COBIT- ITIL

Table of contents
1. Abstract
2. Introduction
3. IT Governance
   3.1 Strategic alignment
   3.2 Value delivery
   3.3 Resource management
   3.4 Risk management
   3.5 Performance measurement
4. Why IT Governance is Necessary?
   4.1 Benefits of IT Governance
5. COBIT (Control Objectives for Information and related Technology)
   5.1 COBIT Domains
      5.1.1 Plan and Organise
      5.1.2 Acquire and Implement
      5.1.3 Deliver and Support
      5.1.4 Monitor and Evaluate
   5.2 How Does COBIT Help Implement Effective IT Governance?
   5.3 Why is COBIT valuable?
   5.4 Limitations of COBIT
6. ITIL (Information Technology Infrastructure Library)
   6.1 ITIL v3
      6.2.1 Service Strategy
      6.2.2 Service Design
      6.2.3 Service Transition
      6.2.4 Service Operation
      6.2.5 Continual Service Improvement (CSI)
7. COBIT and ITIL: The Alignment
8. Conclusion
9. References
10. Appendix: ITIL maps on CobiT – Detailed level process




List of Figures
Figure 1: Five Outcomes of IT Governance
Figure 2: Plan and Organise
Figure 3: Acquire and Implement
Figure 4: Deliver and Support
Figure 5: Deliver and Support
Figure 6: ITIL version 2 library [ILX]
Figure 7: ITIL version 3




1. Abstract

Organisations require a structured approach for managing these and other challenges. This will ensure that there are agreed objectives for IT, good management controls in place and effective monitoring of performance to keep on track and avoid unexpected outcomes.

Management hopes for heightened understanding of the way IT is operated and the likelihood of its being leveraged successfully for competitive advantage. Boards and executive management need to extend governance to IT and provide the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives. IT governance is not an isolated discipline; it is an integral part of overall enterprise governance. The need to integrate IT governance with overall governance is similar to the need for IT to be an integral part of the enterprise rather than something practiced in remote corners or ivory towers. An increasingly educated and assertive set of stakeholders is concerned about the sound management of its interests. This has led to the emergence of governance principles and standards for overall enterprise governance. Furthermore, regulations establish board responsibilities and require that the board of directors exercise due diligence in its roles. Investors have also realised the importance of governance; research shows they are willing to pay a premium of more than 20 percent on shares of enterprises that have been shown to have good governance practices in place.




1 McKinsey’s Investors Opinion Survey, June 2000



2. Introduction

For many enterprises, information and the technology that supports it represent their most valuable, but often least understood assets. Successful enterprises recognise the benefits of information technology and use it to drive their stakeholders’ value. These enterprises also understand and manage the associated risks, such as increasing regulatory compliance and critical dependence of many business processes on information technology (IT). To be able to manage an enterprise, good enterprise governance practices have to be strictly followed.

Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:

• Providing strategic direction
• Ensuring that objectives are achieved
• Ascertaining that risks are managed appropriately
• Verifying that the enterprise’s resources are used responsibly



Enterprise governance is about:

• Conformance
  Adhering to legislation, internal policies and audit requirements, among others
• Performance
  Improving profitability, efficiency, effectiveness and growth
3. IT Governance

IT governance is an integral part of enterprise governance, consisting of the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives.




[Figure: diagram of the IT Governance Domains: Strategic Alignment, Value Delivery, Risk Management, Resource Management and Performance Measurement]

Figure 1: Five Outcomes of IT Governance


Simply stated, IT governance is the responsibility of the board and must be integrated into the organization’s enterprise governance structure. Boards and senior management must know what to expect from their information security programs.

As shown in Figure 1, the five basic outcomes of IT governance should include:

• Strategic alignment of information security
• Value Delivery - optimizing information security investment
• Resource Management
• Risk Management – manage and mitigate risks
• Performance Measurement - information security governance metrics




3.1 Strategic alignment

It focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations.


3.2 Value delivery

It is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.


3.3 Resource management

It is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.


3.4 Risk management

Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, an understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities in the organisation.


3.5 Performance measurement

Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.


4. Why IT Governance is Necessary?

IT governance is needed to ensure that the investments in IT generate value (reward) and mitigate IT-associated risks, avoiding failure.

IT is central to organisational success – effective and efficient delivery of services and goods – especially when the IT is designed to bring about change in an organisation. This change process, commonly referred to as “business transformation,” is now the prime enabler of new business models both in the private and public sectors. Business transformation offers many rewards, but it also has the potential for many risks, which may disrupt operations and have unintended consequences. The dilemma becomes how to balance risk and rewards when using IT to enable organisational change.


4.1 Benefits of IT Governance

• Increased predictability and reduced uncertainty of business operations
• Protection from the potential for civil and legal liability
• Structure to optimize the allocation of resources
• Assurance of security policy compliance
• Foundation for effective risk management
• A level of assurance that critical decisions are not based on faulty information
• Accountability for safeguarding information




5. COBIT (Control Objectives for Information and related Technology)

Business orientation is the main theme of COBIT. It is designed to be employed not only by users and auditors, but also, and more important, as comprehensive guidance for management and business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls.

The COBIT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: To provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

The framework continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor. This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.


IT governance guidance is also provided in the COBIT framework. IT governance provides the structure that links IT processes, IT resources and information to enterprise strategies and objectives. IT governance integrates optimal ways of planning and organising, acquiring and implementing, delivering and supporting, and monitoring and evaluating IT performance. IT governance enables the enterprise to take full advantage of its information, thereby maximizing benefits, capitalising on opportunities and gaining competitive advantage.

In addition, corresponding to each of the 34 high-level control objectives is an audit guideline to enable the review of IT processes against COBIT’s 318 recommended detailed control objectives to provide management assurance and/or advice for improvement.

Specifically, COBIT provides maturity models for control over IT processes, so management can map where the organisation is today, where it stands in relation to the best in class in its industry and to international standards, and where the organisation wants to be.


5.1 COBIT Domains

5.1.1 Plan and Organise




Figure 2: Plan and Organise
5.1.2 Acquire and Implement

This domain covers identifying IT requirements, acquiring the technology, and implementing it within the company’s current business processes. It also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components.

Figure 3: Acquire and Implement



5.1.3 Deliver and Support

The Deliver and Support domain focuses on the delivery aspects of the information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as the support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues and training.

Figure 4: Deliver and Support



5.1.4 Monitor and Evaluate

The Monitor and Evaluate domain deals with a company’s strategy in assessing the needs of the company and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers the issue of an independent assessment of the effectiveness of the IT system in its ability to meet business objectives and the company’s control processes by internal and external auditors.

Figure 5: Deliver and Support
5.2 How Does COBIT Help Implement Effective IT Governance?

COBIT enables mapping of IT goals to business goals and vice versa. It provides a better alignment, based on a business focus, and, more importantly, it gives a view of what IT does that is understandable to management. There is also a shared understanding amongst all stakeholders, based on a common language and the fulfillment of the COSO requirements for the IT control environment.


5.3 Why is COBIT valuable?

Executives can expect the following results from the adoption of COBIT:

• IT staff and executives will understand more fully how the business and IT can work together for successful delivery of IT initiatives.
• Full life-cycle costs of IT will become more transparent and predictable.
• IT will deliver better quality and more timely information.
• IT will deliver better quality services and more successful projects.
• Security and privacy requirements will be clearer and implementation more easily monitored.
• IT-related risks will be managed more effectively.
• Audits will be more efficient and successful.
• IT compliance with regulatory requirements will be a normal management practice.


5.4 Limitations of COBIT

Despite the various reasons for one to use COBIT, it still needs to be customized by whoever wants to use it. To customize it, an analysis of the control requirements should be performed, based on the value driver, the risk profile and the IT infrastructure and project portfolio.




6. ITIL (Information Technology Infrastructure Library)

The Information Technology Infrastructure Library (ITIL) is a set of concepts and policies for best practice in Information Technology Service Management, development and operations. It describes a number of important IT practices with checklists, tasks and procedures. It provides a framework for IT Service Management practitioners to demonstrate their knowledge and understanding of ITIL and to develop their professional expertise through training and qualifications. IT organizations can customise it to their needs.

ITIL started in 1989 as the IT Infrastructure Library compiled by W. Edwards Deming, which became v1. ITIL v2 came out in the year 2000 to make ITIL more accessible and more affordable. ITIL v2 was grouped into eight sets logically bounded by related processes, the main one being the Service Management set. ITIL version 2 focused mainly on what should be done to improve organization aims.




Figure 6: ITIL version 2 library [ILX]



There was a request from practitioners to improve on this version so as to meet the increasing needs of businesses. As such, in May 2007, the third version of ITIL came out in five volumes revolving around the concept of the Service Lifecycle structure. The third version is much more prescriptive and gives more return on investment to businesses. In this section, the focus will be mainly on the IT practices of ITIL v3.


