1. Continual Service Improvement Process
General Understanding

2. Knowledge Sources ISO/IEC 20000:2011 ITIL® COBIT 5
Section 4.5 Establish and Improve SMS.
ITIL®
Continual Service Improvement.
COBIT 5
Manage Quality
Monitor, Evaluate and Assess Performance and Conformance.
Monitor, Evaluate and Assess the System of Internal Controls.
Monitor, Evaluate and Assess Compliance with External Requirements.
This presentation provides an overview of continual improvement in IT and is based on knowledge introduced in the leading approaches and standards in IT Service Management. The primary processes and sections of these approaches are listed here with a caution – each approach encourages improvement as a cultural endeavor, not just a procedural one. In this context, these sections and processes provide a foundation for effectively identifying, tracking, and managing improvements within the service environment.
ITIL® is a registered trademark of AXELOS Limited.

3. Continual Improvement – PDCA Cycle
Plan Do
Continual improvement is a part of every process. Most improvement systems are based on the Deming Cycle of Continual Improvement (Plan, Do, Check, Act), including ITIL and COBIT.
The PDCA cycle is a structural requirement of quality management systems certified as ISO 9000 systems and this requirement is leveraged as part of the ISO/IEC standard for IT Service Management.
In this context, implementing ITSM is an ongoing activity, where you improve quality through incremental steps.
Section 4.5 of the ISO/IEC standard identifies the following scope for each step:
Plan - Plan the SMS.
Do - Implement and operate the SMS.
Check - Monitor and review the SMS.
Act - Maintain and improve the SMS.
It is important to realize that even though only the fourth term explicitly uses the word “improve,” a successful improvement program requires that all four steps of the cycle are required.
ISO/IEC also makes a critical distinction between the management infrastructure for delivering services (service management system) and the services themselves. In truth, continual improvement efforts should be applied to both.
Some of the items that occur during each of the 4 phases:
Plan:
Scope, requirements, objectives, Roles, and Responsibilities.
Do:
Funds, Policies, reports, managing, changing.
Check:
Monitor against plans, survey, report.
Act:
Policy on improvement, assess, implement.
Act
Check
Quality Assurance
Improvement

4. 7 Steps to Service Improvement
Identify
Vision
Strategy
• Tactical Goals
• Operational Goals
1. Define what you
should measure
7. Implement
corrective action
6. Present and use the
information, assessment
summary, action plans, etc.
2. Define what you
can measure
3. Gather the data
Who? How? When?
Integrity of data?
4. Process the data
Frequency? Format?
System? Accuracy?
5. Analyze the data
Relations? Trends?
According to plan?
Targets met?
Corrective action?
Goals
The Deming Cycle is transformed into more detailed steps and actions in ITIL’s Continual Service Improvement Process. Like the Deming Cycle, these steps need to be taken in sequential order.
The comparison between PDCA and the 7-step process are:
Plan
Define what you should measure.
Define what you can measure. Do
Gather data.
Process data.
Check
Analyze data.
Present and use results.
Act
Implement improvements.
Continuous improvement is not performed in isolation from the other aspects of ITSM: it still must be aligned with the vision, strategies, goals, and objectives of the service environment.
© Crown Copyright 2013 Reproduced under licence from AXELOS

5. COBIT Processes
Provides the governance and management structures to manage and improve:
Quality.
Performance.
Control.
Compliance.
The COBIT processes provide a framework for governance and management of IT and does not provide an explicit process for continuous improvement. The four processes strongly leveraged in this overview do have outputs relevant to any continuous improvement agenda, such as “maintain continuous improvement,” “ensure the implementation of corrective actions,” “execute assurance initiatives,” and “obtain assessment of external compliance.”
The ideas and concepts of these processes will be used to support the developing continuous improvement process.

6. Continual Service Improvement
Plan

7. Planning for Improvements
ISO/IEC 20000: Plan – scope and service management plan. ITIL: Define what should be measured (strategy). Define what will be measured (measurement framework). COBIT: Establish a quality management system. Define and management quality standards, practices, and procedures. Establish a monitoring approach. Set performance and control targets. Identify compliance requirements. Optimize responses to compliance.

