ITIL Version 3.0 – What It Means to You

Expert Reference Series of White Papers

Introduction

A major overhaul of the IT Infrastructure Library® (ITIL®) is coming Spring 2007, and it will have a dramatic impact on the entire IT industry. ITIL v3 presents an entirely new “hub-and-spoke” design with a descriptive core framework as the hub and prescriptive solutions as spokes. Perhaps most useful are new implementation templates based on industry, firm size, business model, and regulatory environment that provide an impressive array of targeted solutions.

An enhanced descriptive core, new and more prescriptive additions, improved guidance on business alignment, and recent international standards approvals move ITIL from a “nice to have” to a “must have” for any IT professional or organization. If you have been putting off ITIL, now is the time to begin. If you are already implementing ITIL, you should consider these new capabilities. In either case, you need to understand the impact that ITIL v3 will have on the entire IT industry.

ITIL version 3

The current IT Infrastructure Library (ITIL), version 2, was released in 2000. ITIL v3’s books will start shipping in the Spring of 2007, and there are some major changes ahead for the ITIL and those who use it.

The goal of the new ITIL is to provide a simple-to-understand, business-aligned implementation that you can customize to your specific operational situation and IT environment. New topics include: understanding business catalysts and how they produce IT strategies; how you should respond to specific business drivers like compliance and regulation; and how to interoperate with other standards.

ITIL v3 uses a hub-and-spoke model with fundamental core concepts as the hub and specific market and industry guidance in complementary components as the spokes. Because ITIL involves best practices, it can never be fully prescriptive and must always remain descriptive.
However, the changes do make ITIL v3 more detailed and industry directed and, thus, more prescriptive than the current ITIL.

ITIL v3 will also provide significant new resources to help you “do-it-yourself”. These resources include case studies, templates, and examples. For instance, you can find out how to build a service catalog or how to perform self-assessments.

Hank Marquis, Chief Technology Officer, itSM Solutions, ITIL Service Manager certified

Copyright ©2006 Global Knowledge Training LLC. All rights reserved. ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. IT Infrastructure Library® is a Registered Trade Mark of the Office of Government Commerce.

Reasons for ITIL v3

The UK’s Office of Government Commerce (OGC) continues to own the core guidance and the ITIL brand, but they have passed responsibility for stewardship to itSMF International (international ITIL user group). According to a letter written from the OGC to the itSMF discussing collaboration on ITIL development:

“Ownership in this context means OGC is the ultimate authority on the content of core guidance in ITIL and provides visible endorsement through use of OGC-owned brands and trademarks.”

“Stewardship means the assurance that the guidance is truly best practice through the engagement of experts in development and promulgation.”

ItSMF stewardship is important and makes ITIL v3 truly representative of the industry and driven by input from the worldwide ITIL community. The ITIL v3 refresh committee solicited and reviewed 530 written responses and over 6,000 comments—representing 80% of the countries with an itSMF chapter. As taken from the ITIL refresh publication, the top changes requested are:

1. Provide consistent structure and navigation throughout the entire library.
2. Preserve the fundamental core concepts of the existing Service Support and Service Delivery books while expanding and improving upon these fundamental concepts.
3. Include best practices that extend deeper into service management concepts and reflect ITIL’s relevance to business in a more tangible way, and show how ITIL can be built into business processes and cycles.
4. Provide guidance on the softer issues of organizational structures, cultural issues, and an understanding of the interfaces to other best practices that help support effective ITIL practices in the workplace.
5. Provide a knowledge management strategy to support the service management needs of business and IT environments today and tomorrow. A relatively stable core could form the base framework, and would be complemented by focused and topical material in the form of case studies, templates, subject-matter-expert white papers, implementation packages, and business cases, keeping ITIL practices current over time by sharing the wealth of community experience.
6. Demonstrate and articulate value, benefits, and Return on Investment (ROI) to establish the value proposition for ITIL.
7. Reflect the reality of today’s business, operational, procurement, and technical environments including the use of ITIL in multi-sourced IT environments.

Other goals include: improving the usefulness and applicability of ITIL by addressing the changing needs of users as the technology base and business requirements evolve; making ITIL easier to apply; and improving ITIL’s applicability to small organizations.

