The role of ITIL in managing IT risk and compliance.
ITIL is one of the most discussed topics in IT in recent years. For those who came in late, ITIL is the IT Infrastructure Library, a set of books from the British Government's Office of Government Commerce (OGC). Or, depending on how you look at it, it is a service management movement sweeping the world's IT industry.
ITIL is a useful tool when improving processes, as it provides a reference framework we can compare ourselves to and a body of knowledge we can draw ideas from. ITIL is sometimes perceived and promoted in the context of risk and compliance, so let us consider where ITIL fits.
You might assume risk management is a practice like asset management or identity management that happens as a recognisably distinct function. Someone can own risk, but the practices that monitor, control and mitigate risk are embedded widely, not centralised. Just about every process in IT operations – every process defined by ITIL – addresses risk in some form.
Change management obviously tries to reduce the risk of service failure due to changes. Problem management is not about fixing things – it is about identifying and prioritising and then removing risks of a service failure. Availability and capacity management are about controlling the risk of future service failures caused by anticipated growth and changes. And so on. Service management (which is what ITIL describes) is all about risk.
There is no part of ITIL that explicitly describes risk management as a practice. ITIL is criticised for this – you can draw your own conclusions as to whether it is fine the way it is, systemic throughout ITIL, or whether risk needs its own processes. But ITIL certainly describes a range of things you can do to reduce and control risk in IT operations.
So much for risk – what about compliance? Let's get one thing clear: you cannot certify your organisation as ITIL compliant. Nor is there much point in requiring contractors to be ITIL compliant. ITIL is not a standard. It may be a reference framework, but it is an often vague and ambiguous one.
There is nothing rigorous or systematic about ITIL, so it cannot be measured to assure compliance. The measurable service management frameworks are the ISO 20000 standard and the COBIT audit framework. You can certify compliance with ISO 20000, and/or you can measure your maturity level against COBIT.
ITIL is, however, widely applied as a tool to help in achieving compliance with ISO 20000 or COBIT. It will also help you generate all the paperwork needed for ISO 9000.
ITIL also gets talked about in the context of security. It does describe the process for access management, which is for applying security policy to identity provisioning.
And it has an information security management process that in very broad high-level terms describes the lifecycle of security policy. But nothing in ITIL is adequate to fully meet compliance with security standards such as the ISO 2700x series.
So then why do we hear so much about ITIL? ITIL is one of the richest sets of guidance available and is certainly the best known. Many have heard of the Microsoft Operating Framework, and some know that it is applicable in any environment, Windows-based or otherwise, but very few know that – despite the 'M' word – it is now public domain content released free under a Creative Commons licence. Almost nobody has heard of USMBOK, probably the most complete and consistent framework of them all.
Or FITS, the nifty small-organisation framework, also freely available. ITIL continues to beat them all out of mindshare because of its incumbent momentum, its depth of guidance and its extensive professional certification programme for individuals. You can't certify your organisation, but you can certify your staff. In short, ITIL does nothing to explicitly assist with managing risk or compliance, and yet it crops up within most IT initiatives to deal with them.