8. Step 1 – Defining Strategy
Defining what should be measured:
Corporate Strategy.
IT Strategy.
Improvement Strategy.
Strategy is an opportunity to map out how to proceed forward. While both corporate and IT strategies may have explicit expectations on continuous improvement, the scope of those strategies may be to broad to go into much detail. In many cases, these strategies will enforce the commitment to continuous improvement and identify the roles pertinent to subsequent efforts in continuous improvement. In truth, most decisions regarding continuous improvement will probably be done through some governance body, such as an IT Steering Committee.
ITIL provides a good model for continuous improvement to be used by the governing body and other levels of the service organization.

9. The Continual Service Improvement Model
Items to consider:
Vision aligns with business and IT strategies
Obtain an accurate baseline assessment.
Understand and agree upon the priorities for improvement.
Verify that measurements and metrics are in place.
Momentum for quality improvement is maintained by assuring Changes are embedded in the organization.
What is the vision?
Where do we
want to be?
How do we get
there?
Did we get
Where are
we now?
How do we keep the momentum going?
Service &
process
improvement
Measurable
targets
Baseline
assessments
Measurements &
metrics
Business vision,
mission, goals,
and objectives
This links in with the 7-step improvement process, also conducted within CSI.
It emphasizes the fact that there are many opportunities for CSI. The model illustrates a constant cycle for improvement.
Additional info for Items to consider list:
Embrace the vision by understanding the high level business objectives.
Access the current situation to obtain an accurate and unbiased snapshot of where the organization right now. This baseline assessment is an analysis of the current position in terms of the business, organization, people, process and technology.
Based on a deeper development of the principles defined in the vision. The full vision can be years away but this step provides specific goals and a manageable timeframe.
Detail the CSI plan to achieve higher quality service provision by implementing ITSM processes.
Verify that measurements and metrics are in place to ensure that milestones were achieved, process compliance is high, and business objectives and priorities were met by the level of service.
Finally, the processes should ensure that the momentum for quality improvement is maintained by assuring that changes become embedded in the organization.
© Crown Copyright 2013 Reproduced under licence from AXELOS

10. The Continual Service Improvement Model
What is the vision?
Where do we want
to be?
How do we get
there?
Did we get there?
Where are we now?
How do we keep
the momentum going?
Service & process
improvement
Measurable
targets
Baseline
assessments
Measurements &
metrics
Business vision,
mission, goals, and
objectives
The Continual Service Improvement Model summarizes the constant cycle for improvement. The questions require close interactions with all the other ITIL processes in order to achieve Continual Service Improvement.
Relationships within the Service Lifecycle:
What is the Vision? Service Strategy, Service Portfolio.
Where are we now? Baselines taken using Service Portfolios, Service Level Management, Financial Management for IT etc.
Where do we want to be? Service Portfolio, Service Measurement and Reporting.
How do we get there? CSI and all service management processes!
Did we get there? Service Measurement and Reporting.
How do we keep the momentum going? Continual Service Improvement.
Continuous improvement does not occur in isolation to the other activities within the service environment and will, in fact, leverage these other activities within reason.
© Crown Copyright 2013 Reproduced under licence from AXELOS

11. Scope Why scope? To provide the greatest value to the customer.
To prioritize appropriately.
To manage budgets and resources effectively.
To minimize risk.
ISO/IEC focuses on the establishment and improvement of the service management system and a critical aspect of this system is defining its scope. While scoping activities in this context are intended to support certification efforts, the concept is advantageous to continual improvement.
The basic premise of scoping is the existence of some line of demarcation: in continuous improvement, some efforts may fall outside the line and some within the line. There may even be several lines of demarcation based on impact, risk, and service value. If everything can be improved, then scope provides the organization the ability to prioritize improvements.
One factor in determining scope may be financial. Some companies may provide different departments or lines of business a budget to perform internal improvements while maintaining a corporate budget for performing enterprise-wide improvements. Other companies may allow improvements to be made without a specific budget in place for that purpose: funds are diverted from those areas being improved. Scoping allows a structure for determining how funding occurs, as well as approvals for improvement projects.