The purpose of the ITIL (including this refresh) as defined by the OGC is “to ensure, on behalf of all interested parties, that ITIL provides a single, coherent description of IT service management core activities and products, based on best practice, supported by high-quality qualifications and services that are consistent with the core principles of ITIL.”

ITIL v3 Structure

Physically, ITIL will have three components: Core, Complementary, and Web. The biggest changes come from its focus on achieving and sustaining Business/IT Alignment (BITA), showing value, and delivering return on investment.

• The “Core” component has five books covering the lifecycle of IT services from business need to service optimization and subsumes virtually the entirety of the current Service Support and Service Delivery content.
• The “Complementary” component includes specific content targeting particular situations, industries, and environments.
• The “Web” component provides a dynamic resource for commonly needed and topical materials, such as process maps, definitions, templates, business cases, and case studies.

The Core Component

The new Core is a set of five books instead of the current two: Service Delivery and Service Support. The new core follows a lifecycle model from design to retirement. This will include the key concepts and generic best practices that do not change frequently. According to Sharon Taylor, ITIL Chief Architect (ITIL version 3), the working titles are:

• Service Strategies—hub of the core; understanding and translating business into IT strategy; recognizing and responding to business catalysts; selecting the best practices based on industry, regulatory environment, firm size, etc.
• Service Design—IT service and architecture design models to consider, including outsourcing, insourcing, co-sourcing, etc.
• Service Introduction—how to create a transition strategy from service design and put it into the live environment. Topics include change and release management, service models, and checklists for taking designs into production (analogous to a software development lifecycle but for IT services).
• Service Operation—how to manage services in the live or production environment; day-to-day management issues; how to react to failures; how to develop and monitor metrics of quality; and how to manage the reactive elements and processes.
• Service Improvement—how to improve service once deployed.

The Complementary Components

The next new section of ITIL v3 features the Complementary components, which address application of the generic core guidance in particular market, technological, or regulatory contexts. The Complementary component will change as required, perhaps annually or quarterly. A recent example is the newly revised “ITIL In Small IT Units”, which continues into ITIL v3.

Other key additions relate to implementation guidelines by firm size or industry. The Complementary component contains particular guidance by marketing segment. You can choose guidance based on governance like the Control Objectives for Information Technology (COBIT), methodology like Six Sigma, particular technology, business model, or even business driver like Sarbanes-Oxley.

The guidance in the Complementary component helps you customize ITIL to suit your specific requirements. It also provides guidance on interacting with various other best practices and standards. A recent example of this was the white paper produced by the IT Governance Institute (ITGI) and OGC. ITGI and OGC released a joint paper to explain how COBIT and ITIL should be used together to provide a hierarchy of guidance. They also said the ITGI and OGC plan to continue aligning terminology and content of their practices with other practices to facilitate easier integration.

Going forward with ITIL v3, we can expect further integration and guidance with COBIT and other standards and best practices. This guidance on integration with other standards makes choosing and implementing ITIL easier and the results more successful.
The Web or Internet Components

The web component is a dynamic on-line resource that can change as often as required—just like a company web site. Content in this component provides web-based support for existing and aspiring ITIL users. Examples of materials include a glossary, process maps, and ITIL definitions. It will also include discussion papers, role definitions, and case studies. Finally, it will include examples of ITIL forms and agendas for meetings as specified by ITIL, such as the Change Advisory Board.

Certifications

There are two broad groupings of certifications underpinned by the ITIL:

1. Professional certification for individuals
2. Organizational certification via ISO-20000 certification and audit standards

Personal Certifications

The APM Group Limited (APMG) administers the professional certification program. APMG members include the OGC, the Information Systems Examination Board (ISEB), and the Examination Institute for Information Science (EXIN). Currently there are three levels of professional certification:

1. Foundation—an entry-level qualification focused on instilling an understanding of ITIL terminology and processes
2. Practitioner—a mid-level qualification focused on teaching how to operate specific ITIL processes
3. Manager—a comprehensive qualification focused on ensuring competence in the management, organization, and optimization of all 10 ITIL processes and the Service Desk function

The existing ITIL certifications (Foundation, Practitioner, and Service Manager) will remain valid, relevant, and valuable. In fact, from a content perspective, the Foundation certification will remain virtually identical. While the content, concepts, and workflow remain the same, the certification programs must eventually change. The expansion of the ITIL core from two books to five will require a change in training programs to accommodate the layout of the material.
Lex Hendriks, Portfolio manager at EXIN international, provides this statement on the EXIN website:

"The ITIL refresh will not dramatically change the contents of ITIL, and therefore the changes in the certification structure are limited. The refresh should lead to a comprehensive set of books, suitable for not only the European market, but also for the many parts in the world where ITIL has been embraced. In the new books you will, of course, find the core concepts and best practices. These tend to be proven practices in the sense that these do not change enormously over a period of time."

