There are a number of IT standards that aim to assist organizations in the implementation of best practices in the field of IT. For instance, ISO 17799, ITIL and COBIT are well thought out and can help organizations improve — not only in terms of compliance but also in terms of real operational benefits. However, regardless of the standard selected, organizations must actually embrace the spirit of the standards to gain these real benefits.
In the past, many organizations worked on obtaining certification against a standard for marketing purposes, or as a means to pass some contractual or regulatory requirement, as opposed to truly embracing the standard and the requisite continuous improvement.
For example, some organizations went after ISO 9000 certification simply in order to say they were certified. The main goal wasn’t to improve, but simply to be certified and be able to put that on their marketing communications. This skewed outlook caused these groups to miss tremendous opportunities to genuinely improve their organizations. In a similar fashion, organizations that want to improve their IT functions must truly embrace the spirit of the various standards they choose to implement.
Select the Right Standard
First and foremost, organizations must select the standard(s) that best suits their needs. For example, ISO 17799 addresses IT security. ITIL addresses IT operations from a service management perspective and provides a wealth of best practices. COBIT is the most all-encompassing IT governance standard and touches on all areas. All three have positive benefits and there are elements to learn from all three. However, if your focus is solely IT security, you may want to focus on ISO 17799.
Likewise, if you want to address operations and service level issues, start with ITIL. Organizations must take the time to research what best fits their requirements in both the short and long term.
Factors to Consider
There must be forces at work driving you to investigate the IT standards. These pressures and the requirements that follow from them will vary from organization to organization. Take the time to list these factors and assign weights based on need. The result will be a checklist you can use to formally compare the various standards. For example, some of the factors you may want to consider are:
- Your requirements: as mentioned, list what your organization needs. For example, improved operations, improved security, etc. Try to be specific so you can measure progress and justify expenditures.
- Other benefits: moving beyond the list of requirements, what other benefits does this standard bring? Can you quantify/value these benefits? The goal is to identify the total value that the standard can bring to the organization. Include both quantifiable and subjective values.
- Timeframe to implement: how long will it take to attain this standard?
- Internal resources required: internally, who will need to be involved in order to implement this standard? The list of stakeholders may be larger than you think once you research each standard.
- Resources available to assist: what resources exist to help implement? For example, you must consider consultants, Web resources, peer groups, training, books, etc. In general, the broader the set of resources you can draw on, the better off you will be.
- Implementation risks: what are the risks associated with implementing this standard? Think in terms of:
  - Internal risks: things that may happen within the organization.
  - External risks: things that may happen outside of the organization with the market, regulatory bodies, etc.
- Cost to implement: it is important to understand what the total cost of implementation will be. Factor in labor, materials, training, learning curves, etc. This is also why it is important to understand how the standard meets your requirements and what other benefits it brings, so that you get an accurate picture of total value. There will always be costs associated with IT projects and, ideally, they should only be incurred as part of a worthwhile investment.
When you are assembling your plans, think in terms of continuous improvement rather than a one-time event. The old saying that “the only constant is change” is as true as ever. Moreover, best practices typically evolve over time as people learn. As a result, the improvement process must, by definition, be a constant process as well. Standards give a framework to follow but often do not explain every detail. It is up to the implementing organization to take each standard’s tenets to heart, apply them to its own environment and continuously improve.
Rather than adopt standard IT governance methodologies for the sake of marketing or solely to meet regulatory or contractual requirements, organizations need to adopt the spirit of the standards. Only by doing so will they truly accrue the benefits associated with the standards. The value does not end with the initial implementation of the standard; continuous improvement practices must be adopted to keep realizing those benefits. Without a doubt, standards are beneficial and provide guidance to organizations, but it is up to each organization to truly reap the rewards.