ITIL vs. COBIT, ISO20000 et al, and itSMF's role in promoting them.

itSMF exists as a marketing arm of the ITSM industry, by definition. An open market is a wonderfully self-levelling system: money flows where the potential money is. So itSMF forms a very good indicator of where the interest or 'action' is in ITSM at the time. Right now it is ITIL. But what about the future?

This post was triggered by this comment:

ITSM and particularly the itSMf is core ITIL focussed with some discussion on integration of ITIL with these other frameworks, practices and methods.. I think the governance of the development of ITIL should focus on that scope and the professional body should be more inclusive of these other frameworks and concentrate on making the Service Managers knowledgeable of these areas.

Right now all the attention of the community is on ITIL, so likewise itSMF. Once the community twigs to the potential of something else, watch itSMF switch horses with alacrity.

On the other hand, marketing closes a feedback loop, driving the community's interest. So itSMF's marketing will maintain interest in ITIL after the potential has moved elsewhere - there will be a momentum ("hysterisis" actually, if I recall my engineering) caused by the positive feedback loop.

itSMF did attempt to drive or lead the market by drumming up interest in ISO20000, though pretty half-heartedly and I think mostly in the UK. It could be argued it was more of a mindshare land grab of the lucrative certification market than a promotion. In general itSMF seems happy to stick with ITIL for now, and I suspect will tend to be market driven rather than a thought leader (although that depends entirely on who steps up for future elections).

Finally, I think the potential lies with COBIT (and maybe ISO20000), and I think there is a particular issue with COBIT and itSMF. COBIT already has an "owner" organisation: ISACA. It is hard to think of two more different organisations. If the community started to get all excited about COBIT, would itSMF cooperate or compete or just not go there?


itSMF's Role

Your last paragraph is a real hint to the future. itSMF is a “user group,” (a non-owner organization) type of club focused on the use of a particular technology. ISACA is a group of individuals (an “owner” organization) that saw the need for a centralized source of information and guidance in their field, auditing controls in the computer systems, and formed an association to fulfill those needs.

ISACSA has a certification program, where a person is certified as being able to competently complete a job or task, by the passing of an examination. itSMF has, uh, nothing.

ISACAS is well managed and governed. itSMF is, uh, nothing.

ISACA is devoid of politics. itSMF is a Petri dish for politics.

If the community does get excited, it will be over an organization that does what it says, not what it talks about. How relevant it is to its members. The master it will serve is the future. I would believe that ISACA has given some thought to the future, whereas, itSMF is irradicably entrenched in contemptible unimportance. Could ISACA become that vessel for cooperation? That would require a different mind-set about growing issues by itSMF, so, that means no.

[itSMF is a “user

[itSMF is a “user group,”]

That one was funny.

It's a group which exists to promote the self interest of those at the top end of its triangle, and which is driven by lust for profit. They are arguably worse than APMG, in that they are better at hiding their true motives from the mugs on the ground than APMG.

Their unseemly squabbling amongst themselves over the last year has been a great showcase for what they are like under their veneer.

Does anyone remember our purpose

May I bring you all back to a very important point for a second.

"The customer doesnt buy the service. The customer buys a means to achieve his needs or goals" from the ITIL books themselves.

But it brings me to this. What does service management mean today and where is it going?

I believe (and correct me if Im wrong skeptic) this is what the purpose of this whole site revolves around, does it not? It isnt here to plainly discuss ITIL, Cobit, ISO 20000 (as the skeptic is often bringing up). These are frameworks and standards to assist Service Managers fulfill the needs of the customer. They serve as mechanisms not as final products.Are we not viewing them as the service we are selling(with reference to the quote above).

The acronyms ITIL, COBIT, ISO etc are fads at the moment, Why? because many company's who have successfully "implemented" any of these standards or frameworks have seen results. Also because the top board of directors have really pushed the concepts and dedicated themselves and their company's to it.I bring this up because its mentioned often that company's only "implement" a small number of the processes and ITIL is not successful. I favour ITIL as the concepts do work. But "implementation" is not as easy as everyone is led to believe. The word "implimentation" is a contradiction to what ITIL is in itself. You cannot "implement" any of these standards or frameworks. They mature over time. There is no placement and completion. The bad taste customers get in their mouth from ITIL or anyother frame work or standard is the expectation that once the consultants leave the benefits will produce themselves shorlty afterwards. Due to it maturing over time at which point will you say ITIL has been a success. Where is that point to the customer or the organisation making use of ITIL. I think this is an extremely important question.