It is very reassuring that existing ITIL qualifications will not be invalidated because core ITIL principles are not changing. In fact, the latest practitioner programs, for example "ITIL Practitioner in Release and Control" and "ITIL Practitioner in Support and Restore," already follow the new terminology, philosophy, and organizational structure of ITIL v3.

However, as is often the case when a certification changes, it will take a while for the certification bodies to catch up. The plan is for new certifications to arrive 6 – 12 months after the delivery of ITIL v3. From a practical perspective, this means within the next 12 – 18 months.

This does not mean that you should put your ITIL plans and training on hold, however. You should consider implementing your ITIL plans and taking your ITIL training now for the following reasons.

• The OGC and itSMF have declared that current ITIL v2 certifications will remain valid, useful, and relevant, so there is no reason to wait for v3.
• While the core ITIL principles are not changing, the tests will change. This will require significant changes to existing training programs and re-training of instructors. Current trainers and training programs are very effective so taking advantage of current expertise could be a benefit to students.
• The latest ITIL Practitioner certification programs, already available, reflect the changes in ITIL v3. Taking ITIL Practitioner in Release and Control (IPRC) or ITIL Practitioner in Support and Restore (IPSR) now prepares you for the change in focus coming with ITIL v3.
• The existing ITIL underpins the ISO 20000 and 20001 standards for organizational certification, and the new ITIL will provide the same support.

There is no reason to wait for ITIL v3 certification exams. The new material will be virtually the same at the Foundation level, and the newly updated and currently available Practitioner cluster programs already reflect ITIL v3 to a large degree. As is often the case when major changes occur to a certification, getting your certification “before the test changes” is probably a very good idea for the reasons previously listed. Current training programs are very effective and offer real benefits.

Organizational Certification

Neither the current ITIL v2 nor the new ITIL v3 is a standard, and neither has auditing criteria. Some chose COBIT for audits, but COBIT is not a standard either. The British Standards Institute (BSI) created British Standard BS 15000 as an audit standard, but it was not an international standard. However, BS 15000 delivered specifications for managing IT, implementing the ITIL, and establishing audit criteria and corporate-level certification. Although used in the UK, BS 15000 adoption was slow elsewhere in the world.

Then BSI submitted BS 15000 to the International Standards Organization (ISO), and ISO released it as ISO 20000 in December 2005. For the first time, IT had an international standard for auditing and certifying IT.

ISO 20000 is an industry standard like ISO 9000/9001. And like ISO 9000/9001, ISO 20000 offers organizational certification.
As a standard, ISO 20000 shows IT professionals how to manage and improve IT while establishing audit criteria. It also provides auditors with a documented standard to use for measuring IT compliance.

The ITIL offers certifications for individuals; ISO 20000 is an organizational certification with international recognition. This removes one of the toughest problems faced in IT today—management commitment. Every senior manager in an ISO 9000-certified company knows the benefits that came from gaining that status. With ISO 20000, it will now be much easier to gain “mind share” among senior management.

ISO 20000 is really two specifications, ISO/IEC 20000-1:2005 and ISO/IEC 20000-2:2005, referred to as ISO 20000-1 and 20000-2:

• ISO 20000-1 is the specification for Service Management. It defines the processes and provides assessment criteria and recommendations for those responsible for IT Service Management. Organizational certification uses this section.
• ISO 20000-2 documents a code of practice that explains how to manage IT with regard to ISO 20000-1 audits.

