deliver and Support ... 10
5.1.4 Monitor and Evaluate ... 11
5.2 How Does COBIT Help Implement Effective IT Governance? ... 12
5.3 Why is COBIT valuable? ... 12
5.4 Limitations of COBIT ... 12
6. ITIL (Information Technology Infrastructure Library) ... 13
6.1 ITIL v3 ... 14
6.2.1 Service Strategy ... 16
6.2.2 Service Design ... 17
6.2.3 Service Transition ... 18
6.2.4 Service Operation ... 18
6.2.5 Continual Service Improvement (CSI) ... 18
7. COBIT and ITIL: The Alignment ... 19
8. Conclusion ... 22
9. References ... 23
10. Appendix: ITIL maps on CobiT – Detailed level process ... A


List of Figures

Figure 1: Five Outcomes of IT Governance ... 5
Figure 2: Plan and Organise ... 9
Figure 3: Acquire and Implement ... 10
Figure 4: Deliver and Support ... 11
Figure 5: Deliver and Support ... 11
Figure 6: ITIL version 2 library [ILX] ... 14
Figure 7: ITIL version 3 ... 15


1. Abstract
Organisations require a structured approach for managing these and other challenges. This will ensure that there are agreed objectives for IT, good management controls in place and effective monitoring of performance to keep on track and avoid unexpected outcomes. Management hopes for heightened understanding of the way IT is operated and the likelihood of its being leveraged successfully for competitive advantage. Boards and executive management need to extend governance to IT and provide the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives. IT governance is not an isolated discipline; it is an integral part of overall enterprise governance. The need to integrate IT governance with overall governance is similar to the need for IT to be an integral part of the enterprise rather than something practiced in remote corners or ivory towers. An increasingly educated and assertive set of stakeholders is concerned about the sound management of its interests. This has led to the emergence of governance principles and standards for overall enterprise governance. Furthermore, regulations establish board responsibilities and require that the board of directors exercise due diligence in its roles. Investors have also realised the importance of governance; research shows they are willing to pay a premium of more than 20 percent on shares of enterprises that have shown to have good governance practices in place [1].

[1] McKinsey’s Investors Opinion Survey, June 2000


2. Introduction
For many enterprises, information and the technology that supports it represent their most valuable, but often least understood, assets. Successful enterprises recognise the benefits of information technology and use it to drive their stakeholders’ value. These enterprises also understand and manage the associated risks, such as increasing regulatory compliance and critical dependence of many business processes on information technology (IT). To be able to manage an enterprise, good enterprise governance practices have to be strictly followed. Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:

• Providing strategic direction
• Ensuring that objectives are achieved
• Ascertaining that risks are managed appropriately
• Verifying that the enterprise’s resources are used responsibly

Enterprise governance is about:

• Conformance: adhering to legislation, internal policies and audit requirements, among others
• Performance: improving profitability, efficiency, effectiveness and growth.


3. IT Governance
IT governance is an integral part of enterprise governance, consisting of the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives. Simply stated, IT governance is the responsibility of the board and must be integrated into the organization’s enterprise governance structure. Boards and senior management must know what to expect from their information security programs. As shown in Figure 1, the five basic outcomes of IT governance should include:

• Strategic alignment of information security
• Value Delivery: optimizing information security investment
• Resource Management
• Risk Management: manage and mitigate risks
• Performance Measurement: information security governance metrics

Figure 1: Five Outcomes of IT Governance

3.1 Strategic alignment
It focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations.

3.2 Value delivery
It is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.

3.3 Resource management
It is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.

3.4 Risk management
Requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities in the organisation.

3.5 Performance measurement
Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

4. Why IT Governance is Necessary?
IT governance is needed to ensure that the investments in IT generate value (reward) and mitigate IT-associated risks, avoiding failure. IT is central to organisational success – effective and efficient delivery of services and goods – especially when the IT is designed to bring about change in an organisation. This change process, commonly referred to as “business transformation,” is now the prime enabler of new business models both in the private and public sectors. Business transformation offers many rewards, but it also has the potential for many risks, which may disrupt operations and have unintended consequences. The dilemma becomes how to balance risk and rewards when using IT to enable organisational change.

4.1 Benefits of IT Governance
• Increased predictability and reduced uncertainty of business operations
• Protection from the potential for civil and legal liability
• Structure to optimize the allocation of resources
• Assurance of security policy compliance
• Foundation for effective risk management
• A level of assurance that critical decisions are not based on faulty information
• Accountability for safeguarding information

5. COBIT (Control Objectives for Information and related Technology)
Business orientation is the main theme of COBIT. It is designed to be employed not only by users and auditors, but also, and more important, as comprehensive guidance for management and business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The COBIT framework provides a tool for the business process owner that facilitates the discharge of this responsibility.

The framework starts from a simple and pragmatic premise: to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes. The framework continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor. This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.

IT governance guidance is also provided in the COBIT framework. IT governance provides the structure that links IT processes, IT resources and information to enterprise strategies and objectives. IT governance integrates optimal ways of planning and organising, acquiring and implementing, delivering and supporting, and monitoring and evaluating IT performance. IT governance enables the enterprise to take full advantage of its information, thereby maximizing benefits, capitalising on opportunities and gaining competitive advantage.

In addition, corresponding to each of the 34 high-level control objectives is an audit guideline to enable the review of IT processes against COBIT’s 318 recommended detailed control objectives to provide management assurance and/or advice for improvement. Specifically, COBIT provides maturity models for control over IT processes, so management can map where the organisation is today, where it stands in relation to the best in class in its industry and to international standards, and where the organisation wants to be.

5.1 COBIT Domains

5.1.1 Plan and Organise
Figure 2: Plan and Organise

5.1.2 Acquire and Implement
This domain covers identifying IT requirements, acquiring the technology, and implementing it within the company’s current business processes. It also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components.

Figure 3: Acquire and Implement

5.1.3 Deliver and Support
The Deliver and Support domain focuses on the delivery aspects of the information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as the support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues and training.

Figure 4: Deliver and Support

5.1.4 Monitor and Evaluate
The Monitor and Evaluate domain deals with a company’s strategy in assessing the needs of the company and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers the issue of an independent assessment of the effectiveness of the IT system in its ability to meet business objectives and the company’s control processes by internal and external auditors.

Figure 5: Deliver and Support

5.2 How Does COBIT Help Implement Effective IT Governance?
COBIT enables mapping of IT goals to business goals and vice versa. It provides a better alignment, based on a business focus, and, more importantly, it gives a view of what IT does that is understandable to management. There is also a shared understanding amongst all stakeholders, based on a common language and the fulfillment of the COSO requirements for the IT control environment.

5.3 Why is COBIT valuable?
Executives can expect the following results from the adoption of COBIT:

• IT staff and executives will understand more fully how the business and IT can work together for successful delivery of IT initiatives.
• Full life-cycle costs of IT will become more transparent and predictable.
• IT will deliver better quality and more timely information.
• IT will deliver better quality services and more successful projects.
• Security and privacy requirements will be clearer and implementation more easily monitored.
• IT-related risks will be managed more effectively.
• Audits will be more efficient and successful.
• IT compliance with regulatory requirements will be a normal management practice.