I really dont see why there should be speculation among these frameworks and standards they all have their purpose and thier place. But really becoming compliant in any of these is such an "image" factor. I feel that the "image" factor company's are pursuing is what is removing the Quality of these standards and frameworks. There is a constant focus on the end goal (which is seldomly really understood) and not on the process to get there. Its just a neat new tool the company want's to play with.

There really shouldnt be a "vs" in any statement that ITIL, ISO, or COBIT fall under. they all tie up together

I ask for your opinions on what Ive said

anything I see as silly in the world of IT

Actually this site exists to discuss (and hopefully debunk) anything I see as silly in the world of IT. It tends to revolve around ITSM because that is what I know, and around ITIL in particular because ITIL and those who work with it provide such rich material :-D

You suggest that there should not be speculation among these frameworks and standards because they all work together. This is true to a field practitioner: you use combinations of them to get the job done. It is not true in the murkier world of creating and promoting and selling them, where they all compete (actively, or naively unaware they do) for the mindshare to be that next fad (is ITIL a fad?).

Your comment also triggered this post. Thankyou for the thought-provoking comment.

itSMF is a Petri dish for politics

itSMF is a Petri dish for politics


I disagree with only one point:

itSMF is a user group

No it isn't: it is a self-interest group dedicated to the promotion (i.e. marketing, development of the industry) of Service Management. We clearly, formally and specifically define ourself as such, or we did before the Great itSMFI Website Disaster disappeared all the "About" info. Presumably the new website will eventually provide a definition again.

History may repeat itself

User Group; Self-Interest Group - six of one, half a dozen of the other. Both are users and are indoctrinated with a methodology, and in this case, a religious zeal. User/Self-interest groups are easily seduced or drawn into a foolish course of action by powerful vendors, just waiting for the opportunity. Do you remember the Open View Forum?

a new leader of the pack?

The itSMF focus definitely is at ITIL, and global vendors are pushing V3 to an unwilling market. User organizations are in no way ready for that, and individual certification schemes are at the least chaotic - not something you'd want to invest in now.
Alternative frameworks have very different goals (COBIT ) or appear to be empty shells (OSMF). The only option left would indeed be ISO/IEC 20000. After the stunning commercialization of ITIL, this may well be the road taken by those who want to go for an independent future. Interest in 20000 is slowly growing, with some of the biggest user organizations halfway the project, most likely setting an example for the market. As soon as they illustrate that they can get the desired improvement by taking the 20000 road instead of the ITIL path, I expect a fast adoption. After all, the clockwork is the same, but the result of 20000 is a certified organization, which beats any claim to ITIL compliancy.

The itSMF seems to have some problems to hold its position in the 20000 field. Last week's message from the UK chapter (who manage a certification scheme that is independent from ISO) showed the following:

ISO/IEC 20000 Certification
Dear itSMF Member
We have recently received concerns, expressed by a number of our members with regards to the operation of the itSMF's ISO/IEC 20000 Certification Scheme. The cause of this concern is the activities of a limited number of the RCB organisations. […..]it appears that certain RCB organisations, as well as conducting audits within the scheme are also conducting them outside of the scheme and hence its rules and regulations. This means that the organisation being certified is then not allowed to claim certification within the itSMF scheme and more importantly not allowed to use the itSMF scheme logo. This has upset a number of our members and is therefore a matter of grave concern to ourselves, as we treat this matter very seriously. [etc….]

It seems that the registered certication bodies (RCBs), normally working in the formalized context of the ISO organizational structure, are getting from under the UK scheme. As soon as the National Accreditaton Bodies will step into this arena, the RCBs may start wandering off to their normal partners. That would most likely normalize the situation and stimulate the further adoption of the standard as an independent mark.