Both ISO 20000-1 and ISO 20000-2 derive directly from the ITIL best practice. ISO 20000 groups the ITIL processes we all know into five core bundles:

• Service Delivery Processes—Service Level Management, Availability Management, Capacity Management, Continuity Management, and Budgeting and Accounting for IT Services (Financial Management) along with Information Security Management and Service reporting
• Relationship Processes—Business Relationship Management and Supplier Management
• Resolution Processes—Incident Management and Problem Management
• Control Processes—Configuration Management and Change Management
• Release Process—Release Management

ITIL underpins ISO 20000, so you may already understand a lot of this standard. Nevertheless, ISO 20000 also includes more than Service Delivery and Service Support.
It includes sections on managing suppliers and your business as well as Security Management. Grouping Security Management (previously its own ITIL book) with Service Delivery is an interesting spin. It appears to foretell the changes planned for ITIL v3.

As the industry progresses, the new ISO 20000 terminology is already becoming apparent. The most recent ITIL Certification, the itSMF-approved Practitioner cluster certification "ITIL Practitioner in Release and Control", covers Change Management, Release Management, and Configuration Management—and now you know why.

Summary of ITIL v3

New certification programs based on clusters of processes; an alignment with ITGI on the COBIT best practice; a new international standard based on the ITIL; a major re-write of the ITIL—what does it all mean? It means that a boom in ITIL adoption and a significant requirement for ITIL certification is on the horizon.

Already Here

The newest certification programs from EXIN and ISEB appear to reflect the changes in ITIL v3, as does the new ISO-20000 certification and audit scheme. While the official books go to print in September 2006, elements of the new ITIL seem to be already here. Statements from EXIN and the OGC allude to the fact that the most recent updates to certification programs are reflective of ITIL v3.

More Prescriptive

The new hub-and-spoke architecture of the ITIL, along with the new certification programs based on related process clusters, foretells the movement toward a more prescriptive ITIL. This version of ITIL will be easy to customize and offers specific guidance based on the implementer’s unique requirements. The stated objectives of the new ITIL are clearly much more prescriptive—resolving one of the most common complaints implementers have had about the ITIL.
Supports Standards and Other Best Practices

The specific support for other best practices and standards, like COBIT, makes ITIL implementation more integrated and focused than ever before. This official guidance on interoperability takes the guesswork out of implementing ITIL within specific industry or regulatory environments. Continued support for related best practices will ensure the establishment of de facto IT management structures based on industry, firm size, and regulatory environment.

International Standard

The new ISO-20000/20000-1 provides, for the first time ever, a worldwide industry standard for auditing and certifying IT organizations. Already, several governments have stated that ISO 20000 is to be a requirement for outsourced IT services. As the industry recognizes the value of ISO 20000, more and more companies will require their partners and vendors to reach ISO 20000 certification—just as they did for ISO 9000/9001. ISO 20000 organizational certification virtually requires ITIL certification for individuals.

Conclusion

As the IT industry standardizes its operations to solve business problems in the most efficient, effective, economical, and equitable way, ITIL v3 becomes a critical tool. In combination with the new ISO-20000 certification and audit standards, ITIL v3 will fully blossom into the new norm.

If your organization is already ISO 9000/9001-certified, you will have a much easier time gaining and maintaining management commitment for your ITIL implementation! In addition, if you are already implementing or adopting ITIL, there is now an international audit and certification available for organizations.

The new version of the ITIL includes an impressive array of prescriptive solutions for achieving and sustaining BITA, showing value and delivering return on investment. If you have been putting off ITIL, now is the time to begin implementing it.
If you are implementing ITIL, you need to understand these changes and take advantage of them. The more prescriptive new additions and alignment with business drivers that ITIL v3 contains can help you accelerate acceptance in your organization.

Learn More

Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses:

ITIL Foundations Certification Boot Camp
ITIL Practitioner Certification Boot Camp
ITIL Service Manager Certification Boot Camp

Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs.

About the Author

Hank Marquis is Chief Technology Officer at itSM Solutions LLC, a Global Knowledge Partner. Previously CTO at Opticom, a venture-funded producer of IT Service Management software, Hank is an ITSM entrepreneur, practitioner, and manager with over 25 years of practical hands-on experience gained at the U.S. Government, MCI, US Sprint, Timeplex, Compuware, and other organizations. He was an early ITIL proponent, adopter, and frequent contributor to the ITIL community. He writes the popular weekly DITY™ (Do IT Yourself™) column, lectures on ITIL, and teaches IT executives how to implement ITIL. He has written dozens of articles; several books; and Cisco, CompTIA, ISEB, and EXIN certification programs. He holds the highest ITIL credential—ITIL Service Manager (Masters) certification, with distinction in Service Delivery.