Interfacing and Adopting ITIL® and COBIT®
Best Management Practice Product

Interfacing and Adopting ITIL and COBIT · 2020-06-04 · 3.5 Governance and management activities related to IT services 27 4 Practical applications for using ITIL and COBIT together



Given that IT is operationally critical and strategic to enterprise success, then adopting best professional management practices should be a management imperative. ITIL® and COBIT® are two of the most widely adopted frameworks for supporting IT governance and management improvement initiatives and when used together as complementary tools can provide an even more powerful solution to your organization’s service management and governance needs.

However, every enterprise needs to tailor these practices to suit their individual requirements and overcome common obstacles to ensure that any improvement initiative is driven by business priorities and requirements.

This is where this publication can help you. If you are already using ITIL or COBIT, it will show you how to effectively adopt and utilize these two best practices as complementary tools, resulting in improved IT service capability that is aligned with business and governance requirements. If you are new to ITIL or COBIT, it will provide a useful overview of the advantages of both practices and how and why they can be used together.

By following the guidance in this publication, you will learn how to realize the value from your IT investments and services, enabling you to achieve cost-effective IT solutions, as well as better governance and management of IT services.


Interfacing and Adopting ITIL® and COBIT®

London: TSO


Published by TSO (The Stationery Office), part of Williams Lea and available from:

Online: www.tsoshop.co.uk

Mail, Telephone, Fax & E-mail
TSO
PO Box 29, Norwich, NR3 1GN
Telephone orders/General enquiries: 0333 202 5070
Fax orders: 0333 202 5080
E-mail: [email protected]: 0333 202 5077

TSO@Blackwell and other Accredited Agents

© The Stationery Office 2015

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the permission of the publisher.

Copyright in the typographical arrangement and design is vested in The Stationery Office Limited. Applications for reproduction should be made in writing to The Stationery Office Limited, St Crispins, Duke Street, Norwich, NR3 1PD.


The information contained in this publication is believed to be correct at the time of manufacture. Whilst care has been taken to ensure that the information is accurate, the publisher can accept no responsibility for any errors or omissions or for changes to the details given.

This product includes COBIT 5® ©2012 ISACA® used by permission of ISACA®. All rights reserved.

The AXELOS swirl logo is a trade mark of AXELOS Limited
The AXELOS logo is a trade mark of AXELOS Limited
The Best Management Practice Official Publisher logo is a trade mark of AXELOS Limited
PRINCE2® is a registered trade mark of AXELOS Limited
MoP® is a registered trade mark of AXELOS Limited
ITIL® is a registered trade mark of AXELOS Limited
M_o_R® is a registered trade mark of AXELOS Limited
COBIT 5® is a registered trademark of ISACA®

A CIP catalogue record for this book is available from the British Library

A Library of Congress CIP catalogue record has been applied for.

First published 2015

ISBN 9780113314522

Printed in the United Kingdom for The Stationery Office. Material is FSC certified. Sourced from responsible sources.


Contents

List of figures and tables

Acknowledgements

1 Introduction
1.1 Today’s business view of IT
1.2 The benefits of ITIL® and COBIT®
1.3 Objectives of this guide

2 ITIL and COBIT
2.1 Introduction to COBIT
2.2 COBIT 5 overview
2.3 COBIT 5 process model
2.4 COBIT 5 implementation
2.5 Introduction to ITIL
2.6 ITIL Service Strategy
2.7 ITIL Service Design
2.8 ITIL Service Transition
2.9 ITIL Service Operation
2.10 ITIL Continual Service Improvement

3 Governance and management of IT services
3.1 Business context – value
3.2 IT risk
3.3 Information is a key resource for all enterprises
3.4 Key drivers affecting service management
3.5 Governance and management activities related to IT services

4 Practical applications for using ITIL and COBIT together
4.1 Objective 1 – Delivering value from an IT service
4.2 Objective 2 – Aligning IT services with enterprise objectives and risks
4.3 Objective 3 – Developing IT solutions and services to align with desired business outcomes
4.4 Objective 4 – Aligning IT service level agreements with business objectives
4.5 Objective 5 – Ensuring IT services are defined and delivered securely
4.6 Objective 6 – Managing enterprise and IT service supplier relationships
4.7 Objective 7 – Optimizing the portfolio of IT services and the service catalogue to deliver benefits and optimize costs

5 Achieving required service capability and monitoring performance
5.1 The importance of assessing capability
5.2 Driving a positive improvement culture
5.3 How to assess capability
5.4 Driving improvement
5.5 Monitoring performance