5.4 Limitations of COBIT
Despite the various reasons for one to use COBIT, it still needs to be customized by whoever wants to use it. To customize it, an analysis of the control requirements should be performed, based on the value driver, the risk profile and the IT infrastructure and project portfolio.

6. ITIL (Information Technology Infrastructure Library)
Information Technology Infrastructure Library (ITIL) is a set of concepts and policies for best practice of Information Technology Service Management. It describes a number of important IT practices with checklists, tasks and procedures that IT organizations can customise to their needs. It provides a framework for IT Service Management Practitioners to demonstrate their knowledge and understanding of ITIL and to develop their professional expertise through training and qualifications. ITIL started in 1989 as IT Infrastructure Library compiled by W. Edwards Deming, which became v1. ITIL v2 came out in the year 2000 to make ITIL more accessible and more affordable. ITIL v2 was grouped into eight sets logically bounded by related processes, the main one being the Service Management set.

Figure 6: ITIL version 2 library [ILX]

There was a request from practitioners to improve on this version so as to meet the increasing needs of businesses. As such, in May 2007, the third version of ITIL came out in five volumes revolving around the concept of the Service Lifecycle structure. While ITIL version 2 focused mainly on what should be done to improve organization aims, developments and operations, the third version is much more prescriptive and gives more return on investment to businesses. In this section, the focus will be mainly on the IT practices of ITIL v3.

6.1 ITIL v3
ITIL v3 is an evolution of v2, making ITIL even more accessible and more complete. As mentioned earlier, it is built around the concept of the Service Lifecycle structure, which is as shown below.

Figure 7: ITIL version 3

ITIL version 3 has been long awaited by many practitioners, and many international organizations from the private and public sectors, examination bodies and businesses, among many others, contributed to the development of ITIL version 3. ITIL version 3 has many improvements compared to the second version. As mentioned earlier, it is more prescriptive, tells exactly how things should be done and, thirdly and more importantly for businesses, it provides guidance on return on investment to them. It has also an evolution in structure, classifying the different sections and adding more details to them.

The contents also faced four major evolutions. The first evolution involved how to integrate business processes with IT technologies; it aims at making business and IT a single interdependent component rather than two separate identities. The second evolution is that it included an integrated value service network that brings together all business units such that they do not need to refer to a third party for prescription. The third evolution is that it makes service the centre point rather than something to be done later. Fourthly, the processes have been reviewed and refined in 5 volumes that meet the specific needs of organizations. The five volumes are:

• Service Strategy
• Service Design
• Service Transition
• Service Operation
• Continuous Service Improvement

Each of the five volumes will be detailed as follows.

6.2.1 Service Strategy
Being the core of the ITIL Service Lifecycle, it offers guidance on clarification and prioritization of service provider investments in services by ensuring that the Service Strategy is defined, maintained and implemented. Its focus is mainly on enabling practical decision making based upon the understanding of service assets, structures and service economics. It also introduces new concepts such as value creation, market definition and solution space. It provides a dynamic service portfolio for continuous service improvement. It aims at helping IT organizations improve and progress over time and is dependent mostly on a market driven approach. It fundamentally aims at increasing the economic life of the services.

6.2.2 Service Design
In order to meet the current and future business requirements, Service Design aims at converting the business strategy into reality. Service Design provides guidance on the production and maintenance of IT policies, architectures, and documents for the design of appropriate and innovative IT services solutions and processes. Service Design addresses how a planned service solution interacts with the larger business and technical environments, service management systems required to support the service, processes which interact with the service, technology and architecture required to support the service, and the supply chain required to support the planned service. Concepts and guidance include:

• Service design objectives and elements
• Selecting the service design model
• Cost model
• Benefit/risk analysis
• Implementing service design
• Measurement and control

6.2.3 Service Transition
Service Transition relates to the delivery of services required by the business into live/operational use. It aims to bridge the gap between projects and operations more effectively. Service Transition is concerned with the quality and control of the delivery to operations and provides example organization models to support transition. In order for it to be possible, there needs to be up front planning, ongoing scheduling, validation and testing, training and awareness, roles creation, ownership assignment and the core activities identified for it to be successful. It includes service asset and configuration management, release and deployment management, change management and knowledge management.

6.2.4 Service Operation
Service Operation ensures that there are end to end practices which support responsive and stable services. It is the part of the lifecycle where the services and value are actually directly delivered. It considers the monitoring of problems and the balance between service reliability and costs. The functions include event management, incident management, problem management, request fulfillment and access management.

6.2.5 Continual Service Improvement (CSI)
Continual Service Improvement aims at aligning and realigning the IT services to meet the changing business requirements. It includes service level management, service measurement and reporting and continual service improvement, and guidance on how to reduce variation of delivery.

7. COBIT and ITIL: The Alignment
The COBIT framework is aimed primarily at compliance and security and, as such, ensures the IT governance for the operation of the IT services. COBIT defines 34 IT processes and includes tools for performance measurement (outcome measures and performance drivers for all IT processes), a list of critical success factors that provides concise, non-technical best practices for each IT process, and Maturity models to assist in benchmarking and decision-making for capability improvements.

ITIL is a collection of best practices in Service Management, Infrastructure Management, Security, and Application Management. ITIL describes a systematic, professional procedure for the management of IT services. The library forcefully puts the emphasis on the importance of meeting the corporate requirements from the commercial aspect. IT service management under ITIL is geared purely towards customer benefit and efficiency. Achieving the business objectives whilst simultaneously meeting internal and external requirements is fundamental to ensuring a company’s medium and long-term success.

The synergy between the two frameworks lies in the fact that the more formal control objectives of COBIT are aligned with the ITIL framework and its properties. This link synchronizes the standards for the strategic orientation and increased efficiency of IT service management with the auditing standards. COBIT systematically chronicles a checklist of all the things we ought to be doing, but ITIL explains how. COBIT and ITIL together are a powerful force for IT Operational efficiency and effectiveness. ITIL does not stand alone. It requires a framework of policy, process, procedures and metrics that can give direction to IT operations (and ITIL activities).

The IT Infrastructure Library addresses a subset of the 34 COBIT processes that relate to the delivery (defining services, quality of service and plan for its delivery) and support (direct support for the restoration of service and changes to the infrastructure) of IT services. COBIT addresses the need for an IT organization to unambiguously understand the need for technology-enabled business change, and its governance and internal control requirements. It does this by tying the business’ use of information to the processes and resources used by IT to deliver that information.

ITIL is not an out-of-the-box solution and does not have to stand alone; in fact, an organisation may struggle to effectively implement ITIL without some form of IT governance framework. While there is an overlap in some process areas, that overlap enables the integration of the COBIT and ITIL frameworks. Together they can make the process improvement task much more achievable. Whilst ITIL provides best practices on planning, designing, and implementing effective ITSM capabilities, the addition of COBIT guidance and tools can help an organisation ensure that its ITSM effort is better aligned with the business. The integration of COBIT with ITIL processes not only allows management to improve processes and control-based elements, it also helps to demonstrate the level of IT governance. With the utilisation of an industry standard set of controls (and common terminology) facilitating the provision of assurance to both internal and external assessors, this potentially reduces the time and effort required from both operational staff and assessors in completing compliance-based initiatives. A point not to be overlooked here is that IT governance does not only improve internal control but can also be a key facilitator in aligning IT goals with those of the enterprise – a key pillar of ITIL’s raison d’être.