12. Service Management Plan
A service management plan will include information on:
Objectives.
Service requirements.
Policies, standards, and external requirements.
Roles, responsibilities, and authorities.
Resource allocations (human, technical, information, and financial).
Stakeholders and suppliers.
Process and system interfaces.
Risk acceptance and management.
Approved technologies.
Measurements and reporting.
The service management plan is an IT strategy document define how the service provider will create a service management system and processes for delivering value to customer.
In ITIL, the service management plan is the culmination of efforts from:
Strategy Management for IT Services.
Service Portfolio Management.
Financial management for IT services.
Demand Management.
Business Relationship Management.
The expectation is that all subsequent plans, policies, processes, and decisions will be aligned with the service management plan.

13. Quality Management Systems
Benefits to Continuous Improvement:
Performance advantage through improved organizational capabilities.
Alignment of improvement activities to organization’s strategic intent.
Flexibility to react quickly to opportunities.
Employing a consistent approach to continual improvement.
Providing people with training .
Making continual improvement an objective for every person in the organization.
Establishing goals and measures in continual improvement.
Recognizing and acknowledging improvements.
Source: Quality Management Principles (ISO)
Source is Presentation on Quality Management Principles found at
Quality Management Systems are inherently approaches to continual improvement. ISO 9000 is the leading international standard for quality management systems and all ITSM approaches will encourage compliance and leverage this standard.
The establishment of a quality management system is dependent on:
Creating quality requirements.
Defining roles, responsibilities, and authorities.
Established monitoring systems and measurements.
Alignment with business, customer, and IT objectives.
Established training programs in quality management.
Monitoring the effectiveness of achievements in quality.

14. Approaches to Monitoring
Identify stakeholders.
Define requirements on monitoring and reporting.
Maintain alignment with current business, customer, and IT objectives.
Create agreement around goals, metrics, taxonomy, and retention periods.
Create agreement around change control.
Allocate resources to monitoring and reporting.
Assess effectiveness of approach.
While not exclusively for continuous improvement, monitoring can provide data used in analyzing and identifying opportunities for improvements. Having an effective monitoring infrastructure in place is an essential component for continual improvement.
The basic steps of establishing a monitoring approach are:
Identify the stakeholders – these are the people who may be customers of the services or the service delivery personnel themselves. Any information obtained though monitoring will eventually be delivered to the stakeholders.
Define requirements – not every stakeholder needs the same data and providing all the same data to every stakeholder may be cumbersome and overwhelming. This step provides an opportunity to explicitly define what teach stakeholder requires from monitoring and reporting.
Maintain alignment – monitoring should be performed based on the objectives and priorities of the business, customer, and IT strategies. If the service provider is unable to sufficiently monitor because it is outside the strategic scope or technical ability of the organization, there is no reason to continue forward.
Create goals, metrics, taxonomies, and retention standards – this step provides the service provider the ability to define, classify, and maintain relationships between requirements, objectives, and current organization capabilities.
Create change control – as changes occur in the environment, they can impact how monitoring is performed or what can be monitored. Understanding and controlling changes appropriately is critical for maintaining an effective infrastructure for monitoring.
Allocate resources – human, technical, and financial resources are a necessary component of any effort. Resource management ensures the appropriate mix of resources to ensure effective monitoring.
Assess effectiveness – the monitoring approach should be evaluated periodically to determine any deficiencies or opportunities for improvement.

15. Identifying compliance requirements
Legislation
Regulations
Standards
Architectures
Policies
In addition to the service requirements set forth and agreed by the customer, a service provider may be subjected to additional requirements. These requirements are typically external to the organization and the customer, but may also be policies derived from strategic decisions.
In most circumstances, the service provider must demonstrate their compliance to these external requirements through evidence, reports, and audits. Any nonconformance, even partial, with an external requirement is a potential opportunity for improvement.

16. CSI – Implementation Issues
Identify and fill critical roles and responsibilities, e.g.
CSI Manager, Service Owner, SLM and reporting analyst.
Governance.
CSI and Organizational Change.
Communication and Strategy planning.

17. CSI - value to the business
For CSI to be successful, it must provide improvement opportunities throughout the entire service lifecycle.
There is much greater value to the business when service improvement takes a holistic approach throughout the entire lifecycle.
Improvements
Benefits
Return on Investment
Value of Investment
Four commonly used terms when discussing service improvement outcomes:
Improvements – outcomes that when measured against the baseline, show a measurable increase as a desirable metric.
Benefits – Gains achieved through realization of improvements, usually but not always in monetary terms.
ROI: Return on investment – Difference between the benefit (saving) achieved and the amount expended to achieve that benefit, expressed as percentage. Logically we would like to spend a little to save a lot.
VOI: Value on investment – Extra value created by establishment of benefits that include non-monetary or long term outcomes. ROI is a subcomponent of VOI.