6.1 ITIL v3

ITIL v3 is an evolution of v2 that makes ITIL even more accessible and more complete. As mentioned earlier, it is built around the concept of the Service Lifecycle structure, which is shown below.

Figure 7: ITIL version 3

ITIL version 3 had been long awaited by many practitioners, and many international organizations, such as private and public sector bodies, examination bodies and businesses, among many others, contributed to the development of ITIL version 3.

ITIL version 3 has many improvements compared to the second version. As mentioned earlier, it is more prescriptive, it tells exactly how things should be done and, more importantly for businesses, it provides guidance on return on investment. It has also evolved in structure by classifying the different sections and adding more details to them. The contents also underwent four major evolutions. The first evolution involved how to integrate business processes with IT technologies; it aims at making business and IT a single interdependent component rather than two separate entities. The second evolution is that it included an integrated value service network that brings together all business units such that they do not need to refer to a third party for prescription. The third evolution is that it makes service the centre point rather than something to be done later. It provides a dynamic service portfolio for continuous service improvement. Fourthly, the processes have been reviewed and refined in 5 volumes that meet the specific needs of organizations.

The five volumes are:

• Service Strategy
• Service Design
• Service Transition
• Service Operation
• Continuous Service Improvement

Each of the five volumes will be detailed as follows.




6.2.1 Service Strategy

Being the core of the ITIL Service Lifecycle, it offers guidance on clarification and prioritization of service provider investments in services by ensuring that the Service Strategy is defined, maintained and implemented. It aims at helping IT organizations improve and progress over time and is dependent mostly on a market-driven approach. It also introduces new concepts such as value creation, market definition and solution space. Its focus is mainly on enabling practical decision making based upon an understanding of service assets, structures and service economics. It fundamentally aims at increasing the economic life of the services.
6.2.2 Service Design


In order to meet the current and future business requirements, Service Design provides guidance on the production and maintenance of IT policies, architectures, and documents for the design of appropriate and innovative IT services solutions and processes. Service Design aims at converting the business strategy into reality. Service Design addresses how a planned service solution interacts with the larger business and technical environments, service management systems required to support the service, processes which interact with the service, technology, and architecture required to support the service, and the supply chain required to support the planned service.

Concepts and guidance include:

• Service design objectives and elements
• Selecting the service design model
• Cost model
• Benefit/risk analysis
• Implementing service design
• Measurement and control
6.2.3 Service Transition

Service Transition relates to the delivery of services required by the business into live/operational use. It aims to bridge the gap between projects and operations more effectively. Service Transition is concerned with the quality and control of the delivery to operations and provides example organization models to support transition, and guidance on how to reduce variation of delivery. It includes service asset and configuration management, validation and testing, release and deployment management, change management and knowledge management.




6.2.4 Service Operation

Service Operation ensures that there are end-to-end practices which support responsive and stable services. It is the part of the lifecycle where the services and value are actually directly delivered. It considers the monitoring of problems and the balance between service reliability and costs. The functions include event management, incident management, problem management, request fulfillment and access management.




6.2.5 Continual Service Improvement (CSI)

Continual Service Strategy aims at aligning and realigning the IT services to meet the changing business requirements. In order for it to be possible, there needs to be up-front planning, training and awareness, ongoing scheduling, roles creation, ownership assignment and the core activities identified for it to be successful. It includes service level management, service measurement and reporting and continual service improvement.
7. COBIT and ITIL: The Alignment

The COBIT framework is aimed primarily at compliance and security and, as such, ensures the IT governance for the operation of the IT services. ITIL describes a systematic, professional procedure for the management of IT services. The library forcefully puts the emphasis on the importance of meeting the corporate requirements from the commercial aspect. IT service management under ITIL is geared purely towards customer benefit and efficiency. Achieving the business objectives whilst simultaneously meeting internal and external requirements is fundamental to ensuring a company’s medium and long-term success. The synergy between the two frameworks lies in the fact that the more formal control objectives of COBIT are aligned with the ITIL framework. This link synchronizes the standards for the strategic orientation and increased efficiency of IT service management with the auditing standards.

COBIT defines 34 IT processes and includes tools for performance measurement (outcome measures and performance drivers for all IT processes); a list of critical success factors that provides concise, non-technical best practices for each IT process; and maturity models to assist in benchmarking and decision-making for capability improvements. COBIT systematically chronicles a checklist of all the things we ought to be doing, and their properties, but ITIL explains how.

ITIL does not stand alone. It requires a framework of policy, process, procedures and metrics that can give direction to IT operations (and ITIL activities). COBIT and ITIL together are a powerful force for IT operational efficiency and effectiveness. ITIL is a collection of best practices in Service Management, Security, Infrastructure Management, and Application Management. Together they can make the process improvement task much more achievable.

COBIT addresses the need for an IT organization to unambiguously understand the need for technology-enabled business change. It does this by tying the business’ use of information to the processes and resources used by IT to deliver that information. The IT Infrastructure Library addresses a subset of the 34 COBIT processes that relate to the delivery (defining services, quality of service and plan for its delivery) and support (direct support for the restoration of service and changes to the infrastructure) of IT services. While there is an overlap in some process areas, that overlap enables the integration of the COBIT and ITIL frameworks.

ITIL is not an out-of-the-box solution and does not have to stand alone; in fact, an organisation may struggle to effectively implement ITIL without some form of IT governance framework. Whilst ITIL provides best practices on planning, designing, and implementing effective ITSM capabilities, the addition of COBIT guidance and tools can help an organisation ensure that its ITSM effort is better aligned with the business, and its governance and internal control requirements. A point not to be overlooked here is that IT governance does not only improve internal control but can also be a key facilitator in aligning IT goals with those of the enterprise – a key pillar of ITIL’s raison d’être.

The integration of COBIT with ITIL processes not only allows management to improve processes and control-based elements, it also helps to demonstrate the level of IT governance. With the utilisation of an industry standard set of controls (and common terminology) facilitating the provision of assurance to both internal and external assessors, this potentially reduces the time and effort required from both operational staff and assessors in completing compliance-based initiatives.

The mappings are used to drill down from the COBIT Control Objectives into specific Control Practices to beef up existing, or proposed, ITIL processes in order to help achieve effective IT governance. These can be used to create specific process control points that an organisation can measure compliance against. Not all the COBIT Domains map onto ITIL. ITIL has many omissions compared to COBIT. ITIL focuses on operations, and mostly ignores development/solutions. ITIL seldom ventures into project management or portfolio management, and it skips a lot of aspects of request management.

However, there is no reason why an organisation cannot utilise COBIT’s supporting Control Objectives within these Domains to further improve business alignment and IT governance.
8. Conclusion

To conclude, we can say that CobiT addresses what needs to be controlled and how that is to be measured, and ITIL addresses how IT services are to be delivered and supported. When implemented properly, both CobiT and ITIL provide the necessary framework of good practices that enable an IT organization to clearly align itself with the goals of the business, manage its resources to enable those goals through the optimized delivery of information needed by the business, and deliver IT services and provide for their direct support.
9. References

   Brisebois, Richard. Boyd,Greg. Shadid, Ziad. “What is IT Governance?”. Canada.

     Web. 24 Oct.2009

   Washington, Cheryl. Torner, Javier. “IT Governance”. Information Security

     Governance: Guidance for Boards of Directors and Executive Management 2nd

     Edition: 2004. Web. 24 Oct.2009

   IT Governance Institute and the Office of Government Commerce. “Aligning

     COBIT, ITIL and ISO 17799 for Business Benefit: Management Summary”.

     2005. web: 25 Oct. 2009’




10. Appendix: ITIL maps on CobiT – Detailed level process

CobiT 4.1 Control Objective   Key Areas                                 ITIL V3 Supporting Information
                              PLAN AND ORGANISE
PO1.1 IT value management     • Business case                           • SS 2.2 What are services?
                              • Allocation of funds                     • SS 3.1 Value creation
                              • Benefit realisation                     • SS 3.4 Service structures
                              • Business case evaluation                • SS 4.4 Prepare for execution
                                                                        • SS 5.1 Financial management
                                                                        • SS 5.2 Return on investment
                                                                        • SS 5.3 Service portfolio
                                                                        management
                                                                        • SS 5.4 Service portfolio
                                                                        management method
PO1.2 Business-IT alignment   • IT alignment with business              • SS 2.1 What is service
                              strategy                                  management?
                              • Bi-directional and reciprocal           • SS 2.3 The business process
                              involvement in strategic planning         • SS 2.4 Principles of service
                                                                        management
PO1.3 Assessment of current   • Baseline of current performance         • SS 4.4 Prepare for execution
capability and performance    • Assessment of business                  • CSI 5.2 Assessments
                              contribution, functionality, stability,
                              complexity, costs, strengths and
                              weaknesses
PO1.4 IT strategic plan       • Definition of IT goals                  • SS 3.3 Service provider types
                              • Contribution to enterprise objectives,  • SS 3.5 Service strategy
                              budgets, funding, sourcing and            fundamentals
                              acquisition strategy                      • SS 4.1 Define the market
                                                                        • SS 4.2 Develop the offerings
                                                                        • SS 4.3 Develop strategic assets
                                                                        • SS 4.4 Prepare for execution
                                                                        • SS 5.5 Demand management
                                                                        • SS 6.5 Sourcing strategy
PO1.5 IT tactical plans       • IT initiatives                          • SS 4.4 Prepare for execution
                              • Resource requirements                   • SS 7.1 Implementation through
                              • Monitoring and managing benefit         the lifecycle
                              achievement                               • SS 7.2 Strategy and design
                                                                        • SS 7.3 Strategy and transitions
                                                                        • SS 7.4 Strategy and operations




