Qualityworld
The IT crowd
Often found overlooked and undervalued in the basement, IT departments should be the beating heart of all organisations. Alan Calder explains how a new IT service management standard might improve inter-departmental relations to benefit the end user
It has become a cliché to describe information technology (IT) as something understood in one way by business users, and in quite another by IT experts. Managers say they want technology to be easy and intuitive to use, helping their business to deliver seamless services to their customers. They also want the technology at work to be as advanced and sophisticated as that which they have just installed at home.
The IT team in a larger-scale business, however, has to grapple with a range of hardware, software and budgetary constraints that don't face the average householder. They are also expected to ensure the confidentiality, integrity and continuity of the systems and information they are dealing with, and respond to a range of IT-related legislation, such as the Data Protection, Computer Misuse and Human Rights Acts.
Systems change
Over the last 20 years, the management of an IT department has become ever more complex and challenging. Client-server IT architectures have become widespread, allowing many users (clients) to access and manipulate data on a central computer (the server) - Microsoft Exchange is perhaps the most ubiquitous example of this.
Such IT architectures have been the basis of workflow packages, enterprise resource planning systems, finance and accounting systems, customer support systems and so on.
Most organisations now have a number of centralised servers, usually in a secure server room, with a central IT team to support the server-client systems. Few of these servers were designed to work together. They have different user and administration interfaces and are at different stages of software development - meaning they are not equally robust or sophisticated. All systems are subject to hacking and virus attacks and there is a wide range of printers, scanners, telecoms services and networks that the IT team is expected to maintain and support.
The arrival of the internet and web-based computing (where a user accesses computer programs remotely through a browser) has increased the challenges facing an IT department. Web-based and client-server architectures have to co-exist, although they have different user and support requirements. In addition, IT teams have found themselves with a range of websites, intranets and extranets to support, protect and maintain.
Man on a mission
Imagine that 'John Smith' has just been appointed head of IT in a medium-sized business. His background is in software development and database programming. He understands network architecture and won't be bamboozled by supplier technical teams.
His IT department supports an organisation that has some 450 computer users, accessing 30 different applications. None of the users get specific IT training. Half of the applications are relatively new, ten are rarely used and not all upgrades have been applied. In a few instances, the software supplier has either gone out of business or been taken over. Applying monthly Microsoft operating system updates (eg Windows XP and Windows 2000) invariably creates a conflict with one or more of the older applications and system crashes are, as a result, quite frequent.
Many of the users work remotely, accessing files on the network through a virtual private network, and they regularly complain about how long it takes to retrieve data. The IT team supports three different internal networks, each containing a number of differently-aged switches and routers (which manage the sending and receiving of data to computers and networks respectively), a server room with some 40 servers representing a reasonable range of hardware, and a couple of websites.
It also maintains a firewall, an extranet for customers to access, anti-virus and other anti-malware software, and it supports the telephone service, mobile phone users and an eclectic array of personal digital assistants. Only the CEO's PA has a current-model printer; there are at least 35 other printers of different capabilities, ages, makes and models scattered throughout the organisation. The IT team is responsible for them all. There are eight technical staff in the IT team - and a number of outsourced service suppliers - that handle all maintenance and user support, as well as all 'computer incidents' (including jammed printers) and system upgrades.
The users don't think that they are getting an adequate service from the IT department, and the IT technicians have often been heard to say: 'Everything would be fine if only we didn't have users interrupting us all day long'. The chief executive - whose understanding of IT doesn't extend much beyond reading her email - wants John Smith to 'make things better,' but she's not sure how, and there's no new money to spend.
Are you being served?
So, where does John Smith start? A logical beginning point may be what is known as IT service management (ITSM). This is a set of practices for managing large-scale IT systems, and is centred on the concept that the customer's IT expectations and requirements - rather than an organisation and technology focus - should be central to the performance and delivery of IT services. The quality of services provided to, and the nature of the relationship with, the end user are core to the whole concept of ITSM. This is likely to be an attractive concept for John's boss, but not particularly enticing for his 'tech team'.