6 Conclusions


Bibliography and further reading

Appendix A: COBIT and ITIL mapping

Appendix B: Examples of mappings based on enterprise goals

Index


List of figures and tables

FIGURES

Figure 2.1 Meeting stakeholder needs
Figure 2.2 Processes for governance of enterprise IT
Figure 2.3 Seven phases of the implementation lifecycle
Figure 2.4 The ITIL service lifecycle
Figure 4.1 COBIT value creation
Figure 4.2 The overall value chain
Figure 5.1 Ensuring strategic alignment
Figure 5.2 Continual service improvement approach

TABLES

Table 3.1 The objectives of effective governance and management of IT services
Table 4.1 COBIT 5 enterprise goals
Table 4.2 COBIT 5 IT-related goals
Table 4.3 COBIT 5 processes mapped to ITIL guidance for aligning objectives
Table 4.4 COBIT 5 processes mapped to ITIL guidance for designing and developing solutions and services
Table 4.5 COBIT 5 processes mapped to ITIL guidance for aligning IT service level agreements with business objectives
Table 4.6 COBIT 5 processes mapped to ITIL guidance for ensuring IT services are defined and delivered securely
Table 4.7 COBIT 5 processes mapped to ITIL guidance for managing enterprise and IT service supplier relationships
Table 4.8 COBIT 5 processes mapped to ITIL guidance for optimizing the portfolio of IT services and the service catalogue to deliver benefits and optimize costs
Table 5.1 IT service management maturity paths
Table A.1 COBIT 5 enterprise goals mapped to IT-related goals
Table A.2 IT-related goals mapped to IT processes
Table A.3 Risk scenarios mapped to IT processes
Table A.4 COBIT 5 IT-related processes mapped to ITIL 2011 guidance
Table B.1 Cascade example – top 10 COBIT 5 processes based on the enterprise goal of customer-oriented service culture
Table B.2 Cascade example – top 10 COBIT 5 processes based on the enterprise goal of business service continuity and availability
Table B.3 Cascade example – top 10 COBIT 5 processes based on the enterprise goal of optimization of service delivery costs


Acknowledgements

AUTHOR

Gary Hardy, IT Winners

REVIEWERS

We would like to thank those who participated in the quality assurance of this publication, generously donating their time to reviewing this title, including:

Claire Agutter, ITSM Zone

Duncan Anderson, Global Knowledge

Johannes Botha, get-IT-right.com

James Doss, itvaluequickstart.com

Lucio Augusto Molina Focazzio, Independent consultant

Jimmy Heschl, Red Bull

John E. Jasinski, C5Plugin

Christian F. Nissen, CFN People

Marco Smith, ICORE Ltd


1 Introduction

1.1 TODAY’S BUSINESS VIEW OF IT

For many years, IT has been an enabler for enterprise success and a strategic tool for increasing competitive advantage. Now IT has become pervasive in all aspects of business activity, public service and personal communications. IT services are embedded in business processes and have become an integral part of enterprise operations. With the expansion of the internet providing high-capacity and low-cost mobile communications, IT is no longer confined to the IT function or just within the enterprise – it can be utilized anywhere at any time by anybody.

Successful enterprises apply effective governance and management practices to ensure that objectives are achieved and risks are minimized. They recognize that strategic planning and execution must be driven and monitored by executive management if value is to be created. Given IT’s pervasiveness, informed business leaders are recognizing that the same attitude must be applied in relation to IT, ensuring that controls are in place to preserve value and avoid IT-related business risks. They insist on adoption and adaptation of best practices in areas such as portfolio management, service delivery and risk management, and they are able to monitor IT’s performance using business-oriented reporting.

Executive management needs to pay special attention to the use of IT, given that IT is now so intrinsic to the execution of business strategy and operations. IT accounts for a very significant proportion of an enterprise’s costs, yet many enterprises fail to optimize these costs and obtain a good return from their IT-related investments. Enterprises – especially those operating globally – are also dealing with an increasing amount of regulation. As a result of this environment, IT services must be responsive to fast-changing demands and be predictable, reliable, secure and cost-effective.

The increased focus on IT by executive management has highlighted the need for better governance and management of IT. The concept and actual practice of IT governance have gained significant momentum and acceptance in recent years and this is driving a need for IT best practices to be aligned with business and governance requirements. It has shifted management’s attention away from just technology solutions and towards defining the beneficial outcomes desired from the use of IT.

(Note: although ‘IT governance’ is the commonly used term, in reality we mean improved enterprise governance to include IT. ISACA uses the term ‘governance of enterprise IT’ [GEIT] to try to emphasize this point. The goal is not to create another IT silo in this case with respect to governance.)

One of the most important enablers in an enterprise is the provision of cost-effective IT services at service levels necessary to support critical business functions. If IT services and service levels are not clearly defined, and the service levels not properly measured and monitored, then it is likely that the services provided will fail to meet business needs.