PO1.6 IT portfolio management      • Defining, prioritising, managing    • SS 2.5 The service lifecycle
                                   programmes                            • SS 3.4 Service structures
                                   • Clarifying outcomes and scope       • SS 4.2 Develop the offerings
                                   of effort                             • SS 4.3 Develop strategic assets
                                   • Assigning accountability            • SS 5.3 Service portfolio
                                   • Allocating resources and funding    management
                                                                         • SS 5.4 Service portfolio
                                                                         management methods
                                                                         • SS 5.5 Demand management
                                                                         • SD 3.4 Identifying and
                                                                         documenting business
                                                                         requirements and drivers
                                                                         • SD 3.6.1 Designing service
                                                                         solutions
                                                                         • SD 3.6.2 Designing supporting
                                                                         systems, especially the service
                                                                         portfolio
PO2.1 Enterprise information       • Decision support analysis           • SD 3.6 Design aspects
architecture model                 • Information architecture model      • SD 3.6.3 Designing technology
                                   maintained                            architectures
                                   • Corporate data model                • SD 3.9 Service-oriented
                                                                         architecture
                                                                         • SD 3.10 Business service
                                                                         management
                                                                         • SD 5.2 Data and information
                                                                         management
                                                                         • ST 4.7 Knowledge management
PO2.2 Enterprise data dictionary   • Corporate data dictionary           • SD 5.2 Data and information
and data syntax rules              • Common data understanding           management
                                                                         • SD 7 Technology considerations
PO2.3 Data classification scheme   • Information classes                 • SD 5.2 Data and information
                                   • Ownership                           management
                                   • Retention
                                   • Access rules
                                   • Security levels for each
                                   information class
PO2.4 Integrity management         • Integrity and consistency of data   • SD 5.2 Data and information
                                                                         management
                                                                         • ST 4.7 Knowledge management
PO3.1 Technological direction     • Available technologies              • SS 8 Technology and strategy
planning                          • Enablement of IT strategy
                                  • Systems architecture
                                  • Technological direction
                                  • Migration strategies
PO3.2 Technology infrastructure   • Technological infrastructure plan   • SD 3.6.3 Designing technology
plan                              • Acquisition direction               architectures
                                  • Economies of scale
                                  • Interoperability of platforms
PO3.3 Monitor future trends and   • Business sector, industry,          • SS 2.4 Principles of service
regulations                       technology, infrastructure, legal     management
                                  and regulatory trends                 • SD 4.3.5.7 Modelling and
                                                                        trending
PO4.1 IT process framework        • IT process structure and            • SS 2.6 Functions and processes
                                  relationships                         across the life cycle
                                  • Process ownership                   • SS 3.4 Service structures
                                  • Integration with business           • SS 7.1 Implementation through
                                  processes, enterprise portfolio       the life cycle
                                  management and business change        • SS 9.1 Complexity
                                  processes                             • SS 9.2 Co-ordination and control
                                                                        • SS 9.3 Preserving value
                                                                        • SS 9.4 Effectiveness in
                                                                        measurement
                                                                        • SD 2.4.2 Scope
                                                                        • SD 3.6.3 Designing technology
                                                                        architectures
                                                                        • SD 3.6.4 Designing processes
                                                                        • SD 3.6.5 Design of measurement
                                                                        systems and metrics
                                                                        • SD 4 Service design processes
                                                                        • SD 6.1 Functional roles analysis
                                                                        • SD 6.2 Activity analysis
                                                                        • SD 6.3 Skills and attributes
                                                                        • SD 6.4 Roles and responsibilities
                                                                        • SD 8 Implementing service
                                                                        design
                                                                        • SD App C Process
                                                                        documentation
                                                                        templates (example)
                                                                        • ST 3.2.7 Establish effective
                                                                        controls and disciplines
                                                                        • ST 4 Service transition
                                                                        processes
                                                                        • ST 6.1 Generic roles
                                                                        • ST 8 Implementing service
                                                                        transition
                                                                        • SO 2.3 Functions and processes
                                                                        across the life cycle
                                                                        • SO 4 Service operation
                                                                        processes
                                                                        • SO 4.6 Operational activities of
                                                                        processes covered in other life
                                                                        cycle phases
                                                                        • SO 6 Organising for service
                                                                        operation
                                                                        • SO 8 Implementing service
                                                                        operation
                                                                        • CSI 3.11 Frameworks, models,
                                                                        standards and quality systems
                                                                        • CSI 4 Continual service
                                                                        improvement processes
                                                                        • CSI 4.1.1 Integration with the
                                                                        rest of the life cycle stages and
                                                                        service management processes
                                                                        • CSI 5.2 Assessments
                                                                        • CSI 5.5 The Deming Cycle
                                                                        • CSI 8 Implementing continual
                                                                        service improvement

PO4.2 IT strategy committee         • Board direction                 • SD 2.4.2 Scope
                                    • IT governance
                                    • Strategic direction
                                    • Review of investments
PO4.4 Organisational placement of   • Business significance of IT     • SS 6.1 Organisational
the IT function                     • CIO reporting lines             development
                                                                      • SO 3.2.4 Reactive vs. proactive
                                                                      organisations
PO4.5 IT organisational structure   • Organisational alignment with   • SS 2.6 Functions and processes
                                    business needs                    across the life cycle
                                                                      • SS 6.1 Organisational
                                                                      development
                                                                      • SS 6.2 Organisational
                                                                      departmentalisation
                                                                      • SS 6.3 Organisational design
                                                                      • SS 6.5 Sourcing strategy
                                                                      • SS App B2 Product managers
                                                                      • SD 6.3 Skills and attributes
                                                                      • ST 4.2.6.8 Change advisory
                                                                      board
                                                                      • ST 6.2 Organisational context for
                                                                      transitioning a service
                                                                      • ST 6.3 Organisation models to
                                                                      support service transition
                                                                      • SO 3.1 Functions, groups,
                                                                      teams, departments and divisions
                                                                      • SO 3.2 Achieving balance in
                                                                      service operation
                                                                      • SO 3.3 Providing service
                                                                      • SO 6.1 Functions
                                                                      • SO 6.2 Service desk
                                                                      • SO 6.3 Technical management
                                                                      • SO 6.4 IT operations
                                                                      management
                                                                      • SO 6.5 Application management
                                                                      • SO 6.7 Service operation
                                                                      organisation structures

PO4.6 Establishment of roles and   • Explicit roles and responsibilities   • SS 2.6 Functions and processes
responsibilities                   • Clear accountabilities and end-user   across the life cycle
                                   authorities                             • SD 6.2 Activity analysis
                                                                           • SD 6.4 Roles and responsibilities
                                                                           • ST 6.3 Organisation models to
                                                                           support service transition
                                                                           • SO 6.6 Service operation roles
                                                                           and responsibilities
                                                                           • CSI 6 Organising for continual
                                                                           service improvement




PO4.7 Responsibility for IT quality     • Ownership of IT risks in the           • SD 6.4 Roles and responsibilities
assurance (QA)                          business
                                        • Roles for managing critical risks
                                        • Enterprisewide risk and security
                                        management
                                        • System-specific security
                                        • Direction on risk appetite and
                                        acceptance of residual risks
PO4.8 Responsibility for risk,          • Ownership of IT risks in the           • SD 6.4 Roles and responsibilities
security and compliance                 business
                                        • Roles for managing critical risks
                                        • Enterprisewide risk and security
                                        management
                                        • System-specific security
                                        • Direction on risk appetite and
                                        acceptance of residual risks
PO4.9 Data and system ownership         • Enablement of business ownership       • SO 6.3 Technical management
                                        of data
                                        • Decision making about information
                                        classification
PO4.11 Segregation of duties            • Proper execution of roles and          • ST 3.2.13 Assure the quality of
                                        responsibilities                         the new or changed service
                                        • Avoidance of compromise of             • SO 5.13 Information security
                                        critical processes                       management and service
                                                                                 operation
PO4.12 IT staffing                      • Number and competency;                 • SO 6.2 Service desk
                                        requirements evaluation
PO4.15 Relationships                    • Optimal co-ordination                  • SD 4.2.5.9 Develop contracts
                                        • Communications and liaison             and relationships

