Reviewer Part 2

The document discusses two frameworks for IT governance - the COSO Framework and COBIT Framework. The COSO Framework establishes internal controls to provide assurance that an organization operates ethically and in accordance with standards. The COBIT Framework is used to ensure quality, control, and reliability of information systems, and places emphasis on IT governance, security, and audit.

Uploaded by

Ferb Cruzada

COSO Framework & COBIT Framework

COSO Framework
→ COSO is an acronym for the Committee of Sponsoring Organizations.
→ The committee created the framework in 1992, led by Executive Vice President
and General Counsel, James Treadway, Jr. along with several private sector
organizations, including the following:
• American Accounting Association
• Financial Executives International
• The Institute of Internal Auditors
• American Institute of Certified Public Accountants
• The Institute of Management Accountants (formerly the National
Association of Cost Accountants)

→ The COSO Framework is a system used to establish internal controls to be
integrated into business processes. Collectively, these controls provide
reasonable assurance that the organization is operating ethically, transparently
and in accordance with established industry standards.

Principles of COSO Framework

1|ISOM
The COSO CUBE

Internal Control Goals


1. Operation
2. Reporting
3. Compliance

Internal Control Components


1. Control environment – The control environment seeks to make sure that all
business processes are based on the use of industry-standard practices.
2. Risk assessment and management – Also called enterprise risk management, this is
based on the idea that risk is an inherent part of doing business.
3. Control activities – The actions and procedures that help you achieve your internal
control objectives.
4. Information and communications – Communication rules are put in place to
make sure that both internal and external communications adhere to legal
requirements, ethical values and standard industry practices.
5. Monitoring – Monitoring is performed by an internal auditor who makes sure that
employees are adhering to established internal controls.

How is the COSO Framework used?


→ The COSO Framework is heavily used by publicly traded companies and
accounting and financial firms. The framework seeks to put internal controls in
place that formalize the way in which key business processes are performed.
→ This helps organizations to adhere to legal and ethical requirements, while also
focusing on risk assessment and management.
→ In addition to integrating such controls into key business processes, the framework
places a heavy emphasis on monitoring and reporting, especially as it relates to
using internal auditors to monitor adherence to established controls.

Benefits
→ It helps business processes to be performed in a uniform manner according to a
set of internal controls.
→ An organization that applies the framework is often in a better position to detect
fraudulent activity, whether that activity is perpetrated by cyber criminals, customers
or trusted employees.
→ Some organizations find that when they implement carefully crafted internal
controls, it helps them to make existing business processes more efficient. This can
help reduce costs and make the organization more profitable.

Limitations
→ The framework is relatively broad in scope, which means that it can be applied to
a wide variety of organizations and processes.
→ What makes the framework difficult to apply is its organizational structure. Organizations
often find that there are certain processes that could conceivably fall into multiple
categories, or that do not align well with any of the categories. As such,
organizations will often have to make some tough decisions when implementing
the framework.

COBIT Framework
→ COBIT stands for Control Objectives for Information and Related Technology.
→ It is a framework created by the ISACA (Information Systems Audit and Control
Association).
→ It was designed to be a supportive tool for managers—and allows bridging the
crucial gap between technical issues, business risks, and control requirements
→ COBIT is a thoroughly recognized guideline that can be applied to any
organization in any industry.
→ Overall, COBIT ensures quality, control, and reliability of information systems in an
organization, which is also the most important aspect of every modern business.

ISACA
→ ISACA stands for Information Systems Audit and Control Association.
→ It develops controls and guidance for information governance, security, control,
and audit professionals.
→ This international association focuses on IT governance, providing benchmarks and
governance tools for organizations that employ information systems.
→ ISACA is behind the creation, sponsorship, and driving of the COBIT framework.

History
1996 – ISACA first released COBIT as a set of control objectives to aid the financial
auditing community to work better around IT-related structures.

1998 – ISACA released a more comprehensive version.

2000 – The third edition was released and added further management guidelines around
cyber security.

2003 – ISACA created an online version of the third edition of COBIT.

2005 – COBIT 4.0 became the fourth edition in the COBIT series of releases.

2007 – COBIT was upgraded to version 4.1.

2012 – The fifth COBIT version came in and brought along tools, objectives, and best
practices universally applicable to all IT operations in enterprises.

2019 – ISACA then updated COBIT 5 to COBIT 2019. It is the latest version. This COBIT
2019 version is more comprehensive, flexible, and suitable for all enterprises,
irrespective of their immediate goals or size.

About COBIT 2019
→ COBIT 2019, is aimed at facilitating a flexible and tailored Enterprise Governance
for IT (EGIT) design and implementation.
→ Compared to its predecessor COBIT 5, COBIT 2019 is characterized by the following
major changes.
→ The COBIT Core Model has 40 governance and management objectives, which are
divided into 5 domains to guide, structure, and catalyze the work:
A. Governance objectives domain:
✓ Evaluate, Direct and Monitor (EDM) - 5 objectives
B. Management objectives domains:
✓ Align, Plan and Organize (APO) - 14 objectives
✓ Build, Acquire and Implement (BAI) - 11 objectives
✓ Deliver, Service and Support (DSS) - 6 objectives
✓ Monitor, Evaluate and Assess (MEA) - 4 objectives

COBIT Framework basics
→ COBIT is more than a set of technical standards for IT managers. This framework
supports the requirements of businesses via combined IT applications, related
processes and sources. It provides the following two main parameters:
1. Control: IT management practices, policies, procedures, and structures,
providing an acceptable assurance level that business goals will be met.
2. IT control objective: States the acceptable results level that must be attained
on implementing control procedures for a particular IT operation.

COBIT 2019 Principles:
→ The latest version, COBIT 2019, presents six principles for a governance system:
✓ Meet stakeholder needs
✓ Holistic approach
✓ Dynamic governance system
✓ Distinct governance from management
✓ Tailored to enterprise needs
✓ End-to-end governance system

What you need to know before using COBIT


A. Objectives: IT professionals can prioritize or ignore the objectives based on the
stakeholders’ needs.
B. Design factors: Include strategic, contextual, and tactical factors that help define
an organization’s requirements and how they must be addressed in a framework.
C. Domains: The objectives are categorized into specific domains that map to
various business processes such as planning, creating, and monitoring.
D. Goals cascade: It defines the connection between business goals and
requirements.
E. Components: These are generic elements such as infrastructure, skills, process
descriptions and structures influencing IT.

COBIT Components
1. Framework
2. Process Descriptions
3. Control Objectives
4. Maturity Models
5. Management Guidelines

Benefits
1. Improves IT management processes
2. Enhanced IT governance and risk management
3. Aligns IT goals with business goals
4. Offers flexibility and scalability
5. Ensures compliance with regulation
6. Ensures conformity to industry standards

Goals
→ There are four primary goals of the COBIT framework:
1. To help organizations achieve their objectives for the governance and
management of enterprise IT.
2. To provide a comprehensive set of best practices for enterprise IT governance
and management.
3. To promote alignment between enterprise IT and the business goals of the
organization.
4. To provide a common language for enterprise IT governance and
management.

INFORMATION TECHNOLOGY – CONTROLS

Purpose and Main Types of IT Controls


→ Controls at this level:
a) prepare the organization and its IT activities for the future,
b) establish a good operating environment for IT (infrastructure and systems),
c) ensure the successful execution of the daily activities and operational
transactions of the IT systems of the organization.

→ Also, the more specific strategic objectives of IT Controls are to ensure the safe
and secure operation of information systems and the protection from harm or
other potential damage of the organization’s I.T. assets and data maintained by
these systems. These objectives are achieved by a set of policies, procedures,
methods, techniques and technological measures, collectively called “IT
controls”.

→ IT operational controls are controls that enable, support and facilitate
a) the activities that manage the input, processing, and output functions of
computerized application systems in recording, maintaining and processing the
computerized transactions of the organization,
b) the developing, management and maintenance of IT infrastructure and
application systems,
c) the protection and safeguarding of the IT infrastructure, equipment, facilities and
data of the organization. Both of these controls may overlap the typical corporate
administration, human resource, financial and production controls.

The main types of IT Controls are:

B. IT Organization Controls: These controls are designed to ensure that the IT
department is organized and managed effectively.
✓ Examples of IT organization controls include policies and procedures for IT staff
training, hiring and termination processes, and segregation of duties.

C. IT Administration Controls: These controls are focused on the day-to-day
management of IT systems and processes.
✓ Examples of IT administration controls include change management
procedures, backup and recovery processes, and incident response plans.

D. IT Strategy Controls: These controls are designed to ensure that IT is aligned with
the overall goals and objectives of the organization.
✓ Examples of IT strategy controls include IT governance frameworks, IT portfolio
management processes, and IT risk management policies.

E. System Development Controls: These controls are focused on the development
and implementation of IT systems.
✓ Examples of system development controls include software development
lifecycle processes, coding standards, and testing procedures.

F. IT Security Controls: These controls are designed to protect IT systems and data
from unauthorized access, disclosure, or modification.
✓ Examples of IT security controls include access controls, encryption, and
vulnerability assessments.

G. IT Technical Controls: These controls are focused on the technical aspects of IT
systems and infrastructure.
✓ Examples of IT technical controls include network segmentation, firewalls, and
intrusion detection systems.

H. Computerized Application Controls: These controls are designed to ensure the
integrity and accuracy of data processed by IT systems.
✓ Examples of computerized application controls include data validation
checks, transaction logging, and audit trails.
✓ Each of these types of controls plays an important role in ensuring the security
and effectiveness of IT systems and processes. Organizations may use a
combination of these controls to achieve their IT goals and objectives.

→ These IT controls help with the proper monitoring and control of the organization
as a whole, from the members up to the managers and leaders.
→ They help the organization and its members achieve exceptional
performance, better than before and possibly more cooperative with each
other, just like a human body that has different roles and parts but acts as one.

IT Committee
→ Establishing the IT committee should be done by the board. The primary purpose
of the IT Committee is to provide guidelines, review, and approve the IT critical
strategic issues (systems, plans, etc.) of the Company. An example of an IT
Committee charter is described next.
➢ Main Responsibilities: The duties and areas of responsibility of the IT
Committee are:

• Oversee the IT strategic planning and execution process. Oversight is needed to
prevent flaws and to see the details in a wider scope.

• Approve and oversee the execution of the IT budget. The IT Committee is
responsible for these so as to see what is needed and to give exactly the
needed resources and budget, preventing unforeseen events.

• Approve the feasibility of new IT investments. The investments need to be
monitored by the committee, especially if they are beneficial or possibly a
game changer.

• Approve the IT personnel hiring and training plan. The Committee needs to
oversee the personnel hiring and training plan, to look for potential talent
and to see who will be a great addition to the organization.

• Determine and set operating and development priorities on existing and
future IT projects. Determining these sets our priorities and
objectives on what needs to be done first, and what we should do next after
the operation and development has been done.

• Oversee the progress of IT projects and take appropriate actions. By
monitoring the progress, we can take note of important details that some
might overlook; if something then happens, we will know what
might have caused it and can take appropriate actions.

• Monitor IT security and the good resolution of IT security related incidents.
Monitoring IT security helps the organization find a better solution
once a problem arises, and helps us seek out and root out the cause of the
problems.

• Oversee the maintenance and future development of all IT systems of the
organization. This means seeing what needs to be maintained or updated and which
systems need changing, for example changing a system so that it works with the
current versions of software, especially on computers and servers.

• Plan the development of the skills of its members. Monitoring the members
has its perks, since we can then know what to improve with them, and what needs
to be fixed and changed.

• Supply competent expertise to all levels of management of the organization
in the areas of IT technology.

• Supply the membership with timely information regarding IT technology. By
doing so we will know that our information is up to date, or when we will
need to update it.

Policy
→ IT policies and procedures establish guidelines for the use of information
technology within an organization. In other words, they outline what everyone is
expected to do while using company assets.
→ With the help of strong policies and procedures, you can incorporate actions that
are consistent, effective and efficient.
→ Policies help us to understand what needs to be accomplished, what needs to
be prioritized, and the steps needed and the proper way to accomplish the task.

IT Personnel Management Controls
→ IT personnel management controls should be identified and formally established.
Developing the IT personnel management controls should be done by the IT
committee and ratified by the board.
→ In addition to whatever general personnel controls are exercised at the level of
the Organization, the additional management controls for I.T. personnel include:

a. Screening: Screening of IT personnel during the hiring process should be
careful, meticulous and thorough. Screening should be followed by initial
orientation, the necessary periodic internal and external training, and the
periodic progress review on tasks and jobs completed.

b. Employment contracts and job descriptions: All IT personnel should have valid
employment contracts, and job descriptions which should always reflect the
current job assignment.

c. Supervision: Supervision of IT personnel involves not only direction and
progress review for the jobs and tasks assigned but the monitoring of other
aspects of their professional conduct within the work environment of the
organization, paying particular attention to deviations from expected
behavior and performance results.

d. Segregation of duties: Segregation of personnel duties as a control measure
is very important in the I.T. area, basically to safeguard the organization from
fraud, crime and abnormal actions on I.T. systems and infrastructure. No one
person should be assigned to a position to authorize transactions, execute
transactions, record transactions, and safeguard resources resulting from
consummating transactions. This means that systems development,
technical support services, and operations should be carried out by separate
units or separate individuals.

e. Rotation of duties: Rotation of duties, done periodically, prevents personnel
from becoming bored and vulnerable to fraud, abuse and system tampering
as a form of challenge.

f. Vacation: Vacation taking is also very important, especially for I.T. personnel
working in financial and other critical systems, as various abnormal and
potentially illegal actions may be discovered while they are away.

g. Professional code adoption: Adoption of professional ethical standards for
system development and other I.T. professionals is also a good control
measure as it instills a set of values with which I.T. personnel will have to comply
and apply to their everyday work activities.
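The segregation-of-duties rule in control (d) is easy to state and easy to violate silently when role assignments drift. The following is an added example (not part of the reviewer notes) that checks a set of role assignments against that rule: no one person may hold more than one of authorize, execute, record and safeguard, and development, technical support and operations must be held by different people. The assignment data and person names are constructed sample values.

```python
"""Segregation-of-duties (SoD) check over a role-assignment table.

Hypothetical example: it encodes the rule from control (d) that no single
person should authorize, execute, record and safeguard transactions, and that
systems development, technical support and operations must be separated.
"""
from itertools import combinations

# The four transaction duties named in control (d). Any two of these held by
# one person let that person both perform and conceal an improper transaction.
TRANSACTION_DUTIES = {"authorize", "execute", "record", "safeguard"}

# Functional units that control (d) requires to be carried out by separate
# units or separate individuals.
SEPARATED_UNITS = {"systems_development", "technical_support", "operations"}


def sod_conflicts(assignments):
    """Return a sorted list of (person, duty_a, duty_b) conflicts.

    assignments maps a person to the set of duties/units they hold.  A conflict
    is any pair of transaction duties, or any pair of separated units, that the
    same person holds.
    """
    conflicts = []
    for person, held in assignments.items():
        # Pairs of incompatible transaction duties held by this person.
        for a, b in combinations(sorted(held & TRANSACTION_DUTIES), 2):
            conflicts.append((person, a, b))
        # Pairs of units that must not sit with the same individual.
        for a, b in combinations(sorted(held & SEPARATED_UNITS), 2):
            conflicts.append((person, a, b))
    return sorted(conflicts)


def unassigned_duties(assignments):
    """Return duties/units that nobody holds.

    Splitting duties is only a control if every duty is still covered; an
    unassigned duty means a step (e.g. recording) is silently skipped.
    """
    covered = set().union(*assignments.values()) if assignments else set()
    return (TRANSACTION_DUTIES | SEPARATED_UNITS) - covered


# Constructed sample assignments (not real staff): bob both executes and
# records transactions, and carol sits in two units that must be separate.
SAMPLE_ASSIGNMENTS = {
    "alice": {"authorize", "systems_development"},
    "bob": {"execute", "record", "operations"},
    "carol": {"safeguard", "technical_support", "operations"},
}

if __name__ == "__main__":
    for person, a, b in sod_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"SoD conflict: {person} holds both '{a}' and '{b}'")
    missing = unassigned_duties(SAMPLE_ASSIGNMENTS)
    if missing:
        print("Unassigned duties:", ", ".join(sorted(missing)))
```

Running the check on each change to the assignment table (for example in a periodic access review) turns the paragraph's rule into a repeatable control rather than a one-time design decision.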

IT Strategic Process Methodology


→ Executing the IT strategic process steps and implementing strategy should be done
by the IT manager (CIO, etc.), overviewed by the IT committee and ratified by the
board.
→ The IT Strategic Process Methodology is similar to the corporate Strategic Process,
except that it is targeted wholly at IT.
→ The main steps are only summarized in this chapter. These are:
1. STEP 1: Getting Ready,
2. STEP 2: Articulating Mission and Vision,
3. STEP 3: Assessing the existing organizational context and current IT systems and
infrastructure,
4. STEP 4: Developing IT Strategies, Goals, and Objectives,
5. STEP 5: Defining the future I.T. architecture and data to support the business
environment of the organization, and completing the written action plan,
6. STEP 6: Implementing the IT Strategy, and
7. STEP 7: Evaluating the IT Strategy (at least annually). The product of this process
is the IT Strategic Plan, outlined next.

IT Strategic Plan
→ An IT strategy is a plan to meet the organization's information needs over three to
five years through the development of computer systems and related services
such as automation and technology.
→ The IT strategy includes a computer systems development plan but also the
business needs and goals that must be satisfied, including the environmental issues
that must be addressed in support of a primary process of the business delivered
through IT.
→ This strategy should also enable and facilitate the knowledge management
framework.
→ The objectives of the IT Strategic Plan are:
1. Align information systems with the competitive strategy of the enterprise to
enhance the company's performance.
2. Ensure that IT delivers effective solutions to business problems.
3. Make certain that IT provides strategic advantage to the company through cost or
price benefits, innovation, and value added to products or services offered.
4. Target the customer, supplier, and competitor needs, and
5. Accurately target the Corporate Success Factors to achieve, through the use
of IT, the given business objectives.

→ This strategic plan should document the information needs of the organization
for the next 5-10 years. It should be reviewed at least every year and it should be
updated and re-issued every three to five years. Also, it should be linked to the
master business plan of the organization.

IT System Development Controls


→ The purpose of System Development Controls is to ensure the safe and secure
development of computerized information systems and the protection from harm
or other potential damage of the organization’s information and data maintained
by these systems.
→ The typical system development controls are:
1. IT Systems Development Methodology, and
2. System Development Products. An IT Systems Development Methodology
provides guidance to IT project managers and development staff on all
aspects of managing their IT development projects.

→ A typical IT Systems Development Project can be divided into seven major stages:
1. IT Project Proposal: This phase involves the identification of a business need or
opportunity that can be addressed through an IT project. The IT project
proposal is created to outline the purpose of the project, the expected
outcomes, and the estimated costs and benefits.

2. IT Project Initiation: This phase involves the creation of a project team and the
establishment of project goals and objectives. The project team will conduct
a preliminary analysis of the requirements for the project and will identify the
resources needed to execute the project.

3. IT Project Planning: This phase involves the creation of a detailed project plan,
which includes a project schedule, budget, and resource allocation plan. The
project plan will also identify the risks associated with the project and how
they will be managed.

4. IT Project Execution: This phase involves the actual development and
implementation of the IT system. The project team will conduct a feasibility
study, systems analysis, systems design, software code development, and
software testing. Once the system is developed, it will be implemented and
evaluated.

5. IT Project Management: This phase involves the management of the project
team and the project plan. The project manager will monitor the progress of
the project and make adjustments to the plan as needed. The project
manager will also communicate with stakeholders and manage any issues
that arise.

6. IT Project Termination: This phase involves the completion of the project and
the delivery of the IT system to the customer. The project team will conduct a
final evaluation of the system to ensure that it meets the requirements of the
customer.

7. IT Project Closure: This phase involves the closure of the project and the
documentation of the project results. The project team will create a final
report that outlines the successes and challenges of the project. They will also
identify any lessons learned that can be applied to future projects.

IT Security Controls
→ The purpose of I.T. security controls is to ensure that all I.T. assets, systems, facilities,
data and files are protected against unauthorized access, potential damage and
improper or illegal use, and that they are operable, safe and secure at all times.
→ Information security protects information from a wide range of threats in order to
ensure business continuity, minimize business damage and maximize return on
investments and business opportunities. Information security can be characterized
as the preservation of:
A. Confidentiality: ensuring that information is accessible only to those
authorized to have access.
B. Integrity: safeguarding the accuracy and completeness of information and
processing methods.
C. Availability: ensuring that authorized users have access to information and
associated assets when required.

→ The main types of IT Security Controls are:

1. IT Security Policies and Plans: This category includes the creation and
implementation of policies and plans to manage IT security risks. IT security
policies and plans define the responsibilities and procedures for safeguarding
the organization's assets and data.

2. Computer Operations Controls: This category includes the controls used to
manage the computer operations and ensure the integrity, confidentiality,
and availability of data. Computer operations controls include procedures
for system backups, software updates, and access controls.

3. Personnel Security Management Controls: This category includes controls for
managing personnel security risks, such as hiring procedures, background
checks, and security training for employees.

4. End User Security Administration Controls: This category includes controls for
managing the security of end-user systems, such as laptops and mobile
devices. End-user security administration controls include procedures for
securing devices and restricting access to sensitive data.

5. Password Controls: This category includes controls for managing password
security, such as password complexity requirements, password expiration,
and password reuse restrictions.

6. IT Technical Protection Controls: This category includes technical controls
used to protect against IT security risks, such as firewalls, intrusion detection
systems, and antivirus software.

7. Other Management Controls: This category includes controls not covered by
other categories, such as controls for managing physical security risks,
disaster recovery plans, and incident response procedures.

8. Security Organizational Controls: This category includes controls for
managing the security of the organization as a whole, such as security
governance, risk management, and compliance management.

9. IT Security Performance Measures: This category includes measures for
assessing and monitoring the effectiveness of IT security controls and policies,
such as security audits, vulnerability assessments, and penetration testing.

→ Overall, IT security controls and policies are essential for protecting an organization's
assets and data from security risks. By implementing a comprehensive set of controls
and policies, organizations can reduce the likelihood and impact of security
incidents, while ensuring compliance with relevant regulations and standards.

Corporate IT Security Policy Examples


→ The Corporate Information Security Policy of ‘ABC Corporation’ (fictitious
Company) contains high-level statements describing the general objectives of
the Company as regarding to the control, protection and security over its critical
information assets, such as, information systems, information technology and
application software, operating systems and data base management system
software, buildings, computer rooms, cabling, network and computer facilities, other
related installations and technical infrastructures, data, backup media and archived
files and information resources in general.

Purpose
→ The purpose of the Company’s Information Security Policy is to provide the
essential guidelines and controls for secure, efficient and effective data collection
and processing operations, electronic transaction processing and information
reporting services, management information systems, and appropriate customer
information capabilities for Company Management and the Board of Directors to
effectively operate and manage the Company.

Management Responsibility
→ It is the responsibility of Company’s Management to manage the Company’s
computing and telecommunications systems.

→ The President of the Company (or other Officer authorized by the Board) shall
establish an operating structure that effectively runs and optimizes the Company’s
system capabilities and information assets potential consistent with sound business,
banking and regulatory practices.

→ The various systems and infra-structural IT components will be monitored on a
continuous basis to ensure that they function properly and that they have the
ability to meet the current and future needs and requirements of the Company.

→ The authorized management staff shall be responsible for, and direct the feasibility
studies regarding the procurement of IT solutions and the development,
implementation, system and data conversion, system review, system operation
and training of personnel for all systems of the company. It is also management’s
responsibility to ensure that procedures are in effect for these systems to operate
in case of disasters or other calamities.

IT Solutions Procurement and System Development


→ The Company’s IT Solutions procurement and development/operation of the
systems, maintenance services, application systems, consulting support, IT Training,
etc. shall be managed by the authorized management of the Company and/or
designated individuals or functional entities and the steps identified below shall be
followed for the attainment of these.
→ Also, the computing and telecommunications systems of the company shall be
constantly monitored, and should a current and/or future need for change or
improvement be identified, the Company should again follow the System
Development Life-Cycle (SDLC) approach as follows:

1) Business Needs Scoping analysis
2) Requirements analysis
3) Feasibility study
4) Review of alternative solutions
5) System analysis and design
6) System development
7) System testing
8) System and data conversion
9) System operation
10) System post-implementation review

Equipment, Software and other Physical Installations


→ The management of the Company is authorized to install all the necessary
equipment and software, (servers, terminals, printer, modems, routers, bridges,
etc) and supervise the design and completion of all the physical installations
(buildings, cabling, computer rooms, network rooms, etc) that may be required for
the computing and telecommunications systems of the Company.
→ Users of these systems are not allowed to install any devices and/or software in any
personal computers or workstations assigned to them by the Company. Also
transfer of any Company files and/or data in any way, into or out of Company
premises, facilities and systems is not allowed.

General IT and Application Systems Controls


→ The President or other authorized management staff of the Company is responsible
for the establishment, development, maintenance, and review of a
comprehensive security program covering computing and telecommunications
systems and related infrastructures.
→ The systems, infrastructure components, and related data will be safeguarded,
protected, and operated in a safe environment.
→ Controls and security must include, but are not limited to, the following:
A. Administrative controls: Administrative controls aim to ensure that the entire
control framework is instituted, continuously supported by management, and
properly enforced.
✓ Examples of administrative controls include: a published controls policy,
formal systems development standards and procedures, employment
contracts and confidentiality clauses, personnel screening, continuous
personnel supervision, separation of duties, and disaster recovery
planning for computing and telecommunications systems.

B. Physical Data Center Protection: Normal operating conditions should be
ensured through environmental controls (air-conditioning, air filtering,
humidification, dehumidification, etc.), fire and flooding protection,
emergency power supply, radiation shielding, and so on.

C. Operations controls (policies, procedures, and technology) shall be
established by the Company to ensure that data centers are operated in a
reliable manner.
✓ Controls over personnel access to the data center, control over
operations personnel, control over computer and telecommunications
equipment maintenance, and control over archival media and storage
facilities are among these controls.

D. Information and communication security: To protect all computing and
telecommunication systems and information, the Company must maintain
integrity and security controls.
✓ These controls are also intended to address the risks associated with the
potential misappropriation of computing and telecommunications system
resources.
✓ Examples of such security controls are: logical access controls (operating
system, database system, application software); network and local access
security, user identification and authentication, firewalls, and cryptographic
controls (encryption, hashing, etc.); message transmission controls (e-mail,
telecommunications, etc.); and an information resource classification
method together with information retention, disposal, and security rules.

E. Controls for System Development and Maintenance: The Company's
management will ensure that auditing procedures are established and
implemented on a continuous basis to ensure that all systems are developed
and maintained using the SDLC methodology identified in this document and
in the Company's IT standards.
✓ These audits should also ensure that only authorized personnel perform
approved system changes and improvements, that administrative
controls are in place (segregation of duties, screening and supervision of
personnel, etc.), and that audit mechanisms for the periodic review of the
source code of applications held in escrow are in place.

F. Application Controls: The Company's authorized management staff will ensure,
through various mechanisms (e.g., IT audit), that all application systems are
developed and operated with the following indicative controls to ensure
information accuracy: input controls, processing controls, database controls,
telecommunications controls, and output controls.

G. Data Center Controls: It is the responsibility of the Company's authorized
management (e.g., the IT division manager) to ensure that the following
operational procedures are followed.
✓ Examples of these are: biometrics for facility access, backup and recovery
procedures, system (operating, database, network) performance monitoring,
problem management and resolution, application health-check and integrity
control procedures, off-site storage procedures, IT disaster plan testing
procedures, and security incident monitoring and reporting procedures.

IT systems continuity
→ The Company's management is responsible for establishing and operating proper
backup systems and procedures for all computing and telecommunications
systems.
→ These backup systems must be put in place to protect the company in the event
of a major breakdown or disaster.
→ The Company must develop and maintain a plan to address the possibility of such
events occurring, which will necessitate planning for alternate computing system
processing options (facilities, equipment, procedures, etc).
→ All of this is to ensure that the Company can maintain business continuity.
→ IT system continuity requirements may include, at a minimum, the following:
a) identification of critical application systems,
b) evaluation of alternate processing facilities,
c) documented backup and recovery plans,
d) test procedures,
e) contingency evaluation procedures,
f) off-site storage procedures and computer data recovery equipment, and
g) a computer insurance policy.

Security requirements:
→ Information systems security standards are defined as the minimum criteria,
rules, and procedures established by Senior Company Management and ratified
by the Board of Directors that must be implemented to help ensure the
achievement of the Corporate Information Security Policy.
→ Under management's direction, various staff (e.g., security manager, system
security administrator, end users, IT divisional managers, system development staff,
etc.) implement these. These should include a detailed description of each
procedure and/or control to be implemented.

Applicability and Compliance

→ This security policy applies to all of the Company's locations, branches, subsidiaries,
premises, equipment, installations, systems, networks, personnel, and outside
contractors. Without written permission, information may not be disclosed to any
unauthorized parties.
→ Personal use of all of these systems, facilities, equipment, and so on (as defined in
the introductory paragraph and throughout this policy) is not permitted unless
written management approval at the appropriate level is obtained.
→ Without written management approval, company management shall not make
any commitments of any kind through the use of electronic media and network
software facilities.
→ Any violation of this policy and/or related procedures and/or related laws,
whether voluntary or involuntary, will be dealt with in accordance with the laws of
the country in which the Company's office is located. All personnel must keep all
passwords, access procedures, and related controls confidential.
→ Cases involving Company personnel, whether directly or indirectly, may result in
immediate dismissal of these employees, as well as other disciplinary and/or legal
actions as required by national laws or Company regulations.

IT Operational Controls
→ The purpose of IT operational controls is to ensure that the IT facilities and
equipment remain in good operational status, and therefore to ensure the
safe and successful operation of the IT infrastructure and systems for serving the
business purposes of the organization.
→ The main types of IT Operational Controls fall into four categories, related to
infrastructure, contingency planning, and end-user devices. A brief overview of
each category follows:

1. Data Centre Controls: This category includes controls used to manage
the data center environment and ensure the availability, reliability, and
security of IT infrastructure. Data center controls may include
procedures for managing power and cooling, physical access controls,
fire suppression systems, and environmental monitoring.

2. IT Contingency Planning and IT Disaster Recovery Plan: This category
includes controls for planning and executing IT contingency and
disaster recovery procedures. IT contingency planning includes the
development of procedures for responding to unforeseen events, such
as system failures, cyber-attacks, and natural disasters. Disaster
recovery planning includes the development of procedures for
restoring IT systems and data after a disaster.

3. Hardware Controls: This category includes controls used to manage
hardware assets, such as servers, storage devices, and network
equipment. Hardware controls may include procedures for monitoring
equipment performance, managing hardware inventory, and tracking
hardware maintenance and repairs.

4. Personal Computers Controls: This category includes controls used to
manage end-user devices, such as desktops, laptops, and mobile
devices. Personal computers controls may include procedures for
managing software updates, restricting access to sensitive data, and
monitoring device usage.

→ Overall, IT controls related to infrastructure, contingency planning, and end-
user devices are essential for ensuring the availability, reliability, and security
of IT systems. By implementing a comprehensive set of controls, organizations
can reduce the risk of IT-related incidents, maintain compliance with relevant
regulations and standards, and minimize the impact of unforeseen events.

→ The most critical from a corporate perspective is the IT Disaster Recovery Plan,
which is presented next. The other controls are not discussed as they are
deemed to be outside the scope of this book.

IT Disaster Recovery Plan

→ The contents of a typical IT Disaster Plan are described next:

→ The I.T. Disaster Recovery Plan Document describes what must be done in
order to recover from a pre-defined failure and resume operating an
Information System.
→ The contents of this plan should be:

i. Executive Summary: A management overview and a brief summary of the
contents of this document, including a summary of costs and benefits, the
critical business functions, and the critical IT applications covered in this plan.

ii. Resources Required: A description of the internal and external resources
required to support the disaster recovery plan. Internal organizational
conditions and resources required (Legal, IT management, Users, Building
facilities, Administration, Accounting, Security), and external organizational
resources required (Insurers, Vendors, Alternate business processing personnel,
telecommunications, public authorities, etc.).

iii. Security Issues: A detailed statement of the security issues regarding I.T.
disaster recovery and how these should be implemented to facilitate the
recovery process.

iv. Risks Covered: A detailed statement of the natural and other risks
covered, such as rain, fire, storm, earth-quake, etc.

v. Risk Solutions Analysis: A detailed statement of the recovery solutions
covered by the document at the level of: recovery of data, recovery of
the data center, recovery of the network, recovery of end-user
operations, recovery of the business function(s).

vi. Recovery Solution: A detailed statement of the recovery solution to be
implemented, such as: Hot Site, Warm Site, Parallel Data Center, etc. For
the solution (to be implemented) all the hardware and software
requirements and specifications should be documented as well.

vii. Applications Recovery List: A summary statement for each critical
application to be recovered as per the recovery solution.

viii. Backup Procedure: A summary statement of the procedures executed,
as per the backup procedure (see Backup Procedure Plan), and the set of
backup media required for the recovery of each critical application to
be recovered.

ix. Recovery Invocation Process: A detailed statement of the conditions
triggering the recovery process, such as: time period, impact of real or
potential damage, production errors of the application system, etc.

x. Recovery Organization: A detailed statement on the key personnel
required, their organization structure for recovery processes, their
complete details (surnames, names, phone numbers, etc.) and the
training that they have taken.
xi. External Support: A detailed statement of all external contractors, their
contractual arrangements and their details (names, locations, phone
numbers, etc.) required for the triggering and completion of the recovery
process.

xii. Recovery Testing Strategy: A detailed statement of the testing strategy for
all elements of the recovery process and the resources required.

xiii. Return Procedures: A detailed description of the procedures that have to be
carried out for the successful return to the main data center of the
organization after the recovery has taken place at the recovery location.

xiv. Insurance: Insurance coverage details should document what is covered
(especially any cost of moving data and operating in an alternative
way) and what is not, as well as the necessary claims forms and
procedures to be followed.

xv. Plan Maintenance Procedure: A detailed description of the procedure to
maintain this plan, including all the required forms, such as: history of
changes log, testing schedule, change authorization form, etc.

xvi. Appendix: The appendix may contain external support contracts for the
recovery process, insurance contracts, insurance claims forms, and all other
pertinent documentation required for the recovery process to be
completed (e.g., distribution list, user comments form, glossary of recovery
terms, vital records inventory list, system and database software
configuration lists, vehicles list for logistics support, the details (names,
phone numbers) of backup top management that must be present to
authorize critical operations in case the assigned recovery management
personnel are absent, etc.).

IT technical controls
→ The purpose of IT Technical Controls is to ensure that the operating system,
database and data communications software remain in good operational
status, and therefore to ensure the safe and successful operation of the IT
infrastructure and systems for serving the business purposes of the organization.

→ The main types of IT Technical Controls are:

a) Systems Operating Environment Controls
b) Database Controls
c) Data Communications Controls
d) Audit Trail Controls
e) Operating System Change Management Controls
f) Database and Data Communications Software Change Management Controls

Computerized Application Controls

→ Application control is a security approach that prevents unauthorized applications
from damaging data by blocking or restricting their execution.

→ The purpose of computerized application controls is to ensure that the computer
programs of a particular computerized application process the business
transactions according to a set of predefined rules and store the processed data
in computerized files and databases in a safe and secure way.

→ The main Computerized Application Controls are:
➢ Input Controls, Processing Controls, and Output Controls, three types of
controls that are used in information systems to ensure the accuracy,
completeness, and security of data.

1. Input Controls: These controls are designed to ensure that data entered into
the system is accurate, complete, and authorized.
✓ Examples of input controls include validation checks, which verify the
accuracy and completeness of data, and access controls, which ensure
that only authorized users can enter data into the system.

2. Processing Controls: These controls are designed to ensure that data is
processed accurately and completely.
✓ Examples of processing controls include error handling procedures, which
detect and correct processing errors, and reconciliation procedures,
which verify that processed data is accurate and complete.

3. Output Controls: These controls are designed to ensure that data output from
the system is accurate, complete, and secure.
✓ Examples of output controls include formatting and labeling controls,
which ensure that output is easily understandable and properly identified,
and distribution and access controls, which ensure that output is only
accessed by authorized users.

Input Controls
→ The main objective of input controls is to prevent the entry of erroneous,
incomplete, or otherwise improper data into the computerized information system,
and to ensure that each transaction is authorized, processed correctly, and
processed only one time.
→ This is because the inputting of data is the area where significant risks and exposures
for abuse, crime and errors exist. These controls must ensure: accuracy of data,
completeness of input and validation of input.

1. Accuracy of data: In order to ensure accuracy of data, information systems
developers should:

• Design both the documents and the screens so as to minimize the number of
errors which could be made by the data entry personnel, especially when
data are keyed from documents.
• Include check digits in the codes that identify transactions and other entities,
which enable the computer application software to check whether a code
has been entered correctly.
• Display a message on the screen (for online systems) to remind data entry
personnel that all input transactions should be authorized (i.e., the original
documents should be checked). For batch systems the check for
authorization should be visual.

2. Completeness of input: In order to ensure completeness of input, information
systems developers should provide instructions and software code in the system
developed so that:
• For batch systems, all transactions entered into the system, should
be compared against the count for the batch produced by the
computer program of the information system. Also, financial totals for the
batch, when financial data are involved, should be compared between what
has been inputted and what exists on the input documents.

• For online systems, “logical” batches may be created by each data
entry clerk on some time-period basis (e.g. hourly or daily, etc.). Again, the
manual count of what has been entered can be compared to the count kept
by the computerized application system. Also, financial totals can be
compared (as explained above for the batch systems).

• For both batch and online systems, the approach of “Dual read” may be
applied, especially for very critical financial or other-type transactions.

• This means that the data are inputted twice, once by person A, the second
by person B, and the input is accepted only when both actions (input by
person A and input by person B) are the same.

3. Validation of input: In order to ensure validation of input, information systems
developers should write software code in the system developed to perform a
variety of checks, such as:
• Format checks: character validation tests should check input data fields to see
if they contain alphanumeric characters when they are supposed to contain only
numeric characters, and so on. Also, if special characters are present in the input
data field, the format is improper.

• Reasonableness checks: These checks compare input data to expected
values by testing logical relationships, or by checking whether an upper limit has
been exceeded. For example, employee weekly hours should not be
automatically processed if the sum of regular and overtime hours per individual
exceeds 80. Another check could be performed on range values. For example,
customer numbers can only be in the range 00001 to 59999. A financial totals
check can also be performed by comparing the individual detail and total
numerical items entered with the financial total produced by the
computerized system. If a difference occurs then the data may have to be
corrected and inputted again.

• Code checks: The system can compare the code entered, beyond its check
digit (as explained beforehand), with the valid codes existing in the corporate or
other database. The result of all validations is an error file, a valid transactions
file and an error report for subsequent human inspection and correction.
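The input controls described above (format, range, check digit, code and reasonableness checks, plus the batch financial total, producing a valid transactions file, an error file and an error report), as an added Python example that is not part of the original notes. The department code table, the mod-10 (Luhn) check-digit scheme and the sample batch are assumptions; the 00001-59999 customer range and the 80-hour limit are the notes' own figures.

```python
import re
from typing import Dict, List

# Limits taken from the notes' examples; the code table and the Luhn
# check-digit scheme are assumptions made for this example.
CUSTOMER_RANGE = (1, 59999)
MAX_WEEKLY_HOURS = 80
VALID_DEPT_CODES = {"SALES", "OPS", "FIN"}
AMOUNT_RE = re.compile(r"^\d+\.\d{2}$")


def check_digit_ok(code: str) -> bool:
    """Mod-10 (Luhn) check digit; the notes ask for a check digit but name no scheme."""
    if not code.isdigit() or len(code) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(code)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_record(rec: Dict[str, str]) -> List[str]:
    """Return the validation failures for one transaction (empty list if valid)."""
    errors: List[str] = []
    cust = rec.get("customer_no", "")
    if not (cust.isdigit() and len(cust) == 5):                    # format check
        errors.append("FORMAT: customer_no must be exactly 5 digits")
    elif not CUSTOMER_RANGE[0] <= int(cust) <= CUSTOMER_RANGE[1]:  # range check
        errors.append("RANGE: customer_no outside 00001-59999")
    if not check_digit_ok(rec.get("txn_id", "")):                  # check digit
        errors.append("CHECKDIGIT: txn_id fails mod-10 check")
    if rec.get("dept") not in VALID_DEPT_CODES:                    # code check
        errors.append("CODE: dept not in valid code table")
    try:                                                           # reasonableness
        hours = float(rec["regular_hours"]) + float(rec["overtime_hours"])
        if hours > MAX_WEEKLY_HOURS:
            errors.append(f"REASONABLENESS: {hours:g} weekly hours exceeds {MAX_WEEKLY_HOURS}")
    except (KeyError, ValueError):
        errors.append("FORMAT: hours fields must be numeric")
    if not AMOUNT_RE.match(rec.get("amount", "")):                 # format check
        errors.append("FORMAT: amount must look like 123.45")
    return errors


def validate_batch(records: List[Dict[str, str]], control_total: float) -> dict:
    """Split a batch into a valid file and an error file, and compare the
    financial total entered with the control total from the input documents."""
    valid, rejected = [], []
    entered_total = 0.0
    for rec in records:
        errs = validate_record(rec)
        if AMOUNT_RE.match(rec.get("amount", "")):
            entered_total += float(rec["amount"])
        if errs:
            rejected.append({"txn_id": rec.get("txn_id"), "errors": errs})
        else:
            valid.append(rec)
    return {
        "valid": valid,
        "errors": rejected,
        "entered_total": round(entered_total, 2),
        "batch_total_ok": abs(entered_total - control_total) < 0.005,
    }


def error_report(result: dict) -> str:
    """Error report for subsequent human inspection and correction."""
    lines = [f"{len(result['valid'])} valid, {len(result['errors'])} rejected"]
    if not result["batch_total_ok"]:
        lines.append(f"BATCH TOTAL MISMATCH: entered {result['entered_total']:.2f}")
    for item in result["errors"]:
        for err in item["errors"]:
            lines.append(f"txn {item['txn_id']}: {err}")
    return "\n".join(lines)


# Constructed sample batch (not from the notes); one record per failure mode.
SAMPLE_BATCH = [
    {"txn_id": "1008", "customer_no": "00042", "dept": "SALES",
     "regular_hours": "40", "overtime_hours": "5", "amount": "100.00"},
    {"txn_id": "2006", "customer_no": "60000", "dept": "OPS",
     "regular_hours": "38", "overtime_hours": "0", "amount": "250.50"},
    {"txn_id": "4003", "customer_no": "12345", "dept": "FIN",
     "regular_hours": "40", "overtime_hours": "2", "amount": "75.25"},
    {"txn_id": "3004", "customer_no": "00777", "dept": "HR",
     "regular_hours": "60", "overtime_hours": "30", "amount": "40.00"},
    {"txn_id": "6007", "customer_no": "5A123", "dept": "SALES",
     "regular_hours": "40", "overtime_hours": "abc", "amount": "10.00"},
]
SAMPLE_CONTROL_TOTAL = 475.75   # total written on the constructed input documents

if __name__ == "__main__":
    print(error_report(validate_batch(SAMPLE_BATCH, SAMPLE_CONTROL_TOTAL)))
```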

Processing Controls
→ The main objective of processing controls is to ensure that transactions entered into
the computerized application system are valid and accurate, that external data
are not lost or altered, and that invalid transactions are reprocessed correctly.

• Cross footing tests: Cross footing tests mean the execution of logical tests for
information consistency. This presupposes that two independent computations
of a total figure can be made and compared.

• Reasonableness checks: Reasonableness checks compare processed data to
a set of pre-defined values or against an upper or lower limit before updating
the corporate database.

• Functional checks: Functional checks ensure that invoices for zero or negative
amounts are not printed, and that funds are not transferred or paid beyond some
upper pre-set limit per customer account.

• Rounding off checks: Correct rounding off of financial data can avoid a
possible “salami” attack, where very tiny sums (e.g., 1 cent) are deposited into
an account of the defrauder for every financial transaction processed. In a
financial institution this may amount to several hundreds or millions of dollars
(or euros) stolen and defrauded in a given year.

• Parity checks: The addition of a parity bit (i.e., one that makes the count of “1”
bits even or odd) to a set of data to be processed assures that bits are not lost
during computer processing without being detected, and so guards against data
corruption.

• Sequence checks: Sequence checks are used to check for missing items either
within the given transaction or in a pre-defined set of transactions.

Output Controls
→ The main objective of output controls is to authenticate all the other controls, i.e.,
to ensure that only authorized transactions are processed correctly and that
reports, screens and other output (e.g. magnetic media) are of the highest quality,
complete and available only to authorized personnel.
→ Output controls include:
• Schedule checks: to ensure that reports, media and documents are produced
and printed according to schedule.

• Distribution checks: to ensure that all printed output is distributed according to
the rules of security (e.g. for checks or payroll reports), and that electronic
output (media, etc.) is also sent to the authorized recipients.

• Balancing checks: balancing checks confirm that output figures balance
back to the inputs from which they are derived. This is a must in order to check the
reasonableness of financial figures, and to perform a variety of spot checks on
the printed information (e.g. review all printed checks to verify that checks
beyond an upper limit have not been printed, that there is only one check per
recipient, that dates are of the valid format, etc.).

• Report quality checks: Report quality checks ensure that all printed output is of
the highest quality.

• Output log: The output log is used to record manually all the outputs produced,
printed and distributed. This may serve as evidence for historical purposes,
especially when disputes have to be settled and for auditing purposes.
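The processing controls (rounding off, cross-footing, sequence and functional checks) and the output balancing check described in the two sections above, as an added Python example that is not part of the original notes. The per-account payment limit, the check numbering and the sample payroll batch are constructed for this example.

```python
from collections import Counter
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Tuple

CENT = Decimal("0.01")
PER_ACCOUNT_LIMIT = Decimal("5000.00")   # assumed pre-set payment limit per account


def round_to_cent(value: Decimal) -> Decimal:
    """One documented rounding rule (half-up to the cent) applied everywhere."""
    return value.quantize(CENT, rounding=ROUND_HALF_UP)


def rounding_residue(raw_amounts: List[Decimal]) -> Decimal:
    """Rounded total minus total of rounded items: the fraction-of-a-cent residue a
    salami scheme would divert, so it is computed and reported, never dropped."""
    rounded_total = round_to_cent(sum(raw_amounts, Decimal(0)))
    total_of_rounded = sum((round_to_cent(a) for a in raw_amounts), Decimal(0))
    return rounded_total - total_of_rounded


def sequence_check(txn_ids: List[int]) -> List[int]:
    """Sequence check: ids missing from the expected contiguous run."""
    present = set(txn_ids)
    return [i for i in range(min(txn_ids), max(txn_ids) + 1) if i not in present]


def functional_check(lines: List[Dict]) -> Tuple[List[Dict], List[tuple]]:
    """Compute net pay; reject zero/negative nets and nets over the pre-set limit."""
    accepted, rejected = [], []
    for line in lines:
        raw_net = line["gross"] - line["deductions"]
        net = round_to_cent(raw_net)
        if net <= 0:
            rejected.append((line["id"], "zero or negative amount"))
        elif net > PER_ACCOUNT_LIMIT:
            rejected.append((line["id"], f"exceeds limit {PER_ACCOUNT_LIMIT}"))
        else:
            accepted.append({**line, "raw_net": raw_net, "net": net})
    return accepted, rejected


def cross_foot(accepted: List[Dict]) -> Decimal:
    """Cross-footing: the grand total computed two independent ways (sum of the
    stored row nets vs. column totals). Returns column minus row; the only
    acceptable difference is the rounding residue."""
    by_row = sum((a["net"] for a in accepted), Decimal(0))
    by_column = round_to_cent(sum((a["gross"] for a in accepted), Decimal(0))
                              - sum((a["deductions"] for a in accepted), Decimal(0)))
    return by_column - by_row


def print_checks(accepted: List[Dict]) -> List[Dict]:
    """Output stage: one check per accepted line, recorded in the output log."""
    return [{"check_no": 5000 + i, "account": a["account"], "amount": a["net"]}
            for i, a in enumerate(accepted, start=1)]


def output_balancing_check(accepted: List[Dict], output_log: List[Dict]) -> List[str]:
    """Balancing check: printed output must balance back to the processed input,
    and there must be only one check per recipient."""
    issues = []
    printed = sum((e["amount"] for e in output_log), Decimal(0))
    processed = sum((a["net"] for a in accepted), Decimal(0))
    if printed != processed:
        issues.append(f"printed total {printed} != processed total {processed}")
    dup = [acct for acct, n in Counter(e["account"] for e in output_log).items() if n > 1]
    if dup:
        issues.append(f"more than one check for account(s) {dup}")
    return issues


def run_batch(lines: List[Dict]) -> Dict:
    accepted, rejected = functional_check(lines)
    residue = rounding_residue([a["raw_net"] for a in accepted])
    log = print_checks(accepted)
    return {
        "accepted": accepted, "rejected": rejected,
        "missing_ids": sequence_check([l["id"] for l in lines]),
        "rounding_residue": residue,
        # any difference other than the residue means a lost or altered figure
        "cross_foot_ok": cross_foot(accepted) == residue,
        "output_log": log,
        "output_issues": output_balancing_check(accepted, log),
    }


# Constructed payroll batch (not from the notes); some figures carry fractions
# of a cent so that the rounding control has something to report.
SAMPLE_LINES = [
    {"id": 101, "account": "ACC-A", "gross": Decimal("1500.000"), "deductions": Decimal("300.005")},
    {"id": 102, "account": "ACC-B", "gross": Decimal("2000.000"), "deductions": Decimal("2000.000")},
    {"id": 103, "account": "ACC-C", "gross": Decimal("7000.000"), "deductions": Decimal("1000.000")},
    {"id": 105, "account": "ACC-D", "gross": Decimal("800.125"), "deductions": Decimal("100.000")},
    {"id": 106, "account": "ACC-E", "gross": Decimal("3000.000"), "deductions": Decimal("450.500")},
]

if __name__ == "__main__":
    result = run_batch(SAMPLE_LINES)
    print("rejected:", result["rejected"], "missing ids:", result["missing_ids"])
    print("rounding residue:", result["rounding_residue"], "cross-foot ok:", result["cross_foot_ok"])
```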

IT Performance Management Controls

→ Establishing the performance management process (in general terms), which
should include the IT parts, should be done by the board. The actual detailed IT
performance management process controls may be developed by the IT
corporate committee (made up of the Chief Executive Officer, Chief Financial
Officer, Human Resources Director, etc.).

IT Balanced Scorecard
→ The whole idea of the Balanced Scorecard (as discussed in Chapter 11) is that it
gives you a clear picture of how well you're doing. When it comes to IT, however,
the rules for keeping score can get a little murky.

→ IT departments frequently use a set of metrics to gauge their progress, but they
track performance indicators -- like system availability and network uptime -- that
are unfamiliar to people in other areas of the business.

→ So while IT may believe it's performing well, the rest of the organization may be
less convinced of its success. The traditional mind-set of IT personnel has been
reactive, and their focus has been limited to putting out fires and answering
distress calls.

→ That kind of orientation doesn't lend itself to strategic thinking. If a company
intends to develop strategic measures for IT, the function will likely need to be told
what those measures should be.

→ Also IT departments must align their strategic goals (via their own IT Balanced
Scorecard) with strategic goals defined by business managers (in the corporate
Balanced Scorecard) in order to have the best results delivered by IT.

→ The usual key IT Performance Measurement Areas are:

1) Alignment with the Organizational Strategic Objectives
2) Customer Commitments & Customer Satisfaction
3) Cycle & Delivery Time
4) Quality and Cost
5) Financial Management
6) IT Infrastructure Availability
7) Internal IT Operations
8) IT Skill Availability

→ All these goals, objectives and performance measures are best managed by the
BSC framework.
→ An example of such a Balanced Scorecard for the IT function is included in figure
FI10.01 (more examples are contained in the appendix):

Strategic Goals                     Measures
1: Strategic Alignment              % of Active Projects Approved by Senior Management
2: Customer Satisfaction            % Compliance with Customer Service Level Agreements
3: IT Business Performance          % Computer & Network Availability
4: IT Staff Innovation & Learning   % of IT Staff Training Plans Executed
Figure FI10.01: IT Balanced Scorecard Example

❖ Other typical IT organizational and strategic performance measures, maintained
by a Performance Management System on the Balanced Scorecard model, could
be:

1. For the IT system development function: Worth to users of the functions developed,
No. of lines coded / tested / changed, Number of applications supporting
critical business functions, and Hours spent on maintenance (per person, per
program).

2. For the IT operations function: Timely delivery of reports to users, Average
response time, Average availability time, Volume of data stored, Mean time
between failures, No. of lines printed, Volume of data maintained, Number of
shared applications, Number of shared databases, and No. of on-line
transactions processed.

3. For the IT financial performance function: Adherence to budget,
Expenditures on maintenance vs. new development, Expenditures on
preventive maintenance, Return on IT investments, and Ratio of
administrative (staff) costs to production (line) costs.

4. For the IT human resource management function: Turnover ratios, Training
per employee (amounts, hours), and Average tenure within the company.

IT Management Reporting Controls
→ In addition to the corporate procedures, the IT Department must report IT-related
performance issues to upper levels of management. In particular, these reports
should contain:

• Changes, problems, and backlog of requests,

• Help Desk related issues,

• Development issues of new applications,

• Project actual costs (against budgets), and

• Post-implementation review issues.

ITIL FRAMEWORK

ITIL (Information Technology Infrastructure Library)

→ is a well-known set of IT best practices designed to assist businesses in aligning their
IT services with customer and business needs. Services include IT-related assets,
accessibility, and resources that deliver value and benefits to customers.

→ In the early days of enterprise IT, the information technology department was
viewed as a cost center within the business. Communication and collaboration
between the IT department and the business was poor, and many organizations
lacked any formalized processes for requesting services or reporting IT incidents. As
a result, there was a common perception within many organizations that IT did not
add much value and did not effectively serve the needs and goals of the business.

→ As enterprise IT organizations matured, they recognized a growing need to
demonstrate their value by catering to the specific needs of the business. IT
professionals began practicing IT in a new paradigm known as IT Service
Management (ITSM). In the ITSM paradigm, the IT organization is viewed as its own
entity and the business unit is the customer. To satisfy its customers, the IT
organization provides services that are supported by IT assets and capabilities.
These services must align with the strategic requirements of the business and they
must be delivered by the IT organization in accordance with agreed service levels.

→ As a growing number of businesses developed IT capabilities while adopting the
ITSM paradigm, there was a growing need to establish standardized processes for
the management of IT services.

→ Several standards have been released, including COBIT, ISO 20000, and others, but
the ITIL framework has become the most widely accepted and practiced standard
for managing the lifecycle and delivery of IT services. ITIL is a framework of best
practices for managing the IT service lifecycle. ITIL's publications and guidance
have transformed enterprise IT with their emphasis on aligning IT services with the
strategic demands of the business.

→ The key difference between ITSM and ITIL is that ITSM is a paradigm and ITIL is a
framework of best practices.

→ A paradigm is a worldview that underlies a particular methodology or way of doing
things. The ITSM paradigm is a specific way of understanding the relationship
between an IT organization and the business that it supports. The early days of IT
management were characterized by a focus on the management of technologies
themselves, which included a lot of reactive break-fix activities and ad-hoc
operations. As the ITSM paradigm emerged, IT organizations began to focus on the
management of services and the delivery of those services to the business.

The ITSM paradigm can be summarized simply:

→ The IT department is its own organization and its customers are the business.
→ The role of the IT organization is to provide services to the business.
→ The services provided by IT should align with the strategic goals and needs of the
business.
→ Services must be managed throughout their entire lifecycle.

❖ ITIL goes beyond simply defining the relationship between the IT organization and
the business. ITIL is a framework for effectively managing IT services throughout the
entire service lifecycle. The ITIL framework offers guidance and best practices for
managing the five stages of the IT service lifecycle: service strategy, service design,
service transition, service operation and continual service improvement.
❖ Organizations who practice ITSM may think of IT as a service-provider to the
business, but they may follow a separate framework like COBIT or ISO/IEC 20000 for
managing IT services. Still, ITIL is the most commonly applied framework of best
practices for organizations operating within the ITSM paradigm.

ITIL V1: The Origin

→ The ITIL framework was first developed by the Central Computing and
Telecommunications Agency (CCTA), a government agency in Great Britain.

→ It was 1986 and the British government saw that its information technology was
getting increasingly costly - there was a need to develop a methodology for IT
service management that would enable cost savings and more efficient use of
resources.

→ By 1988, the CCTA had published a set of guidelines known as the Government
Infrastructure Management Method (GITMM), however the word "government" in
the name of the standard was seen to have a negative influence on private-sector
adoption.

→ In 1989, the GITMM was re-named the Information Technology Infrastructure Library
(ITIL).

→ The first version of ITIL was highly unrefined compared to later versions. Released in
40 separate volumes, it included guidance on service level management, help
desk management, change management, contingency planning, problem
management, configuration management and cost management.

→ There was also plenty of highly technical subject matter, including best practices
for cabling, configuring backup power supplies and designing office acoustics.

→ Despite the poor organization of ITIL v1, the standard and ITIL processes continued
to grow in popularity as additional publications were released throughout the
1990's.

ITIL V2: The First Major Evolution

→ The late 1990s and early 2000s were a challenging period for ITIL,
characterized by changes and growing competition. The International
Organization for Standardization (ISO) had released its own ITSM standard in 1995,
known as ISO/IEC 20000, and other ITSM standards were beginning to emerge as
well.

→ In the year 2000 alone, the CCTA merged into Great Britain's Office for Government
Commerce (OGC), BSI released the BS 15000:2000 specification for ITSM, and
Microsoft, using ITIL as inspiration, created its own ITSM framework known as
Microsoft Operations Framework (MOF).

→ To remain relevant in the face of growing competition, the ITIL framework and
processes needed to be improved, re-invented, and reorganized into a more
structured framework that would become known as ITIL V2.

→ This revision of ITIL allowed OGC to describe new IT concepts like release and
deployment management and clearly define processes like ITIL incident
management and the financial management of IT assets. Publishing ITIL V2 would
also allow for the elimination of duplicate entries that characterized ITIL V1.

❖ The first volume of ITIL v2 was released in 2001. By 2002, seven volumes of ITIL V2
were made available:
1. Service Support
2. Service Delivery
3. ICT Infrastructure Management
4. Security Management
5. Application Management
6. Software Asset Management
7. Planning to Implement Service Management

→ 2005 saw the release of the ITIL V2 glossary that would clarify certain terms in the
framework that were poorly defined. In 2006, the OGC released a supplement to
ITIL V2 called ITIL small-scale implementation that provided additional guidance for
small businesses who hoped to benefit from the ITIL framework. ITIL V2 was a more
complete and organized version of ITIL V1 that served as a necessary intermediate
standard between V1 and the even more robust and comprehensive ITIL V3.

ITIL V3: Introducing the IT Service lifecycle
→ By 2007, the OGC had further refined their approach to ITSM and were prepared
to release an even more comprehensive and well-organized update to ITIL V2. ITIL
V3 was released in 2007 as a set of five publications, each corresponding to an
individual stage of the IT service lifecycle. The five books were titled:
1. ITIL Service Strategy
2. ITIL Service Design
3. ITIL Service Transition
4. ITIL Service Operation
5. ITIL Continual Service Improvement

→ Together, the five books of ITIL V3 (which would become known as ITIL 2007 after
the ITIL 2011 revision) described a comprehensive set of processes and functions
that support the various aspects of IT service delivery.

→ ITIL V3 covers all essential steps of IT service management, from strategically
prioritizing the delivery of IT services that satisfy business needs to managing the
continual service improvement process. Below, we review and examine the
contents of ITIL V3's five core publications, describing the goals of each stage of
the service lifecycle and the processes that support these ITIL objectives.

ITIL 4: Embracing the Service Value System


→ The recent release of ITIL 4 is changing the way IT organizations do ITSM. ITIL 4 was
launched in February 2019 and represents the most significant update to the
framework since the 2007 release of ITIL V3. ITIL 4 promotes a holistic approach to
service management with its new four dimensions model that identifies the four
factors critical to successful value delivery with ITIL:
1. Organizations and people
2. Information and technology
3. Partners and suppliers
4. Value streams and processes

→ While previous versions of ITIL placed a strong emphasis on the management of IT
services throughout the service lifecycle, the ITIL 4 framework is built around a new
model called the Service Value System (SVS).

Why is an update necessary?


→ Updates can prevent security issues and improve compatibility and program
features. Software updates are necessary to keep computers, mobile devices and
tablets running smoothly, and they may lower security vulnerabilities. Data
breaches, hacks, cyberattacks and identity theft have all been in the news.

Purpose of ITIL
→ The goal is to improve efficiency and achieve predictable service delivery. The ITIL
framework enables IT administrators to be business service partners, rather than just
back-end support.

→ ITIL guidelines and best practices align IT department actions and expenses to
business needs and change them as the business grows or shifts direction.

→ ITIL helps you create accurate, repeatable processes to keep quality consistent.
Rely on the Industry Standard. ITIL is a globally recognized framework proven to
help businesses build a robust IT management system, ensure a high quality of
customer service, and constantly improve their IT-enabled services.

CORE PILLARS OF ITIL


→ There are several key points in ITIL that make it different from other frameworks, but
there are at least three core pillars that have remained steady throughout the various
updates and versions. These pillars include:

1. ITIL CHANGE MANAGEMENT:


➢ The formal definition of ITIL change management is:
✓ “The process responsible for controlling the lifecycle of all changes,
enabling beneficial changes to be made with minimum disruption to IT
services.”
➢ Change management is ultimately a balancing act between the need for
speed and the management of the inherent risks associated with a change.
After all, no organization wants its latest change to cause its customers
and/or employees issues, nor the IT service desk to be drowned under a
deluge of change-related incidents. This unwanted disruption, and
potentially cost, is a foundation stone in the need for a change
management process.

2. ITIL INCIDENT MANAGEMENT


➢ An incident is defined as an unplanned interruption to a service or reduction
in the quality of a service. Incidents are usually identified by end users and
reported via telephone, email, or an IT self-service portal.

➢ An incident is an issue affecting one or more employees, customers, third
parties, business processes or services, or another entity that can be
adversely affected by your organization’s technology—or technology-
based services—not working as they should. For example, a faulty laptop
and an inaccessible business application are both classified as
incidents. Both of these example issues (or incidents) are likely to be
reported to the IT service desk—either by an affected person or a
monitoring or event management tool—for resolution.

➢ Incident management (not to be confused with problem management) is
defined by Axelos as:
✓ “The practice of minimizing the negative impact of incidents by restoring
normal service operation as quickly as possible.”

➢ In short, this core pillar of ITIL aims to reduce downtime caused by incidents
by getting the user back up and running in as little time as possible. An
example of incident management in action is an employee call to the IT
service desk in respect of an app on their mobile phone not working, with
the resolution being either an update to the app, the phone’s operating
system or both. This can either be done by the service desk analyst remotely
or the employee by following provided instructions.

3. ITIL PROBLEM MANAGEMENT


➢ Problem and incident management differ, but are both key components in
ITIL. Problems are defined by Axelos as “A cause, or potential cause, of one
or more incidents.”
➢ Problems come from incidents, but despite how some people might
describe problems, incidents don’t change state into problems. Instead, a
problem is a new ITSM entity—and a separate record in an ITSM software—
created from recurring incidents.

➢ A problem might be an incident that repeats over time—for example, the
same laptop continually experiences hard disk failures (despite repeated
replacement). Or, it’s an incident that’s affecting multiple laptops, and the
likely cause, or root cause, is going to be a manufacturing issue.

➢ Problems are typically identified through the analysis of incident records
and other ITSM data.

❖ ITIL best practices indicate the proper way to handle problem management:
➢ “The practice of reducing the likelihood and impact of incidents by
identifying actual and potential causes of incidents, and managing
workarounds and known errors.”

➢ Problems are usually dealt with over a longer timeframe than
incidents. Here, ITSM tool data and potentially other sources of information
are gathered and analyzed to understand what has caused the recurring
issue(s) and what needs to be done to rectify the situation.
This resolution might take the form of a request for change (RFC); or, if a
definitive solution is not yet known or isn’t feasible, then a known error and
workaround are created to temporarily flag and fix the recurring
issue respectively.

There are seven principles defined in ITIL4, which are listed below:
1. Focus on value
➢ The value of the services is always determined from the perspective of customers.
Every service or product should create value for customers and their stakeholders.
More than the creation of value, it has to be realized and acknowledged by
the stakeholders upon value realization.

➢ Every service produces an output which can be measured and checked
through its utility & warranty. While focusing on value, one should know who is
being served. Therefore, in this scenario the service provider must determine
the service consumer and the key stakeholders i.e. customers, users, or sponsors
etc. By doing this, the service provider will obtain clarity on who will receive
value from that which is being delivered, modified or improved.

2. Start where you are


➢ Organizations on the verge of building new systems tend to scrap the existing
system or try to establish an idealistic scenario to create or improve the new
system. With this tendency, organizations lose out on the opportunity of
leveraging the existing environment, practices and technologies, which are useful
while establishing the new or improving the existing ones.

➢ It is extremely unproductive to take such approaches, which would result in
wasted effort and time, and the loss of existing systems, services, practices, people,
processes, tools & technology platforms. These could have provided value which
is significant in optimizing and improving the value. It is always recommended
to first leverage the existing service before considering anything further.

➢ Firstly, the existing system has to be assessed, measured and observed to get a
proper and correct understanding of the existing state. The possibility of re-using
them as applicable & feasible should then be determined. This will provide the
required insights into the existing system and guide in making the appropriate
decisions. It is important to understand that all decisions made to bring about
changes in the existing system must be made with clarity, based on the existing
reality.

➢ It is also important to assess the current state by eliminating biased data and
incorrect assumptions which would lead towards wrong conclusions and
decisions. The individual who does the assessment and recommendations
needs to have specific knowledge about the existing reality, and the state of
the proposed new services and objective of the initiative. There should not be
any bias while doing the assessment.

➢ The measurement metrics used (considered) for assessment should be
appropriate, which can provide the insight, supporting the analysis for right
decisions. The metrics established have to be meaningful and should help
interpreting the required outcome.

3. Progress iteratively with feedback


➢ Every service which is established, is done so by taking a step-by-step
approach. It is sensible and practical to accomplish it iteratively rather than
doing everything in one go. This will help in organizing the work into smaller and
manageable pieces, which can be executed in order and with appropriate
control.

➢ The iterations, which are sequential, are to be sequenced based on the need.
It may be for establishing new services or improving / modifying the existing
ones. The individual iterations should consider both the requirements and the
resources available and have to be manageable. This will ensure that the results
produced are tangible and are returned in a timely manner.

➢ As the iteration progresses there should be continuous feedback, for evaluating
and validating the progress of the changes being done. Initiatives to
introduce a new service or improve an existing service etc., if done in an
organized way by having multiple smaller iterations & efforts, can ensure
success for the overall initiative. This will provide the opportunity for continuously
evaluating (re-evaluating) & validating (re-validating) the progression, which
helps in aligning to the value intended to be accomplished.

4. Collaborate and promote visibility


➢ While an organization takes up an initiative, the involvement of the right set of
people is essential for making the right decisions. This involves assimilating right
information, which is more relevant and appropriate to take forward the
initiative, with increased probability of success in the long run.

➢ Today’s organizations are emphasizing more and more on enabling a
collaborative culture to bring in innovative solutions. Ideas involving different
perspectives (of experts), views, and important insights help towards
establishing better working conditions, better policies and practices etc.

➢ Working together in collaboration is emphasized over working in a silo culture,
which means bringing excellence through the involvement of many, rather than
depending on just individual excellence.

➢ The silo culture can be a result of the existing organizational structure/belief that
does not promote a collaborative culture, refuses encouragement and
empowerment, and does not change established processes & practices,
communication methods used etc.

➢ Working together in collaboration is the way forward to establish and achieve
the required trust and bring improvements in making the results and action
visible. This would further ensure the enhanced information flow with increased
awareness of the system.

5. Think and work holistically


➢ While establishing and managing an IT service, one needs to know the overall
picture of the service and service management system; a bird’s eye view. A
clear understanding is needed of how all the components of the service
organization are organized and function together. To understand this, it is
required to have a visibility of entire systems, right from beginning till end. One
has to visualize this to understand the functioning of the system and the impact
of the variations in the performance of various components used in the services.

➢ All the services, processes, practices, functions, partner or supplier organizations
cannot stand alone and they have to work together in an integrated way. All
the activities of the systems must be connected and visualized holistically, to
work together. They are part of a single holistic system.

➢ No service, practice, process, department, or supplier stands alone. The outputs
that the organization delivers to itself, its customers, and other stakeholders will
suffer unless it works in an integrated way to handle its activities as a whole,
rather than as separate parts. All the organization’s activities should be focused
on the delivery of value.

6. Keep it simple and practical
➢ The principle, keep it simple and practical, emphasizes on establishing the
minimum required steps in an approach or process to achieve the objectives.
It is important to produce the solutions which are workable, practical, and
understandable while delivering the solutions, which further, should be able to
deliver value to the customer in terms of outcomes the customer wanted to
achieve.

➢ This is applicable to every process, practice, approach, solution etc., defined
for a service. Defining the minimum or optimum steps essential to deliver the
outcome is needed to make it simple and relevant.

➢ While defining a service, attempting to consider the solution with every
exception would result in over-complication. It is not wrong to assess and
analyze the exceptions related to the services. However, considering all of
them, even those which are not very important to address, makes the service
solution too complex. One has to make the decision on only what is important
and needed for the service.

7. Optimize and automate


➢ Optimization refers to making something more effective and improving its
usefulness as needed. Optimization should be done for entire services,
systems, processes, products etc. The objective of optimizing is to
maximize value through better utilization of resources, i.e. human resources or
technology resources.

➢ The continual effort put by the service organization to optimize should result in
improving the performance of services and delivering service value. The
guidance for optimization is obtained through the guidance of ITIL®4 & can
also refer to the guidance provided in best practices followed in industry like
Lean, Kanban and DevOps etc. ITIL®4 complements these frameworks.

➢ The effort put into optimization should have the intended objective of supporting
the overall objective of the service management & organization. It should be
optimized to a level where it makes sense to do so. Optimizing beyond certain
points would not add any further value. The consideration of compliance needs
such as time, resources, finance etc. should be kept in mind while optimizing.

Introducing the IT Service lifecycle


→ We review and examine the contents of ITIL V3's five core publications, describing
the goals of each stage of the service lifecycle and the processes that support
these ITIL objectives.

→ The service strategy stage enables organizations to set strategy and business
goals to meet customer demands and needs.

→ The purpose of Service Strategy is to provide a strategy for the service lifecycle.
The strategy should be in sync with business objectives.

→ The 5 stages of the service lifecycle work together to enable more seamless
delivery and communication between business services and IT. This approach can
be used enterprise-wide. As mentioned above, each major category has
subcategories.

Within the category of Service Strategy, there are four subcategories (the four processes listed under item 1 below):
1. Service Strategy
➢ Service strategy is the first book in ITIL V3 and corresponds to the first stage in
the IT service lifecycle. The purpose of service strategy is to align the actions of
the IT organization with the needs of the business. To do this, the IT organization
must decide on a strategy for effectively serving its customers. As part of Service
Strategy, the IT organization works with the business to determine what services
the IT organization should offer and what capabilities must be developed.

• An IT organization is the department within a company that is charged with
establishing, monitoring and maintaining information technology systems and
services. In a large organization, the IT organization may also be charged with
strategic planning to ensure that all IT initiatives support business goals.

• Service - from its root word serve, it means the action of helping or doing work for
someone. It is also an assistance or advice given to customers during and after
the sale of goods.

❖ There are four processes described in the Service Strategy volume of ITIL V3:
A. Service Portfolio Management - The Service Portfolio is the entire set of services
under management by a service provider. It consists of three major parts:
Service Pipeline, Service Catalog, and Retired Services. Service Portfolio
Management organizes the process by which services are identified,
described, evaluated, selected and chartered.
✓ It is also the scope of services the service provider manages. Managing this
portfolio requires each service to be identified and evaluated to establish
its role in the IT process. Service portfolio management includes the Service
Pipeline, Service Catalog, and Retired Services.

B. Financial Management for IT Services - a process that helps the IT organization
manage its budgeting, charging and accounting requirements. The Financial
Management process provides a means of understanding and managing
costs and opportunities associated with services.
✓ It includes three basic activities:
• Accounting: Tracking how money is spent by a service provider.
• Budgeting: Planning how the money will be spent by a service provider.
• Charging: Securing payment from customers for services provided.

C. Demand Management - a process for assessing customer demand for
services. A demand manager follows industry trends and communicates with
customers to anticipate what services the business might want in the future. IT
professionals use user profiles and Patterns of Business Activity (PBA) to analyze
and influence customer demand for better customer satisfaction.
✓ The Demand Management process is concerned with understanding and
influencing customer demand. It involves User Profiles, which characterize
different typical groups of users for a given service, and Patterns of Business
Activity, which represent the way users in different user profiles access a
service over the course of a given time period.

D. Strategy Operations - During the strategic operations phase, it’s essential to
ensure routine IT operations are running smoothly and efficiently. This phase
provides an opportunity to reexamine the current strategic approach.
✓ Strategy Operations ensure that services such as fulfilling user requests,
resolving service failures, fixing problems, and carrying out routine
operational tasks are performed efficiently and effectively.

2. Service Design
➢ The service design phase of the ITIL framework focuses on seven processes and
the Four Ps of Service Design. Its primary goal is to prevent costly service
disruptions that arise in response to inefficient workflow. Each of the Ps
represents an area of focus crucial to consider when designing the IT service
infrastructure.

• Inefficient workflow: repetitive or unnecessary tasks, a major source of
inefficiency within teams and a big waste of one of the most important
resources, time.
✓ Example of inefficient workflow:
- Wasted inventory due to overproduction
- Duplication of efforts and errors

The “Four Ps of Service Design” – represent areas that should be taken into
consideration when designing a service. They are:
1. People: Human resources and customer service representatives are integral to
ITSM. It’s vital to ensure that the members of an organization are adequately
supported and aligned with business objectives.
2. Processes: Measurability is a key component of process management.
Implementing key performance indicators (KPIs) helps keep the IT team aligned
with the rest of the organization’s long- and short-term goals.
➢ Key Performance Indicators:
a) Sales
b) Profit Margin
c) Revenue Growth
d) Revenue Per Client
e) Customer Satisfaction

3. Products: Before designing a new or managed product, consider how it meets or
exceeds customers' current needs. IT professionals should consider this question
during the service design phase: "How does this product enhance our ability to
deliver value to users?”
4. Partners: Partners can describe the vendors, manufacturers, or other third parties
involved in the IT service lifecycle. During the service design phase, IT professionals
must ensure the organization's processes encompass partner management and
support.

There are 7 processes described in the Service Design volume of ITIL V3:
1. Service Catalogue Management - The Service Catalog is a subset that contains
services available to customers and users.

➢ It is often the only portion of the Service portfolio visible to customers. It
commonly acts as the entry portal for all information services in the live
environment.
➢ A service catalog is the subset of IT services directly available to customers.
Typically, these are the offerings within the larger service portfolio visible to
users.

2. Service Level Management - is charged with securing and managing
agreements between customers and the service provider regarding the level of
performance (utility) and level of reliability (warranty) associated with specific
services.
➢ Service Level Management results in the creation of Service Level Agreements
(SLAs) between customers and the provider. Operational Level Agreements
(OLAs) are performance agreements nearly identical in nature to SLAs.
➢ It is also a process for negotiating service level agreements with customers,
ensuring that services are adequately designed to deliver services according
to the agreements, and ensuring that operational agreements and contracts
are effectively negotiated and managed.

3. Capacity Management - Capacity Management is concerned with ensuring that
at all times, the cost-effective capacity exists that meets or exceeds the needs of
the business as established in Service Level Agreements.
➢ In ITIL, “capacity” is defined as “the maximum throughput a service, system or
device can handle.” It is a process for ensuring that the IT organization has
allocated sufficient resources towards providing IT services in accordance with
service level agreements.

4. Availability Management - similar to capacity management, this process contains
activities and sub-processes that help define, measure and improve the
availability of IT services.
➢ Availability management includes testing, monitoring and reporting activities
that verify the availability of services and alert IT operators when a service
experiences unplanned downtime.
➢ The Availability Management process is concerned with the management
and achievement of agreed-upon availability requirements as established in
Service Level Agreements. In ITIL, “availability” is defined as “the ability of a
system, service, or configuration item to perform its function when required.”

5. Service Continuity Management - The Service Continuity Management process
(ITSCM) ensures that the service provider can always provide the minimum
agreed-upon levels of service.
➢ IT Service Continuity Management uses techniques such as Business Impact
Analysis (BIA) and Management of Risk (MOR).
➢ It results in the production of the IT Service Continuity Plan, which is an aspect
of the overall Business Continuity Plan. It is a process for minimizing service
downtime and minimizing the impact of disaster events on IT service
availability.

6. IT Security Management - a process for maintaining the security of data owned
by the business, including sensitive customer data, payment data and proprietary
business information.
➢ IT Security Management focuses on protecting five basic qualities of
information assets:
• Confidentiality: Assurance that the asset is available only to appropriate
parties.
• Integrity: Assurance that the asset has not been modified by unauthorized
parties.
• Availability: Assurance that the asset may be utilized when required.
• Authenticity: Assurance that the transactions and the identities of parties
to transactions are genuine.
• Nonrepudiation: Assurance that transactions, once completed, may not
be reversed without approval.

7. Supplier Management - Supplier Management is charged with obtaining value
for money from third-party suppliers.
➢ It plays a very similar role to that of Service Level Management, but with
respect to external suppliers rather than internal suppliers and internal/external
customers. Supplier Management handles supplier evaluation, contract
negotiations, performance reviews, renewals, and terminations.
➢ Supplier management ensures that the organization receives the agreed-
upon service levels from its partners. It’s similar to service level management,
but unlike service management, it deals with internal negotiations.
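The reporting side of availability management (item 4 above), measured against the SLA target that service level management (item 2) negotiates, as an added example that is not from the reviewer or from any ITIL publication; the monitoring record shape, the 99.9% target and the rule that planned maintenance is excluded from agreed service time are assumptions for this example.

```python
"""Added example, not from the reviewer or from any ITIL publication: the
reporting side of availability management, measuring a service's availability
over a period against its SLA target. Downtime records come from monitoring
(constructed here); the 99.9% target and the planned-maintenance rule are
assumptions, not values from the notes."""

from datetime import datetime


def _overlap_seconds(start, end, period_start, period_end):
    """Seconds of [start, end) that fall inside the reporting period."""
    latest_start = max(start, period_start)
    earliest_end = min(end, period_end)
    return max((earliest_end - latest_start).total_seconds(), 0.0)


def availability_report(period_start, period_end, outages, sla_target_pct):
    """Availability % = (agreed service time - unplanned downtime) / agreed service time.

    Agreed service time is the reporting period minus planned maintenance
    windows (assumed to be excluded by the SLA); only unplanned outages count
    as downtime, and only the part of each outage inside the period counts.
    Timestamps are ISO 8601 strings, as a monitoring tool might export them."""
    p_start = datetime.fromisoformat(period_start)
    p_end = datetime.fromisoformat(period_end)
    planned = unplanned = 0.0
    for outage in outages:
        seconds = _overlap_seconds(
            datetime.fromisoformat(outage["start"]),
            datetime.fromisoformat(outage["end"]),
            p_start, p_end)
        if outage["planned"]:
            planned += seconds
        else:
            unplanned += seconds
    agreed = (p_end - p_start).total_seconds() - planned
    availability = 100.0 * (agreed - unplanned) / agreed
    return {
        "agreed_service_hours": round(agreed / 3600, 2),
        "unplanned_downtime_minutes": round(unplanned / 60, 1),
        "allowed_downtime_minutes": round(agreed * (1 - sla_target_pct / 100) / 60, 1),
        "availability_pct": round(availability, 3),
        "sla_met": availability >= sla_target_pct,
    }


# Constructed monitoring records for one month: one planned maintenance window,
# two unplanned outages (the second straddles the period end) and one outage
# that happened before the period and must not count.
SAMPLE_OUTAGES = [
    {"start": "2024-02-28T10:00", "end": "2024-02-28T11:00", "planned": False},
    {"start": "2024-03-10T02:00", "end": "2024-03-10T04:00", "planned": True},
    {"start": "2024-03-15T09:00", "end": "2024-03-15T09:30", "planned": False},
    {"start": "2024-03-31T23:30", "end": "2024-04-01T00:30", "planned": False},
]

if __name__ == "__main__":
    report = availability_report("2024-03-01", "2024-04-01", SAMPLE_OUTAGES, 99.9)
    for key, value in report.items():
        print(f"{key}: {value}")
```

For the sample month the service reaches 99.865% against a 99.9% target, so the report flags an SLA breach even though only 60 minutes of unplanned downtime were recorded.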

ITIL Service Transition


A. Objective: The objective of ITIL Service Transition is to build and deploy IT services.
The Service Transition lifecycle stage also makes sure that changes to services and
service management processes are carried out in a coordinated way.
B. Processes: ITIL Service Transition. Service Transition builds and deploys new or
modified services.

The ITIL service lifecycle stage of Service Transition includes the following main
processes:
A. Change Management
➢ Process Objective: To control the lifecycle of all Changes. The primary
objective of Change Management is to enable beneficial Changes to be
made, with minimum disruption to IT services.

B. Change Evaluation
➢ Process Objective: To assess major Changes, like the introduction of a new
service or a substantial change to an existing service, before those Changes
are allowed to proceed to the next phase in their lifecycle.
C. Project Management (Transition Planning and Support)
➢ Process Objective: To plan and coordinate the resources to deploy a major
Release within the predicted cost, time and quality estimates.

D. Application Development
➢ Process Objective: To make available applications and systems which provide
the required functionality for IT services. This process includes the development
and maintenance of custom applications as well as the customization of
products from software vendors.

E. Release and Deployment Management
➢ Process Objective: To plan, schedule and control the movement of releases to
test and live environments. The primary goal of Release Management is to
ensure that the integrity of the live environment is protected and that the
correct components are released.

F. Service Validation and Testing
➢ Process Objective: To ensure that deployed Releases and the resulting services
meet customer expectations, and to verify that IT operations is able to support
the new service.

G. Service Asset and Configuration Management
➢ Process Objective: To maintain information about Configuration Items required
to deliver an IT service, including their relationships.

H. Knowledge Management
➢ Process Objective: To gather, analyze, store and share knowledge and
information within an organization. The primary purpose of Knowledge
Management is to improve efficiency by reducing the need to rediscover
knowledge.

ITIL Service Operation


→ Objective: The objective of ITIL Service Operation is to make sure that IT services are
delivered effectively and efficiently. The Service Operation lifecycle stage includes
the fulfilling of user requests, resolving service failures, fixing problems, as well as
carrying out routine operational tasks.

→ Processes: ITIL Service Operation. Service Operation carries out operational tasks.

The ITIL service lifecycle stage of Service Operation includes the following main
processes:
A. Event Management
➢ Process Objective: To make sure CIs and services are constantly monitored,
and to filter and categorize Events in order to decide on appropriate actions.

B. Incident Management
➢ Process Objective: To manage the lifecycle of all Incidents. The primary
objective of Incident Management is to return the IT service to users as quickly
as possible.

C. Request Fulfilment
➢ Process Objective: To fulfill Service Requests, which in most cases are minor
(standard) Changes (e.g. requests to change a password) or requests for
information.

D. Access Management
➢ Process Objective: To grant authorized users the right to use a service, while
preventing access to non-authorized users. The Access Management
processes essentially execute policies defined in Information Security
Management. Access Management is sometimes also referred to as Rights
Management or Identity Management.

E. Problem Management
➢ Process Objective: To manage the lifecycle of all Problems. The primary
objectives of Problem Management are to prevent Incidents from happening,
and to minimize the impact of incidents that cannot be prevented. Proactive
Problem Management analyzes Incident Records, and uses data collected by
other IT Service Management processes to identify trends or significant
Problems.

IT Operations Management
→ The objective is to monitor and control the IT services and their underlying
infrastructure, executing day-to-day routine tasks related to the operation of
infrastructure components and applications. This includes job scheduling, backing
up and restoring, print and output management, and routine maintenance.

Console management/Operation Bridge
→ This refers to the process of managing and controlling the various tasks and activities
that are performed on computer systems. This involves monitoring and managing
the system's performance, configuring and managing various system
components, and troubleshooting any issues that arise.

Job scheduling
→ This involves configuring and managing the system's job scheduler to ensure that
tasks and processes are executed efficiently and according to schedule. Console
management can help to ensure that the system's job scheduler is properly
configured, that jobs are scheduled correctly, and that any issues or errors are
identified and resolved quickly.

Backup and Restore
→ This involves configuring and managing backup and restore utilities to ensure that
data is backed up regularly and that backups are functioning properly. Console
management can help to ensure that the system's backup and restore utilities are
properly configured, that backups are performed regularly, and that data can be
restored quickly and efficiently in the event of a system failure or data loss.

Print and Output
→ This involves configuring and managing print queues, monitoring print jobs, and
troubleshooting any issues that arise. Console management can help to ensure
that print and output operations are functioning properly and that documents and
other important information can be printed and distributed as needed.

Service Desk
→ This is the point of contact between users and the service provider. A service desk
usually handles communication with the users and also manages incidents and
service requests.

Application Management
→ Application Management is responsible for managing applications throughout
their lifecycle.

PRINCIPLES OF AM
Build or Buy
→ The Build or Buy principle helps organizations determine whether to develop an
application in-house or purchase an existing one from a vendor. This decision is
critical because it can have a significant impact on the cost, timeline, and quality
of the application.
→ For example, building an application in-house may provide more control over its
development, but it can also be more expensive and time-consuming.
→ On the other hand, purchasing an existing application can be faster and more
cost-effective, but it may not meet all of the organization's unique requirements.

Operation Model
→ The Operation Model principle helps organizations determine how to best operate
and maintain applications over their lifecycle.
→ This includes defining processes for monitoring, troubleshooting, and resolving
issues, as well as determining how to best manage upgrades and changes.
→ This principle is critical because it ensures that applications are reliable,
performant, and secure, and that they meet the needs of users and stakeholders.

AM Lifecycle
A. Requirements: This stage involves identifying the needs of the application's users
and stakeholders. It is important to gather comprehensive and accurate
requirements to ensure that the application meets the desired objectives.

B. Design: Once the requirements have been identified, the next stage involves
designing the application's architecture, functionality, and user interface. This
stage ensures that the application is designed to meet the needs of the users and
stakeholders and is aligned with the organization's goals.

C. Build: In this stage, the application is developed according to the design
specifications. This involves writing code, integrating different components, and
testing the application to ensure it meets the desired functionality.

D. Deploy: Once the application has been developed and tested, it is ready for
deployment. This stage involves deploying the application to the production
environment, configuring the necessary infrastructure, and preparing the
application for launch.

E. Operate: Once the application is live, it enters the operational stage. This involves
monitoring the application's performance, addressing any issues or bugs, and
providing support to users.

F. Optimize: In this stage, the focus is on improving the application's performance,
enhancing its functionality, and optimizing its use. This involves ongoing
maintenance, updates, and improvements to the application to ensure that it
continues to meet the changing needs of its users and stakeholders.

Metrics
→ refer to the quantitative measurements of key performance indicators (KPIs) that
are used to evaluate the performance of the application.

A. Agreed Metrics: Agreed metrics refer to the key performance indicators (KPIs)
that are agreed upon between the application management team and
stakeholders to measure the success of the application management process.
These metrics should align with the overall goals and objectives of the
organization and should be measurable, specific, relevant, and time-bound.

B. Process Metrics: Process metrics are used to measure the efficiency and
effectiveness of the application management process. These metrics provide
insights into how well the process is functioning and can help identify areas for
improvement. Examples of process metrics include the time to complete tasks,
the number of errors or defects, and the frequency of process improvements.

C. Application Performance Metrics: Application performance metrics are used to
measure the performance and availability of the application. These metrics can
provide insights into how the application is functioning and can help identify
areas for improvement. Examples of application performance metrics include
response time, CPU and memory utilization, network latency and throughput,
error rates and exceptions, and transactions per second (TPS).

D. Project Metrics: Project metrics are used to measure the success of a specific
project within the application management process. These metrics are used to
track progress, identify issues, and ensure that the project is delivered on time and
within budget. Examples of project metrics include scope and requirements
adherence, project schedule and timeline, budget variance and cost
management, resource utilization and allocation, and risk and issue
management.

E. Training & Development Metrics: Training and development metrics are used to
measure the effectiveness of training and development programs for employees
within the application management process. These metrics provide insights into
how well the programs are working and can help identify areas for improvement.
Examples of training and development metrics include employee satisfaction

58 | I S O M
and retention, skills development and competency assessments, training hours
and completion rates, knowledge transfer and sharing, and succession planning
and career development.

Documentation
→ refers to the collection of information about the application that is used to support
its operation and maintenance.

A. Requirements: Requirements documentation is essential in application
management because it provides a clear and concise description of what the
application is supposed to do. This helps ensure that the development team
creates an application that meets the client's expectations and requirements.

B. Use & Change Cases: Use and Change cases are documentation that outlines
how the application should be used and what changes can be made to it. This
helps ensure that the application is being used as intended, and that any
changes made to it are done so in a way that maintains its integrity.

C. Design Documentation: Design documentation is essential in application
management because it provides a clear and detailed description of how the
application is designed, including its architecture, data model, and user
interface. This documentation helps ensure that the development team
understands how the application is structured, and how it should be maintained
and updated over time.

D. Manuals: Manuals are documentation that provides users with instructions on how
to use the application. This documentation helps ensure that users can effectively
use the application and understand its features and functionality.

Technical Management
→ Technical Management provides technical expertise and support for the
management of the IT infrastructure.

Continual Service Improvement (CSI)
→ The objective of this stage is to use methods from quality management to learn
from past successes and failures. It aims to continually improve the effectiveness
and efficiency of IT processes and services in line with the concept of continual
improvement adopted in ISO/IEC 20000.

❖ There is only one process in this area, and it has seven steps:
1. Identifying improvement strategies
✓ Compile a list of what you should measure. This will often be driven by
business requirements.

2. Defining what will be measured
✓ Every organization may find that they have limitations on what can
actually be measured. If you cannot measure something then it should not
appear in an SLA.

3. Gathering data
✓ Gathering data requires having some form of monitoring in place.
Monitoring could be executed using technology such as application,
system and component monitoring tools or even be a manual process for
certain tasks.

4. Processing data
✓ Process the data into the required format. Report-generating technologies
are typically used at this stage, as various amounts of data are condensed
into information for use in the analysis activity.

5. Analyzing data
✓ Data analysis transforms the information into knowledge of the events that
are affecting the organization.

6. Presenting and using the information drawn from the data
✓ Take our knowledge and present it, that is, turn it into wisdom by utilizing
reports, monitors, action plans, reviews, evaluations and opportunities.

7. Using the information to improve
✓ Use the knowledge gained to optimize, improve and correct services.
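The Application Performance Metrics listed under Metrics above (response time, error rate, transactions per second) and the CSI steps gather, process, analyze and present can be worked through in code. The following is an added example, not part of the original reviewer notes or of ITIL itself; the log lines, metric names and SLA targets in it are constructed for illustration.

```python
# Step 2 (define): constructed agreed metrics, each one measurable from the log.
AGREED_METRICS = {"p95_response_ms": 1000, "error_rate": 0.10, "min_tps": 1.5}

# Step 3 (gather): constructed request-log lines, "<epoch> <status> <millis>".
SAMPLE_LOG = """\
1700000000 200 120
1700000000 200 95
1700000001 500 830
1700000001 200 110
1700000002 200 140
1700000002 503 1200
1700000003 200 101
1700000003 200 98
"""


def gather(log_text):
    """Parse the raw log into (timestamp, status, response_ms) records."""
    records = []
    for line in log_text.splitlines():
        if line.strip():
            ts, status, ms = line.split()
            records.append((int(ts), int(status), int(ms)))
    return records


def process(records):
    """Step 4 (process): condense raw records into the measured KPIs."""
    if not records:
        raise ValueError("no records to process")
    times = sorted(ms for _, _, ms in records)
    rank = (95 * len(times) + 99) // 100 - 1  # ceil(0.95 n) - 1: nearest-rank p95
    errors = sum(1 for _, status, _ in records if status >= 500)
    first = min(ts for ts, _, _ in records)
    last = max(ts for ts, _, _ in records)
    return {
        "p95_response_ms": times[rank],
        "error_rate": errors / len(records),
        "tps": len(records) / (last - first + 1),
    }


def analyze(metrics, targets=AGREED_METRICS):
    """Step 5 (analyze): list the agreed metrics whose target was breached."""
    breaches = []
    if metrics["p95_response_ms"] > targets["p95_response_ms"]:
        breaches.append("p95_response_ms")
    if metrics["error_rate"] > targets["error_rate"]:
        breaches.append("error_rate")
    if metrics["tps"] < targets["min_tps"]:
        breaches.append("tps")
    return breaches


def present(metrics, targets=AGREED_METRICS):
    """Step 6 (present): turn the analysis into a short review report."""
    breaches = analyze(metrics, targets)
    lines = [f"{name}: {value:.2f}" for name, value in metrics.items()]
    lines.append("SLA breaches: " + (", ".join(breaches) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":  # step 7 (improve) is the action taken on this report
    print(present(process(gather(SAMPLE_LOG))))
```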

ITIL benefits and use cases
→ Any organization can use ITIL, from small businesses in the US to large-scale
enterprises abroad. It provides a flexible roadmap for organizations to follow when
undertaking a digital transformation. A few more reasons a company may align
their IT processes with the ITIL framework include:

• Standardization. As mentioned above, standardization is one of the primary goals
of the ITIL foundation. ITIL helps create predictable IT environments, making it
easier to manage risks, problem solve, and streamline processes.

• Transparency. Establishing a set of standards helps improve visibility into IT costs
and operations. ITIL helps bridge the gap between departments by enabling IT
admin to be front-end business service partners in addition to back-end support.

• Cost-effectiveness. The ITIL framework is designed to help organizations use their
hardware and software resources as efficiently as possible.

• Strategic alignment. Similar to DevOps methodology, the ITIL framework seeks to
unite business operations and IT departments. Enhanced communication helps
organizations better translate business strategies and goals into technical
requirements.

• Organizational change management. The ITIL foundation includes best practices
for change management. With these guidelines, IT professionals can release
changes without interrupting service.

ITIL CERTIFICATIONS UNDER ITIL 4
→ ITIL 4 Foundation introduces an end-to-end operating model for the creation,
delivery and continual improvement of technology-enabled products and
services.
→ ITIL 4 Foundation is for anyone who needs to understand the key concepts of IT and
digital service delivery, and who is interested in helping their organization embrace
the new service management culture. It is for professionals at the start of their ITIL 4
journey or people looking to update their existing ITIL knowledge.

The course will help you to understand:
→ how modern IT and digital service organizations operate
→ how value streams increase speed and efficiency
→ how cultural or behavioural principles guide work that benefits the wider
organization
→ how to use commonly-used service management terms and concepts

ITIL 4 Foundation training
→ ITIL training courses are run by accredited training organizations, in a variety of
formats. Use our training search to find a training provider.
→ Examination Format
✓ 40 questions
✓ Multiple choice
✓ 26 out of 40 marks required to pass (65%)
✓ 60 minutes
✓ Closed book.

Certification Renewal
→ Starting 2023, all PeopleCert Global Best Practice certifications will need to be
renewed after 3 years.

ITIL 4 STRATEGIC LEADER CERTIFICATIONS
→ ITIL 4 Strategic Leader (ITIL SL) is a stream of two modules that are part of ITIL 4, the
next evolution of ITIL.
→ The two modules are:
a) ITIL 4 Strategist: Direct, Plan and Improve
b) ITIL 4 Leader: Digital and IT Strategy.

→ ITIL SL recognizes the value of ITIL, not just for IT operations, but for all digitally-
enabled services. Becoming an ITIL 4 Strategic Leader demonstrates that you have
a clear understanding of how IT influences and directs business strategy.

→ To obtain the designation ITIL 4 Managing Professional or ITIL 4 Strategic Leader, you
must complete all modules in each stream, with ITIL Strategist Direct, Plan and
Improve being a universal module for both streams.

→ After achieving the ITIL 4 Managing Professional designation, candidates would
only need to complete the ITIL 4 Leader: Digital and IT Strategy module to achieve
the ITIL 4 Strategic Leader designation.

ITIL 4 MANAGING PROFESSIONAL CERTIFICATIONS
→ ITIL 4 Managing Professional (ITIL MP) is a stream of four modules that are part of ITIL
4, the next evolution of ITIL.
→ The four modules are:
a) ITIL 4 Specialist: Create, Deliver and Support
b) ITIL 4 Specialist: Drive Stakeholder Value
c) ITIL 4 Specialist: High-velocity IT
d) ITIL 4 Strategist: Direct, Plan and Improve.

→ ITIL 4 MP has been created for IT practitioners working within technology and digital
teams across businesses.

→ The Managing Professional (MP) stream provides practical and technical
knowledge about how to run successful IT enabled services, teams and workflows.

→ To obtain the designation ITIL 4 Managing Professional or ITIL 4 Strategic Leader, you
must complete all modules in each stream, with ITIL Strategist being a universal
module for both streams.

→ You can transition easily to become an ITIL 4 Managing Professional. Take the ITIL 4
Managing Professional Transition Module.

ITIL 4 MASTER CERTIFICATION
→ The ITIL Master Qualification Certificate is the top-level certification of the ITIL
scheme. This certification will validate a professional’s capability to apply ITIL’s
principles, methods, and techniques in the real business world.
→ The ITIL Master Qualification prerequisites are:
a) Certification at ITIL Expert Level
b) Work experience of at least five years in a leading, managerial, or higher
management advisory role in IT service management.
c) Candidates will also need to demonstrate broad practical involvement in ITIL
practices.

Steps To ITIL 4 Master Certification
→ To attain the ITIL 4 Master Certification, you must take the following courses and
exams:
1. ITIL 4 Foundation with Certification Exam then,
2. ITIL 4 Specialist: Create, Deliver and Support (CDS) with Certification Exam and
3. ITIL 4 Specialist: Drive Stakeholder Value (DSV) with Certification Exam and
4. ITIL 4 Specialist: High Velocity IT (HVIT) with Certification Exam and
5. ITIL 4 Strategist: Direct, Plan and Improve (DPI) with Certification Exam and
then,
6. ITIL 4 Leader: Digital and IT Strategy with Certification Exam