The mappings are used to drill down from the COBIT Control Objectives into specific Control Practices to beef up existing, or proposed, ITIL processes in order to help achieve effective IT governance. These can be used to create specific process control points that an organisation can measure compliance against. Not all the COBIT Domains map onto ITIL. There is no reason why, however, an organisation cannot utilise COBIT’s supporting Control Objectives within these Domains to further improve business alignment and IT governance. ITIL has many omissions compared to COBIT. ITIL focuses on operations, and mostly ignores development/solutions. ITIL seldom ventures into project management or portfolio management, and it skips a lot of aspects of request management.

8. Conclusion
To conclude, we can say that CobiT addresses what needs to be controlled and how that is to be measured, and ITIL addresses how IT services are to be delivered and supported. When implemented properly, both CobiT and ITIL provide the necessary framework of good practices that enable an IT organization to clearly align itself with the goals of the business, manage its resources to enable those goals through the optimized delivery of information needed by the business, and deliver IT services and provide for their direct support.


10. Appendix: ITIL maps on CobiT – Detailed level process

Columns: CobiT 4.1 Control Objective | Key Areas | ITIL V3 Supporting Information. Each control objective is listed with its key areas; the ITIL V3 references cited for the control objectives in each group follow that group.

PLAN AND ORGANISE

PO1.1 IT value management
• Business case
• Allocation of funds
• Benefit realisation
• Business case evaluation

PO1.2 Business-IT alignment
• IT alignment with business strategy
• Bi-directional and reciprocal involvement in strategic planning

PO1.3 Assessment of current capability and performance
• Baseline of current performance
• Assessment of business contribution, stability, complexity, costs, strengths and weaknesses

PO1.4 IT strategic plan
• Definition of IT goals
• Contribution to enterprise objectives
• Funding, sourcing and acquisition strategy

PO1.5 IT tactical plans
• IT initiatives
• Resource requirements
• Monitoring and managing benefit achievement

ITIL V3 supporting information for PO1.1 to PO1.5:
• SS 2.1 What is service management?
• SS 2.2 What are services?
• SS 2.3 The business process
• SS 3.1 Value creation
• SS 3.3 Service provider types
• SS 3.4 Service structures
• SS 3.5 Service strategy fundamentals
• SS 4.1 Define the market
• SS 4.2 Develop the offerings
• SS 4.3 Develop strategic assets
• SS 4.4 Prepare for execution
• SS 5.1 Financial management
• SS 5.2 Return on investment
• SS 5.5 Demand management
• SS 6.5 Sourcing strategy
• SS 7.1 Implementation through the lifecycle
• SS 7.2 Strategy and design
• SS 7.3 Strategy and transitions
• CSI 5.2 Assessments

PO1.6 IT portfolio management
• Defining, prioritising, managing programmes
• Clarifying outcomes and scope of effort
• Assigning accountability
• Allocating resources and funding

PO2.1 Enterprise information architecture model
• Decision support analysis
• Information architecture model maintained
• Corporate data model

PO2.2 Enterprise data dictionary and data syntax rules
• Corporate data dictionary
• Common data understanding

PO2.3 Data classification scheme
• Information classes
• Ownership
• Retention
• Access rules
• Security levels for each information class

ITIL V3 supporting information for PO1.6 to PO2.3:
• SS 2.5 The service lifecycle
• SS 3.4 Service structures
• SS 4.2 Develop the offerings
• SS 4.3 Develop strategic assets
• SS 5.3 Service portfolio management
• SS 5.4 Service portfolio management methods
• SS 5.5 Demand management
• SS 7.4 Strategy and operations
• SD 3.4 Identifying and documenting business requirements and drivers
• SD 3.6 Design aspects
• SD 3.6.1 Designing service solutions
• SD 3.6.2 Designing supporting systems, especially the service portfolio
• SD 3.6.3 Designing technology architectures
• SD 3.9 Service-oriented architecture
• SD 3.10 Business service management
• SD 5.2 Data and information management
• SD 7 Technology considerations
• ST 4.7 Knowledge management

PO2.4 Integrity management
• Integrity and consistency of data

PO3.1 Technological direction planning
• Available technologies
• Enablement of IT strategy
• Systems architecture
• Technological direction
• Migration strategies

PO3.2 Technology infrastructure plan
• Technological infrastructure plan
• Acquisition direction
• Economies of scale
• Interoperability of platforms

PO3.3 Monitor future trends and regulations
• Business sector, industry, technology, infrastructure, legal and regulatory trends

PO4.1 IT process framework
• IT process structure and relationships
• Process ownership
• Integration with business processes, enterprise portfolio management and business change processes

ITIL V3 supporting information for PO2.4 to PO4.1:
• SS 2.4 Principles of service management
• SS 2.6 Functions and processes across the life cycle
• SS 3.4 Service structures
• SS 7.1 Implementation through the life cycle
• SS 8 Technology and strategy
• SS 9.1 Complexity
• SS 9.2 Co-ordination and control
• SS 9.3 Preserving value
• SS 9.4 Effectiveness in measurement
• SS 2.7 Modelling and trending
• SD 2.4.2 Scope
• SD 3.6.3 Designing technology architectures
• SD 3.6.4 Designing processes
• SD 3.6.5 Design of measurement systems and metrics
• SD 4 Service design processes
• SD 5.2 Data and information management
• SD 6.1 Functional roles analysis
• SD 6.2 Activity analysis
• SD 6.3 Skills and attributes
• ST 4.7 Knowledge management

PO4.2 IT strategy committee
• Board direction
• IT governance
• Strategic direction
• Review of investments

PO4.4 Organisational placement of the IT function
• Business significance of IT
• CIO reporting lines

ITIL V3 supporting information for PO4.2 to PO4.4:
• SS 6.1 Organisational development
• SD 6.4 Roles and responsibilities
• SD 8 Implementing service design
• SD App C Process documentation templates (example)
• ST 2.4.2 Scope
• ST 3.2.7 Establish effective controls and disciplines
• ST 4 Service transition processes
• ST 6.1 Generic roles
• ST 8 Implementing service transition
• SO 2.4.3 Functions and processes across the life cycle
• SO 3.2.4 Reactive vs. proactive organisations
• SO 4 Service operation processes
• SO 4.6 Operational activities of processes covered in other life cycle phases
• SO 6 Organising for service operation
• SO 8 Implementing service operation
• CSI 3.11 Frameworks, models, standards and quality systems
• CSI 4 Continual service improvement processes
• CSI 4.1 Integration with the rest of the life cycle stages and service management processes
• CSI 5.2 Assessments
• CSI 5.5 The Deming Cycle
• CSI 8 Implementing continual service improvement

PO4.5 IT organisational structure
• Organisational alignment with business needs

PO4.6 Establishment of roles and responsibilities
• Explicit roles and responsibilities
• Clear accountabilities and end-user authorities

