IT Compliance Institute, May 30, 2007:

Trends and Technologies

Under the Hood: The New ITIL V3

Are you ready for version 3 of the IT Infrastructure Library (ITIL)? After 10 years, the leading best practices IT service management framework has been updated with an official launch scheduled for May 30, 2007. Learn what’s behind the changes, and what they mean for organizations looking to improve IT service management as well as their IT compliance effectiveness.

By Mathew Schwartz

Are you ready for version 3 of the IT Infrastructure Library (ITIL V3)? A “refresh,” or update of the 20-year old leading IT service management framework officially launches May 30, 2007, replacing version 2.

Why now? It’s been a decade since ITIL was last updated, and in IT time, that’s an eternity. Just consider what’s appeared in the past 10 years: outsourcing, multi-sourcing, the profusion of business partners and interconnected IT systems, technology virtualization, not to mention Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, and numerous other regulations with IT impact. Accordingly, IT service management best practices have evolved to cope with the new reality. Hence the need to refresh ITIL guidance.

Even with the update, however, ITIL remains a framework focused on IT service management best practices. In other words, it helps organizations ensure they achieve the business processes they set out to achieve, “and at the same time, we can streamline those processes to add further value, and maybe remove redundant steps,” says Rob Stroud, the IT service management and IT governance evangelist for CA who’s also part of the ITIL Refresh Team.

Increasing Interest in ITIL

The ITIL update comes at a good time: Experts say interest in best practice frameworks—including ITIL—is at an all-time high, as organizations attempt to efficiently and effectively deliver IT services while also complying with myriad regulations. “Companies in all geographies and industries are now undergoing or starting ITIL initiatives,” notes Forrester Research analyst Evelyn Hubbert. While companies of all sizes have turned to ITIL, notably “around 20 percent of $1 billion-plus companies—12 percent to 15 percent when IT service providers are excluded—have implemented ITIL in some way, and the number is growing rapidly.”

Another reason for ITIL’s popularity: it’s free. Indeed, the UK government’s Office of Government Commerce, which owns ITIL, offers it gratis, and keeps it independent of any vendor or software platform. Organizations only need to purchase the five core ITIL books to get started.

What’s New in ITIL V3

Exactly how is ITIL changing? Previously, ITIL was very operationally focused, and primarily concerned with service support and delivery. Increasingly, however, business success requires tight business-IT integration, as well as more flexibility when delivering and then supporting IT services. Accordingly, “V3 helps bring a business management approach and discipline to IT service management,” says Sharon Taylor, the chief architect of ITIL version 3 and also president of the Aspect Group. In other words, the new ITIL guidance mirrors what organizations with service management best practices are now doing: “running IT like a business.”

Five Core Guides

As befits ITIL’s expanded focus, ITIL V3 will comprise five core guides:

1. Service Strategy: How to create service strategies
2. Service Design: How to design services, in both the business and technical sense
   
3. Service Transition: How to implement needed services, and strategies for getting there
   
4. Service Operation: How services operate (note this replaces most of the ITIL V2 processes, especially those concerning service support and delivery)
   
5. Continual Service Improvement: Guidance for IT service managers about how to improve services over time and better define them, per the Service Strategy guide

Each of these guides will be released as a separate book, but together they constitute the ITIL service management lifecycle. In addition, a sixth guide, “Introduction to ITIL Service Management,” will be more of a “quick-start” reference. “This covers the key concepts and articulates the business case for adopting ITIL,” notes Taylor.

Regulatory Compliance with ITIL

Interestingly, the convergence of IT and business which created the need for an ITIL update has been driven, at least in part, by regulations which penalize companies if they have insufficient IT control of their business processes. “A good example is Basel II,” says CA’s Stroud. “It has a material impact if you don’t comply, in that you’ve got to put more cash aside for reserves. Therefore the business, and IT, absolutely have to be engaged to ensure their processes are aligned.”

Already, many organizations have adopted ITIL to deliver more effective IT services which also comply with numerous regulations. For example, “forward-thinking IT executives today [are] integrating the audit requirements into their process design,” notes Stroud. Thus when they deliver a new service, “you’ve got all the audit points you need delivered—almost in a series of audit logs, if you will.”

Yet while ITIL is useful for compliance, the actual ITIL guidance doesn’t offer specific recommendations for any regulation since practically speaking, there are too many to address. Even so, Stroud anticipates ITIL add-ons will more directly address different regulations. “I do believe we’ll soon see some complementary books, that will take the ITIL guidance and be more prescriptive.” For example, one add-on might address service management best practices for healthcare—largely focusing on HIPAA-related processes—while another might help pharmaceutical companies create IT services that comply with FDA regulations.

New CobiT Mapping and Courses

Of course, ITIL is just one framework. Accordingly, V3 offers pointers to other best practice frameworks and standards that can further improve service delivery, such as the ISO 17799 security standard, and ISACA’s CobiT (Control Objectives for Information and related Technology), which is perhaps the leading IT governance framework. “We can’t cover all of these in the ITIL best practice, but we certainly need to make our practitioners aware of them and point them in the right direction,” says Stroud. That said, the Refresh Team plans to release a document which maps ITIL V3 to CobiT—and vice versa—in the very near future.

In June, expect to see new ITIL V3 certification courses, a road show highlighting the changes, and soon after, a series of related white papers. Note that current ITIL certifications will remain valid with the appearance of V3—much of V2 was “refined and included in ITIL V3,” says Taylor—though people can also update their certifications.

From ITIL V2 to V3

The refresh, however, raises a question: should organizations currently implementing ITIL V2 stop and switch to the new version? While that decision rests with implementers, “the processes you are working with today from V2 will continue to be a part of V3,” says Taylor. “What is different about V3 is that the former Service Support and Service Delivery processes will be integrated into a service lifecycle,” and should therefore be easier to implement.

As that suggests, the refresh aims to make IT service support and delivery not an end goal, but rather an enabler for more effective business processes, thus mirroring what leading ITIL practitioners already do. “The guidance is really aimed at assisting the best-practice use that we’re seeing in the industry,” confirms Stroud, “and there are a lot of opportunities with ITIL V3 for us to look at how we can leverage it, and other frameworks, to better integrate IT with the business.”

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.

This article originally appeared in IT Compliance Insitute and is reprinted by permission of 1105 Media, Inc.