Companies required to comply with government mandates and regulations, such as Sarbanes-Oxley and HIPAA can benefit from learning about and implementing the European standards initiative IT Infrastructure Library (ITIL). ITIL defines a coherent set of best practices for IT services management and delivery. It rests on standards originally defined by the British Standards Institution (BS15000) and elaborated through the IT Service Management Forum (
The IT services management principles and practices that ITIL prescribes can help facilitate regulatory compliance. In particular, ITIL practices related to configuration items and a configuration management database (CMDB) can help organizations work toward Sarbanes-Oxley compliance (which requires a complete accounting for IT assets and processes). Working toward the kind of comprehensive IT governance to which ITIL implementation leads helps to lay the groundwork for compliance with any regulation. Also, when used with COBIT, experts cite ITIL as a useful means to meet business challenges.
ITIL training options
ITIL itself offers a large collection of publications and official training, but a considerable aftermarket is also hard at work to provide training, study guides, publications and best practices information. To help organizations make sure that their staff is sufficiently versed in and knowledgeable about ITIL principles, practices and processes, it's possible to earn a whole series of certificates related to this program. These are listed next, but those of most interest to security practitioners are the ITIL Foundation and Practitioner credentials.
- ITIL Foundation: A certificate based on course completion and passing an examination, this credential is designed for individuals who work within IT operations, particularly in the area of IT service management. This credential is also a necessary pre-requisite and stepping stone to Practitioner and Manager Certificates in IT service management.
- ITIL Service Desk Practitioner: A certificate based on course completion and passing an exam, this credential is designed for more senior IT professionals who work within IT service responsible for or involved in a lead role in help desk operations with a strong focus on incident management. Topics covered include planning a service desk, incident management, service desk tools, the role of the incident manager, the incident management process, plus service desk reporting and reviewing. Other Practitioner Certificates are available for problem management, change management, service level management, release management, financial management and configuration management.
- ITIL Service Manager: A certificate aimed at IT professionals who manage service operations and who are responsible for services delivery. Topics covered the full range of service support operations — namely, service desk, incident management, problem management, change management, configuration management and release management. Likewise, service delivery includes service level management (SLM), availability management, IT service continuity management, financial management for IT services and capacity management. This involves two 5-day courses and two separate exams.
- Additional training on ITIL is available that aims at different audiences and doesn't lead to certification. Awareness for managers and awareness for non-IT staff courses aim at the rest of the work force, to teach them basic ITIL philosophy, principles and practices. Executive level training classes seek to educate an organization's leaders along the same lines.
Companies as varied as Knowledge United, IBM Global Services, HP and Fox IT Training all stand ready not just to help organizations get their IT staff trained on ITIL topics, but to help shepherd them through the certification process, and even to build customized in-house training programs where appropriate. Indeed the formal ITIL Qualification Scheme, designed to permit companies and organizations to certify their proper adoption and use of ITIL practices and processes, has become an important benchmark nowadays, in much the same way that ISO 9000 and formal quality assurance processes predominated in the 1990s business landscape.
Given a large number of offerings and learning opportunities, does pursuing ITIL compliance through training or certification makes sense? Yes, it does. Recent studies from the IT Process Institute show that formalizing IT processes and practices within compliance and best practices frameworks can boost productivity and ROI significantly — sometimes by as much as 30-35% — simply by virtue of creating formal structures and measurement mechanisms where none existed before. It's not often that doing what's required by law turns out to be good for businesses and organizations, but those that seize the opportunity to rethink their infrastructure and IT operations while working toward compliance may discover that the paybacks involved amount to something more than a sense of accomplishment, or of doing the right thing.
About the author
Ed Tittel is a freelance writer who specializes in information security, IT certification, and markup lanaguages. He created the Exam Cram series, has contributed to over 130 computer books and writes regularly for numerous TechTarget Web sites. E-mail Ed at firstname.lastname@example.org.
This was first published in September 2006