OGC gives us an ITIL V3 maturity assessment standard, but they won't publish

A recent blog set me thinking. Since OGC have now set a standard for assessing software products against ITIL processes, that should also form the basis of ITIL maturity assessment too. All we await is OGC publishing the standard. I bet they don't.

Juan Jiminez said recently

When it comes to ITIL maturity assessments, however, the evaluations cannot be performed against set standards because, quite simply, there are none. Since ITIL is a framework and not a methodology, the guidelines in the core publications are descriptive, not prescriptive. The result is that everyone interprets and executes ITIL best practices in whatever manner best serves the needs of the organization. The phrase “It depends.” is notorious among ITIL practitioners because it is the standard answer to the question “How does ITIL say I should do this?”

Obviously this isn't true any more. We have an official standard from OGC for the assessment of software products. Software products automate or assist work procedures. So the standard for the software scheme must potentially be a standard for organisational maturity assessment, or at least an excellent basis for it. Obviously OGC have removed the ambiguities and documented the alternatives if they are certifying products as compliant.

So all we need is for them to publish the standard right? I bet they don't, for several reasons: it will generate a storm of arguments over all the assumptions and simplifications they must have made (it is a decreed standard with no public consultation so there is going to be a mass of controversy); it would undermine the lucrative assessment consulting market; it is valuable IP.

How can they not publish it? Easy. If you want to certify your product or be licensed as an assessor you apply for the criteria under a non-disclosure agreement. I'm betting that is what happens.


singing from the same hymnbook

They have to have decreed standards for something in order to certify against it. The stuff about work procedures is sarcastic exaggeration, but they must have something pinned down. And whatever they have is by definition a standard (yes, Antonio, ITIL is now an OGC-decreed standard, albeit a secret one so far).

As such it would serve nicely as a standard framework for organisational assessments too (whether with a maturity or not), a la COBIT. Assessments don't need to be binary. You can ask enough questions to determine a maturity level. But whether we do maturity or not, it would be good to have all those consultants singing from the same hymnbook.

ITIL V3 Self Assessment Maturity Model

Someone else thinks ITIL can be assessed. ITIL Live has announced

Self Assessment Maturity Model - created by one of the Authors of the core ITIL V3 Service Lifecycle publications

ITIL V3 Maturity Model Self Assessment a Cottage Industry

My thoughts about this : OGC is not giving any hints of an ITIL process maturity model definition. Hence many
ITSM consultancy firms had been making lots of money creating their own version of ITIL process maturity definitions for organizations willing to buy such a service. In this tough economic climate, parting money for a non OGC endorsed industry maturity model definition is not going to be that easy.

My thoughts for a better selling point is using the COBIT 4.1 maturity model. The maturity for the 34 processes are explicitly mentioned in Cobit 4.1 and the COBIT-ITIL V3 document shows that majority of these processes can be mapped to ITIL V3 processes criteria + PMO too! So if a self assessment tool base on the 120+ control objectives is created and linked back to the process maturity definition for those 34 COBIT processes and later using the Cobit 4.1 to ITIL V3 document mapped back to the 23++ ITIL V3 process, an COBIT and ITIL V3 (and even PMO) process maturity can be derived through the appropriate groupings. Additional selling point: COBIT's online assessment tool: Plucking the overall COBIT process maturity numbers onto the ISACA tool will provide an industry benchmark.


Assessment against COBIT

I quite like the COBIT assessment model, to be honest I can't see what additional real world benefit would be gained by mapping it on to ITIL.

What is missing perhaps is something more fundamental, a tool that would help IT organisations decide what maturity level they need to achieve to meet the needs of their customer.

extract a number from a suitable orifice

yes I blogged on Setting the target goal for service management initiatives:
how do we determine the to-be? Seems to me the standard model is to extract a number from a suitable orifice

How to pick a number.

Maturity level: 5 is world class, heck we can undermine that by saying it is overkill. Obviously we can't go for any level below 3 because 0,1, or 2 sounds like re-branding failure as success. So Looks like it will be 3 or 4 then.

Availability: 5 9s if we are doing something important. Any other system? Gosh 99% sounds scarily high, so go for 98%, the customer will probably buy it.

That seems to be how so many people do it.

Terrifying, isn't it?

Dare we assess the maturity of the customer interface

James, as you might suspect - I feel you have hit the nail again.... Critical to any service provider maturity model against which an organization and its processes might be assessed, are questions and methods to unearth the customer interaction points and recognition within the provider that improvement is most effective here.