18. CSI and the Service Lifecycle
Service and Process Improvements, Guidance for Investments into IT and refreshed Service Portfolios
Service Strategy
Service and Process Improvements, guidance for KPIs, metrics and reporting, refined SLRs, SLAs, OLAs, & UCs.
Service Design
Continual Service Improvement
Request for Changes, Service and Process Improvements, guidance and refinements for testing & validation.
Service Transition
Service Operation
Process and Function organization improvements, refined SLAs & OLAs, guidance for metrics and reporting

19. Step 2 – Define Measurement Framework
Defining what to measure Creating relationships between objectives, critical success factors, key performance indicators, and metrics Identifying methods of reporting communicating service levels, customer satisfaction, business impact, supplier performance, and market performance

20. Governance Governance has been around the IT arena for decades.
IT is forced to comply with sweeping legislation and an
ever increasing number of external regulations.
IT organizations must operate under full transparency.

21. IT Governance “IT governance is the responsibility of the board of
directors and executive management.
It is an integral part of enterprise governance and
consists of the leadership, organizational structures
and processes that ensure that the organization’s IT
sustains and extends the organization’s strategies
and objectives."
Source: Board briefing on IT Governance, 2nd Edition, 2003,
IT Governance Institute – ITGI.
On one hand, IT must now comply with new rules and legislation and continually demonstrate their compliance through successful independent audits by external organizations. On the other hand, IT is increasingly being called upon to do more with less and create additional value while maximizing the use of existing resources. These increasing pressures dovetail perfectly with the basic premise of ITIL: IT is a service business. Existing internal IT organizations must transform themselves into effective and efficient IT service providers or they will cease to be relevant to the business and, soon after, cease to exist. This continual and unceasing drive toward greater business value with greater internal efficiency is at the heart of the ITIL Continual Service Improvement Lifecycle phase.

22. Defining Service Levels
Service Levels are a means of defining and measuring the behavior of service components within the context of providing value to the customer.
Let consider our restaurant analogy and locate potential service levels. Here are several potential services with proposed behaviors for the service:
Food which is fresh, cooked, and warm: suggested behavior to be measured – the time passed between ordering and receiving food.
Substantial liquids: suggested behavior – the time passed when glasses are emptied.
Attentive, but courteous, host: suggested behavior – the number of visits by restaurant staff and the average time of each visit.
Each of the suggested behaviors to watch for can be considered service levels, and for most patrons, may be key determines for calculating a reasonable tip after the meal.
In IT service management, a service may be focused on the delivery of a network-based application with a shared database for information. Some key expectations on the behavior of the application as a service may focus on the availability of the application, the accessibility to the data, or the ability of the application to support concurrent operations from multiple persons. Service levels are often expressed in terms of time, volume, or conditions.
The same service delivered by different services providers or to different customers may have different levels of services: in the same way different restaurants provide different service (even if in the same chain) or the number of people in the party may influence the level of service (serving 20 people compared to 2 people requires more resources to provide the same level of service). Therefore, service levels identify where the service is measured; whereas service targets will define the minimum expectations for the services within the context of service levels.
Copyright: The Art of Service 2008