ITIL V3 supporting information for PO4.5 to PO4.6:
• SS 2.6 Functions and processes across the life cycle
• SS 6.1 Organisational development
• SS 6.2 Organisational departmentalisation
• SS 6.3 Organisational design
• SS 6.5 Sourcing strategy
• SS App B2 Product managers
• SD 2.3 Functions and processes across the life cycle
• SD 6.2 Activity analysis
• SD 6.3 Skills and attributes
• SD 6.4 Roles and responsibilities
• ST 4.2 Change advisory board
• ST 6.2 Organisational context for transitioning a service
• ST 6.3 Organisation models to support service transition
• SO 3.1 Functions, groups, teams, departments and divisions
• SO 3.2 Achieving balance in service operation
• SO 3.3 Providing service
• SO 6.1 Functions
• SO 6.2 Service desk
• SO 6.3 Technical management
• SO 6.4 IT operations management
• SO 6.5 Application management
• SO 6.6 Service operation roles and responsibilities
• SO 6.7 Service operation organisation structures
• CSI 6 Organising for continual service improvement

2 Return on investment • SS App A Present value of an annuity • SS 5.2.1 Financial management framework PO5.1 Financial management F . requirements evaluation • Optimal co-ordination • Communications and liaison • Portfolio management • Investment and cost management of IT assets • SD 6.7 Responsibility for IT quality assurance (QA) PO4.2 Prioritisation within IT budget • Allocation of IT resources • Optimisation of ROI PO5.PO4.8 Responsibility for risk.2.4 Service portfolio management methods • SS 5.9 Develop contracts and relationships • SS 3.11 Segregation of duties • ST 3.13 Information security management and service operation • SO 6.13 Assure the quality of the new or changed service • SO 5.2 Return on investment • SS 5.12 IT staffing PO4.3 IT budgeting PO5.4 Cost management • Budgeting process • Ensuring that budget is in line with investment portfolio of programmes and services • Budget review and approval • Comparison of costs to budgets • SS 5.3 Technical management PO4.1 Value creation • SS 5.4 Roles and responsibilities • SD 6.3 Service portfolio management • SS 5.2 Return on investment PO4.1 Financial management • SS 5.9 Data and system ownership • Ownership of IT risks in the business • Roles for managing critical risks • Enterprisewide risk and security management • System-specific security • Direction on risk appetite and acceptance of residual risks • Ownership of IT risks in the business • Roles for managing critical risks • Enterprisewide risk and security management • System-specific security • Direction on risk appetite and acceptance of residual risks • Enablement of business ownership of data • Decision making about information classification • Proper execution of roles and responsibilities • Avoidance of compromise of critical processes • Number and competency.15 Relationships PO5.2.5. security and compliance PO4.4 Roles and responsibilities • SO 6.2 Service desk • SD 4.

5 Sourcing strategy • SD 3.5 Design activities • SD 3.3 Skills and attributes PO8.6 Design aspects PO8.1 Managing communications and commitment • SO 3.5 Communication of IT objectives and direction PO7.5.7) • SS 2.1.2 IT standards and quality practices • ST 5.10 Review and close service transition • ST 4.4.5.4.2 What are services? • SS 5.5 Strategy and improvement • ST 3. accountability and responsibility • Culture of value delivery while managing risks • Promulgating and controlling policy • Alignment with enterprise risk and control • Awareness and understanding of business and IT objectives • Organisational induction and ongoing training to raise technical and management skill levels • Standard approach aligned to business requirements covering quality requirements and criteria • Policies and methods for detecting and correcting quality nonconformance PO8.2.PO5. competences.2 Return on investment • ST 4.3 Development and acquisition standards • Life cycle standards for deliverables G .2 Enterprise IT risk and control framework PO6.4 Personnel training • Management philosophy and operating style • Integrity. 5.1 Quality management system • SS 7.1 IT policy and control environment PO6.4 Organisational culture PO6.8 Early life support • SS 6.2.2 IT standards and quality practices • SS 7.4.5 Service validation and testing (ITIL is not just focused on ST.6 Communication • SD 6.1 Financial management • SS 5.3 Build and test PO8.5 Strategy and improvement • ST 4.13 Assure the quality of the new or changed service • ST 4.5 Benefit management • Cost reporting • Remediation of cost deviations from plan • Benefits monitoring and analysis • Improvement of IT’s contribution • Maintenance of business cases (esp.5. ethics. but on ongoing test of the service) • CSI App A Complementary guidance • SS 6.

2.4 Collate.2.5.9 Service-oriented architecture • SD 3.5 The Deming Cycle • CSI 5.6 CSI and other service management processes • CSI 5. measure and improve customer satisfaction • ST 3.6.1 The seven-step improvement process • CSI 4.2.• SD 3.1.1 Integration with the rest of the life cycle stages and service management processes • CSI 4.14 Improvement of operational activities • CSI 1 Introduction • CSI 2 Service management as a practice • CSI 3 Continual service improvement principles • CSI 4.2.5.1 Methods and techniques • CSI 5.11 Service design models • SD 5.3 Adopt a common framework and standards • ST 4.4 Policies.5.4 Customer focus • Customer-oriented QMS • Roles and responsibilities for conflict resolution H .3 Application management • SD 7 Technology considerations • ST 3.6 Establish and maintain relationships with stakeholders PO8. principles and basic concepts • ST 4.5 Business questions for CSI • CSI 5 Continual service improvement methods and techniques • CSI 5.7 Conduct service reviews and instigate improvements within an overall security information officer (SIO) • SO 5.1.5 Continuous improvement • Communication processes promoting continuous improvement • SD 4.1 Transition strategy • SS 5.1.7 Summary PO8.4 Return on investment for CSI • CSI 4.5 Demand management • SD 4.

3 Event identification • Important threats exploiting vulnerabilities having negative business impact • Risk registry PO9.5.5.6 Evaluation PO9.2 Establishment of risk context PO9.6. complexity and requirements of each project • SS 9.3 Project management approach • Prioritising and planning risk responses • Costs.3 Benchmarking • CSI 5.5.5 Risks • SD 4.6 Maintenance and monitoring of a risk action plan PO10.2 Stage 2— Requirements and strategy • SD 8. critical success factors and risks PO8.3 Stage 3— Implementation • ST 4.5.1 Stage 1—Initiation • SS 9.5.5 Risks • SD 4.1 Stage 1—Initiation • SD 4.5.2 Assessments • CSI 5.2 Stage 2— Requirements and strategy • SS 9.5.• CSI 6 Organising for continual service improvement • CSI 8 Implementing continual service improvement • CSI 9 Challenges.5.5 Risks • SD 4.5 Risk response • Cost-effective controls mitigating exposure • Risk avoidance strategies in terms of avoidance.2 Policies for service transition I .5.4 Measuring and reporting frameworks • SS 9.5.1 IT risk management framework • Alignment to enterprise risk framework • Internal and external context and goals of each assessment PO9. monitoring and review • Monitoring compliance to QMS and value of QMS • CSI 5.3 IT service continuity management • SS 9.6 Evaluation • SS 9.5 Risks • SD 4.4 Stage 4—Ongoing operation • ST 3.5.5.2 Stage 2— Requirements and strategy • ST 9 Challenges. mitigation or acceptance PO9.4 Risk assessment • Likelihood and impact of all identified risks • Qualitative and quantitative assessment • Inherent and residual risk PO9. critical success factors and risks • CSI 5.1 Business impact analysis (not in detail) • ST 4.6 Quality measurement.5. benefits and responsibilities • Monitoring deviations • Approach commensurate with size.5.5 Risks • SD 4.5 Risks • SD 4.