PO5.1 Financial management              • Portfolio management                   • SS 3.1 Value creation
framework                               • Investment and cost management         • SS 5.1 Financial management
                                        of IT assets                             • SS 5.2 Return on investment
                                                                                 • SS App A Present value of an
                                                                                 annuity

PO5.2 Prioritisation within IT budget   • Allocation of IT resources             • SS 5.2 Return on investment
                                        • Optimisation of ROI                    • SS 5.3 Service portfolio
                                                                                 management
                                                                                 • SS 5.4 Service portfolio
                                                                                 management methods

PO5.3 IT budgeting                      • Budgeting process                      • SS 5.2.2 Return on investment
                                        • Ensuring that budget is in line with
                                        investment portfolio of programmes
                                        and services
                                        • Budget review and approval
PO5.4 Cost management                  • Comparison of costs to budgets      • SS 5.1 Financial management
                                       • Cost reporting                      (esp. 5.1.2.7)
                                       • Remediation of cost deviations
                                       from plan
PO5.5 Benefit management               • Benefits monitoring and analysis    • SS 2.2 What are services?
                                       • Improvement of IT’s contribution    • SS 5.1 Financial management
                                       • Maintenance of business cases       • SS 5.2 Return on investment
                                                                             • ST 4.4.5.10 Review and close
                                                                             service transition
                                                                             • ST 4.4.5.8 Early life support
PO6.1 IT policy and control            • Management philosophy and           • SS 6.4 Organisational culture
environment                            operating style
                                       • Integrity, ethics, competences,
                                       accountability and responsibility
                                       • Culture of value delivery while
                                       managing risks
PO6.2 Enterprise IT risk and control   • Promulgating and controlling
framework                              policy
                                       • Alignment with enterprise risk
                                       and control
PO6.5 Communication of IT              • Awareness and understanding of      • ST 5.1 Managing
objectives and direction               business and IT objectives            communications
                                                                             and commitment
                                                                             • SO 3.6 Communication
PO7.4 Personnel training               • Organisational induction and        • SD 6.3 Skills and attributes
                                       ongoing training to raise technical
                                       and management skill levels
PO8.1 Quality management system        • Standard approach aligned to        • SS 7.5 Strategy and
                                       business requirements covering        improvement
                                       quality requirements and criteria     • ST 4.4.5.3 Build and test
                                       • Policies and methods for detecting
                                       and correcting quality
                                       nonconformance
PO8.2 IT standards and quality         PO8.2 IT standards and quality        • SS 7.5 Strategy and
practices                              practices                             improvement
                                                                             • ST 3.2.13 Assure the quality of
                                                                             the new or changed service
                                                                             • ST 4.5 Service validation and
                                                                             testing
                                                                             (ITIL is not just focused on ST, but
                                                                             on ongoing test of the service)
                                                                             • CSI App A Complementary
                                                                             guidance



                                    • Life cycle standards for
PO8.3 Development and acquisition   deliverables                       • SS 6.5 Sourcing strategy
standards                                                              • SD 3.5 Design activities
                                                                       • SD 3.6 Design aspects
                                                                       • SD 3.9 Service-oriented
                                                                       architecture

                                                                       • SD 3.11 Service design models

                                                                       • SD 5.3 Application management

                                                                       • SD 7 Technology considerations
                                                                       • ST 3.2.3 Adopt a common
                                                                       framework and standards

                                                                       • ST 4.1.4 Policies, principles and
                                                                       basic concepts
                                                                       • ST 4.1.5.1 Transition strategy
PO8.4 Customer focus                • Customer-oriented QMS            • SS 5.5 Demand management
                                    • Roles and responsibilities for
                                    conflict                           • SD 4.2.5.4 Collate, measure and
                                    resolution                         improve customer satisfaction

                                                                       • ST 3.2.6 Establish and maintain
                                                                       relationships with stakeholders

PO8.5 Continuous improvement        • Communication processes          • SD 4.2.5.7 Conduct service
                                    promoting continuous improvement   reviews and instigate
                                                                       improvements within an overall
                                                                       security information officer (SIO)
                                                                       • SO 5.14 Improvement of
                                                                       operational activities
                                                                       • CSI 1 Introduction
                                                                       • CSI 2 Service management as
                                                                       a practice
                                                                       • CSI 3 Continual service
                                                                       improvement principles
                                                                       • CSI 4.1 The seven-step
                                                                       improvement process
                                                                       • CSI 4.1.1 Integration with the
                                                                       rest of the life cycle stages and
                                                                       service management processes
                                                                       • CSI 4.4 Return on investment
                                                                       for CSI
                                                                       • CSI 4.5 Business questions
                                                                       for CSI
                                                                       • CSI 5 Continual service
                                                                       improvement methods and
                                                                       techniques
                                                                       • CSI 5.1 Methods and techniques



                                                                                                 H
                                                                             • CSI 5.5 The Deming Cycle
                                                                             • CSI 5.6 CSI and other service
                                                                             management processes
                                                                             • CSI 5.6.7 Summary
                                                                             • CSI 6 Organising for continual
                                                                             service improvement
                                                                             • CSI 8 Implementing continual
                                                                             service improvement
                                                                              • CSI 9 Challenges, critical
                                                                              success factors and risks
PO8.6 Quality measurement,            • Monitoring compliance to QMS         • CSI 5.2 Assessments
monitoring and review                 and value of QMS                       • CSI 5.3 Benchmarking
                                                                             • CSI 5.4 Measuring and reporting
                                                                             frameworks
PO9.1 IT risk management              • Alignment to enterprise risk         • SS 9.5 Risks
framework                             framework                              • SD 4.5.5.1 Stage 1—Initiation
PO9.2 Establishment of risk context   • Internal and external context and    • SS 9.5 Risks
                                      goals of each assessment               • SD 4.5.5.1 Stage 1—Initiation
                                                                             • SD 4.5.5.2 Stage 2—Requirements
                                                                             and strategy
PO9.3 Event identification            • Important threats exploiting         • SS 9.5 Risks
                                      vulnerabilities having negative        • SD 4.5.5.2 Stage 2—Requirements
                                      business impact                        and strategy
                                      • Risk registry                        • ST 9 Challenges, critical success
                                                                             factors and risks
                                                                             • CSI 5.6.3 IT service continuity
                                                                             management
PO9.4 Risk assessment                 • Likelihood and impact of all         • SS 9.5 Risks
                                      identified risks                       • SD 4.5.5.2 Stage 2—Requirements
                                      • Qualitative and quantitative         and strategy
                                      assessment                             • SD 8.1 Business impact analysis
                                      • Inherent and residual risk           (not in detail)
                                                                             • ST 4.6 Evaluation
PO9.5 Risk response                   • Cost-effective controls mitigating   • SS 9.5 Risks
                                      exposure                               • SD 4.5.5.3 Stage 3—Implementation
                                      • Risk avoidance strategies in         • ST 4.6 Evaluation
                                      terms of avoidance, mitigation or
                                      acceptance
PO9.6 Maintenance and monitoring      • Prioritising and planning risk       • SS 9.5 Risks
of a risk action plan                 responses                              • SD 4.5.5.4 Stage 4—Ongoing
                                      • Costs, benefits and                  operation
                                      responsibilities
                                      • Monitoring deviations
PO10.3 Project management             • Approach commensurate with          • ST 3.2 Policies for service
approach                              size,                                 transition
                                      complexity and requirements of
                                      each project
                                      • Project governance structure
                                      • Project sponsors

PO10.4 Stakeholder commitment         • Commitment and participation of     • ST 3.2.6 Establish and maintain
                                      stakeholders                          relationships with stakeholders
                                                                            • ST 3.2.12 Ensure early
                                                                            involvement
                                                                            in the service life cycle
PO10.5 Project scope statement        • Approval of nature and scope of     • SD 3.4 Identifying and
                                      project                               documenting
                                                                            business requirements and drivers
                                                                            • SD 3.5 Design activities