The growing capability and capacity of the internet, mobile communications and cloud computing are enabling a transition towards outsourced IT services rather than just IT applications or solutions. This will evolve towards what might be called ‘cloud business’, since in reality they will become IT-enabled business services. We have already seen this happen with, for example, cloud-based sales processes, online gaming, email and social networking. Therefore, IT functions and the business must together take responsibility for managing the operation of business processes and related IT services. This requires mature IT service management, IT management and IT governance practices that include the business process owners (the consumers of the services), the IT function (which manages IT in an enterprise) and service providers (who increasingly will supply IT-enabled business services).

1.2 THE BENEFITS OF ITIL® AND COBIT®

The adoption of proven best practices helps guide professional behaviour, increases effectiveness and efficiency, and results in reliable and trusted activities. It avoids ‘reinventing wheels’; avoids disagreements between business, IT, risk and assurance stakeholders; and saves time in developing approaches.

Given that IT is operationally critical and strategic to enterprise success, then adopting good professional management practices should be a management imperative. ITIL has become the world’s most popular and effective guidance for IT service management. Used by thousands of individuals and enterprises, COBIT is the world’s most used framework for enterprise-wide governance and management of IT.

COBIT provides the strategic orientation and focus, by considering all stakeholder needs, and by linking business and governance requirements to critical IT-related areas. It helps establish ‘what to do’ and helps obtain executive-level sponsorship for any necessary improvement. Just as importantly, it ensures executive-level accountability for IT-related business decisions. ITIL provides best practice for ‘how to do’: the planning, designing, building and operating of the IT services required to support and sustain the enterprise’s IT-related objectives.

ITIL and COBIT are the two most widely adopted frameworks for supporting IT governance and management improvement initiatives, and when used together implementation will be significantly more effective. By utilizing both frameworks, improvements will be driven top down with management’s support and commitment. Using ITIL and COBIT will help to improve the success, stability and quality of IT services, and the speed at which they are delivered.

Leveraging proven best practices allows organizations to implement standard processes in place of ad hoc approaches. It also helps to maintain enterprise knowledge (rather than relying on expert staff) and develops professionalism and career progression within the organization. It embeds a shared vision of good practice into business as usual and makes meeting contractual requirements and compliance obligations easier.

1.3 OBJECTIVES OF THIS GUIDE

This guide will help organizations that are already using ITIL or COBIT to effectively adopt and utilize these two best practices as complementary tools – to enable improved IT service capability aligned with the enterprise’s business and governance requirements. For those new to ITIL or COBIT, the guide will provide a useful overview of the advantages of both practices and how and why they can be used together.

Every enterprise needs to tailor the use of ITIL and COBIT to suit its individual requirements. Experience has shown that adoption of these potentially helpful best practices can be costly and unfocused if it is not driven by business priorities and requirements. Given the enterprise-wide use of IT, there needs to be an enterprise view of IT and of the governance and management practices required. Executive management, business management, auditors, compliance officers, IT managers and IT practitioners should work together to ensure that use of COBIT and ITIL leads to cost-effective and value-generating IT solutions and services.

This guide will help enterprises adopt and adapt ITIL and COBIT to:

■ Better govern and manage IT services

■ Gain executive management buy-in and support for continual service improvement

■ Provide a transparent and accurate view of current IT process performance and significant gaps to enable decision-making

■ Prioritize improvement plans and actions based on business needs and the value generated

■ Improve the efficiency and effectiveness of implementation activities

■ Create an effective framework of management structures, policies and defined practices

■ Provide structure and context for existing or potential activities

■ Provide management with key practices to monitor the performance of, and value delivered by, improvement projects and operational services.

This can lead to many other business benefits, including the engagement of executive management and business process owners, efficiency gains, less reliance on experts, fewer errors, increased trust from business partners, and respect from regulators. It will also emphasize the importance of setting direction and monitoring (governance) and of the execution of objectives (management).

This guide is intended for all users of ITIL and COBIT – current or prospective – who are interested in driving increased value from IT. This includes business and IT management, IT professionals (including consultants and advisors), auditors and process assessors.

The contents of the guide are organized as follows:

■ Chapter 2 provides an overview of ITIL and COBIT.

■ Chapter 3 describes the business context and issues that drive a need for effective governance and management of IT services, and describes the most important governance management activities related to service management.

■ Chapter 4 explains how to use ITIL and COBIT to define the requirements for service capability – understanding business and compliance requirements for IT services and focusing on key ITIL processes.

■ Chapter 5 explains how to use ITIL and COBIT to assess service capability, implement improvements in an integrated way and measure service performance using appropriate performance objectives and metrics – based on maturity assessments and best-practices gap analysis.

■ Chapter 6 provides some conclusions.