4 Stakeholder commitment • Commitment and participation of stakeholders • ST 3.6. quality) ACQUIRE AND IMPLEMENT • Identifying. especially the service portfolio • SD 3. scope.10 Anticipate and manage course corrections AI1.6.2. relationships.6.2.5 Design of measurement systems and metrics • SD 3.12 Ensure early involvement in the service life cycle • SD 3.5 Design activities • SD App D Design and planning documents and their contents PO10.6 Establish and maintain relationships with stakeholders • ST 3.6.5 Design activities • SD 3.2.8 Design constraints J .1 Service automation • SD 3.11 Proactively manage resources across service transitions PO10.7 Integrated project plan PO10.4 Identifying and documenting business requirements and drivers • SD 3.2.4 Designing processes • SD 3.5 Project scope statement • Approval of nature and scope of project PO10.2 Balanced design • SD 3. authorities. schedule. prioritising and specifying requirements for all initiatives related to investment programmes • ST 3.11 Project change control • Change control system for each project (cost. and performance criteria of project team • Planning procurement of resources • ST 3.1 Definition and maintenance of business functional and technical requirements • SS 7.5 Strategy and improvement • SS 8.3 Identifying service requirements • SD 3.6.• Project governance structure • Project sponsors PO10.8 Project resources • Integrated plan covering business and IT resources • Activities and interdependencies between projects • Responsibilities.3 Designing technology architectures • SD 3.2 Designing supporting systems.4 Identifying and documenting business requirements and drivers • SD 3.1 Designing service solutions • SD 3.

document and agree requirements for new services and produce service level requirements (SLR) • SD 5.6.6.6 Design aspects • SD 4.7 Development of application software • Security and availability requirements addressed • Developing functionality in accordance with design.3 Feasibility study and formulation of alternative courses of action • SD 2.1 Evaluation of alternative solutions • ST 3.3 Designing technology architectures AI2.9 Service-oriented architecture • SD 4.2.1 Designing service solutions • SD 3.9 Applications requirements management • ST 3.6.• SD 3.2 Detailed design • Business sponsor’s approval of requirements. feasible options.2.3 Application management • SD 3.1 High-level design AI2.1 Designing service solutions • SD 3.2 Scope • SD 3.2.4 Application security and availability AI2.4 Requirements and feasibility decision and approval AI2.5.2 Determine.5.2 Stage 2— Requirements and strategy • SD 3.2 Risk analysis report • Analysis of all significant threats and potential vulnerabilities affecting the requirements AI1.3 Develop the service solution AI2.2.1 Designing service solutions • SO 4.6.6 Establish and maintain relationships with stakeholders K .11 Errors detected in the development environment • SD 3.5 Align service transition plans with the business needs AI1.7.5.1 Designing service solutions • Alternative solutions to satisfying business requirements assessed by the business and IT AI1. standards and QA requirements • Legal and contractual requirements followed by third-party developers • Tracking status of all requirements through change management • SS 8.4.5.3.5.7.8 Application sizing • SD App D Design and planning documents and their contents • ST 3.4. 
solutions and the acquisition approach • Translation of business requirements to high-level design for acquisition • Alignment with technological direction and information architecture • Technical design and application requirements • Criteria for acceptance • SD 3.4 Maximise reuse of established processes and systems • SD 3.6.2 Service interfaces • SD 4.

1 Planning • ST 4.5 Plan and prepare for deployment • ST 3.2 Knowledge transfer to business management AI4.1 Planning • ST 4. feasibility and integration tests AI4.process • ST 3.8 Early life support • ST 4.3 Build and test • ST 4.4.5.2 Preparation for build.7 Test clean up and closure • ST 4.9 Plan release and deployment packages • ST 4.1 Planning for operational solutions • Identification and planning of all technical.3 Designing technology architectures AI3.5.4.8 Provide systems for knowledge transfer and decision support • ST 4. aligned with business need and technological direction • Protection of resources using security and auditability measures • Use of sensitive infrastructure • Change control.7 Information management • SD 3.2 Preparation for build.5.2.4. operational and usage aspects of solutions AI4.2.6.6.5 Align service transition plans with the business needs • ST 4.8 Directory services management • SO 5.5.1 Security controls • SO 5.5 Network management • SO 5.2.5. implementation and maintenance plan for infrastructure.10 Middleware management • SO 5. quality and internal control of solution • End-user knowledge and skills for use as part of business processes • ST 3.4.2.1 Designing service solutions • ST 3.4 Server management and support • SO 5.5.7 Knowledge management L .4.4.2.10 Anticipate and manage course corrections • SD 3.11 Internet/web management • ST 4. test and deployment • ST 4. delivery. patch management.1 Technological infrastructure acquisition plan AI3.4.5.3 Infrastructure maintenance • Acquisition.3 Knowledge transfer to end users • Enable ownership.5. upgrade strategies and security requirements • SD 4. 
test and deployment • ST 4.5.5.9 Desktop support • SO 5.5.7 Knowledge management AI3.6.4 Server management and support • SO 5.5 Align service transition plans with the business needs • ST 3.4 Feasibility test environment • Development and test environments.7 Database administration • SO 5.2 Infrastructure resource protection and availability AI3.

5 Plan and prepare for deployment • ST 4.2 Policies for service transition • ST 3.7 Establish effective controls and disciplines • ST 4.5.7 The subsequent design activities • ST 3.1 Change standards and procedures • Protection of enterprise interests in contractual agreements • Rights and obligations of all parties • Formal change management procedures • Standardised approach M .AI4.5.2 Supplier contract management AI5.4 Policies.5.3 Establishing new suppliers and contracts • SD 3.1 Procurement control • Standards and procedures aligned to enterprise procurement process • Contract initiation and life cycle m anagement AI5.3 Supplier selection • Fair and formal selection process • Viable best fit to requirements AI5.4.4 IT resources acquisition AI6.7.1.3 Establishing new suppliers and contracts • SD App I Example contents of a statement of requirement (SoR) and/or invitation to tender (ITT) • SD 3.4 Knowledge transfer to operations and support staff • Knowledge and skills to enable operation and support of systems and infrastructure • ST 3.2. principles and basic concepts • ST 4.2 Implement all changes to services through service transition • ST 3.7.6 Knowledge management (as operational activities) • SD 3.4.9 Develop contracts and relationships • SD 4.2.11 Errors detected in the development environment • SO 4.5.2 Procurement of the preferred solution • SD 3.7.7 Knowledge management • SO 3.8 Provide systems for knowledge transfer and decision support • ST 4.7.2.1 Transition planning and support • ST 4.1 Define and implement a formal policy for service transition • ST 3.1 Evaluation of alternative solutions • SD 4.2 Balanced design • SD 3.2.2.7 Documentation • SO 4.6.7.5.2 Change management AI5.2 Procurement of the preferred solution • SD 4.