ITSM is process-focused and deals with what might be called the 'back office' - the IT services that support an organisation's business activities. Examples of business activities include finance, sales, marketing and logistics systems that support key business activities and depend on IT to be effective. ITSM is primarily an operational framework. It does not include project management or systems development activities, and there are many overlaps and links between ITSM and other IT-related disciplines, ranging from enterprise architecture (aligning an organisation's processes and sub units with its strategic direction and core goals) to information security. There are a number of ITSM frameworks, each of which provides a different slant on the concept.
What is ITIL?
The most widely-known ITSM framework is probably the IT Infrastructure Library (ITIL). ITIL originated in the 1980s, driven by a UK government determination to improve the quality and financial effectiveness of IT services available to them within the public and private sectors. Widely adopted around the world from the mid-1990s, ITIL has now been through two stages of development and improvement, and will continue to evolve. The most recent version (ITILv3), published in May 2007, is contained in five core books which between them provide over 1,300 pages of best-practice IT service management concepts, advice and recommendations.
ITIL provides the IT team with a set of processes and activities around which IT service design and delivery can be organised. It identifies key areas of IT activity such as service support, service delivery, software asset management, application management and information and communications technology infrastructure management.
It also provides guidance on how key disciplines such as configuration management, problem management, incident management, change management, service/help desk and release management should be operated. Organisations are given measurable and verifiable IT service standards which help the business understand the IT department's scope of work, the deliverables, constraints, limitations and any budgetary needs.
ITIL is supported by an international certification scheme for practitioners. However, there is no certification scheme for organisations. ITIL is a collection of best-practices, and is neither a management system nor a specification, so there is nothing on which a certification scheme can be based. ITIL is not exclusive. Microsoft has, for instance, developed its own operations framework based on ITIL.
Other service management frameworks - some public, some proprietary - have also evolved. However, ITIL is the most widely adopted framework and is well-supported by accredited practitioners, consultants, training and tools. This makes it a logical choice for John Smith. But how is he to implement 1,300 pages of advice and, more importantly, how would he demonstrate that he'd done so effectively?
Can ISO/IEC 20000 help?
The same question is often asked of outsourced IT suppliers, whose services cover a wide range of activities, from network support and data centres through to organisations that supply a completely outsourced IT function. How are they to demonstrate that they successfully operate to international standards of best practice? How do those organisations that operate to high standards differentiate themselves from their competitors who don't? And how are purchasing organisations to filter out those suppliers with an adequate standard of IT service management from those who only claim to have one?
The answer, in all these cases, might well be ISO/IEC 20000. This international standard evolved in parallel with, but is not precisely the same as, ITIL. It first emerged as a British code of practice then became a British national standard, published as BS 15000 in 2000. Updated, internationalised and published in 2006, ISO/IEC 20000 is now a two-part service management standard which, officially aligned with ITIL, is less than 100 pages and far more accessible to John Smith than the content of the five core books of the new ITIL.
Part one of ISO/IEC 20000 is a management system specification, which sets out the best-practice standard requirements for IT service management processes. Audits are performed against this part of the system.
Part two is a code of practice. It describes the best practices required in part one, but is not itself part of the management system requirements. The standard is vendor-neutral and technology-independent, and is designed for use in organisations of all sizes and in any sector, anywhere in the world.
ISO/IEC 20000 specifies the IT service management system for the design and delivery of IT services to clients. It 'promotes the adoption of an integrated process approach to effectively deliver managed services to meet the business and customer requirements.'
The IT service provider - the organisation delivering the services - could be a standalone organisation delivering, for instance, IT services commercially to third parties or it could be the internal IT organisation within a larger company that delivers IT services to users elsewhere in the business.