23. Defining Service Target
Service Targets represent the required level of service needed to deliver value to the customer.
For each customer and representing each service level, a target must be negotiated and agreed upon. Sometimes these targets are universal to all services; other times these targets are dependent on the importance of the service and costs for providing the service, and what the service provider can reasonably provide.
Availability is the most commonly known service level and represents the measured time the service is available for use by the customer compared to the measured time the customer needs the service. For instance, how much an application is available for the customer when they need it. The business practices often define when the customer needs the service. If they work only business hours 8am-5pm M-F, the service must be available during these time and can be “shut down” or not measured outside these times. If the business operates 7-24, the customer needs the service 100% of the time. Unfortunately, maintenance checks and planned updates, as well as cost of maintaining a high demand, will often make achieving 100% availability impractical; therefore, a reasonable target must be identified.
An availability target is calculated by determining how many hours the service is available without disruption during a period of time.
For a 7-24 calculation, the total number of hours is 168. If the target was 100%, the service would be available for 168 hours without disruption. Here is a breakdown of the most commonly seen availability targets:
99.98% hours
99.9% hours
99.5% hours
99.0% hours
98.0% hours
95.0% Hours
The availability target is commonly expressed as a percentage and the difference between the target and 100% available allows for planned and unplanned disruptions in the service: though the smaller the gap, the more the service provider must prevent unplanned disruptions to allow for planned maintenance. A 99.98% target allows for a disruption lasting one and a half minutes – just enough time for a single undisturbed reboot of a system.
Copyright: The Art of Service 2008

24. Quality Management What is quality? A measure of excellence.
A comparison between similar objects.
A fulfillment of requirements.
etc.
Quality is a concept with many meanings to many people. In truth, almost any definition of quality is valid; however, for purposes of ITSM, the definition must allow quality to be measured. For this reason, quality is best prescribed to services which meet the requirements they are expected to fulfill. Often, there are levels of quality to be obtained. For instance, a service may be effective in meeting requirements but is inefficient and expensive. Two similar services may meet requirements, but do not provide equal value to the business. Some may argue that its not enough to achieve the desired service levels and targets, but to manage how that achievement is obtained.
Quality management is an approach for determining what quality is, how it should be measured, and ensuring that quality targets are achieved across the environment. Quality management is a function of several processes, including:
Business Relationship Management.
Service Level Management.
Supplier Management.
Incident and Service Request Management.
Change Management.

25. Process Management The activities of process management include:
Process definition.
Defining roles, responsibilities, and authorities.
Evaluating performance.
Identifying opportunities for improvement.
Like quality management, process management is pervasive across the entire organization. Some people may argue that the two are the similar and though the methods may be similar in purpose and function, it is sometimes reasonable to keep their intents separate. The reason for this distinction is quality can often be seen as focusing on the output of the process, while process management will look at the entire end-to-end process. In ITSM, quality can be attributed to the services while process management relates to the service management processes underlying the services.
The responsibilities of process management will fall on the conveniently named role of process manager, a role introduced by ITIL who has administrative and management authority over what the process offers and “how to” of the services provided.

26. Continual Service ImprovementDo

27. Implementing and Operating CSI
ISO/IEC 20000: Do – service management system. ITIL: Gather Data. Process Data. COBIT: Monitoring, control and review of performance. Performance and conformance data. Monitor internal controls. Self-Assessments. Confirm compliance.
The full extent of the DO step in continual improvement is maintaining the operational state of the IT infrastructure and gathering the data generated by operations to process and compare against prioritized targets. This is in essence the function of the service management system, which manages the activities related to:
Allocation and management of funds.
Assignment of roles, responsibilities, and authorities based on defined processes.
Resource management for human, technical and information assets.
Risk identification, assessment and management.
Process management of service management processes.
Performance monitoring and reporting.

28. Step 3 – Data Collection
Quality Performance Internal Control Compliance
Technology
Service
Process
The primary purpose of monitoring is to gather data about the operating environment. While some of this data may be used to trigger immediate actions, all the collected data has the potential for identify opportunities of improvement.
In ITSM, the potential candidates for monitoring are the technologies used in the environment, including component-level configuration items, the service management processes, and the services delivered to the customer. Some measures may be appropriate in all three areas: for instance, measuring the uptime of an individual application server may provide insight into the effectiveness of the availability management process or be aggregated with other components to generate an availability SLA for a service.
The data collected should serve to understand and demonstrate quality, performance, internal control, and compliance