5. in-process and completed AI6.2.1.6 Provide transition process support • ST 4.7 Review and close change record • ST 4.3. documenting.1 Menu selection • SO 4.13 Assure the quality of the new or changed service • ST 3.2.1.6.2.2.6 Evaluation • SO 4.6.3.6. categorising.5 Change closure and documentation • Change implementation and documentation updates • ST 3.5.2.4 Service transition relationship with other life cycle stages • SO 4. approved.4.2 Create and record requests for change • ST 4.3.2.2 Impact assessment.• ST 4.3 Planning and co-ordinating service transition • ST 4.3 Emergency changes • Process for defining.1 Normal change procedure • ST 5 Service transition common operation activities • ST 6 Organising for service transition • ST 6.5.5.6. raising.14 Proactively improve quality during service transition • ST 4.6.6.6.2.6.6.6.5.1 Change management (as operational activities) AI6.9 Review and close a deployment N .6.2.3 Review the request for change • ST 4.3 Organisation models to support service transition • ST 6.5.2. testing.2.5 Authorising the change • ST 4. prioritising and authorising • ST 4.2.6 Co-ordinating change implementation • ST 4.4. assessing and authorising emergency changes • Tracking and reporting of all changes—rejected. prioritisation and authorisation • Assessing impact.9 Emergency changes AI6.4 Change status tracking and reporting AI6.4 Assess and evaluate the change • ST 4.3 Other approval • ST 4.4 Assess and evaluate the change • ST 4.8 Change advisory board • ST 4.2.10 Review and close service transition • ST 4.2 Financial approval • SO 4.

2 Preparation for service transition • ST 4.5.5.2 Plan and design test • ST 4.2 Preparation for build.2.4.5 Perform tests • ST 4.5. test and deployment • ST 4.6 Evaluate exit criteria and report • ST 4.3 Verify test plan and test design • ST 4. test and deployment • ST 4.4.4.4.5.5.5.9 Plan release and deployment packages • ST 4.4.5.6 Evaluate exit criteria and report • ST 4.4.5.5.3 Build and test • ST 4.5.14 Proactively improve quality during service transition • ST 4.5.1.5.4 Test environment • Secure test environment based on operational conditions AI7. parallel processing AI7.5 Closure • ST 4.14 Proactively improve quality during service transition • ST 4.5.4.3.5. software distribution.5.4 Service testing and pilots • ST 3.5.2.7 Final acceptance test • Business process owners and stakeholders evaluating outcome of testing • Controlled handover to operations.5.5.AI7.4.5.5.6 Perform transfer.3 Implementation plan • Implementation plan including fallback and backout strategies AI7.1 Validation and test management • ST 4.4 Service testing and pilots • ST 4.4.4.4 Service testing and pilots • ST 4.4.5. deployment and retirement • SO 4.2.5.8 Promotion to production O .5.5 Perform tests • ST 4.2 Test plan • Training of users and operations in accordance with implementation plan • Test plan defining roles and responsibilities • SO 4.3 Build and test • ST 4.6 Testing of changes • Independently testing changes prior to migration AI7.5.5.2 Preparation for build.5.1 Training AI7.5.5 Plan and prepare for deployment • ST 3.5.5.5.5 Plan and prepare for deployment • ST 4. test and deployment • ST 4.4 Service testing and pilots • ST 4.2 Preparation for build.4 Prepare test environment • ST 3.4 Fulfilment AI7.5.4.3.

5 Design activities • SD 3.3 Strategy and transitions • SS 7.2 Service interfaces • SD 3 Service design principles • SD 3.2.13 Assure the quality of the new or changed service • ST 4.AI7.2 Develop the offerings • SS 4.2.2 Balanced design • SD 3.9 Review and close a deployment • ST 4.3 Strategy and transitions • SS 7.5.2.4 Service portfolio management methods • SS 5.5 Closure • SS 2.5 Strategy and improvement • SD 4.6 Evaluation • SO 4.2 Strategy and design • SS 7.1 Goals • SD 3.2.3 Service level agreements • Defining SLAs based on customer requirements and IT capabilities • Service metrics.5 Strategy and improvement • SS 8.5.7 Verify deployment • ST 4.3.4 Prepare for execution • SS 7.1 Service catalogue management • SD 4. roles and responsibilities P .3 Planning and co-ordinating service transition • ST 4.4 Strategy and operations • SS 7.5.6 Functions and processes across the life cycle • SS 4.5 Demand management • SS 7.4.5.4 Identifying and documenting business requirements and drivers • SD 3.2 Determine.5. document and agree upon requirements for new services and produce SLR • SD App F Sample SLA and operating level agreement (OLA) DS1 Service level management framework DELIVER AND SUPPORT • Formal service level management process and continuous alignment to business requirements • Facilitating common understanding between customer and provider DS1.5.1 Designing SLA frameworks • SD 4.2 Strategy and design • SS 7.3 Develop strategic assets • SS 4.5.4.1.9 Develop contracts and relationships • SS 4.10 Review and close service transition • ST 4.9 Post-implementation review • Evaluating whether objectives have been met and benefits realised • Action plan to address issues • ST 3.3 Develop strategic assets • SS 5.5.4.2 Definition of services • Services defined based on service characteristics and business requirements in a service catalogue DS1.6 Design aspects • SD 4.

2.9 Develop contracts and relationships • SD 4.5.2.5 Contract renewal and/ or termination • SD 4.2 Service reporting • CSI 4.3 Supplier risk management Risk identification.5.7.5 Monitoring and reporting of service level achievements • Continuous monitoring of service performance DS1.6 Produce service reports • SD 4.5.5.2 Supplier categorisation and maintenance of the supplier and contracts database (SCD) • SD 4.3 Service portfolio management • SD 4.2.1 Identification of all supplier relationships • Categorising services according to supplier type.5.8 Review and revise SLAs.7.4 Supplier and contract management and performance • SD 4.7 Conduct service reviews and instigate improvements within an overall SIO • SD 4.5 Review and revise underpinning agreements and service scope • SD 4.2.3 Establishing new DS1. measure and improve customer satisfaction • SD 4.8 Information management • CSI 4.2 Supplier categorisation and maintenance of the supplier and contracts database (SCD) • SD 4.6 Review of service level agreements and contracts • Regular review of SLAs and underpinning contracts for effectiveness and being up to date DS2. contract Q .3.DS1.5.4 Operating level agreements • Definition of technical delivery to support the SLA(s) • SD 4. service scope and underpinning agreements • SS 7.5.5.5.2.2.7.3 Service measurement • SD 4.5.7.3 Strategy and transitions • SD 4.2.2.3 Monitor service performance against SLA • SD 4.5 Review and revise underpinning agreements and service scope • SD App F Sample SLA and OLA • SS 5.7. significance and criticality DS2.1 Evaluation of new suppliers and contracts • SD 4.7.2 Supplier relationship management • Liaising with regard to customer and supplier issues • Trust and transparency DS2.5.5.2.4 Collate.5.5.5.10 Complaints and compliments • SD 4.

