What ITIL Doesn't Cover

In today’s world ITSM is IT Delivery. There may be other ways of describing how to run a computer system, but ITSM is the best available and the generally accepted approach.

And ITIL is the de facto standard ITSM framework to use. Everything we do in IT Delivery should be framed in terms of the services delivered, and all our activities and behaviors (and spending) derived from that.

There is, however, a mismatch. ITIL does not cover all of IT Delivery.

By “IT Delivery” I’m referring to that half of IT also known as Production or Operations, separated by The Wall from the other half, known as Solutions or Development. (IT Solutions should also be service based, but that is a fight for another day). I’d like to use the term “IT Operations” (and I do), but it is used by ITIL more specifically to refer to the monitor and control functions of IT, the day-to-day, so to avoid confusion we’ll use “IT Delivery”.

The gaps in ITIL’s coverage of IT Delivery are most starkly illuminated by a white paper “COBIT Mapping: Mapping of ITIL V3 With COBIT 4.1”. For those who haven’t met it, COBIT started life as an audit framework for IT and has grown to be something a lot more general and useful. The paper is available for download from www.isaca.org free to ISACA members - others will have to pay. It shows how much more complete COBIT is as a framework (although ITIL has advanced in Version 3), and more rigorous, even if ITIL does have more meat on the bones.

For those of you who don't have a spare twenty-five bucks, the COBIT processes not covered at all by ITIL V3 are:

PO2 Define Information architecture

PO3 Determine Technological direction

PO6 Communicate management aims and direction

PO7 Manage IT human resources

PO10 Manage projects

DS7 Educate and train users

ME2 Monitor and evaluate internal control

ME3 Ensure compliance with external requirements

ME4 Provide IT governance

(The codes are COBIT process identifiers. If you do have the white paper, these assessments come from the diagram on page 19.)

Nothing important in that lot, is there? And the COBIT processes only partially covered by ITIL V3 are: ...

PO1 Define a Strategic IT Plan

PO4 Define the IT Processes, Organisation and Relationships

PO5 Manage the IT Investment

PO8 Manage Quality

PO9 Assess and Manage IT Risks

AI1 Identify Automated Solutions

AI2 Acquire and Maintain Application Software

AI3 Acquire and Maintain Technology Infrastructure

AI4 Enable Operation and Use

AI5 Procure IT Resources

DS2 Manage Third-party Services

DS4 Ensure Continuous Service

DS5 Ensure Systems Security

DS11 Manage Data

DS12 Manage the Physical Environment

DS13 Manage Operations

ITIL only scores a full coverage on 8 out of 34 COBIT processes:

AI6 Manage Changes

AI7 Install and Accredit Solutions and Changes DS

DS1 Define and Manage Service Levels

DS3 Manage Performance and Capacity

DS6 Identify and Allocate Costs

DS8 Manage Service Desk and Incidents

DS9 Manage the Configuration

DS10 Manage Problems

More recently we had another white paper, this time issued jointly by ISACA (owners of COBIT) and OGC (owners of ITIL). This paper, the excitingly titled “Aligning CobiT® 4.1, ITIL® V3 and ISO/IEC 27002 for Business Benefit” is available for public download. It does not map the processes so starkly – it doesn’t give ratings of coverage. But if you wade through the detail of the mappings you can make your own assessment based on what proportion of COBIT controls for which it shows equivalent ITIL coverage. You may conclude as I did that it seems to rate ITIL more highly against two processes (PO1 and DS2) than the original paper did, and seems to make an even lower assessment than the first paper on five others (PO9, AI2, AI7 DS5, DS10), ending up with indicating that ITIL has full coverage for a slightly different 8 of the 34 COBIT processes.