Yes, I know - there goes Ian again on Outside-In thinking... guilty as charged. This is all about providing service to satisfy customers, not just the management of services. There is a silent 'C' in ITSM - the customer. Customer outcomes and the activities they perform to achieve them makeup services. IMHO an assessment should start with the customer and 'processes' (if you must use that word) that manage the customer interaction and customer experience.

We might find that this approach lures us into areas of application development....

Customer perspective


Most of us have come across the situation where IT thinks all they need to do is a little optimising of the status quo, when the customer wants a total transformation of both the relationship and the service. Unfortunately maturity models don't tend to pick up on this, or that the most mature organisations are often the most self critical. I believe that sadly many customers have given up hoping that IT will really change, yet real IT maturity depends on an engaged customer voice.

ITIL lacks real customer interface

Agree with James that ITIL maturity model is of little use. One should remember that ITIL does not have a function or process for sales or business relationships. I find it really amazing considering all this talk how V3 is serice and lifecycle oriented. In this sense ISO 20000 is a major step forward from ITIL V3.

In my experience real life service providers obey customers. Strategies and service design plans are dropped when THE major customers says that we want this. Only internal IT's may have the luxury of not listening to customers (until they are outsourced). IT is to serve the business. Business makes strategies and plans and IT's role is to help business to achieve the results it needs.

A practical problem for Service Level Management is that sales sells services that are not in the service catalogue, if they would stick to the catalogue there would be no sales.



"A practical problem for Service Level Management is that sales sells services that are not in the service catalogue, if they would stick to the catalogue there would be no sales."

I really hope you meant to say Service Portfolio because there would 'be sales' if both existing services from the catalogue and upcoming services from the Pipeline were sold. Catalogue by itself is just an audit.

P.S. IT is not to serve the business. IT IS part of business. Looking at it any other way and you might as well forget all this ITSM stuff, get outsourced and go back to replacing desktop PCs.

Two worlds

I sat yesterday listening an excellent presentation on how to design and build datacenters by Mika Leno from Datacenter Finland. (Here is good tip for European consultants and IT infra managers. A datacenter in Finland saves millions of Euros in electricity costs due to our cold climate. There is also a lot of good space available, country is boringly stable, English is second language, (unofficial) etc.). Data center design is not so simple but all IT services need to have a solid and reliable data center somewhere.

On the other hand James writes in his recent blog that his customers do not run their infra, just manage the services and he does not even meet people who run the infra. http://coreitsm.blogspot.com/2010/04/international-perspective.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+CoreItsm+%28Core+ITSM%29. I suppose Chris has the same situation.

These two worlds seem to be more and more apart. One provides the basic infrastructure and the other works close with business to apply the infrastructure for the business needs. There is a huge difference between these two worlds and it is impossible to try to explain it with a single model like ITIL V3 tries to do. I see ITIL V2 is a model for the infra people but V3 does not know where it sits.

The engine room does not define strategy to shovel coal. Designing new services is quite different if you are a) an internal IT service manager, b) a basic IT infra service provider, c) a business IT service provider. It seems that ITIL wants to forget where the second "I" comes from, just like HDI is not Help Desk Institute or SAS is not Statistical Analysis System. We should clarify what we mean when we talk about IT service.



Yes, in the UK the model I'm seeing is third party infrastructure suppliers delivering services controlled contractually by an intelligent customer function. In addition it is the norm for several suppliers to be in the value network/chain, for instance applications support, the service desk, and networks might all be supported by other supplier, possibly delivering a commodity service level. Rather like the British and the Americans the danger is that we end up with "two countries separated by a common language" with both using ITIL terminology but interpreting it relative to their position in the supply chain.

One implication of this is that much we hold dear becomes problematic, like articulating and managing the link to end customer value. Company X&Y three layers down in the contractual hierarchy will provide their standard, technical, performance reports that make no mention of business impact. Not only that, but the retained customer IT department will have little or no influence over sub-contractor performance.

Aale is right that a strategy does not tell you how to shovel coal, but strategy does have to take into account the model for delivery of services. That means the strategy has to be formulated with an understanding of how the strategic objectives can be decomposed into coherent contractual targets. I did a lot of work on this back in 1996 at the start of UK government's Market Testing initiative based on Robert Smith's 'Sunningdale Model'.

Here we are in 2010 and I have to agree that v3 in its current form does not equate to the reality I see on a regular basis. It isn't that you can't use it, but you need to do constantly check which way you are facing. Hence the Janus title of this post.

