IT Infrastructure Library (ITILŪ)
The IT Infrastructure Library (ITIL) was developed by the United Kingdom's Central Computer and Telecommunications Agency (CCTA) in 1987 as a means to establish process standards for U.K. government agencies. Now maintained by the Office of Government and Commerce, ITIL is a series of documents that comprise the "best practices" of ITIL. A non-profit organization, itSMF USA, acts as the official ITIL user organization, dedicated to promoting and helping to advance best practices in IT Service Management.
ITIL adoption rates have been on the rise. The CIO executive board reported in 2004 that 30 percent of global companies with more than $1 billion in revenues evaluated the potential of implementing ITIL, and approximately 13 percent were moving forward with ITIL implementation. Adoption is expected to increase to 60 percent of global companies with more than $1 billion in revenue by 2008.
To produce an ITIL baseline, an organization is audited or measured for performance according to ITIL standards according to a process, BS 15000, introduced by the British Standards Institute in 2000.9 BS 15000 is a formal standard allowing organizations to benchmark the delivery of their IT services. It defines a set of requirements covering ITIL service support and service delivery, security management, and relationship management, and specifies a level of quality that can be audited. As an industry standard, it helps firms qualify and choose suppliers and partner organizations.
The key business drivers for the BS 15000 standard are
- To provide a formal and auditable standard for the delivery of IT services within an organization
- To reinforce and provide accreditation based on best practices as defined by the British Standards Institute
BS 15000 is also aligned with the international standard, ISO 20000 (sometimes known as "ISO20K"). The ISO 20000 is a specification and code of practice for IT service management (ITSM). ISO/IEC 20000 is aligned with the ITIL best practice.
ITIL is a set of best practices built around a process model-based view of controlling and managing IT operations. ITIL is considered one set of best practices in the more general field of ITSM. It is important to remember that ITIL is truly a library of books. The "architecture" of ITIL can be thought of as the structure imposed by the titles of the books that describe the best practices (see Figure 1 and Figure 2). Alternatively, the architecture can be thought of as the set of practices that make up the life cycle that ITIL describes.
Figure 1. ITIL version 2 structure of book titles.
Figure 2. ITIL version 3 structure of book titles.
At the time of writing, ITIL is undergoing an upgrade from version 2 (released in 2000) to version 3 (released in 2007). Why the change? The change was not driven by lack of success. Indeed, the opposite may be closer to the truth. As we noted previously, ITIL version 2 has been widely adopted and has demonstrated its business value, particularly in helping organizations to demonstrate their compliance with increasing regulatory requirements around the management of operational business (and hence IT) risk. It was version 2 that led to the national (BS 15000) and then international (ISO/IEC 20000) standards development described previously.
In fact, the changes were driven by a desire to make the IT service life cycle (implied by the process defined in version 2) more explicit in version 3 in the form of an integrated process model and to reflect changes in professional practices since 2000. Further, although ITIL generally is quite prescriptive (more so than CMMI, for example), it was felt that even more "how to" information was needed. At the same time, the opportunity was taken to clear up some inconsistencies and add some detail in areas where widespread usage had shown to be light or missing altogether (e.g., return on investment, the supply chain).
Where ITIL version 2 focused on processes, version 3 focuses on business value. This shift attempts to improve the linkage between the business needs of the organization and the IT operational processes that enable them. Hence, version 3 has a more strategic approach than the tactical approach of version 2. Version 3 also acknowledges the value and applicability of other standards. Figure 3 summarizes the positioning of version 3 with respect to version 2 and other standards and Figure 4 shows, broadly, how the content of the version 2 books has made its way into the version 3 books.
Figure 3. Relationships between ITIL versions 2 and 3.
Figure 4. Mapping of version 2 to version 3.
Of course, the processes are still important and they are still included in version 3 (with a few added). The content and education associated with version 2 remain relevant but, particularly from a business perspective, using version 3 and updating from version 2 will provide more value.
To establish connectivity between COBIT and CMMI, it helps to have an understanding of the ITIL service management process areas and where they fit in the ITIL version 3 books (see Figure 5).
Figure 5. ITIL version 3 processes.
The ongoing relevance of the education elements of version 2 in version 3 is important because the major dissemination technique for ITIL is the education and certification of individual practitioners. The ITIL Foundation course is the starting point if you want to start implementing ITIL in your organization.
Service Strategy Processes
Financial management is responsible for identifying, calculating, and managing the cost of delivering IT services. Financial management influences user behavior through cost awareness or charging and provides budgeting data to management. Cost accounting focuses on the fair allocation of shared costs and charging for IT services.
Return on investment (ROI) (new in version 3): In service management, ROI is used as a measure of the ability to use assets to generate additional value. As a process, ROI includes the business case, pre-program ROI, and post-program ROI.
Service portfolio management (new in version 3): A service portfolio describes a provider's services in terms of business value. It documents business needs and describes the provider's responses to those needs. Service portfolio management is a dynamic method for governing investments in service management across the enterprise and managing them for value.
Demand management (new in version 3): Poorly managed demand is a source of risk for service providers because of the uncertainty of the capacity needed. Uncertainty over demand usually leads to provision of excess capacity ("just in case"), which can be financially inefficient. Equally, insufficient capacity can
lead to missed service levels and penalties. Demand management techniques include off-peak pricing, volume discounts, and differentiated service levels.
Service Design Processes
Service catalog management (new in version 3): Provides a single source of consistent information on all of the agreed services. The services catalog needs to be widely available to everyone who is approved to access it. Service catalog management is the process for ensuring that the information in the service catalog is maintained with accurate, current information.