3.4 The underpinning activities of capacity management • SD 4.3.2 Current performance and capacity • Meeting business requirements.5.5.5.5. fault tolerance and resource prioritisation DS3.5 Contract renewal and/ or termination • SD 4.5.4 Server management and support • CSI 4.3.5.5.5.1 Business capacity management • SD 4.7.3.3.3.6.3 Event detection • SO 5.5 Availability management (as operational activities) • CSI 5. contingencies.1 Availability management • SD 4.5 Threshold management and control • SD 4.4.2 Service capacity management • SD 4.1 The reactive activities of availability management • SD 4.3. adherence to contract and competitive performance • Ensuring capacity and performance are available to meet SLAs • Assessment of current performance and capacity suppliers and contracts • SD 4.5.3 Component capacity management • SD 4.2 Service capacity management • SD 4.6.6 Demand management DS3.7 Modelling and trending • SD 4.1.conformance and supplier viability DS2.1 Performance and capacity planning DS3.5.5.1.4 IT resources availability • Provision of resources.5.5.4 Availability management • SD 4. and reporting service availability to the business R .4 The underpinning activities of capacity management • SD 4.7.3.4 Supplier performance monitoring DS3.5 Monitoring and reporting • Maintaining and tuning performance and capacity.3.3 Component capacity management • SD 4.4.5.3.3 Component capacity management • SO 4.2 The proactive activities of availability management • SO 4.5.2 Event notification • SO 4.3 Future performance and capacity • Forecasting of resource requirements • Workload trends DS3.4 Supplier and contract management and performance • Ensuring capacity and performance are available to meet SLAs • SD 4.5.3.3.3 Service measurement • SD 4.8 Information management • SD 4.5.

5.2 IT continuity plans • Individual continuity plans based on framework • Business impact analysis • Resilience.5.5.4 Maintenance of the IT continuity plan DS4.5.4 Stage 4—Ongoing operation • SD 4.3 Critical IT resources DS4.5.5.3 Stage 3— Implementation • SD 4.5.5.4.3 IT Service continuity management • SD 4.2 Stage 2— Requirements and strategy • SO 5.4.5.5.5.3 Stage 3— Implementation • SD 4.5.5.3 Stage 3— Implementation • SD 4.5.5.4.5.5.2 Stage 2— Requirements and strategy • SD 4.1 IT continuity framework • Enterprisewide consistent approach to continuity management • SD 4.7 Distribution of the IT continuity plan • Proper and secure distribution to all authorised parties DS4.4 Stage 4—Ongoing operation • SD 4.2.2 The proactive activities of availability management • SD 4.5.5. documentation and resources needed in collaboration with business process owners • Regular management assessment of plans DS4.5.4 Stage 4—Ongoing operation • SD 4.9 Offsite backup storage • Planning for period when IT is recovering and resuming services • Business understanding and investment support • Offsite storage of all critical media.5.6 IT continuity plan training • Regular training for all concerned parties DS4.6.4 Stage 4—Ongoing operation • SD 4.1 The reactive activities of availability management DS4.4 Stage 4—Ongoing operation • SD 4.5.3 Stage 3— Implementation • SD 4.5.• SD 4.4 Stage 4—Ongoing S .5.2 The proactive activities of availability management • SD 4.5.10 Post-resumption review • SD 4.5.5 Testing of the IT continuity plan • Changing control to reflect changing business requirements • Regular testing • Implementing action plan DS4.5.5.5.3 Backup and restore DS4.5.1 Stage 1—Initiation • CSI 5. resilience and prioritisation • Response for different time periods DS4. 
alternative processing and recovery • Focus on critical infrastructure.5.8 IT services recovery and resumption DS4.5.4 Stage 4—Ongoing operation • SD 4.5 IT service continuity management • SD 4.5.3 Stage 3— Implementation • SD App K The typical contents of a recovery plan • SD 4.

and charge-back • SO 4.5.1 Security controls (highlevel coverage.operation DS5.6 Information security management • SO 5.5.1 Service catalogue management • SS 5. not in detail) • SO 4.1 Financial management • SD 4.5.13 Information security management and service operation • SD 4.10 Network security • Resistance to tampering • Controls to authorise access and information flows from and to networks • Identification of all costs linked to IT services and associated business processes • Allocation of costs according to enterprise cost model • IT costing models based on service definitions.1 Requesting access • SO 4.7 Protection of security technology DS5.1 Financial management • SS 7. risk and compliance requirements into a security plan DS5.2 Verification • SO 4.6.1 Definition of services • SS 5.5.4 User account management DS5.5 Access management DS5.5 Network management DS6.5.6.5.2 IT security plan DS5.5 Security testing.5.5.6.6.1 Management of IT security • High-level placement of security management to meet business needs • Translation of business.5.6 Removing or restricting rights • SO 5.1 Financial management DS6.5 Access management • SO 4.4 Policies/principles/basic concepts • SD 4.3 Identity management • Identification of all users (internal.4 Server management and support • SO 5.2 Strategy and design T .3 Cost modelling and charging • SS 5.5.13 Information security management and service operation • SD 4.5.5.5 Logging and tracking access • SO 4.1 Security controls (highlevel coverage.2 Management of security breaches and incidents • SO 5. external and temporary) and their activity • Life cycle management of user accounts and access privileges • SD 4. surveillance and monitoring • Proactive testing of security implementation • Timely accreditation • Timely reporting of unusual events • Definition and classification of security incident characteristics DS5.5.3 Providing rights • SO 4.5.5.6 Removing or restricting rights • SO 4.2 IT accounting DS6. 
not in detail) • SD 4.4 Monitoring identity status • SO 4.5.6 Security incident definition DS5.5.

2.5.5.3.1 Incident identification • SO 4.5 Initial diagnosis • SO 4.1.8 Response selection • SO 4.2 Prepare for service transition • ST 4.7 Trigger • SO 4.3 Incident escalation • Incident escalation according to limits in SLAs DS8.2.3.1 Financial management DS7.1 Configuration repository and baseline DS9.5.2 Incident logging • SO 4.3 Service measurement (vague • SS 8. and implementing a baseline for every system and service as a change recovery checkpoint • Configuration procedures to support logging of all changes in configuration database • SO 4.7 Investigation and diagnosis • SO 4.4 Incident closure DS8.4 Cost model maintenance process • Regular review and benchmark of cost/recharge model • Training curriculum for each group of employees • SS 5.1.4 Configuration control • ST 4.DS6.3.9 Review and actions • CSI 4.5.3.2.2 Management and planning • ST 4.5.2.5.1.5.1 Identification of education and training needs DS8. monitoring and recording all assets.3 Incident categorisation • SO 4.14 Improvement of operational activities • SO 4.5.2 Incident management • SO 6.2.2 Service interfaces • ST 4.13 Information security management and service operation • SO 5.1 Menu selection • SO 4.2 Registration of customer queries • User interface • Call handling • Incident classification and prioritisation based on services and SLAs • Logging and tracking of all calls. incidents.5.9 Desktop support • SO 4.5.4 Event filtering • SO 4.8 Resolution and recovery • SO 5.5.1.5.9 Incident closure • SO 4.1.1 Event management • SO 4.6 Event correlation • SO 4.2 Prepare for service transition • ST 4.1.5.2.5. 
service requests and information needs • SO 5.4 Incident prioritisation • SO 4.5.5.2.5.2 Identification and maintenance of configuration items U .1.6 Incident escalation • SO 4.5.5.3 Event detection • SO 4.5 Reporting and trend analysis • Recording of resolved and unresolved incidents • Reports of service performance and trends of recurring problems • Recording configuration items.5.5 Significance of events • SO 4.1.5.3 Configuration identification • ST 4.2 Service desk DS8.5 Status accounting and DS9.2.1.5.5.3.5.1.1 Service desk DS8.2.10 Close event • SO 4.