In the end it's all about the market perception: as soon as the buyers will recogize that they can reach the same results by taking the 20000 road, the providers will offer their services under that label. And that would be the emergence of a new leader: not itSMF, not ISACA, but ISO.

cat amongst the pigeons

Jan, I can't agree that

The only option left would indeed be ISO/IEC 20000

ISO20000 is not an option to ITIL. You can't get an equivalent BOK* like ITIL for ISO20000. There are no books of guidance for ISO20000, no "how". Like COBIT, ISO20000 is for a slightly different purpose.

Now, if somebody were to do such a BOK, well then we'd have a serious cat amongst the pigeons!

BOK = body of knowledge

Achieving ISO 20000

There are the Achievining BSI/ISO 20000 books which provide the main elements of a how to guide, and the authorship of ISO 20000 and ITIL shows a healthy crossover. It isn't a case of either/or so much as where do you put the emphasis. I worry that the big uptake of ISO 20000 will happen in organisations that are more bothered about getting the piece of paper (for instnace it is being mandated in some UK government outsourcing deals) rather than in using it to deliver true service managment.


James - be serious: is that any different from ITIL? Isn't that all about the branding too? Being able to say "we've implemented ITIL"? Have you ever seen an organization that really had more than 3 or 4 processes up and running?
My suggestion was, that organizations might go for the ISO 200000 certificate and use the available best practice information to get there. And you'd be using the very same consultants and tool providers that you would have used for an ITIL project. After all, the standard doesn't require a specific road towards the goal, it doesn't even mention the word ITIL, it just describes what you must have achieved. And isn't that much wiser than implementing ITIL because it's named ITIL?
In this scenario, ITIL will be used exactly for the purpose it was designed for: as guidance on best practices for IT service management. And you use it to get somewhere - which would be illustrated by the independent 20000 certificate.
It seems to hold a much nicer future, compared with the vendor-driven overhyped ITIL scenario we're facing now. And it would credit ITIL in a much better way for its value.

Question of degree


Well of course the vast majority of organisations claiming to use ITIL are actually only using a small sub set of it, even with reference to v2, never mind v3.

My concern though is with organisations who will manipulate their scope statement for ISO 20000, in the same way many organisations did with ISO 9000, so that they only have to do the absolute minimum to achieve certification.

I thought I was agreeing with you that using ITIL was a good way of achieveing certification!

I wonder if any research has been done on the value of the "independent" ITIL maturity assesments carried out by consultancy firms.

better one bird in the hand...

Of course that will happen - can't be stopped. Although I think that ISO 9000 has changed for the better in 2000, avoiding certificates for companies that made sailing boats from solid rock. It grew into much more than just 'if you do what you say you'll be certified for that'. The management system approach, involving customer requirements, ensured that the organization was continually improving their performance in the light of customer satisfaction.
So we may well work from the idea that the ISO 9000 base under the 200000 application is useful and directly relates to quality.

Let's now compare the application of ITIL and the application of ISO 20000.... As you confirmed, many organizations that claim to have applied ITIL are in fact nowhere near that goal. Last week I talked with a manager from an organization the "had implemented ITIL for many years" and he confessed that they effectively had never achieved more than 2 processes - and that he'd probably be fired if he would make that statement in public;-).
So wouldn't the fact that you complied with the full set of ISO 20000 requirements have a lot more weight? Even if you tried to get there the cheapest way?

Further proof is coming up soon I think. The ISO organization has recently forwarded a proposal to allow for incremental certification against the 200000 standard:

"...compliance with the full requirements of ISO/IEC 20000-1 is difficult for some service providers to achieve in one stage. These service providers would benefit from standards that define acceptable subsets for use as stages towards the full requirements of ISO/IEC 20000-1."

I haven't heard whether this proposal really made it, but I guess that it underlines exactly what I've said above: it's very hard to achieve the entire set of requirements from ISO 20000. Even done the cheapest way - a full certificate will definitely bring you much further than a mere statement "yes - we have implemented ITIL".

Or as the old Dutch proverb says: "better one bird in the hand than ten in the sky".

Capability and Maturity

Jan and others,

It is interesting to note that too often we all land in front of the question with customers, trainees etc: 'what is the difference between an approach to ISO/IEC 20000 and that of ITIL'!