PO10.7 Integrated project plan        • Integrated plan covering business   • SD App D Design and planning
                                      and IT resources                      documents and their contents
                                      • Activities and interdependencies
                                      between projects
PO10.8 Project resources              • Responsibilities, relationships,    • ST 3.2.11 Proactively manage
                                      authorities, and performance          resources across service
                                      criteria                              transitions
                                      of project team
                                      • Planning procurement of
                                      resources
PO10.11 Project change control        • Change control system for each      • ST 3.2.10 Anticipate and
                                      project (cost, schedule, scope,       manage
                                      quality)                              course corrections
                                       ACQUIRE AND IMPLEMENT
AI1.1 Definition and maintenance of   • Identifying, prioritising and       • SS 7.5 Strategy and
business functional and technical     specifying requirements for all       improvement
requirements                          initiatives related to investment     • SS 8.1 Service automation
                                      programmes                            • SD 3.2 Balanced design
                                                                            • SD 3.3 Identifying service
                                                                            requirements
                                                                            • SD 3.4 Identifying and
                                                                            documenting business
                                                                            requirements and drivers
                                                                            • SD 3.5 Design activities
                                                                            • SD 3.6.1 Designing service
                                                                            solutions
                                                                            • SD 3.6.2 Designing supporting
                                                                            systems, especially the service
                                                                            portfolio
                                                                            • SD 3.6.3 Designing technology
                                                                            architectures
                                                                            • SD 3.6.4 Designing processes
                                                                            • SD 3.6.5 Design of measurement
                                                                            systems and metrics
                                                                            • SD 3.8 Design constraints
                                                                            • SD 3.9 Service-oriented
                                                                            architecture
                                                                            • SD 4.3.5.8 Application sizing
                                                                            • SD App D Design and planning
                                                                            documents and their contents
                                                                            • ST 3.2.5 Align service transition
                                                                            plans with the business needs
AI1.2 Risk analysis report           • Analysis of all significant threats   • SD 2.4.2 Scope
                                     and potential vulnerabilities           • SD 3.6 Design aspects
                                     affecting the requirements              • SD 4.5.5.2 Stage 2—Requirements
                                                                             and strategy
AI1.3 Feasibility study and          • Alternative solutions to satisfying   • SD 3.6.1 Designing service
formulation of alternative courses   business requirements assessed          solutions
of action                            by the business and IT                  • SD 3.7.1 Evaluation of
                                                                             alternative solutions
                                                                             • ST 3.2.4 Maximise reuse of
                                                                             established processes and
                                                                             systems
AI1.4 Requirements and feasibility   • Business sponsor’s approval of        • SD 3.6.1 Designing service
decision and approval                requirements, feasible options,         solutions
                                     solutions and the acquisition
                                     approach
AI2.1 High-level design              • Translation of business               • SD 3.6.1 Designing service
                                     requirements to high-level design       solutions
                                     for acquisition                         • SD 3.6.3 Designing technology
                                     • Alignment with technological          architectures
                                     direction and information
                                     architecture
AI2.2 Detailed design                • Technical design and application      • SS 8.2 Service interfaces
                                     requirements                            • SD 4.2.5.2 Determine, document
                                     • Criteria for acceptance               and agree requirements for new
                                                                             services and produce service level
                                                                             requirements (SLR)
                                                                             • SD 5.3 Application management
AI2.4 Application security and       • Security and availability             • SD 3.6.1 Designing service
availability                         requirements addressed                  solutions
                                                                             • SO 4.4.5.11 Errors detected in
                                                                             the development environment
AI2.7 Development of application     • Developing functionality in          • SD 3.7.3 Develop the service
software                             accordance with design, standards      solution
                                     and QA requirements
                                     • Legal and contractual
                                     requirements
                                     followed by third-party developers
AI2.9 Applications requirements      • Tracking status of all               • ST 3.2.6 Establish and maintain
management                           requirements                           relationships with stakeholders
                                     through change management              • ST 3.2.10 Anticipate and
                                     process                                manage
                                                                            course corrections

AI3.1 Technological infrastructure   • Acquisition, implementation and      • SD 3.6.3 Designing technology
acquisition plan                     maintenance plan for infrastructure,   architectures
                                     aligned with business need and
                                     technological direction
AI3.2 Infrastructure resource        • Protection of resources using        • SD 4.6.5.1 Security controls
protection and availability          security and auditability measures     • SO 5.4 Server management and
                                     • Use of sensitive infrastructure      support
AI3.3 Infrastructure maintenance     • Change control, patch                • SO 5.4 Server management
                                     management,                            and support
                                     upgrade strategies and security        • SO 5.5 Network management
                                     requirements                           • SO 5.7 Database administration
                                                                            • SO 5.8 Directory services
                                                                            management
                                                                            • SO 5.9 Desktop support
                                                                            • SO 5.10 Middleware
                                                                            management
                                                                            • SO 5.11 Internet/web
                                                                            management
AI3.4 Feasibility test environment   • Development and test                 • ST 4.4.5.1 Planning
                                     environments;                          • ST 4.4.5.2 Preparation for build,
                                     feasibility and integration tests      test and deployment
                                                                            • ST 4.4.5.3 Build and test
                                                                            • ST 4.5.5.7 Test clean up and
                                                                            closure
                                                                            • ST 4.5.7 Information
                                                                            management
AI4.1 Planning for operational       • Identification and planning of all   • SD 3.6.1 Designing service
solutions                            technical, operational and usage       solutions
                                     aspects of solutions                   • ST 3.2.5 Align service transition
                                                                            plans with the business needs
                                                                            • ST 3.2.9 Plan release and
                                                                            deployment packages
                                                                            • ST 4.4.5.1 Planning
                                                                            • ST 4.4.5.2 Preparation for build,
                                                                            test and deployment
                                                                            • ST 4.4.5.5 Plan and prepare for
                                                                            deployment
AI4.2 Knowledge transfer to          • Enable ownership, delivery,          • ST 3.2.5 Align service transition
business management                  quality                                plans with the business needs
                                     and internal control of solution       • ST 4.7 Knowledge management
AI4.3 Knowledge transfer to end      • End-user knowledge and skills for    • ST 3.2.8 Provide systems for
users                                use as part of business processes      knowledge transfer and decision
                                                                            support
                                                                            • ST 4.4.5.8 Early life support
                                                                            • ST 4.7 Knowledge management
AI4.4 Knowledge transfer to          • Knowledge and skills to enable       • ST 3.2.8 Provide systems for
operations and support staff         operation and support of systems       knowledge transfer and decision
                                     and infrastructure                     support
                                                                            • ST 4.4.5.5 Plan and prepare for
                                                                            deployment
                                                                            • ST 4.7 Knowledge management
                                                                            • SO 3.7 Documentation
                                                                            • SO 4.4.5.11 Errors detected in
                                                                            the development environment
                                                                            • SO 4.6.6 Knowledge
                                                                            management
                                                                            (as operational activities)
AI5.1 Procurement control            • Standards and procedures             • SD 3.7.2 Procurement of the
                                     aligned to                             preferred solution
                                     enterprise procurement process
AI5.2 Supplier contract management   • Contract initiation and life cycle   • SD 4.2.5.9 Develop contracts
                                     management                             and relationships
                                                                            • SD 4.7.5.3 Establishing new
                                                                            suppliers and contracts
AI5.3 Supplier selection             • Fair and formal selection process    • SD 3.7.1 Evaluation of
                                     • Viable best fit to requirements      alternative solutions
                                                                            • SD 4.7.5.3 Establishing new
                                                                            suppliers and contracts
                                                                            • SD App I Example contents of a
                                                                            statement of requirement (SoR)
                                                                            and/or invitation to tender (ITT)
AI5.4 IT resources acquisition       • Protection of enterprise interests   • SD 3.7.2 Procurement of the
                                     in contractual agreements              preferred solution
                                     • Rights and obligations of all
                                     parties
AI6.1 Change standards and           • Formal change management             • SD 3.2 Balanced design
procedures                           procedures                             • SD 3.7 The subsequent design
                                     • Standardised approach                activities
                                                                            • ST 3.2 Policies for service
                                                                            transition
                                                                            • ST 3.2.1 Define and implement
                                                                            a formal policy for service
                                                                            transition
                                                                            • ST 3.2.2 Implement all changes
                                                                            to services through service
                                                                            transition
                                                                            • ST 3.2.7 Establish effective
                                                                            controls and disciplines
                                                                            • ST 4.1 Transition planning
                                                                            and support
                                                                            • ST 4.1.4 Policies, principles and
                                                                            basic concepts
                                                                            • ST 4.2 Change management
                                                                            • ST 4.2.6.1 Normal change
                                                                            procedure
                                                                            • ST 5 Service transition common
                                                                            operation activities
                                                                            • ST 6 Organising for service
                                                                            transition
                                                                            • ST 6.3 Organisation models to
                                                                            support service transition
                                                                            • ST 6.4 Service transition
                                                                            relationship with other life cycle
                                                                            stages
                                                                            • SO 4.6.1 Change management
                                                                            (as operational activities)
AI6.2 Impact assessment,   • Assessing impact, categorising,   • ST 4.2.6.2 Create and record
prioritisation and         prioritising and authorising        requests for change
authorisation                                                  • ST 4.2.6.3 Review the request
                                                               for change
                                                               • ST 4.2.6.4 Assess and evaluate
                                                               the change
                                                               • ST 4.2.6.5 Authorising the
                                                               change
                                                               • ST 4.2.6.6 Co-ordinating change
                                                               implementation
                                                               • ST 4.2.6.8 Change advisory
                                                               board
                                                               • ST 4.6 Evaluation
                                                               • SO 4.3.5.1 Menu selection
                                                               • SO 4.3.5.2 Financial approval
                                                               • SO 4.3.5.3 Other approval
AI6.3 Emergency changes    • Process for defining, raising,    • ST 4.2.6.9 Emergency changes
                           testing, documenting, assessing and
                           authorising emergency changes
AI6.4 Change status tracking and   • Tracking and reporting of all      • ST 3.2.13 Assure the quality of
reporting                          changes—rejected, approved,          the new or changed service
                                   in-process and completed             • ST 3.2.14 Proactively improve
                                                                        quality during service transition
                                                                        • ST 4.1.5.3 Planning and
                                                                        co-ordinating service transition
                                                                        • ST 4.1.6 Provide transition
                                                                        process support
AI6.5 Change closure and           • Change implementation and          • ST 4.2.6.4 Assess and evaluate
documentation                      documentation updates                the change
                                                                        • ST 4.2.6.7 Review and close
                                                                        change record
                                                                        • ST 4.4.5.10 Review and close
                                                                        service transition
                                                                        • ST 4.4.5.9 Review and close
                                                                        a deployment
                                                                        • SO 4.3.5.5 Closure
AI7.1 Training                     • Training of users and operations   • ST 4.4.5.2 Preparation for build,
                                   in accordance with implementation    test and deployment
                                   plan
AI7.2 Test plan                    • Test plan defining roles and       • ST 4.5.5.1 Validation and test
                                   responsibilities                     management
                                                                        • ST 4.5.5.2 Plan and design test
                                                                        • ST 4.5.5.3 Verify test plan and
                                                                        test design
                                                                        • ST 4.5.5.4 Prepare test
                                                                        environment
AI7.3 Implementation plan          • Implementation plan including      • ST 3.2.9 Plan release and
                                   fallback and backout strategies      deployment packages
                                                                        • ST 4.1.5.2 Preparation for
                                                                        service
                                                                        transition
                                                                        • ST 4.4.5.2 Preparation for build,
                                                                        test and deployment
                                                                        • ST 4.4.5.3 Build and test
                                                                        • ST 4.4.5.4 Service testing and
                                                                        pilots
                                                                        • ST 4.4.5.5 Plan and prepare for
                                                                        deployment
                                   • Secure test environment based
AI7.4 Test environment             on                                   • ST 3.2.14 Proactively improve
                                   operational conditions               quality during service transition
                                                                        • ST 4.4.5.2 Preparation for build,
                                                                        test
                                                                        and deployment
                                                                        • ST 4.4.5.3 Build and test
                                                                        • ST 4.4.5.4 Service testing and
                                                                        pilots