29. Procedure for Data Collection
Define activity requirements
Define frequency
Define tool requirements
Develop and communicate plan
Update availability and capacity plans
Begin monitoring and data collection
ITIL provides a simple procedure for data collection which starts with defining the requirements for monitoring and data collection. These requirements will come from the customer, usually through negotiation of the service level agreement. Every service target should have at least one metric attributed to it. Other sources for requirement swill be derived from business objectives, critical success factors, and key performance indicators, as well as from external requirements for compliance.
Another important, but often overlooked, requirement is the frequency for monitoring and data collection. The more critical a service is to the customer, the greater the frequency in monitoring and collecting data – usually at a hourly rate or less. But most data sets need only to be dealt with on a daily basis, if not longer. This requirement is important to consider because the more data being collected, the more resources required to perform the collection and store the data: in addition, analysis must be done over larger data sets. A correlated requirement is data retention: how long the data should be actively maintained, archived, or destroyed.
Knowing what to monitor and collect needs to be supported by implementing the appropriate set of tools, most of which will provide some level of automation to the entire process. Since a single tool will rarely meet all the requirements for monitoring and data collection, it is important to understand and map specific requirements to each tool and even promote a program to unify and connect different tools.
With the knowledge of monitoring, collection, frequency, and tool requirements, the organization can begin the planning to develop a comprehensive monitoring program. Once the plan is in place and approved, it should be communicated. While representatives from different service management process may be included in the planning, the decisions made may still have an significant impact on current plans regarding each process, especially availability and capacity plans. As part of the implementation of the monitoring program, these process-specific plans should be updated.
Once everything is defined, documented, and aligned, monitoring and data collection activities may proceed.

30. Performance Monitoring
Capability assessment.
Investment performance reports.
Service level reports and service reviews.
Supplier reports and reviews.
Project performance reviews.
Availability, performance, and capacity monitoring.
Incident and problem reports.
Service request and change reports.
The sources of data for performance monitoring are plentiful and can run the gambit of concerns across ITSM. The intention of performance monitoring is to gather data appropriate to the service objectives and targets the organization has obligations. As part of continual improvements, the data may be frequently assessed to determine the efficiency in collecting the data, the usefulness and meaning of the data, and the integrity, or accuracy and completeness, of the data. Changes to the plan may be made if any of these considerations are lacking.

31. Internal Controls What is an Internal Control?
“A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achieving of objectives to operations, reporting, and compliance.”
From COSO Internal Control – Integrated Framework Executive Summary
The explanation to the functions of service monitoring and control can be summarized into a few distinct goals (as defined by COBIT5):
IT Compliance and support for business compliance with external laws and regulations.
Managing IT-related business risks.
Delivery of IT services in line with business requirements.
Optimization of IT assets, resources and capabilities.
IT compliance with internal policies.
But so far, we have only discussed the purpose of service monitoring and control; not the structure for how that purpose is achieved. This requires the introduction of internal controls. The definition (defined in this slide) is taken from the COSO Internal Control Framework and describes a process-based solution which is designed to ensure the achievement of any number of objectives.

32. COSO Internal Controls Framework
The framework consists of:
Three objective categories
Operations
Reporting
Compliance
Five components
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring Activities
17 principles
The Internal Controls Framework designed by COSO does not define the specific objectives for an organization: these are defined by the organization itself. They do, however, define three categories which business and IT objectives would fall. They are:
Operations – objectives related to effectiveness and efficiency of service operations, including performance, availability, and security.
Reporting – objectives related to internal and external reporting of service delivery, usually prescribed by statutory, regulatory, and contractual requirements.
Compliance – objectives related to adherence to laws, regulations, and other specifications which the organization is subject.
In short, internal controls support requirements related to doing business, communication, and compliance.
The internal control framework supports objectives defined across multiple levels of organization as will as across each of the components of the framework.
The COSO Framework consists of five components designed to work together to ensure the achievement of objectives.
Control Environment – consists of the standards, processes, and systems used to provide internal control across the organization
Risk Assessment – a process for identifying and assessing potential events that can negatively (or positively) impact the achievement of objectives.
Control Activities – policy and procedure-based activities established to ensure risks are mitigated and objectives are achieved.
Information and communication - the continual, iterative process for obtaining, sharing, and providing information across the enterprise and support decision making.
Monitoring Activities – ensures the internal control framework and managed controls are present and functioning.
Let’s put a practical spin on these components. Consider the need in Information Security Management for anti-viral protection. The control environment would consist of the chosen anti-virus application(s) used to provide the protection. Risk assessments are applied to the potential threats to the operating environment. Based on the results of the risk assessments, updates to the application, its deployment and use need to be made to ensure better protection. Collaborative efforts to define, develop, approve, and deploy these updates require information and communication throughout the organization. Once applied, monitoring activities ensure that the updates are in place, current, and will report when the potential threat becomes a reality and the effectiveness of the applied control.
This example focused on the operational aspect of anti-viral protection in meeting information security objectives. Reporting objectives may require simple controls to communicate how many times a day the organization’s network has a potential threat occur and the effectiveness of any preventive or corrective controls. Many laws and regulations have requirements placed on the effectiveness of protecting networks and data; so compliance to these requirements must be controlled, monitored, and reported.
Continual improvement may be applied to how the organization performs within each category, component, or principle at different levels of the organization.