We can get into a lot of detailing and explanation where time is not a concern- However, often we land into an 'elevator pitch' scenario :-)

Here is one explanation which I used more than once to handle such 'quickie' situations:

I take the analogy of CMM model - Capability and Maturity.
Here, the process areas/sections/practinces (whatever we want to call them) specified in ISO/IEC 20000 is like the capability levels.
So if you achieve the certification, you are ideally (!) at a capability level of 4 or 5.
Now, to achieve maturity on these levels, you might want to look at best practice framework (commonly ITIL in this context)or industry best practices - basically providing the "How" part as some of you pointed out here.

If your (I mean the customer's) requirement is to achieve better maturity in certain process areas, I advice them to take 'ITIL alignment' route (and later go for certification if need be). If their need is to put all those building blocks (processes/controls/practices) in place, then I advice them ISO/IEC 20000 route.
(Obviously assuming there is no business need for certification - in this case the choice is obvious).

I am not sure if this analogy is apt or correct. Would like to hear other view points on this.

Thanks in advance!


Cherry Picking


I wish all managers were that honest, especially in public. I long to go to an itSMF conference session and hear someone tell the brutal truth. One of my concerns about ITIL 3 is that amongst all the hype there is a sub text that ITIL 2 is old hat and everybody has already done it, rather than an acknowledgment that organisations still struggle with the basics. I get very annoyed with a certain kind of manager and consultant who tells me how obvious and easy ITIL is. If it isn't hurting I can't help feeling you aren't making real changes. Those who are passionate about service are, in my experience, never complacent about it.

An advantage of ISO/IEC 20000 that attracted me to use it with clients is that it makes it hard to cherry pick the easy processes, and makes you think about the ones that are difficult, but which deliver long term benefit.

The incremental approach to certification is still under discussion. I think it is a good thing. It would be nice if, and I believe it will, it aligns with COBIT.

I struggled with Dutch proverbs when I was with Quint. One I think was along the lines of " A leaf falls close to the tree", hopefully the ITIL v3 leaf will not drift too far from the tree in the long term.

The market

I have no opinion to many of your notes but I'll add a differing opinion to the statement about "unwilling market".

As an IT operations consultant, this has been one of the strongest years for our company. The majority of the engagements have centered on the ITIL topics. Many "V2-finished" clients returned this summer/fall and engaged us for the V3 topics. We've sold more V3 work in the last 10 months than V2 work in the prior 24 months. This holds true across Europe and North America.

Meanwhile, we've done three ISO20K projects in the last two years.

This wasn't a function of pushing V3 on an unwilling market. Clients are really not that gullible. Instead, it stems from the market's search for improvements. Clients don't want ITIL for ITIL's sake. Nor are they that interested in certification for certification's sake, as with ISO20000. It often feels like we are pushing ISO20K to unwilling market while ITIL sells itself. For example, how much traffic would this site get if it was called "The ISO20K Skeptic"?

If the product works, then clients come back for more. For both product and consultancy. If it doesn't then they won't return for either. Based on my vantage point, the market has been more than willing, it has been hungry for more.

the "IT Skeptic" not the "ITIL Skeptic"

If you are who I think you are, then "We've sold more V3 work in the last 10 months than V2 work in the prior 24 months" may have more to do with the fact that your organisation had just about zero profile in ITIL2 but has jumped to prominence in ITIL3.

My impression (from afar, admittedly) is that the uptake of ITIL3 and ISO20000 are both sluggish while the ITIL2 party rocks on.

BTW, I'm called the "IT Skeptic" not the "ITIL Skeptic" - far be it for me to misuse a Crown Copyright ... or to lock myself into a pigeon-hole.

But that's just your "impression"

Do you your impressions have the same weight as market research? As time goes by you're becoming more and more ... never mind... reminds me of a certain Calvin & Hobbes comic...

Market research: Do you have some?

No my impressions don't carry the same weight as market research. Do you have some? {see my previous comments on the value of most of what passes for research in this sector}

I have had conversations with very senior ITIL and ISO20000 people from around the world to form these impressions. I offer them because I feel they have some substance, though admittedly subjective. The impressions of others who are well immersed in the ITIL community are welcomed here.

How would one differentiate

How would one differentiate between a v2 and v3 initiative?

Syndicate content