                                                                                                  O
                                   • Independently testing changes
AI7.6 Testing of changes           prior                                 • ST 3.2.14 Proactively improve
                                   to migration                          quality during service transition
                                                                         • ST 4.4.5.4 Service testing and
                                                                         pilots
                                                                         • ST 4.5.5.5 Perform tests
                                                                         • ST 4.5.5.6 Evaluate exit criteria
                                                                         and report
AI7.7 Final acceptance test        • Business process owners and         • ST 4.4.5.4 Service testing and
                                   stakeholders evaluating outcome of    pilots
                                   testing                               • ST 4.5.5.5 Perform tests
                                                                         • ST 4.5.5.6 Evaluate exit criteria
                                                                         and report
AI7.8 Promotion to production      • Controlled handover to              • ST 4.4.5.5 Plan and prepare for
                                   operations, software distribution,    deployment
                                   parallel processing                   • ST 4.4.5.6 Perform transfer,
                                                                         deployment and retirement
                                                                         • SO 4.3.5.4 Fulfilment
AI7.9 Post-implementation review   • Evaluating whether objectives       • ST 3.2.13 Assure the quality of
                                   have been met and benefits realised   the new or changed service
                                   • Action plan to address issues       • ST 4.1.5.3 Planning and
                                                                         co-ordinating service transition
                                                                         • ST 4.4.5.10 Review and close
                                                                         service transition
                                                                         • ST 4.4.5.7 Verify deployment
                                                                         • ST 4.4.5.9 Review and close a
                                                                         deployment
                                                                         • ST 4.6 Evaluation
                                                                         • SO 4.3.5.5 Closure
                                   DELIVER AND SUPPORT
DS1 Service level management       • Formal service level management     • SS 2.6 Functions and processes
framework                          process and continuous alignment      across the life cycle
                                   to business requirements              • SS 4.3 Develop strategic assets
                                   • Facilitating common understanding   • SS 4.4 Prepare for execution
                                   between customer and provider         • SS 7.2 Strategy and design
                                                                         • SS 7.3 Strategy and transitions
                                                                         • SS 7.5 Strategy and
                                                                         improvement
                                                                         • SD 4.2.5.1 Designing SLA
                                                                         frameworks
                                                                         • SD 4.2.5.9 Develop contracts
                                                                         and relationships
DS1.2 Definition of services       • Services defined based on service   • SS 4.2 Develop the offerings
                                   characteristics and business          • SS 4.3 Develop strategic assets
                                   requirements in a service catalogue   • SS 5.4 Service portfolio
                                                                         management methods
                                                                            • SS 5.5 Demand management
                                                                            • SS 7.2 Strategy and design
                                                                            • SS 7.3 Strategy and transitions
                                                                            • SS 7.4 Strategy and operations
                                                                            • SS 7.5 Strategy and
                                                                            improvement
                                                                            • SS 8.2 Service interfaces
                                                                            • SD 3 Service design principles
                                                                            • SD 3.1 Goals
                                                                            • SD 3.2 Balanced design
                                                                            • SD 3.4 Identifying and
                                                                            documenting business
                                                                            requirements and drivers
                                                                            • SD 3.5 Design activities
                                                                            • SD 3.6 Design aspects
                                                                            • SD 4.1 Service catalogue
                                                                            management
DS1.3 Service level agreements      • Defining SLAs based on customer       • SD 4.2.5.2 Determine, document
                                    requirements and IT capabilities        and agree upon requirements for
                                    • Service metrics, roles and            new services and produce SLR
                                    responsibilities                        • SD App F Sample SLA and
                                                                            operating level agreement (OLA)

DS1.4 Operating level agreements    • Definition of technical delivery to   • SD 4.2.5.5 Review and revise
                                    support the SLA(s)                      underpinning agreements and
                                                                            service scope
                                                                            • SD App F Sample SLA and OLA

DS1.5 Monitoring and reporting of   • Continuous monitoring of service      • SS 5.3 Service portfolio
service level achievements          performance                             management
                                                                            • SD 4.2.5.3 Monitor service
                                                                            performance against SLA
                                                                            • SD 4.2.5.6 Produce service
                                                                            reports
                                                                            • SD 4.2.5.7 Conduct service
                                                                            reviews
                                                                            and instigate improvements within
                                                                            an overall SIO
                                                                            • SD 4.2.5.10 Complaints and
                                                                            compliments
                                                                            • SD 4.3.8 Information
                                                                            management
                                                                            • CSI 4.2 Service reporting
                                                                            • CSI 4.3 Service measurement
DS1.6 Review of service level       • Regular review of SLAs and            • SD 4.2.5.4 Collate, measure and
agreements and contracts            underpinning contracts for              improve customer satisfaction
                                    effectiveness and being up to date      • SD 4.2.5.5 Review and revise
                                                                            underpinning agreements and
                                                                            service scope



                                                                            • SD 4.2.5.8 Review and revise
                                                                            SLAs,
                                                                            service scope and underpinning
                                                                            agreements

DS2.1 Identification of all supplier   • Categorising services according    • SS 7.3 Strategy and transitions
relationships                          to supplier type, significance and   • SD 4.7.5.1 Evaluation of new
                                       criticality                          suppliers and contracts
                                                                            • SD 4.7.5.2 Supplier
                                                                            categorisation
                                                                            and maintenance of the supplier
                                                                            and contracts database (SCD)
DS2.2 Supplier relationship            • Liaising with regard to customer   • SD 4.2.5.9 Develop contracts
management                             and supplier issues                  and relationships
                                       • Trust and transparency             • SD 4.7.5.2 Supplier
                                                                            categorisation
                                                                            and maintenance of the supplier
                                                                            and contracts database (SCD)
                                                                            • SD 4.7.5.4 Supplier and contract
                                                                            management and performance
                                                                            • SD 4.7.5.5 Contract renewal and/
                                                                            or termination

DS2.3 Supplier risk management         • Risk identification, contract      • SD 4.7.5.3 Establishing new
                                       conformance and supplier viability   suppliers and contracts
                                                                            • SD 4.7.5.5 Contract renewal and/
                                                                            or termination
DS2.4 Supplier performance             • Meeting business requirements,     • SD 4.7.5.4 Supplier and contract
monitoring                             adherence to contract and            management and performance
                                       competitive performance
DS3.1 Performance and capacity         • Ensuring capacity and performance  • Ensuring capacity and performance
planning                               are available to meet SLAs           are available to meet SLAs
DS3.2 Current performance and          • Assessment of current performance  • SD 4.3.5.2 Service capacity
capacity                               and capacity                         management
                                                                            • SD 4.3.5.3 Component capacity
                                                                            management
                                                                            • SO 4.1.5.2 Event notification
                                                                            • SO 4.1.5.3 Event detection
                                                                            • SO 5.4 Server management and
                                                                            support
                                                                            • CSI 4.3 Service measurement
DS3.3 Future performance and           • Forecasting of resource            • SD 4.3.5.1 Business capacity
capacity                               requirements                         management
                                       • Workload trends                    • SD 4.3.5.2 Service capacity
                                                                            management
                                                                            • SD 4.3.5.3 Component capacity
                                                                            management