While ITIL sets out in some detail the best practices that could help an IT organisation achieve the quality of service required by the standard, ISO/IEC 20000 sets the standards that service management processes should aim for. It also tests that the specified processes have actually been adopted.
ISO/IEC 20000 has ten sections:
- scope
- terms and definitions
- planning and implementing service management
- requirements for a management system
- planning and implementing new or changed services
- service delivery process
- relationship processes
- control processes
- resolution processes
- release process
ISO/IEC 20000 is designed to work with ISO 9001. It adopts the 'plan, do, check, act' cycle at an early stage. Its approach to documentation, management commitment and continual improvement will be familiar to all ISO 9001-aware quality managers.
The benefits that John Smith might hope to get out of adopting ISO/IEC 20000 include:
- a tried and tested framework for the alignment of business strategy and IT services
- clarification of the requirements for management ownership of and responsibility for IT services at all levels
- a process for managing third party IT service suppliers
- a standardised, consistent approach across the IT organisation and its interfaces with the business that is aligned with established best-practice
- a shift from a reactive, problem-orientated IT environment to one which is proactive and customer-focused
- appropriate benchmarks for IT services against which continual improvement initiatives can be calibrated
- a framework within which staff training needs can be identified and training prioritised
- a reduction in operational costs, leading (hopefully) to an opportunity to redeploy budget to deal with other issues
- an improvement in business efficiency leading to an improvement in the reputation of the IT department
Although the ISO/IEC 20000 management system documentation requirements are much less onerous than those for ISO 9001, implementation of ISO/IEC 20000 should not be undertaken lightly. Its adoption is, for most organisations, the first step in a cultural revolution within the IT department. John Smith has to change the IT department's attitude from 'we hate users' to 'we love users'. Unsurprisingly, this is often resisted. The first two steps in implementing ISO/IEC 20000 should be:
- get management buy-in, commitment and support. The chief executive does not need to understand all the details, but should be supportive of the objectives and recognise that success will not be immediate
- not to mention ITIL, ISO 20000 or anything similar to the IT team. Instead, use the ideas of 'improving efficiency' and reducing the amount of time 'running around after users' to introduce the concept of a service desk, and of simple processes for standardising how user queries, complaints and issues are captured, filtered and dealt with
Then John Smith can introduce each of the additional processes identified by the standard or identify and improve upon nascent processes already in place within the organisation.
Little by little, he will bring the IT organisation to greater alignment with the business goals and will increase the effectiveness and credibility of his IT department. Once the revolution is well underway and there has been substantial progress, he might introduce ISO/IEC 20000 as a best practice standard against which they should measure their efforts, and as the basis for future growth.
He might, in parallel, start insisting that his IT service suppliers (if they are not already certified to ISO/IEC 20000) initiate IT service management projects themselves and perhaps make certification a future requirement for them. This would ensure that all parts of the extended IT organisation on which the business ultimately depends are transparently operating to the same best practice standard.
Tomorrow's world
Certification of his own organisation will not be the end of the IT service management journey. ISO/IEC 20000 requires continual improvement as a fundamental component of the management system. This will lead John Smith to look at quality frameworks - like six sigma and capability maturity models - to see what additional benefits they can help him achieve.
Inevitably, he will also start looking at how he integrates his IT service management system with his IT governance and information security management systems. There are already clearly identified links between ITIL, the 'Control objectives for information and related technology' best practice framework (also known as COBIT, an international open standard that defines requirements for the control and security of sensitive data) and ISO/IEC 17799, the information security code of practice that supports the information security management system specification, ISO/IEC 27001.
The IT management system of tomorrow will be one in which IT service management, information security management and continually improving quality processes will be integrated.
Alan Calder runs IT Governance, whose website provides books, tool kits and guidance to help with information security issues. Visit www.itgovernance.co.uk for more information. His new book, The IT Management System of Tomorrow, will be published by BSI later this year.