33. Capability Assessments
A capability assessment compares the performance of a process
against a performance standard. This can be an agreement in a SLA,
maturity standard, or an average compared to companies in the same
industry (known as a benchmark).
An assessment for ISO/IEC is a capability assessment; it shows whether or not the requirements of ISO/IEC are being met.
It is crucial to define clearly what is being assessed. This should be based on the goals and on the expected use of the reports. An assessment can take place on 3 different levels:
Process Only - only assess process components from the process description.
People, process and technology -People, process and technology – also assess skills, roles and talents of managers and staff who participate in the process and the process-supporting technology.
Complete - also assess the ability and level of preparation for process acceptance, and the possibility of formulating and following a process strategy and goals. 33 33 33 33

34. Purpose of Internal & External Audits
An independent evaluation is needed to assess the performance,
and is also required by customers and third parties.
The results can be used to update the agreed measures in
consultation with the customers, and also for their implementation.
There are three forms of evaluation:
Self-assessment.
Internal Audit.
External Audit.
Self-assessment – primarily implemented by the line organization of the process
Internal Audit – undertaken by internal IT auditors
External Audit – undertaken by external IT auditors.
Unlike self-assessments, the same personnel that act in the other sub-processes do not undertake audits. This is to ensure that the responsibilities are separated. An internal audit department may undertake audits.
The ISO Standard, Part 1 says "the selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work." 34 34 34 34

35. Types of Audit
Audit findings are used to assess the effectiveness of the quality
management system and to identify opportunities for improvement.
There are three main types of audit:
First-Party Audit
Second-Party Audit
Third-Party Audit
First-Party Audit – conducted by, or on behalf of, the organization itself for internal purposes and can form the basis for an organization’s self-declaration of conformity.
Second-Party Audit – conducted by customers of the organization or by other persons on behalf of the customer.
Third-Party Audit – conducted by external independent organizations. Such organizations, usually accredited, provide certification or registration of conformity, with requirements such as those of ISO 9000. 35 35 35 35

36. Step 4 – Data Processing
Define activity requirements
Define frequency
Define tool requirements
Develop process data procedures
Develop and communicate plan
Update availability and capacity plans
Begin processing
Group logically
Evaluate
The procedure for processing data is similar to the gather data procedure starting with determining the requirements for the requisite activities, frequency, and tools. These requirements should be aligned with those of gathering data. A plan for processing data should be created and communicated, and subsequent plans for individual service management processes. However, one additional step exists: develop process data procedures. Imagine that data collection is like cleaning out the garage for a yard sale. A decision is made whether each item should be available for the sale: this is data collection. However, each item will probably have a different cost associated with it, or like items will be displayed logically with other like items. How the yard sale is managed is similar to data processing. Because of the work involved it would be reasonable to have a plan for cleaning out the garage and a separate plan for the yard sale.
Different procedures for handling the items within the yard sale may be advantageous. Handling a transaction with music CDs will be different than handling a similar transaction with a large dining room set sitting eight, especially if the buyer does not have a truck large enough. In ITSM, the complexity of data processing can be significant: evolved methods in data warehousing and data mining have focused on these areas for decades.

37. Continual Service Improvement
Check

38. Monitor and Review
ISO/IEC 20000: Check – internal audits and management reviews. ITIL: Analyze Data. Present and Use Data. COBIT: Analyze and report performance. Identify and report control deficiencies. Obtain compliance assessment.
The monitoring, collection, and processing activities will continue into the third phase of continual improvement – Check. This is where the data is analyzed and reported upon, but also serves as an opportunity to evaluate the effectiveness of the completed processes.