V2 terms

Was using V2 terms where the catalogue is a description of all services. (I'm in a middle of a V2 Foundation class and we were just discussing this phenomen.) One guy told how their sales just said yes to all customer requirements and signed the contract. He had a good comment: "The person who signs the contract has a lot of power over IT service".

IT can be part of the business but still it is the business that creates strategy, not IT. Personally I buy IT services but they are not really part of my business, just support it. I can do consulting without my laptop. My training might be better if I did not use PowerPoint.

One of my customer's business is to build ships. Would you say that IT is part of the business. My wife is a nurse and today hospitals use more and more IT which may or may not help them. Still IT is not the business of a hospital, it just one way to do the paperwork.


can a tool support a reference model?

For what it's worth: Pink Elephant have published their entire scheme, see https://www.pinkelephant.com/en-GB/ResourceCenter/PinkVerify/SelfAssessm...
It's indeed not likely that this would happen with the OGC scheme. They'd really be in big problems if they did ;-)

Basically I don't understand how any tool can be 'compliant' with a reference model, when this reference model is not an implementation model. Isn't a tool in fact supporting the implementation? And have you ever seen ITIL 'implemented'?

Its obvious

I think there are more things about ITIL, OGC and itSMF to be skeptical, than genuinely valuable bits..

Its obvious that tool vendors make money. Tool vendors through distribution control and IP licencing can managing the revenue stream. Through some branding and licensing scheme for certification, someone in the hierachy of Castle ITIL can make some money.

If Castle ITIL was to make money of a process maturity model, it can only be delivered via a audit mechanism, by which the ISO style is the only game in the market at the moment. Audits however cannot be maturity models, They are binary in nature (warning: generalization). A true maturity model is delivered through consultants or IT staff (like most of us and the larger ITIL community). This is notoriously hard to monetize because there is no marketshare leadership, its easily modified, margins are low etc.. They figure they may as well use consulting (ie. the descriptive books) to build community, as a loss leader to other activities.

There are ways for "Castle ITIL" to monetize maturity models and consulting, and they try hard with online activities etc.. But I for one am not about to help them..

In the mean time, this fuzzy-ness of "implementing ITIL", leaves a lot of room for gainful employment by IT staff and external consultants, so "make hay while the Sun shines"..

Net-net.. Castle ITIL's reasoning is always very simple to understand $$$$$$$

Brad Vaughan

Markets, audits and ££££


I believe most conspiracy theories credit government agencies with more ability than they possess, Castle ITIL is a bit like that. Actually if OGC is at fault I suspect it is the too easily duped victim of a conspiracy rather than the perpetrator. ITSMF I suspect wants to be in on the deal, but any con man will tell you that that is the sign of an easy mark. I haven't come to a conclusion about TSO.

Audit can easily be linked to maturity models, it is an intrinsic part of COBIT. The ISO approach is slightly different in that certification is binary, but if an ISO maturity model exists you can claim to be at a certain level. A maturity model can be monetized, but generally by manipulation.

What worries me is the obvious distinction between the way Castle ITIL is working and recognized professions. My biggest concern is the lack of transparency and advance public exposure of key documents and decisions.

The central Keep of Castle ITIL isn't where the money is to be made, the scope for cash is around the curtain wall. The inhabitants of the central keep are driven more by kudos and fame than by hard cash.


In true conspiracy fashion.. The faces we see are the patsies of the whole scheme. Those seeking famous and kudos are puppet for the mechanics of the conspiracy.. I am not sure ISACA makes much money from there audit scheme..

Somewhere in Castle IT lies a Bernie Ecclestone style puppet master making a happy penny from the process.. No other motive fits the execution path they have taken. I don't accept the ignorance play for a minute..

Plus, conspiracies are fun and make good content for blogs :)

Brad Vaughan

not a fan of conspiracy theories

As a skeptic, I'm not a fan of conspiracy theories. They tend to fail the Occam's razor test. I seldom question people's motives on this blog. Execution yes, ethics no. All are professionals trying to make a buck from what they know, and yes get some recognition too. Very few are anything but straight-up honest. Even the vendors and analysts are just doing a job: pumping up the market for their bosses. The only ones getting really rich out of ITIL are the owners of the companies selling software and consulting and training - and many of the smaller owners will only get rich if they manage to cash in (and good on them - I admire entrepreneurs). A few consultants make a pretty buck but not really rich (read Richistan).

there's no evil genius on a desert island somewhere with a persian cat and a worldwide network of ITSM spies. The industry is a self-fueling phenomenon - everyone gives the bandwagon a push while jumping on.