                                                                         • SD 4.3.5.7 Modelling and
                                                                         trending
                                                                         • SD 4.3.8 Information
                                                                         management
DS3.4 IT resources availability   • Provision of resources,              • SD 4.3.5.3 Component capacity
                                  contingencies, fault tolerance and     management
                                  resource prioritisation                • SD 4.3.5.4 The underpinning
                                                                         activities of capacity
                                                                         management
                                                                         • SD 4.4 Availability management
                                                                         • SD 4.4.5.1 The reactive activities
                                                                         of availability management
                                                                         • SD 4.4.5.2 The proactive
                                                                         activities
                                                                         of availability management
                                                                         • SO 4.6.5 Availability
                                                                         management
                                                                         (as operational activities)
                                                                         • CSI 5.6.1 Availability
                                                                         management
DS3.5 Monitoring and reporting    • Maintaining and tuning performance   • SD 4.3.5.4 The underpinning
                                  and capacity, and reporting service    activities of capacity
                                  availability to the business           management
                                                                         • SD 4.3.5.5 Threshold
                                                                         management
                                                                         and control
                                                                         • SD 4.3.5.6 Demand
                                                                         management
                                                                         • SD 4.4.5.1 The reactive activities
                                                                         of availability management
DS4.1 IT continuity framework     • Enterprisewide consistent approach   • SD 4.5 IT service continuity
                                  to continuity management               management
                                                                         • SD 4.5.5.1 Stage 1—Initiation
                                                                         • CSI 5.6.3 IT Service continuity
                                                                         management
DS4.2 IT continuity plans         • Individual continuity plans based    • SD 4.5.5.2 Stage 2—
                                  on framework                           Requirements and strategy
                                  • Business impact analysis             • SD 4.5.5.3 Stage 3—
                                  • Resilience, alternative processing   Implementation
                                  and recovery                           • SD App K The typical contents of
                                                                         a recovery plan
DS4.3 Critical IT resources       • Focus on critical infrastructure,    • SD 4.4.5.2 The proactive
                                  resilience and prioritisation          activities of availability management
                                  • Response for different time          • SD 4.5.5.4 Stage 4—Ongoing
                                  periods                                operation




DS4.4 Maintenance of the IT          • Changing control to reflect              • SD 4.5.5.4 Stage 4—Ongoing
continuity plan                      changing business requirements             operation
DS4.5 Testing of the IT continuity   • Regular testing                          • SD 4.5.5.3 Stage 3—
plan                                 • Implementing action plan                 Implementation
                                                                                • SD 4.5.5.4 Stage 4—Ongoing
                                                                                operation
DS4.6 IT continuity plan training    • Regular training for all concerned       • SD 4.5.5.3 Stage 3—
                                     parties                                    Implementation
                                                                                • SD 4.5.5.4 Stage 4—Ongoing
                                                                                operation
DS4.7 Distribution of the IT         • Proper and secure distribution to        • SD 4.5.5.3 Stage 3—
continuity plan                      all authorised parties                     Implementation
                                                                                • SD 4.5.5.4 Stage 4—Ongoing
                                                                                operation
DS4.8 IT services recovery and       • Planning for period when IT is           • SD 4.4.5.2 The proactive
resumption                           recovering and resuming services           activities of availability management
                                     • Business understanding and               • SD 4.5.5.4 Stage 4—Ongoing
                                     investment support                         operation
DS4.9 Offsite backup storage         • Offsite storage of all critical media,   • SD 4.5.5.2 Stage 2—
                                     documentation and resources                Requirements and strategy
                                     needed in collaboration with               • SO 5.2.3 Backup and restore
                                     business process owners

DS4.10 Post-resumption review        • Regular management                       • SD 4.5.5.3 Stage 3—
                                     assessment of plans                        Implementation
                                                                                • SD 4.5.5.4 Stage 4—Ongoing
                                                                                operation

DS5.1 Management of IT security      • High-level placement of security         • SD 4.6 Information security
                                     management to meet business                management
                                     needs                                      • SO 5.13 Information security
                                                                                management and service
                                                                                operation
DS5.2 IT security plan               • Translation of business, risk and        • SD 4.6.4 Policies/principles/basic
                                     compliance requirements into a             concepts
                                     security plan                              • SD 4.6.5.1 Security controls
                                                                                (high-level coverage, not in detail)
DS5.3 Identity management            • Identification of all users (internal,   • SO 4.5 Access management
                                     external and temporary) and their
                                     activity

DS5.4 User account management        • Life cycle management of user            • SO 4.5 Access management
                                     accounts and access privileges             • SO 4.5.5.1 Requesting access


                                                                                 • SO 4.5.5.2 Verification
                                                                                 • SO 4.5.5.3 Providing rights
                                                                                 • SO 4.5.5.4 Monitoring identity
                                                                                 status
                                                                                 • SO 4.5.5.5 Logging and tracking
                                                                                 access
                                                                                 • SO 4.5.5.6 Removing or
                                                                                 restricting
                                                                                 rights
DS5.5 Security testing, surveillance   • Proactive testing of security           • SO 4.5.5.6 Removing or
and monitoring                         implementation                            restricting rights
                                       • Timely accreditation                    • SO 5.13 Information security
                                       • Timely reporting of unusual             management and service
                                       events                                    operation
DS5.6 Security incident definition     • Definition and classification of        • SD 4.6.5.1 Security controls
                                       security incident characteristics         (high-level coverage, not in detail)
                                                                                 • SD 4.6.5.2 Management of
                                                                                 security breaches and incidents
DS5.7 Protection of security           • Resistance to tampering                 • SO 5.4 Server management and
technology                                                                       support
DS5.10 Network security                • Controls to authorise access and        • SO 5.5 Network management
                                       information flows from and to
                                       networks
DS6.1 Definition of services           • Identification of all costs linked to   • SS 5.1 Financial management
                                       IT services and associated                • SD 4.1 Service catalogue
                                       business processes                        management

DS6.2 IT accounting                    • Allocation of costs according to        • SS 5.1 Financial management
                                       enterprise cost model
DS6.3 Cost modelling and charging      • IT costing models based on service      • SS 5.1 Financial management
                                       definitions, and charge-back process      • SS 7.2 Strategy and design
DS6.4 Cost model maintenance           • Regular review and benchmark of         • SS 5.1 Financial management
                                       cost/recharge model
DS7.1 Identification of education      • Training curriculum for each            • SO 5.13 Information security
and training needs                     group of employees                        management and service
                                                                                 operation
                                                                                 • SO 5.14 Improvement of
                                                                                 operational activities
DS8.1 Service desk                     • User interface                          • SO 4.1 Event management
                                       • Call handling                           • SO 4.2 Incident management
                                       • Incident classification and             • SO 6.2 Service desk
                                       prioritisation based on services and
                                       SLAs
DS8.2 Registration of customer         • Logging and tracking of all calls,   • SO 4.1.5.3 Event detection
queries                                incidents, service requests and        • SO 4.1.5.4 Event filtering
                                       information needs                      • SO 4.1.5.5 Significance of events
                                                                              • SO 4.1.5.6 Event correlation
                                                                              • SO 4.1.5.7 Trigger
                                                                              • SO 4.2.5.1 Incident identification
                                                                              • SO 4.2.5.2 Incident logging
                                                                              • SO 4.2.5.3 Incident
                                                                              categorisation
                                                                              • SO 4.2.5.4 Incident prioritisation
                                                                              • SO 4.2.5.5 Initial diagnosis
                                                                              • SO 4.3.5.1 Menu selection
DS8.3 Incident escalation              • Incident escalation according to     • SO 4.1.5.8 Response selection
                                       limits in SLAs                         • SO 4.2.5.6 Incident escalation
                                                                              • SO 4.2.5.7 Investigation and
                                                                              diagnosis
                                                                              • SO 4.2.5.8 Resolution and
                                                                              recovery
                                                                              • SO 5.9 Desktop support
DS8.4 Incident closure                 • Recording of resolved and            • SO 4.1.5.10 Close event
                                       unresolved incidents                   • SO 4.2.5.9 Incident closure
DS8.5 Reporting and trend analysis     • Reports of service performance       • SO 4.1.5.9 Review and actions
                                       and trends of recurring problems       • CSI 4.3 Service measurement
                                                                              (vague
DS9.1 Configuration repository and     • Recording configuration items,       • SS 8.2 Service interfaces
baseline                               monitoring and recording all assets,   • ST 4.1.5.2 Prepare for service
                                       and implementing a baseline for        transition
                                       every system and service as a          • ST 4.3.5.2 Management and
                                       change recovery checkpoint             planning
DS9.2 Identification and maintenance   • Configuration procedures to          • ST 4.1.5.2 Prepare for service
of configuration items                 support logging of all changes in      transition
                                       configuration database                 • ST 4.3.5.3 Configuration
                                                                              identification
                                                                              • ST 4.3.5.4 Configuration control
                                                                              • ST 4.3.5.5 Status accounting and
                                                                              reporting
                                       • Periodic review of configuration
DS9.3 Configuration integrity review   data                                   • ST 4.3.5.6 Verification and audit
                                       integrity                              • SO 5.4 Server management and
                                       • Control of licensed software and     support
                                       unauthorised software                  • SO 7 Technology considerations
                                                                              (especially for licensing,
                                                                              mentioned in SO 7.1.4)
DS10.1 Identification and              • Problem classification, allocation
classification                         to                                     • SO 4.4.5.1 Problem detection
                                                                              • SO 4.4.5.3 Problem
of problems                            support staff                          categorisation
                                                                              • SO 4.4.5.4 Problem prioritisation
                                                                              • SO App C Kepner and Tregoe