39. Step 5 – Analyze Data Review the data collected.
Current process results
Statistical measurements
Descriptive Analysis
Variation Analysis
Root Cause Analysis
Can we learn anything from a SWOT analysis?
Once the data are available, it is necessary to analyze this data.
There are many statistical measurements available. Six Sigma is a method of quality control which provides significant focus on data analysis, including:
Descriptive analysis – analyzes how the data can be distributed; for instance, how many incidents were recorded across several categories or locations.
Variation analysis – analyzes the variation found in the data; for instance, the utilization of capacity compared against the demand for that capacity.
Root cause analysis – analyzes and determines actions for "problems" found within and with the data.
Various methods and techniques are available for data analysis, including:
Hypothesis – allows you to make comparisons between groups of data.
Chi-Square – compare two or more group proportions.
ANOVA – uses variances to compare multiple averages.
Regression analysis – a way to graph relationships between data sets.
Correlation Coefficients – a simple numeric measurement that shows how strongly one data set is reflected in another data set.
SWOT is a useful tool. Not covered in detail here, but it’s a review of Strengths, Weaknesses, Opportunities, and Threats

40. Step 6 – Presenting Data
Objective: To produce agreed, timely, reliable, and accurate reports for informed decision making and effective communication
ISO/IEC enforces the importance of reporting by isolating it as one of its primary service management processes: ITIL and COBIT do not diminish its importance but incorporates reporting as part of every process they define.
Reports can be categorized as service and management reports. Service reports will provide data pertinent to the individual services in relation to the service level agreements and targets for those services. Management reports are more administrative in nature and will focus on the underlying capabilities necessary to delivery those services.
Every report must be clearly defined. A clear description of each service report is required including:
Identity.
Purpose.
Audience.
Frequency.
Details of the data source.
The success of all Service Management processes is dependant on the use of the information provided in service reports. It is important that service reports are sufficiently accurate to be used as a decision support tool among all processes.

41. Management Reviews
Top Management must regularly review the service management system and services.
The purpose of the review is to determine continued suitability and effectiveness of the targeted area.
The review may include:
Assessment of improvement opportunities.
Assessment of SMS changes, including strategic and policy changes.
The inputs to management reviews must include at least:
Customer feedback.
Service performance and conformity.
Process performance and conformity.
Current and predicted resources levels in all areas (human, technical, information, and financial).
Current and predicted human and technical capabilities.
Risks.
Audit results and follow-up actions.
Previous management review results and follow-up actions.
Status of corrective and preventive actions.
Changes expected to impact SM or services.
Opportunities for improvement.
Records of these management reviews must be maintained and include decisions and actions resulting from these reviews.

42. Service Reviews
Service and Service Level Agreements are reviewed with customer at planned intervals
Service reviews give service providers and customers an opportunity to evaluate the performance of the service and the effectiveness of the service provider in meting the requirements defined in the service level agreements.
The service reviews are planned; that is, they must consider intent, criticality, timing, and frequency. A typically service review may occur every month; however, this is just a rule of thumb to consider. If a service is critical, unstable, or subject to lots of changes, the frequency may be more often. New services or services with new releases may have more frequent reviews than more established services. IF a service supports a critical business process, the frequency of the service review more increase.
Conducting service reviews requires a commitment from several people within the service provider and customer organizations, a commitment which could take them away from other duties; therefore, it is necessary not to overload any single person with multiple or too frequent service reviews.
As a result of service reviews, areas of nonconformance or opportunities for improvement may be identified, which can include changes to documents service requirements, the service catalog, service level agreements or other agreements. These changes must be managed by the change management process and be reflected appropriately in the service catalog.
Copyright: The Art of Service 2008

43. Continual Service Improvement
Act

44. Step 7 - Implementation
Data drive Decisions Objectives drive Priorities Necessity drive Implementation
Implementation of improvements is largely based on necessity and resource availability. An effective organization can plan for improvements without knowing exactly how resources will be used: in this way resource availability may not be an immediate concern for most organizations. Necessity needs to be supported by the objectives of the organization and the data derived through monitoring.
In this last step, the decision needs to be made regarding what, when, and how to improve. The result of these decisions will typically create a series of project charters to start the process of implementing these improvements. The individual projects will usually follow the same guidelines, restrictions, and processes used to create and implement the service, process, or component initially.