Interdependence of COBIT and ITIL

For years, the IT profession has been in search of practical and widely applicable best practice standards. The early IT best practices filled bookcases and were distinctly proprietary. The cost to purchase and use them was high, and benefits did not always follow use—even consistent and faithful use.

By the 1990s, IT best practice standards had improved. The better standards abandoned the approach of describing how work was to be performed and concentrated on what results should be obtained. Much of the work done by the Institute of Electrical and Electronics Engineers (IEEE) followed this evolutionary path. These newer best practice standards were practical and widely applicable.

IT Infrastructure Library (ITIL) is a reasonable example of a 21st-century standard that offers practical and widely applicable best practices for IT service management. It has been widely embraced, with major outsourcing vendors promising ITIL conformity, and with a full suite of ITIL tools and consultants available.

An important point needs to be made about the ITIL “standard.” In fact, there are three ITIL “standards,” and there may be a fourth. There are seven ITIL volumes in all. That library touches all aspects of IT, including, but not limited to, IT service delivery and support. It is a grand vision, but almost no one uses all seven volumes.

When organizations say they have adopted the ITIL standard, they usually mean that they have in place the 10 processes and the service desk described in the Service Delivery and Service Support volumes. The only actual IT service management “standard” is BS 15000 from the British Standards Institute (or the equivalent ISO 20000 from the International Organization for Standardization). It is close to the 10 processes plus service desk model, but it adds requirements about managing relationships and security.

A new version of the seven volumes is under development. One can only hope that this new version will follow the approach presented in BS 15000. The reality is that BS 15000 does not cover all IT best practices. For example, it is silent on development and acquisition best practices, and it does not present a balanced view of risk management. It covers IT service delivery and service support, but that is it.

Control Objectives for Information and related Technology (COBIT) began as a guide for IT auditors. It has evolved greatly since its first edition. The current version provides practical and widely applicable IT governance best practice standards. It can be used to supply the contextual framework that is missing from such standards as ITIL. The 34 COBIT processes cover all important processes within IT.

COBIT can be used as an effective IT planning framework. It allows an IT shop to close in on the IT processes that are most important for that shop and its parent organization. A gap analysis can be developed directly from the COBIT process maturity models. COBIT gap analysis has been used to guide internal IT improvement plans in shops ranging from dozens to thousands of IT professionals.

But COBIT offers little help in determining which specific best practices a shop should follow. It is useful in identifying the critical gaps, but offers minimal help in identifying the best practices that should be used to bridge those gaps. ITIL (or BS 15000) can be an excellent source of best practices to use for some of those gaps.

One recent assignment saw a large IT organization identify 10 COBIT gaps that needed to be bridged. The operational gaps centered on risk management, change management, quality management and value management. ITIL could provide this client with useful best practices for managing operational changes—a critical point where “the rubber meets the road.” But ITIL does not provide much help with risks, quality or value. COBIT and the new Val IT initiative are being used to guide selection of best practices in these other areas.

ITIL is a proven and practical way to bridge the operational gaps that can be identified when using COBIT. COBIT adds the critical overall context missing from ITIL. ITIL adds the practical advice about operational details that are missing from COBIT. It is true interdependency.

reprinted from

with permission

January, 2007