Castle ITIL is aloof and capricious and at times bumbling, but it means well. It is no more crooked than any other assembly of white-collar professionals on the planet (and I consider that to mean "not very").

Who's talking evil or crooked

You calling Bernie Eccelstone evil and/or crooked ?

Also, did I indicate financial motive was bad.

Perhaps the conspiracy theory speak was a little of misplaced fun, but it highlighted a point by taking a radical position.

All I proposed is that the decisions made regarding the leadership of ITIL make sense in the context of financial motive. Words of community, membership and certainly "foundations" are misplaced in this context. They should be replaced by user groups, customers and corporations.

Brad Vaughan

I couldn't possibly comment

I couldn't possibly comment on Bernie.

There's financial motives and financial motives. Pickpockets have a financial motive and so do postmen. I just wanted to be clear where I saw it on the cynical <-> crooked spectrum.

But the real point I'm making is that a conspiracy implies a plan, an underlying purpose, and some central mind. It isn't like that. Nobody is in any more control of ITIL than of a stampeding herd. Most of those in Castle ITIL are a bit surprised to find themselves galloping in front of such a big stampede and some are just trying to stay ahead. ITIL is a phenomenon not a plot.

Good Point!

As always, you have used your brain and found a good point.
Altough the idea that a "compatibility test" for a software is the basis for an ITIL maturity assessment is a little bit vague, I understand what you mean and yes... you are almost right.

Software products automate or assist work procedures. So the standard for the software scheme must potentially be a standard for organisational maturity assessment

In fact, as they don't have standard "work procedures" (nor standard processes, nor standard RACI charts, nor standard anything) it's impossible that they can have such an standard for the software scheme, so the software assessment *must* be based on software capabilities: can your software classify incidents? (yes or not); can your software implement any incident lifecycle that any customer can imagine? (yes or not), and so on...

In this way, you can assess "software capabilities that could be used to implement something based on ITIL V3", and it wont be useful for an IT Service Management Maturity Assessment.

PS:: The key word here is "standard". ITIL is (you already know, I know, but must be said here again) not an *standard*

Antonio Valle
G2, Gobierno y Gestión de TI

I think I've see the light

ITIL is no standard, everybody agrees.

ISO 20.000 is a standard, published and all ;-)

So why not assess software products agains ISO 20.000, sort of...if you completely implement this software you're very likely to succesfully pass an ISO 20.000 audit.

Besides...this would generate money for itSMF UK who owns the certification scheme for ISO 20000, although I never understood why this is owend by itSMF instead of for example BSI. Can anyone explain (sorry bit off topic but I'm curious).

I don't think itSMF UK owns it

ISO 20000 certification rights belong to the ISO organization, which has national representatives. These can appoint Registered Certification Bodies. If I recall it right, the itSMF UK scheme separates the role of the consultant and auditor. The RCB is not allowed to do the 2nd party audit. 3rd party audit is the actual certification audit.

Unfortunately this is not so in other countries where RCB's can do both 2nd and 3rd party audits. This at least doubles their business but puts them in an advisory role. It means that they are not any more fully independent when auditing the organization a second time.

ISO 2000 is a standard for IT Service Management system, not software. This would mean that ISO would need to create a software standard. I don't think they would take it so lightly as OGC, ISO standards are not created by one man in the wink of an eye.

Aale, If you look at this


If you look at this page (http://www.isoiec20000certification.com/lookuplist.asp?Type=6) you will see that its itSMF UK thats registers RCB's and grants them permission RCB to perform ISO 20.000 audits. I think it's wierd, but is is a fact.

I think you misread my post about the software accreditation pas. Indeed ISO 20.000 is not about software. I was not suggesting to make a new ISO standard either.

We talked about checking compiance agains a standard and agreed that ITIL is not a standard. ISO 20.000 is. If you look at it from a very very simplistic point of view ISO 20.000 not much more than: thou shalt do what ITIL suggests. If you can give proof of that, and have some sort of quality system, you may acquire the ISO 20.000 certificat.

As there are many software solutions that claim to support the ITIL processes (which we find back in ISO 20.000) it would be very easy to assess whether a software solution supports everything that's needed to comply with the ISO 20.000 standard.

Peter Gerritsen


Ok, it looks like you are right on the UK itSMF role, strange though. I think I was told that the itSMF UK scheme is voluntary.

I do ISO 20000 assesment all the time and I tell my customer what improvements they should do but I suppose that software companies would like to have an certificate. I think that the point in ISO 20000 is that there is a structure and a system for independent certification.


Syndicate content