Service level management: This discipline manages the quality and timeliness of service delivered by the IT services organization to its customers. The essence of service level management is the service level agreement, a virtual "contract" between the IT organization and customers that articulates in detail which services are to be delivered along with the quality and quantity characteristics, such as performance and availability, for those services. The SLA can serve as a catalyst for establishing other valuable ITSM disciplines in terms of their contribution to fulfilling the SLA.
Availability management: A discipline that allows IT management to optimize the use of IT resources, anticipate and calculate expected failures, implement security policies, and monitor for targeted service agreements. Availability management includes security, serviceability, recoverability, maintainability, and resilience of IT resources.
Information security management: Aims to ensure that the security aspects of services are provided at the level agreed upon with the customer at all times. Security is now an essential quality aspect of management. Information security management integrates security in the IT organization from the service provider's point of view. The code of practice for information security management provides guidance for the development, introduction, and evaluation of security measures.
IT service continuity management: A discipline that covers unexpected IT service losses. IT service continuity management involves the planning for alternate configuration items (CIs) or an entire alternate disaster recovery site with alternate IT resources. Analyzing risks, researching options, planning alternatives, and documenting the contingency plan are all part of IT service continuity management.
Capacity management: A discipline that ensures cost-justifiable IT capacity always exists to match business needs. Capacity management determines business demands on IT resources, forecasts workloads, and performs IT resource scheduling. One of the major contributions of capacity management is a documented capacity plan.
Supplier management (new in version 3): Ensures that suppliers and the services they provide are managed to support IT service targets and business expectations. The goal is to provide seamless quality of IT service to the business ensuring value for money is obtained.
Service Transition Processes
Transition and planning support (new in version 3): Service transition is the management and coordination of the processes systems and function to package, build, test, and deploy a release into production and establish the service specified in the customer and stakeholder requirements. Effective transition and planning support can significantly improve a service provider's ability to handle high volumes of change and releases across its customer base.
Release and deployment management: Responsible for the storage of management-authorized software, the release of software into the live environment, distribution of software to remote locations, and the implementation of the software to bring it into service. It is also responsible for hardware so that incidents and installations can be performed quickly. Most of the CMMI life cycle takes place within ITIL release and deployment management.
Service asset and configuration management: Asset management provides a complete inventory of assets and determines who is responsible for their control. Configuration management allows IT management to gain tight control over IT assets such as hardware devices, computer programs, documentation, outsourced services, facilities, job descriptions, process documentation, and any other CIs that are related to the IT infrastructure.
Change management: Describes the change management best practice and discusses its foundational role in the implementation of many other ITSM best practices. After all, evolution of the IT infrastructure in every sense, whether it is related to capacity management, network services management, or service desk, involves change. Change involves risk and invites a rigorous management approach.
Service validation and testing (new in version 3): Can be applied throughout the service life cycle quality to assure any aspect of a service. It can equally be applied to quality assure the service provider's capability, resources, and capacity to deliver a service or service release successfully. That said, businesses need to understand that, for IT services, successful testing is not a guarantee but a sign of a particular confidence level. Businesses should ensure that they understand and are comfortable with the confidence level that any particular set of tests assures.
Evaluation (new in version 3): Considers whether the performance of something is acceptable and worthwhile. This goal is to set stakeholder expectations correctly. This includes consideration of possible unintended effects as well as the intended objectives. Evaluation considers the actual performance of service changes against the planned performance.
Knowledge management (new in version 3): Relevant to, and referenced by, every part of the ITIL life cycle. Just as knowledge is more than information, knowledge management is about ensuring that knowledge, information, and data are available to help the people involved in delivering a service to respond to "circumstances" or, in the words of Harold MacMillan when asked what represented the greatest challenge for a statesman, "events, my dear boy, events." The creation of a single system for knowledge management for the whole organization and its IT Providers is an excellent method for individuals and teams to share data, information, and knowledge about all facets of the IT services.
Service Operation Processes
Event management (new in version 3): Monitors all events that occur throughout the IT infrastructure to detect and escalate exception conditions (see Harold Macmillan quote above).
Request fulfillment (new in version 3): The process for dealing with service requests. Request fulfillment includes the functions of the service desk (which had been treated as a separate process in ITIL version 2).
Incident management: A discipline responsible for resolving incidents as quickly as possible. This process monitors the IT environment in compliance with those predetermined service levels and properly escalates incidents in service delivery when they arise.
Problem management: This process is aimed at handling all types of failed IT services. Its main objective is to identify the root causes of those failures and to recommend changes in CIs to change management. The problem-management processes use information collected from a variety of other areas, including incident management and change management.
Access management (new in version 3): The process of granting authorized users the right to use a service while excluding unauthorized users from that service. It is based upon being able to accurately and, in some cases, uniquely identify authorized users.
Continual Service Improvement Processes
The seven-step improvement process (new in version 3): This process is best illustrated by Figure 6.
Figure 6. The ITIL seven-step improvement process.
Service measurement (new in version 3): Building, populating, and maintaining a service measurement framework that leads to value-added reporting. Within the ITIL domain, the three basic measurements that most organizations utilize are availability, reliability, and performance. To assess the business performance of IT Providers, organizations may want to go further to measure productivity, customer satisfaction, the impact of IT on functional goals (delivered value), comparative performance against internal or external benchmarks, and business alignment and investment targeting (ensuring that IT spending is aligned with business priorities).
Service reporting (new in version 3): An ideal approach to building a business-focused reporting framework is to start with a set of policies and rules to define how reporting will be implemented and managed that has been agreed upon by the business and the service design team. The driving force for reporting must be to get the right content to the right audience in a timely manner.