Transition Part 5 – Assessments

Transition Part 5 – Assessments


In Part 3 of this series on Transition, we mentioned readiness assessments, the primary objective of which is to provide information about the effort which will be required to complete the service handoff from the client to the service provider. The readiness assessments focus on such things as the current infrastructure, with an eye to determining the efforts which will be needed to ensure that the plant and its equipment will function effectively and efficiently throughout the life of the outsourcing engagement. In addition to this, the readiness assessments will consider the current cultural attitudes present in the client organization, and which could negatively impact the transition.


Model Assessments

The purpose of assessments is to gain a better understanding of the requirements for transformation planning.

The depth of assessments and their nature depends on the amount of due diligence performed by the service provider.

A major influencing factor will also govern the operational model followed by the service provider. Let us consider some of the more common operational models employed in the marketplace:


ITIL, is an acronym for Information Technology Infrastructure Library, and is a set of detailed best practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. In its current form (known as ITIL V3), ITIL is published as a series of five core volumes, each of which covers a different ITSM lifecycle stage. Those volumes include: (1) Service Strategy, (2) Service Design, (3) Service Transition, (4) Service Operations, and (5) Continual Service Improvement. Although ITIL underpins ISO/IEC 20000 (previously BS 15000), the International Service Management Standard for IT Service Management, there are some differences between the ISO 20000 standard and the ITIL framework.

ISO/IEC 20000

ISO/IEC 20000 is the first international standard for IT service management. It was developed in 2005, by ISO/IEC JTC1/SC7 and revised in 2011. It is based on, and intended to supersede the earlier BS 15000 that was developed by BSI Group.

ISO/IEC 20000, like its BS 15000 predecessor, was originally developed to reflect best practice guidance contained within the ITIL (Information Technology Infrastructure Library) framework.  Although it equally supports other IT service management frameworks and approaches including Microsoft Operations Framework and components of ISACA’s COBIT framework.

The standard was first published in December 2005. In June 2011, the ISO/IEC 20000-1:2005 was updated to ISO/IEC 20000-1:2011. In February 2012, ISO/IEC 20000-2:2005 was updated to ISO/IEC 20000-2:2012.



Capability Maturity Model Integration (CMMI) is a process level improvement training and appraisal program. Administered by the CMMI Institute, a subsidiary of ISACA, it was developed at Carnegie Mellon University (CMU). It is required by many United States Department of Defense (DoD) and U.S. Government contracts, especially in software development. CMU claims CMMI can be used to guide process improvement across a project, division, or an entire organization. CMMI defines the following maturity levels for processes: (1) Initial, (2) Managed, (3) Defined, (4) Quantitatively Managed, and (5) Optimizing. Version 1.3 was published in 2010. CMMI is registered in the U.S. Patent and Trademark Office by CMU.

CMMI addresses three areas of interest:

  • Product and service development — CMMI for Development (CMMI-DEV),
  • Service establishment, management, — CMMI for Services (CMMI-SVC), and
  • Product and service acquisition — CMMI for Acquisition (CMMI-ACQ).

CMMI was developed by a group from industry, government, and the Software Engineering Institute (SEI) at CMU. CMMI models provide guidance for developing or improving processes that meet the business goals of an organization. A CMMI model may also be used as a framework for appraising the process maturity of the organization. By January 2013, the entire CMMI product suite was transferred from the SEI to the CMMI Institute, a newly created organization at Carnegie Mellon.

CMMI originated in software engineering but has been highly generalized over the years to embrace other areas of interest, such as the development of hardware products, the delivery of all kinds of services, and the acquisition of products and services. The word “software” does not appear in definitions of CMMI. This generalization of improvement concepts makes CMMI more abstract.



ISO/IEC 27001:2013 is an information security standard that was published in September 2013. It supersedes ISO/IEC 27001:2005, and is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. It is a specification for an information security management system (ISMS). Organizations that meet the standard may be certified compliant by an independent and accredited certification body on successful completion of a formal compliance audit.

The official title of the standard is: “Information technology — Security techniques — Information security management systems — Requirements”

ISO/IEC 27001:2013 has ten short clauses, plus a long annex, which cover:

1)     Scope of the standard

2)     How the document is referenced

3)     Reuse of the terms and definitions in ISO/IEC 27000

4)     Organizational context and stakeholders

5)     Information security leadership and high-level support for policy

6)     Planning an information security management system; risk assessment; risk treatment

7)     Supporting an information security management system

8)     Making an information security management system operational

9)     Reviewing the system’s performance

10)  Corrective action


COBIT (Control Objectives for Information and Related Technologies) is a good-practice framework created by international professional association ISACA for information technology (IT) management and IT governance. COBIT provides an implementable “set of controls over information technology and organizes them around a logical framework of IT-related processes and enablers.”

COBIT was initially “Control Objectives for Information and Related Technologies,” though before the release of the framework people talked of “CobiT” as “Control Objectives for IT” or “Control Objectives for Information and Related Technology.” The framework defines a set of generic processes for the management of IT, with each process defined together with process inputs and outputs, key process-activities, process objectives, performance measures and an elementary maturity model. COBIT also provides a set of recommended best practices for governance and control process of information systems and technology with the essence of aligning IT with business. COBIT 5 consolidates COBIT 4.1, Val IT and Risk IT into a single framework acting as an enterprise framework aligned and interoperable with other frameworks and standards.



Many of these models have formal assessments, so practitioners are familiar with both the methods of assessment and the required depth and breadth. Specifically, the ISO/IEC models, as well as CMMI and Cobit provide detailed guidance about requirements of the standards. In any case, service providers will perform their assessment to help with planning Transformation activities.

Since all of these models are variations of process improvement, there are common elements among them. The primary differences hinge on the nature of the processes being addressed. For example, ISO/IEC 2701 focuses on the protection of data, so special attention is given to the security processes dealing with information protection. COBIT, on the other hand has a focus on financial governance, so it pays special attention to the controls surrounding various processes.


Leave a Reply

Your email address will not be published. Required fields are marked *