                                                                             • SO App D Ishikawa diagrams
DS10.2 Problem tracking and         • Audit trails, tracking and analysis of • SO 4.4.5.2 Problem logging
resolution                          root causes of all problems              • SO 4.4.5.5 Problem investigation
                                    • Initiating solutions to address root   and diagnosis
                                    causes                                   • SO 4.4.5.6 Work-arounds
                                                                             • SO 4.4.5.7 Raising a known error
                                                                             record
                                                                             • SO 4.4.5.8 Problem resolution
DS10.3 Problem closure              • Closure procedures after elimination   • SO 4.4.5.9 Problem closure
                                    of error or alternative approach         • SO 4.4.5.10 Major problem review
DS11.1 Business requirements for    • Input form design                      • SD 5.2 Data and information
data management                     • Minimising errors and omissions        management
                                    • Error-handling procedures
DS11.2 Storage and retention        • Document preparation                   • SD 5.2 Data and information
arrangements                        • Segregation of duties                  management
                                                                             • SO 5.6 Storage and archive
DS11.5 Backup and restoration       • Legal requirements                     • SO 5.2.3 Backup and restore
                                    • Retrieval and reconstruction
                                    mechanisms
DS11.6 Security requirements for    • Data input by authorised staff         • SD 5.2 Data and information
data management                                                              management
DS12.2 Physical security measures   • Securing the location, including       • SO App E Detailed description of
                                    protection from unauthorised             facilities management
                                    access, natural risks and power
                                    outages
DS12.3 Physical access              • Controlled access to premises by       • SO App E Detailed description of
                                    all parties                              facilities management
                                                                             • SO App F Physical access
                                                                             control
DS12.4 Protection against           • Monitoring and control of              • SO App E Detailed description of
environmental factors               environmental factors                    facilities management
DS12.5 Physical facilities          • Management of facilities according     • SO 5.12 Facilities and data centre
management                          to business, legal and regulatory        management
                                    requirements
DS13.1 Operations procedures and    • Procedures and familiarity with        • SO 3.7 Documentation
instructions                        operational tasks                        • SO 5 Common service operation
                                                                             activities
                                                                             • SO App B Communication in
                                                                             service operation
DS13.2 Job scheduling               • Organisation of job schedules          • SD 4.3.5.5 Threshold management
                                    maximising throughput and                and control
                                    utilisation to meet SLAs                 • SD 4.3.5.6 Demand management
                                                                            • SO 5.2.2 Job scheduling
                                                                            • SO 5.3 Mainframe management
DS13.3 IT infrastructure monitoring   • Monitoring infrastructure for       • SD 4.3.5.4 The underpinning
                                      critical events                       activities of capacity
                                      • Logging of information to           management
                                      enable review                         • SD 4.3.5.5 Threshold management
                                                                            and control
                                                                            • SO 4.1 Event management
                                                                            • SO 4.1.5.1 Event occurs
                                                                            • SO 4.1.5.9 Review and actions
                                                                            • SO 5.2.1 Console management/
                                                                            operations bridge
DS13.4 Sensitive documents and        • Physical safeguards for sensitive   • SO 5.2.4 Print and output
output devices                        assets, and negotiable instruments
DS13.5 Preventive maintenance for     • Maintenance to reduce impact of     • SO 5.3 Mainframe management
hardware                              failures                              • SO 5.4 Server management
                                                                            and support
                                      MONITOR AND EVALUATE
ME1.1 Monitoring approach             • General monitoring framework        • SD 8.5 Measurement of service
                                      • Integration with corporate          design
                                      approach
                                                                            • ST 4.5.5.1 Validation and test
                                                                            management
                                                                            • SO 3.5 Operational health
                                                                            • CSI 4.1 The seven-step
                                                                            improvement process
                                                                            • CSI 4.1a Step one—Define what
                                                                            you should measure
                                                                            • CSI 4.1b Step two—Define what
                                                                            you can measure
                                                                            • CSI 4.1.1 Integration with the
                                                                            rest of the life cycle stages and
                                                                            service management processes
                                                                            • CSI 4.1.2 Metrics and
                                                                            measurement
                                                                            • CSI 4.3 Service measurement
                                                                            • CSI 4.4 Return on investment
                                                                            for CSI
                                                                            • CSI 4.5 Business questions
                                                                            for CSI
                                                                            • CSI 5.1 Methods and techniques
                                                                            • CSI 5.2 Assessments
ME1.2 Definition and collection of    • Balanced set of objectives approved • SD 4.2.5.10 Complaints and
monitoring data                       by stakeholders                       compliments
                                      • Benchmarks, availability and        • CSI 4.1c Step three—Gathering
                                      collection of measurable data         data
                                                                            • CSI 4.1d Step four—Processing
                                                                            the data
ME1.3 Monitoring method        • Method for capturing and reporting     • ST 4.5.5.2 Plan and design test
                               results                                  • ST 4.5.5.3 Verify test plan and
                                                                        test design
                                                                        • ST 4.5.5.4 Prepare test
                                                                        environment
                                                                        • CSI 4.1b Step two—Define what
                                                                        you can measure
                                                                        • CSI 4.1f Step six—Presenting and
                                                                        using the information
                                                                        • CSI 5.4 Measuring and reporting
                                                                        frameworks
ME1.4 Performance assessment   • Review of performance against         • SD 4.2.5.7 Conduct service
                               targets                                 reviews and instigate
                               • Remedial actions                      improvements within an
                               • Root cause analysis                   overall SIO
                                                                       • CSI 3 Continual service
                                                                       improvement principles
                                                                       • CSI 4.1e Step five—Analysing
                                                                       the data
                                                                       • CSI 5.3 Benchmarking
                                                                       • CSI 8 Implementing continual
                                                                       service improvement
ME1.5 Board and executive      • Reports of IT’s contribution to the    • CSI 4.1f Step six—Presenting and
reporting                      business for service and investment      using the information
                               portfolios and programmes                • CSI 4.2 Service reporting
ME1.6 Remedial actions         • Follow-up on and remediation of all    • CSI 4.1g Step seven—
                               performance issues                       Implementing corrective action
ME4.1 Establishment of an IT   • IT governance framework aligned to     • CSI 3.10 Governance
governance framework           enterprise governance                    • CSI App A Complementary
                               • Based on suitable IT process and       guidance
                               control model
                               • Confirmation framework ensuring
                               compliance and confirming delivery
                               of enterprise strategy for IT
ME4.2 Strategic alignment      • Board understanding of IT strategy,    • SD 3.10 Business service
                               strategic direction, confidence          management
                               and trust between business and
                               IT, co-responsibility for strategic
                               decisions, and benefit realisation
ME4.3 Value delivery           • Delivery of optimum value to           • SS 3.1 Value creation
                               support enterprise strategy
                               • Understanding of expected
                               business outcomes; effective
                                business cases; management of
                                economic life cycle and realisation
                                of benefits; enforcement of
                                portfolio, programme and project
                                management; and business
                                ownership of investments
ME4.5 Risk management           • Appetite for risk, appropriate risk   • SS 9.5 Risks
                                management practices, embedding
                                risk responsibilities, regular
                                assessment of risk and transparent
                                risk reporting
ME4.6 Performance measurement   • Confirming objectives have been       • SS 4.4 Prepare for execution
                                met, reviewing any remedial             • SS 9.4 Effectiveness in
                                actions, reporting performance to       measurement
                                senior management and enabling          • SD 3.6.5 Design of measurement
                                review of progress                      systems and metrics
                                                                        • CSI 4.3 Service measurement




DOCUMENT INFO
Shared by: Kevin Soopramanien
Posted: 12/1/2009
Language: English
Pages: 50
About: Hello. I am Kevin. I am interested in the security aspect of information systems. I have been doing some research papers which I will be posting here. I hope it helps :) Cars are also of great interest to me. So you can also find reviews here :)