5.4.2 Problem logging • SO 4.6 Storage and archive • SO 5.5.6 Verification and audit • SO 5.5.9 Problem closure • SO 4.4.4 Protection against environmental factors DS12.5 Problem investigation and diagnosis • SO 4.2 Data and information management • SO App E Detailed description of facilities management DS12.5.3 Problem closure DS11.4 Problem prioritisation • SO App C Kepner and Tregoe • SO App D Ishikawa diagrams • SO 4. tracking and analysis of root causes of all problems • Initiating solutions to address root causes DS10.2 Data and information management • SD 5.6 Security requirements for data management DS12.2 Physical security measures • SD 5.1. allocation to support staff DS10.4.5.2 Storage and retention arrangements DS11.8 Problem resolution • SO 4.5 Physical facilities management • Monitoring and control of environmental factors • Management of facilities according V .5.4.4.3 Problem categorisation • SO 4.5.6 Work-arounds • SO 4.12 Facilities and data centre DS12.1 Identification and classification of problems • Problem classification.4.5.1 Business requirements for data management DS11.3 Backup and restore DS10. natural risks and power outages • Controlled access to premises by all parties DS11.3 Configuration integrity review • Periodic review of configuration data integrity • Control of licensed software and unauthorised software • ST 4.5.4.3 Physical access • SO App E Detailed description of facilities management • SO App F Physical access control • SO App E Detailed description of facilities management • SO 5.7 Raising a known error record • SO 4.10 Major problem review • SD 5. mentioned in SO 7. 
including protection from unauthorised access.5.5 Backup and restoration • Closure procedures after elimination of error or alternative approach • Input form design • Minimising errors and omissions • Error-handling procedures • Document preparation • Segregation of duties • Legal requirements • Retrieval and reconstruction mechanisms • Data input by authorised staff • Securing the location.5.3.4.2 Problem tracking and resolution • Audit trails.4.2.reporting DS9.4 Server management and support • SO 7 Technology considerations (especially for licensing.1 Problem detection • SO 4.4) • SO 4.2 Data and information management • SO 5.4.

1 Event occurs • SO 4.5.3.1 Event management • SO 4.5. legal and regulatory requirements • Procedures and familiarity with operational tasks management • SO 3.1 The seven-step improvement process • CSI 4.7 Documentation • SO 5 Common service operation activities • SO App B Communication in service operation • SD 4.1 Integration with the rest of the life cycle stages and service management processes • CSI 4.9 Review and actions • SO 5.1 Operations procedures and instructions to business.2.3 IT infrastructure monitoring • Monitoring infrastructure for critical events • Logging of information to enable review DS13.5.4 Return on investment for CSI DS13.5 Measurement of service design • ST 4.5.5.2 Job scheduling • SO 5.DS13.3.1 Console management/ operations bridge • SO 5.4 The underpinning activities of capacity management • SD 4.5 Preventive maintenance for hardware • Physical safeguards for sensitive assets.4 Print and output • SO 5.3.1.2.5 Threshold management and control • SO 4.1 Validation and test management • SO 3.3.1b Step two—Define what you can measure • CSI 4.5 Threshold management and control • SD 4.3 Mainframe management • SD 4.3 Mainframe management • SO 5.1.6 Demand management • SO 5.3 Service measurement • CSI 4.4 Sensitive documents and output devices DS13.4 Server management and support • SD 8.5 Operational health • CSI 4.1 Monitoring approach .5.1a Step one—Define what you should measure • CSI 4.5.1.5. and negotiable instruments • Maintenance to reduce impact of failures MONITOR AND EVALUATE • General monitoring framework • Integration with corporate approach ME1.2.1.2 Metrics and measurement • CSI 4.2 Job scheduling • Organisation of job schedules maximising throughput and utilisation to meet SLAs DS13.

6 Remedial actions ME4.3 Monitoring method • Method for capturing and reporting results ME1.• CSI 4.1 Establishment of an IT governance framework • Reports of IT’s contribution to the business for service and investment portfolios and programmes • Follow-up on and remediation of all performance issues • IT governance framework aligned to enterprise governance • Based on suitable IT process and control model • Confirmation framework ensuring compliance and confirming delivery of enterprise strategy for IT • Board understanding of IT strategy.5.1 Methods and techniques • CSI 5.1f Step six—Presenting and using the information • CSI 4. availability and collection of measurable data • SD 4.1c Step three—Gathering data • CSI 4.2 Service reporting • CSI 4.2 Plan and design test • ST 4.5.5 Board and executive reporting ME1.4 Measuring and reporting frameworks • SD 4.2 Assessments ME1.7 Conduct service reviews and instigate improvements within an overall SIO • CSI 3 Continual service improvement principles • CSI 4.5. ME4.2.2.1f Step six—Presenting and using the information • CSI 5.5.3 Verify test plan and test design • ST 4.5.5 Business questions for CSI • CSI 5.4 Performance assessment • Review of performance against targets • Remedial actions • Root cause analysis ME1.3 Benchmarking • CSI 8 Implementing continual service improvement • CSI 4.2 Strategic alignment • SD 3.10 Governance • CSI App A Complementary guidance ME1.1b Step two—Define what you can measure • CSI 4.10 Complaints and compliments • CSI 4.1d Step four—Processing the data • ST 4.1e Step five—Analysing the data • CSI 5.5.2 Definition and collection of monitoring data • Balanced set of objectives approved by stakeholders • Benchmarks.10 Business service .5.4 Prepare test environment • CSI 4.5.1g Step seven— Implementing corrective action • CSI 3.

6.3 Value delivery ME4.5 Design of measurement systems and metrics • CSI 4. reporting performance to senior management and enabling review of progress management • SS 3. embedding risk responsibilities, co-responsibility for strategic decisions, effective business cases, reviewing any remedial actions.4 Effectiveness in measurement • SD 3. programme and project management, and business ownership of investments • Appetite for risk, confidence and trust between business and IT, regular assessment of risk and transparent risk reporting • Confirming objectives have been met.ME4.1 Value creation • SS 9. enforcement of portfolio.5 Risks • SS 4.5 Risk management ME4. and benefit realisation • Delivery of optimum value to support enterprise strategy • Understanding of expected business outcomes.4 Prepare for execution • SS 9.3 Service measurement .6 Performance measurement strategic direction, management of economic life cycle and realisation of benefits.