IT Leadership Pyramid: Service Management
Heightened security concerns, increasingly complex regulations, and the need to meet a wide range of initiatives in areas such as quality control, systems maturity, and governance have led to a proliferation of regulations, standards and frameworks with which organizations must comply. Certain frameworks have become popular for particular regulations or mandates. CobiT (with COSO in the US) and/or ITIL have emerged as a popular solution in many parts of the world, and ISO 27002 has been popular among many organizations.
As frameworks have become integrated with standards, they have increasingly come into range of other initiatives: quality initiatives such as ISO 9000 and Six Sigma, and governance certifications such as CMMI. These overlapping areas of practice have created huge overlaps among existing models, making compliance increasingly difficult and auditing all but impossible.
Experton Group believes IT executives need to establish a unified strategy for handling the ever-expanding body of standards, regulations, frameworks and controls. This strategy must include a comprehensive mapping of these elements as they relate to the enterprise, and enable automation of compliance. While there are a number of frameworks to choose from, a study should be conducted to determine which one is most closely aligned with your enterprise’s objectives.
Bringing together the major service management models and frameworks and aligning them can be a difficult task, but it is essential to meeting today’s requirements for unified Governance, Risk and Compliance (GRC). Standards and regulations continue to evolve, stretching into every corner of the enterprise, and the need to satisfy auditing, quality, and security improvement initiatives has emphasized the use of frameworks as a unifying standard. Integrating these elements can become extremely complex, especially as each of them continues to change. Although there are many commonalities, it is becoming clear that a centralized solution is imperative, and this makes it necessary to achieve a comprehensive mapping between standards, frameworks and controls. This mapping must be kept continuously up to date and requires continuous review to ensure that objectives are being achieved.
Current solutions are beginning to evolve, including a number of public approaches and independent mappings produced by vendors in the GRC area. These solutions offer the beginnings of a universal vision of enterprise service and risk management that integrates the growing body of regulations as well as financial and IT risk within an organization.